Had a question on what header is being used for rate-limiting. For context we have an nginx.conf w/ set_real_ip and we’re using a provider that sends us traffic with the client’s actual IP in Some-Client-IP header.
Does Discourse look at X-Forwarded-For or X-Real-IP for rate limiting? I think it’s looking at X-Forwarded-For because in production.log I see my rever proxy’s IP. Is the correct solution to change X-Forwarded-For to look at $remote_addr also?
Did you add that stanza to your app.yml? Those settings need to be in the NGINX that is inside the container. See also Set up Discourse on a server with existing Apache sites. That’s for Apache, but the part that goes in app.yml is the same regardless of what is doing the reverse proxy.
We don’t have HAProxy on the outside of the containers, we have a DNS provider that does some pre-processing for us so the real_ip_header is in another header value, and we actually have a list of IP addresses that need to be replaced.
We actually also have see a list of X-Forwarded-For, I’m wondering if that’s the cause for the wrong IP’s to show up.
For example, I think we see 111.11.11.111 in the production logs, but not 55.555.55.55 which is what we want (as it’s set in x-real-ip)