private/web: fix ratelimter IP handling

Change-Id: Idab43f15fb5b90d9d831193d0e7119e64513f271

private/web/ratelimiter.go

@@ -7,6 +7,7 @@ import (
 	"context"
 	"net"
 	"net/http"
+	"strings"
 	"sync"
 	"time"
 
@@ -69,7 +70,7 @@ func (rl *IPRateLimiter) cleanupLimiters() {
 //Limit applies a per IP rate limiting as an HTTP Handler.
 func (rl *IPRateLimiter) Limit(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ip, _, err := net.SplitHostPort(r.RemoteAddr)
+		ip, err := getRequestIP(r)
 		if err != nil {
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			return
@@ -83,6 +84,26 @@ func (rl *IPRateLimiter) Limit(next http.Handler) http.Handler {
 	})
 }
 
+//getRequestIP gets the original IP address of the request by handling the request headers.
+func getRequestIP(r *http.Request) (ip string, err error) {
+	realIP := r.Header.Get("X-REAL-IP")
+	if realIP != "" {
+		return realIP, nil
+	}
+
+	forwardedIPs := r.Header.Get("X-FORWARDED-FOR")
+	if forwardedIPs != "" {
+		ips := strings.Split(forwardedIPs, ", ")
+		if len(ips) > 0 {
+			return ips[0], nil
+		}
+	}
+
+	ip, _, err = net.SplitHostPort(r.RemoteAddr)
+
+	return ip, err
+}
+
 //getUserLimit returns a rate limiter for an IP.
 func (rl *IPRateLimiter) getUserLimit(ip string) *rate.Limiter {
 	rl.mu.Lock()