Rate Limiter: Add Trusted Proxy Configuration for X-Forwarded-For Support

## Problem

The rate limiter in `ground-control/internal/middleware/ratelimit.go` currently only uses `r.RemoteAddr` for client identification and ignores `X-Forwarded-For` headers. While this is secure against IP spoofing, it becomes problematic when Ground Control runs behind a reverse proxy (nginx, AWS ALB, K8s Ingress).

When behind a proxy, all requests appear to come from the proxy's IP, causing all clients to share the same rate limit bucket.

## Current Behavior

```go
func getClientIP(r *http.Request) string {
    // Only use RemoteAddr - ignores X-Forwarded-For
    host, _, err := net.SplitHostPort(r.RemoteAddr)
    // ...
}
```

## Proposed Solution

Add configuration for trusted proxies:

1. Add `TrustedProxies []string` configuration option
2. Only parse `X-Forwarded-For` when the immediate client is in the trusted list
3. Validate the header chain to prevent spoofing

## Reference

- File: `ground-control/internal/middleware/ratelimit.go:106-115`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Rate Limiter: Add Trusted Proxy Configuration for X-Forwarded-For Support #287

Problem

Current Behavior

Proposed Solution

Reference

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Rate Limiter: Add Trusted Proxy Configuration for X-Forwarded-For Support #287

Description

Problem

Current Behavior

Proposed Solution

Reference

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions