perf: scale workers + per-tablet rate limiting for 20 concurrent users

The default 2-worker gunicorn could only serve 2 concurrent tablet requests,
queueing the rest, and the rate limiter saw every tablet as the same Nginx
container IP, so 20 users would have collectively burned through the
100 req/min general bucket.

- gunicorn: 5 workers x 4 gthread, --forwarded-allow-ips=*, access log
- uvicorn: 4 workers, --proxy-headers, --forwarded-allow-ips=*
- RateLimitMiddleware: resolve real client IP from
  X-Forwarded-For -> X-Real-IP -> request.client.host
- Bump rate_limit_general 100 -> 300 req/min/IP (per tablet now)
- Flask: ProxyFix(x_for=1, x_proto=1, x_host=1) so request.remote_addr
  is the tablet IP, not the Nginx IP
- APIClient: forward X-Forwarded-For + X-Real-IP to FastAPI for both
  JSON and multipart/files calls; safe no-op outside request context
- 12 new tests (7 server + 5 client) covering header precedence,
  forwarding behavior and ProxyFix install

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

server/Dockerfile

@@ -23,4 +23,4 @@ RUN mkdir -p uploads/images uploads/pdfs uploads/logos uploads/reports
 EXPOSE 8000
 
 # Entry point: Alembic upgrade + Uvicorn
-CMD ["sh", "-c", "alembic -c migrations/alembic.ini upgrade head && uvicorn main:app --host 0.0.0.0 --port 8000 --workers 2"]
+CMD ["sh", "-c", "alembic -c migrations/alembic.ini upgrade head && uvicorn main:app --host 0.0.0.0 --port 8000 --workers 4 --proxy-headers --forwarded-allow-ips='*'"]

server/config.py

@@ -23,9 +23,9 @@ class Settings(BaseSettings):
     upload_dir: str = "uploads"
     max_upload_size_mb: int = 50
 
-    # Rate Limiting (requests per minute)
+    # Rate Limiting (requests per minute, per real client IP)
     rate_limit_login: int = 5
-    rate_limit_general: int = 100
+    rate_limit_general: int = 300
 
     # SSL (Production)
     ssl_certfile: str | None = None

server/middleware/rate_limit.py

@@ -32,6 +32,25 @@ class RateLimitMiddleware(BaseHTTPMiddleware):
         self._general_requests: dict[str, list[float]] = defaultdict(list)
         self._request_count = 0  # Counter for triggering eviction
 
+    @staticmethod
+    def _client_ip(request: Request) -> str:
+        """Resolve the originating client IP, honoring proxy headers.
+
+        Order of precedence: ``X-Forwarded-For`` (first hop), ``X-Real-IP``,
+        ``request.client.host``. Required because Nginx and the Flask client
+        sit between the tablet and the API; without parsing these headers
+        every tablet shares one bucket.
+        """
+        xff = request.headers.get("x-forwarded-for")
+        if xff:
+            first = xff.split(",")[0].strip()
+            if first:
+                return first
+        real = request.headers.get("x-real-ip")
+        if real:
+            return real.strip()
+        return request.client.host if request.client else "unknown"
+
     def _clean_window(self, timestamps: list[float], now: float) -> list[float]:
         """Remove timestamps outside the current sliding window."""
         cutoff = now - self.WINDOW_SECONDS
@@ -68,7 +87,7 @@ class RateLimitMiddleware(BaseHTTPMiddleware):
         return True, 0
 
     async def dispatch(self, request: Request, call_next: Callable) -> Response:
-        client_ip = request.client.host if request.client else "unknown"
+        client_ip = self._client_ip(request)
         now = time.time()
         path = request.url.path
 

server/tests/test_rate_limit_proxy.py

@@ -0,0 +1,65 @@
+"""Tests for RateLimitMiddleware honoring proxy headers (X-Forwarded-For)."""
+from middleware.rate_limit import RateLimitMiddleware
+
+
+class _FakeRequest:
+    """Minimal stand-in for starlette.requests.Request."""
+
+    def __init__(self, headers: dict[str, str], host: str | None = "10.0.0.1"):
+        self.headers = headers
+
+        class _Client:
+            pass
+
+        if host is None:
+            self.client = None
+        else:
+            self.client = _Client()
+            self.client.host = host
+
+
+def test_client_ip_uses_x_forwarded_for_first_hop():
+    req = _FakeRequest(
+        headers={"x-forwarded-for": "203.0.113.5, 10.0.0.2"},
+        host="10.0.0.1",
+    )
+    assert RateLimitMiddleware._client_ip(req) == "203.0.113.5"
+
+
+def test_client_ip_strips_whitespace():
+    req = _FakeRequest(headers={"x-forwarded-for": "  198.51.100.7  "})
+    assert RateLimitMiddleware._client_ip(req) == "198.51.100.7"
+
+
+def test_client_ip_falls_back_to_x_real_ip():
+    req = _FakeRequest(headers={"x-real-ip": "203.0.113.99"}, host="10.0.0.1")
+    assert RateLimitMiddleware._client_ip(req) == "203.0.113.99"
+
+
+def test_client_ip_falls_back_to_request_client_host():
+    req = _FakeRequest(headers={}, host="172.18.0.5")
+    assert RateLimitMiddleware._client_ip(req) == "172.18.0.5"
+
+
+def test_client_ip_returns_unknown_without_client():
+    req = _FakeRequest(headers={}, host=None)
+    assert RateLimitMiddleware._client_ip(req) == "unknown"
+
+
+def test_x_forwarded_for_overrides_x_real_ip():
+    req = _FakeRequest(
+        headers={
+            "x-forwarded-for": "203.0.113.5",
+            "x-real-ip": "10.0.0.2",
+        },
+        host="10.0.0.1",
+    )
+    assert RateLimitMiddleware._client_ip(req) == "203.0.113.5"
+
+
+def test_empty_x_forwarded_for_falls_through():
+    req = _FakeRequest(
+        headers={"x-forwarded-for": "", "x-real-ip": "203.0.113.42"},
+        host="10.0.0.1",
+    )
+    assert RateLimitMiddleware._client_ip(req) == "203.0.113.42"