Add remark about X-Forwarded-For.

README.md

@@ -81,7 +81,17 @@ You already know that the frontend code imports the backend code. But now, gunic
 
     where `./` is the location from which you will run gunicorn.
 
-3. To run non-daemonized, on a specific port, with logging to the terminal, I use:
+3. If you are using a proxy like NGINX, make sure you are setting X-Forwarded-For so that Etiquette sees the user's real IP, and not the proxy's own (127.0.0.1) IP. For example:
+
+    ```
+    location / {
+        ...
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        ...
+    }
+    ```
+
+4. To run non-daemonized, on a specific port, with logging to the terminal, I use:
 
     ```
     ~/cmd/python ~/cmd/gunicorn_py etiquette_flask_prod:site --bind "0.0.0.0:6667" --access-logfile "-" --access-logformat "%(h)s | %(t)s | %(r)s | %(s)s %(b)s"
@@ -89,6 +99,7 @@ You already know that the frontend code imports the backend code. But now, gunic
 
 It is expected that you create a shortcut file or launch script so you don't have to type the whole filepath every time.
 
+
 ### Running Etiquette REPL
 
 Run `python etiquette_repl.py` to launch the Python interpreter with the PhotoDB pre-loaded into a variable called `P`. Try things like `P.new_photo` or `P.digest_directory`.

frontends/etiquette_flask/backend/common.py

@@ -77,6 +77,10 @@ site.route = decorate_and_route
 
 @site.before_request
 def before_request():
+    # Note for prod: If you see that remote_addr is always 127.0.0.1 for all
+    # visitors, make sure your reverse proxy is properly setting X-Forwarded-For
+    # so that werkzeug's proxyfix can set that as the remote_addr.
+    # In NGINX: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     request.is_localhost = (request.remote_addr == '127.0.0.1')
     if site.localhost_only and not request.is_localhost:
         flask.abort(403)