security: Support proxy with rate limiting and include CI test coverage for nginx rev proxy (#4373)

Previously Etherpad would not pass the correct client IP address through and this caused the rate limiter to limit users behind reverse proxies.  This change allows Etherpad to use a client IP passed from a reverse proxy.

Note to devs: This header can be spoofed and spoofing the header could be used in an attack.  To mitigate additional *steps should be taken by Etherpad site admins IE doing rate limiting at proxy.*  This only really applies to large scale deployments but it's worth noting.

tests/ratelimit/nginx.conf

@@ -0,0 +1,26 @@
+events {}
+http {
+  server {
+        access_log  /dev/fd/1;
+        error_log   /dev/fd/2;
+        location / {
+            proxy_pass             http://172.23.42.2:9001/;
+            proxy_set_header       Host $host;
+            proxy_pass_header Server;
+            # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
+            proxy_buffering off;
+            proxy_set_header X-Real-IP $remote_addr;  # http://wiki.nginx.org/HttpProxyModule
+            proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
+            proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+            proxy_set_header Host $host;  # pass the host header                                                   
+            proxy_http_version 1.1;  # recommended with keepalive connections                                                    
+            # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+        }
+	}
+  map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+  }
+}