I've started logging some info about the traffic to my service (just a landing page for a client) and decided to implement a rate-limiter since I was seeing some spam bots trying to crawl pages maliciously and wanted to deter them.

However, not that I'm looking at the IPs and they're all printing out the same value, so I'm assuming it's some internal server/network IP for the reverse proxy in front of the service that is provided by Railway.

My question is, is there a specific way/header/place that I should be looking for the request IP address in, to execute proper rate limiting or is that just simply not possible due to the architecture of the service? My concern is that by rate-limiting a single IP, if there's ever any spike in traffic users will start getting rate-limited instantly

Kind Regards,

Bruno