From 6e01eeac8221605e2ab5c7f305b1fa5c89cf4818 Mon Sep 17 00:00:00 2001
From: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Date: Thu, 23 Jan 2025 10:22:49 -0500
Subject: [PATCH] Fix Proxy web server middleware order (#51386)

The limiter middleware was being executed prior to the middleware responsible updating the client IP from X-Forwarded-For headers. This results in erroneously enforcing connection limits in NAT environments.
---
 lib/service/service.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/service/service.go b/lib/service/service.go
index 9acad10449fad..29f3bfbd822b0 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -4550,9 +4550,9 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 Server: &http.Server{
 Handler: utils.ChainHTTPMiddlewares(
 webHandler,
- makeXForwardedForMiddleware(cfg),
 limiter.MakeMiddleware(proxyLimiter),
 httplib.MakeTracingMiddleware(teleport.ComponentProxy),
+ makeXForwardedForMiddleware(cfg),
 ),
 // Note: read/write timeouts *should not* be set here because it
 // will break some application access use-cases.
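Review bot: The argument order in the `utils.ChainHTTPMiddlewares(...)` call is now load-bearing for rate limiting, but nothing at the call site says so; going by the commit description the chain appears to run the last-listed middleware first, which should be confirmed against `ChainHTTPMiddlewares` and recorded, e.g. `// Middlewares run last-to-first: X-Forwarded-For must stay last so the limiter sees the real client IP.` With this order `limiter.MakeMiddleware(proxyLimiter)` keys its limits on an address taken from a request header, so it is worth verifying that `makeXForwardedForMiddleware(cfg)` rewrites the client IP only when the proxy is configured to trust the header and sits behind a load balancer that overwrites it; otherwise a directly connected client can choose the address its connections are counted against. The diffstat shows only `lib/service/service.go` changed, so a regression test asserting that the limiter observes the forwarded address would keep the order from being flipped back unnoticed. `initProxyEndpoint` begins and ends outside this hunk.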