When I tried rate limiting by IP address, it seems that DDPRateLimiter was using my upstream proxy IP address even though I had set HTTP_FORWARDED_COUNT properly. I think there is/was an off-by-1 bug in _clientAddress function in the ddp-server package in livedata_server.js? The last line was
return forwardedFor[forwardedFor.length - httpForwardedCount];
Whereas it seems like you should subtract 1 from that. I changed it, and it seems to be using the right IP address now.