Without trust proxy, the rate limiter uses the reverse proxy IP instead of the real client IP, making all requests appear to come from one IP. Set TRUST_PROXY=1 in production when behind a single nginx/Apache hop.