gddo-server: use X-Appengine-User-Ip to identify ip of requests.

When running on GAE, the X-Real-Ip in header is shielded as well.
X-Appengine-User-Ip contains the real ip address in this situation.

This fixes golang/gddo#393.

Change-Id: I64fc4aa0a16a613a4ce4727aa1425d081ce1f0c9
Reviewed-on: https://go-review.googlesource.com/22067
Reviewed-by: Alan Donovan <adonovan@google.com>
diff --git a/gddo-server/main.go b/gddo-server/main.go
index 5c9315c..92907c6 100644
--- a/gddo-server/main.go
+++ b/gddo-server/main.go
@@ -707,7 +707,10 @@
 	}()
 
 	if *trustProxy {
-		if s := req.Header.Get("X-Real-Ip"); s != "" {
+		// If running on GAE, use X-Appengine-User-Ip to identify real ip of requests.
+		if s := req.Header.Get("X-Appengine-User-Ip"); s != "" {
+			req.RemoteAddr = s
+		} else if s := req.Header.Get("X-Real-Ip"); s != "" {
 			req.RemoteAddr = s
 		}
 	}