add filter_private_ips option to discard private IPs.

Might be used when the tracker is behind a reverse proxy and one of the provided
addresses in `real_ip_header` is a private/local address.

Additional changes:

* check if provided address is not multicast/broadcast
* configure `http.Server.ReadHeaderTimeout` with `http.ReadTimeout` to mitigate Slowloris
* update dependencies
* minor docs fixes
Lawrence, Rendall
2022-07-23 15:30:12 +03:00
parent 3e36ad7cbf
commit 96653c45a3
13 changed files with 125 additions and 63 deletions

@@ -73,10 +73,14 @@ mochi:
ping_routes:
- "/ping"
# When enabled, the IP address used to connect to the tracker will not
# override the value clients advertise as their IP address.
# When not enabled, tracker will use only address from which client connected to tracker.
# When enabled, the IP address that clients advertise as their IP address will
# be appended as announce candidate.
allow_ip_spoofing: false
# When enabled, IPs from private, local and loopback subnets will be ignored
filter_private_ips: false
# The HTTP Header containing the IP address of the client.
# This is only necessary if using a reverse proxy.
real_ip_header: "x-real-ip"
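Review bot: the new `filter_private_ips` comment, placed directly above `real_ip_header`, does not say which address sources the filter applies to or what happens when every candidate is discarded. The commit message motivates the option with private addresses arriving through `real_ip_header`, so the comment should state whether the filter covers the header value, the connection address and the client-advertised address that `allow_ip_spoofing` admits, and whether an announce left with no address is rejected. Because the rewritten `allow_ip_spoofing` comment says the advertised address is appended as an announce candidate, consider also documenting next to it whether `filter_private_ips` should be turned on whenever `allow_ip_spoofing` is.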
@@ -110,10 +114,14 @@ mochi:
# Disabling this should increase performance/decrease load.
enable_request_timing: false
# When enabled, the IP address used to connect to the tracker will not
# override the value clients advertise as their IP address.
# When not enabled, tracker will use only address from which client connected to tracker.
# When enabled, the IP address that clients advertise as their IP address will
# be appended as announce candidate.
allow_ip_spoofing: false
# When enabled, IPs from private, local and loopback subnets will be ignored
filter_private_ips: false
# The maximum number of peers returned for an individual request.
max_numwant: 100
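Review bot: this block repeats the `allow_ip_spoofing` and `filter_private_ips` comments word for word from the earlier block, and nothing says whether the two settings are independent. No `real_ip_header` key is visible in this block's context, so say what `filter_private_ips` acts on here, and add a line noting that each block carries its own value so an operator who sets it in one place does not assume it applies to both. The sentence "When not enabled, tracker will use only address from which client connected to tracker." would also read better as "When not enabled, the tracker uses only the address the client connected from."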