Hi, is there a way to tie a customer to a specific IP, without any authentication inside Kong?
Use-case is to apply specific rate-limiting to specific IPs like Kong rate limit whitelist IPs or even Ip-Restrictions on Consumers, minus the authentication, while having a default per-IP rate-limit for all the other IPs (limit_by: ip
) on the Service. The proxified app is doing authentication by itself. This is not quite exactly as Consumer identification without authorization.
What I tried so far is creating a Consumer staging_app_client
, limit it to an IP and set the rate-limit plugin to the staging_app_client
Consumer like this:
# add staging_app_client consumer
curl -i -X POST http://kong:8001/consumers/ --data "username=staging_app_client"
# limit this consumer to IP 8.8.8.8
curl -X POST http://kong:8001/consumers/staging_app_client/plugins --data "name=ip-restriction" --data "config.whitelist=8.8.8.8"
# rate-limit the consumer
curl -X POST http://kong:8001/consumers/staging_app_client/plugins --data "name=rate-limiting" --data "config.day=1000" --data "config.hour=100"
But when initiating requests from this IP 8.8.8.8
to the Kong gateway, we still see the global (for the Service) per-IP rate-limit being applied in the X-RateLimit-Limit-*
headers.
Also I was not able to find how to tie this Consumer to a specific Service, as we plan in the future to have more than 1 service behind Kong.
Is it impossible to achieve this?