Recently I added the IP Restriction Kong plugin for our Developer Portal at SAP Ariba. One thing I came across during testing was that every request that comes from a non-whitelisted IP is also counted for the rate-limit plugin, which can lead to a DoS attack.
So, I just went through the https://docs.konghq.com/0.11.x/plugin-development/custom-logic/#plugins-execution-order doc. It looks like the IP-Restriction plugin has priority over the rate-limiting plugin.
- Why is every request that comes from a non-whitelisted IP (ip-restriction plugin) also counted for the rate-limit plugin? I believe Kong executes all the plugin(s) configured and then responds with the error, doesn’t it?
- Is there a way I can exit from the ip-restriction plugin if the request is not from a valid IP?
- Or is there any other way to resolve this issue?
Thanks and kind regards,