Plugin execution order

Hi Guys,

Recently I added IP Restriction Kong plugin for our Developer Portal at SAP Ariba. One thing I came across during testing was every request that comes from NOT Whitelisted IP is also counted for rate-limit plugin which can lead to DOS attack.

So, I just went through doc. It looks like the IP-Restriction plugin has the priority over rate-limiting plugin.

Please clarify:

  • Why is every request that comes from NOT Whitelisted IP(ip-restriction plugin) is also counted for rate-limit plugin? I believe Kong executes all the plugin(s) configured and then responds with the error, isn’t it?
  • Is there a way I can exit from ip-restriction plugin if the request is not from the valid IP?
  • or is there any other way to resolve this issue?

Thanks and kind regards,

Hi Team Kong,

Please clarify this problem. Your response is very much appreciated.


That’s what the plugin does.
If a request originates from an IP address that is not whitelisted, it will reject the request.
Since the priority is higher than the rate-limiting plugin, the IP-restriction plugin will reject the request, before rate-limiting plugin has a chance to execute.