Rate limit plugin behaviour with corporate proxy between user and API Gateway?

sraravet · December 17, 2020, 10:28am

Hi

As per the documentation of rate limit plugin, Rate limiting plugin will throttle the client requests based on client_ip of end user.
What if there is a corporate proxy between end user and API GW? The typical request flow that I am thinking about looks like this: End user (browser) —> corporate proxy —> Load balancer —> Kong API GW
In this case even if use we x-forwarded-for(with load balancer) OR remote_addr (without load balancer) to determine the actual end user’s IP address, will it give it correctly OR it will be of corporate proxy server?

thanks in adance

sraravet · January 6, 2021, 11:17am

Hi

can anybody help me to understand the above behaviour from Rate Limit plugin?

Thanks in Advance

Thiago_Bruno · September 23, 2021, 10:25pm

i´ve had the same problem.
any one else ??

tyree731 · September 28, 2021, 12:36pm

Kong’s rate limiting plugin is going to pull the IP address using the kong.client.get_forwarded_ip() PDK method, a method which uses Kong’s understanding of the forwarded or client IP address. You can configure how Kong detects the forwarded IP address using the trusted_ips, real_ip_header, and real_ip_recursive configurations within kong.conf. See the linked documentation for how to configure those values.

For an example, here is how we configure those configuration variables:

trusted_ips       = <comma-delimeted list of IP addresses for our load balancer>
real_ip_header    = X-Forwarded-For
real_ip_recursive = on

Hope that helps.