I wonder what request header the rate-limiting plugin uses to identify the client? I suppose it should be the x-forwarded-for header. In my case, that header contains 2 IPs - the real client’s IP and an IP from the pod’s subnet (this one changes from request to request).
So if my rate limit is set to, say, 5 requests per minute, the plugin actually allows 15 requests - I guess it is because of the second IP (the one from the pod’s network) that rotates.
Any hint how to fix this?
PS: I forgot to mention I’m running the Kong ingress controller in a Kubernetes cluster.
Have you set real_ip_recursive?
No, I didn’t set real_ip_recursive. I just installed the Kong ingress controller (pretty much a default install) and deployed an echo service, an ingress and the rate_limiting plugin. This is the response I get (126.96.36.199 is the load balancer, 188.8.131.52 is my IP):

```
kong $ curl -i $PROXY_IP/echo
HTTP/1.1 200 OK
Date: Wed, 29 Apr 2020 09:42:45 GMT
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-RateLimit-Remaining-Minute: 2
X-RateLimit-Limit-Minute: 3
RateLimit-Remaining: 2
RateLimit-Limit: 3
RateLimit-Reset: 15
X-Kong-Upstream-Latency: 2
X-Kong-Proxy-Latency: 1
Via: kong/2.0.3

Hostname: echo-599d77c5c7-s8t55

Pod Information:
    node name: 10.1.64.4
    pod name: echo-599d77c5c7-s8t55
    pod namespace: prod
    pod IP: 10.244.2.3

Server values:
    server_version=nginx: 1.12.2 - lua: 10010

Request Information:
    client_address=10.244.0.4
    method=GET
    real path=/echo
    query=
    request_version=1.1
    request_scheme=http
    request_uri=http://184.108.40.206:8080/echo

Request Headers:
    accept=*/*
    connection=keep-alive
    host=220.127.116.11
    user-agent=curl/7.68.0
    x-forwarded-for=18.104.22.168, 10.244.1.0
    x-forwarded-host=22.214.171.124
    x-forwarded-port=8000
    x-forwarded-proto=http
    x-real-ip=10.244.1.0

Request Body:
    -no body in request-
```

By the way, there is no pod with IP 10.244.1.0, so it must be something dynamically generated…
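An added example, not part of the thread or of Kong's code: a small Python model of how nginx's realip module (which Kong's `trusted_ips`, `real_ip_header` and `real_ip_recursive` settings configure) picks the client address, and what that does to a limit keyed by that address. The function names, the `203.0.113.7` client, the `10.244.0.0` and `10.244.2.0` hops and the `10.244.0.0/16` pod CIDR are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

def resolve_client_ip(peer, xff, trusted, recursive):
    """Model of realip selection with real_ip_header X-Forwarded-For."""
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not is_trusted(peer) or not hops:
        return peer          # header ignored: the peer is not a trusted proxy
    if not recursive:
        return hops[-1]      # last address in the header, trusted or not
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop       # last non-trusted address wins
    return hops[0]           # every hop was a trusted proxy

def allowed_requests(requests, limit, trusted, recursive):
    """Requests admitted in one window by a limit keyed on the resolved IP."""
    seen, admitted = Counter(), 0
    for peer, xff in requests:
        key = resolve_client_ip(peer, xff, trusted, recursive)
        seen[key] += 1
        if seen[key] <= limit:
            admitted += 1
    return admitted

# Constructed traffic: one client, reaching the proxy through three rotating
# pod-network source addresses (assumed), 30 requests inside one window.
CLIENT = "203.0.113.7"
PEERS = ["10.244.0.0", "10.244.1.0", "10.244.2.0"]
REQUESTS = [(PEERS[i % 3], CLIENT) for i in range(30)]
POD_CIDR = ["10.244.0.0/16"]  # assumed pod network range

if __name__ == "__main__":
    # Nothing trusted: the key is the rotating peer, so the limit is per hop.
    print(allowed_requests(REQUESTS, 5, [], False))
    # Pod network trusted, recursive on: the key is the real client.
    print(allowed_requests(REQUESTS, 5, POD_CIDR, True))
```

Trust only the ranges of the proxies that actually sit in front of Kong: with recursion on, entries a client prepends to X-Forwarded-For are ignored, because selection stops at the first non-trusted address from the right.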
That must be the internal IP of your Load Balancer.
Please read the following doc:
I have a K8s cluster on Digital Ocean, and it accepts Proxy Protocol on the Load Balancer. I was reading that guide, but didn’t get how to set the environment variables in Kong.
This guide might be helpful: