Rate-limiting by IP - which IP does the plugin use

Hi,
I wonder what request header the rate-limiting plugin uses to identify the client? I suppose it should be the x-forwarded-for header. In my case, that header variable contains 2 IPs - the real client’s IP and an IP from the pod’s subnet (this one changes from request to request).
So if my rate limit is set to, say, 5 requests per minute, the plugin actually allows 15 requests - I guess it is because of the second IP (the one from the pod’s network) that rotates.
Any hint how to fix this?
Thanks
PS: I forgot to mention I’m running the Kong ingress controller in a Kubernetes cluster.

Have you set real_ip_recursive?
https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header

No, I didn’t set real_ip_recursive. I just installed the Kong ingress controller (pretty much a default install) and deployed an echo service, an ingress and the rate_limiting plugin. This is the response I get (158.101.182.128 is the load balancer, 188.167.228.132 is my IP):

kong $ curl -i $PROXY_IP/echo
HTTP/1.1 200 OK
Date: Wed, 29 Apr 2020 09:42:45 GMT
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-RateLimit-Remaining-Minute: 2
X-RateLimit-Limit-Minute: 3
RateLimit-Remaining: 2
RateLimit-Limit: 3
RateLimit-Reset: 15
X-Kong-Upstream-Latency: 2
X-Kong-Proxy-Latency: 1
Via: kong/2.0.3



Hostname: echo-599d77c5c7-s8t55

Pod Information:
        node name:      10.1.64.4
        pod name:       echo-599d77c5c7-s8t55
        pod namespace:  prod
        pod IP: 10.244.2.3

Server values:
        server_version=nginx: 1.12.2 - lua: 10010

Request Information:
        client_address=10.244.0.4
        method=GET
        real path=/echo
        query=
        request_version=1.1
        request_scheme=http
        request_uri=http://158.101.182.128:8080/echo

Request Headers:
        accept=*/*
        connection=keep-alive
        host=158.101.182.128
        user-agent=curl/7.68.0
        x-forwarded-for=188.167.228.132, 10.244.1.0
        x-forwarded-host=158.101.182.128
        x-forwarded-port=8000
        x-forwarded-proto=http
        x-real-ip=10.244.1.0

Request Body:
        -no body in request-

By the way, there is no pod with IP 10.244.1.0, so it must be something dynamically generated…
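
The header values in the output above, run through a simplified model of how nginx's realip module (set_real_ip_from, real_ip_header X-Forwarded-For, real_ip_recursive) picks the client address. This is an added example, not part of the original posts and not Kong's own code. The pod CIDR 10.244.0.0/16, the peers 10.244.2.0 and 10.244.0.1, and the reading that Kong's peer was 10.244.1.0 with an incoming header of only 188.167.228.132 are assumptions.

```python
import ipaddress


def resolve_client_ip(peer, xff, trusted_cidrs, recursive):
    """Return the address a realip-style resolver would treat as the client."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    addr = ipaddress.ip_address(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk the header right to left, but only while the address we currently
    # hold belongs to a trusted proxy. An untrusted peer's header is ignored.
    while hops and any(addr in n for n in nets):
        try:
            addr = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # unparsable entry: keep the last good address
        if not recursive:
            break  # real_ip_recursive off: only the last entry is used
    return str(addr)


def rate_limit_keys(requests, trusted_cidrs, recursive):
    """Distinct per-IP rate-limit buckets produced by a list of requests."""
    return {resolve_client_ip(p, x, trusted_cidrs, recursive) for p, x in requests}


POD_NET = ["10.244.0.0/16"]  # assumed pod CIDR, not stated in the thread

# (peer, incoming X-Forwarded-For) as assumed at Kong. The first peer is the
# x-real-ip value from the thread; the other two are constructed to model
# the "rotating" second address.
AT_KONG = [
    ("10.244.1.0", "188.167.228.132"),
    ("10.244.2.0", "188.167.228.132"),
    ("10.244.0.1", "188.167.228.132"),
]

# What the echo pod saw, taken from the output above.
ECHO_PEER, ECHO_XFF = "10.244.0.4", "188.167.228.132, 10.244.1.0"

if __name__ == "__main__":
    print("no trusted proxies:", sorted(rate_limit_keys(AT_KONG, [], False)))
    print("pod net trusted:   ", sorted(rate_limit_keys(AT_KONG, POD_NET, True)))
    print("echo, recursive off:", resolve_client_ip(ECHO_PEER, ECHO_XFF, POD_NET, False))
    print("echo, recursive on: ", resolve_client_ip(ECHO_PEER, ECHO_XFF, POD_NET, True))
```

With no trusted proxies, the three peers produce three separate buckets for one real client, which matches the 15 requests observed against a limit of 5. Trust is scoped to the pod network only, so a peer outside it cannot have its header accepted.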

That must be the internal IP of your Load Balancer.
Please read the following doc:

I have a K8s cluster on Digital Ocean, and it accepts Proxy Protocol on the Load Balancer. I was reading that guide, but didn’t get how to set the environment variables in Kong.

This guide might be helpful:

