Hi,
I wonder what request header the rate-limiting plugin uses to identify the client. I suppose it should be the x-forwarded-for header. In my case, that header variable contains 2 IPs - the real client’s IP and an IP from the pod’s subnet (this one changes from request to request).
So if my rate limit is set to, say, 5 requests per minute, the plugin actually allows for 15 requests - I guess it is because of the second IP (the one from the pod’s network) that rotates.
Any hint how to fix this?
Thanks
PS: I forgot to mention I’m running the Kong ingress controller in a Kubernetes cluster.
Have you set real_ip_recursive?
https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
No, I didn’t set the real_ip_recursive. Just installed kong ingress controller (pretty much default install) and deployed echo service, ingress and rate_limiting plugin. This is the response I get (158.101.182.128 is Loadbalancer, 188.167.228.132 is my IP):
kong $ curl -i $PROXY_IP/echo
HTTP/1.1 200 OK
Date: Wed, 29 Apr 2020 09:42:45 GMT
Content-Type: text/plain; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-RateLimit-Remaining-Minute: 2
X-RateLimit-Limit-Minute: 3
RateLimit-Remaining: 2
RateLimit-Limit: 3
RateLimit-Reset: 15
X-Kong-Upstream-Latency: 2
X-Kong-Proxy-Latency: 1
Via: kong/2.0.3
Hostname: echo-599d77c5c7-s8t55
Pod Information:
node name: 10.1.64.4
pod name: echo-599d77c5c7-s8t55
pod namespace: prod
pod IP: 10.244.2.3
Server values:
server_version=nginx: 1.12.2 - lua: 10010
Request Information:
client_address=10.244.0.4
method=GET
real path=/echo
query=
request_version=1.1
request_scheme=http
request_uri=http://158.101.182.128:8080/echo
Request Headers:
accept=*/*
connection=keep-alive
host=158.101.182.128
user-agent=curl/7.68.0
x-forwarded-for=188.167.228.132, 10.244.1.0
x-forwarded-host=158.101.182.128
x-forwarded-port=8000
x-forwarded-proto=http
x-real-ip=10.244.1.0
Request Body:
-no body in request-
By the way, there is no pod with IP 10.244.1.0, so it must be something dynamically generated…
That must be the internal IP of your Load Balancer.
Please read the following doc:
https://github.com/Kong/kubernetes-ingress-controller/blob/master/docs/guides/preserve-client-ip.md
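Added example, not part of the thread and not Kong or nginx code: a Python model of how the nginx realip module picks the client address from X-Forwarded-For, and how that choice changes the number of requests a per-IP limit admits. Assumptions: the pod subnet is 10.244.0.0/16, the rotating peers are three node-side addresses (only 10.244.1.0 appears in the thread), and the limiter is a simple per-window counter.

```python
import ipaddress
from collections import Counter

def resolve_client_ip(peer, xff, trusted_cidrs, recursive):
    """Model of nginx realip with real_ip_header X-Forwarded-For."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    def trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)
    # The header is honoured only when the directly connected peer is trusted.
    if not xff or not trusted(peer):
        return peer
    addr = peer
    # Walk the chain right to left: the rightmost entry was added by the nearest proxy.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                      # malformed entry: keep what we have so far
        addr = hop
        if not recursive or not trusted(hop):
            break                      # non-recursive: last entry; recursive: first untrusted one
    return addr

def allowed_requests(requests, limit, trusted_cidrs, recursive):
    """Requests admitted in one window by a limiter keyed on the resolved IP."""
    seen, admitted = Counter(), 0
    for peer, xff in requests:
        key = resolve_client_ip(peer, xff, trusted_cidrs, recursive)
        if seen[key] < limit:
            seen[key] += 1
            admitted += 1
    return admitted

CLIENT = "188.167.228.132"                         # client IP from the thread
PEERS = ["10.244.0.0", "10.244.1.0", "10.244.2.0"] # constructed rotating peers
REQUESTS = [(PEERS[i % 3], CLIENT) for i in range(30)]  # constructed traffic
POD_CIDR = ["10.244.0.0/16"]                       # assumed pod subnet

if __name__ == "__main__":
    print("nothing trusted:", allowed_requests(REQUESTS, 5, [], False))
    print("pod subnet trusted:", allowed_requests(REQUESTS, 5, POD_CIDR, True))
    # Header exactly as the echo pod reported it, seen from peer 10.244.0.4:
    chain = "188.167.228.132, 10.244.1.0"
    print("recursive off:", resolve_client_ip("10.244.0.4", chain, POD_CIDR, False))
    print("recursive on: ", resolve_client_ip("10.244.0.4", chain, POD_CIDR, True))
```

Trusting only the proxy and pod ranges matters: if every address is trusted, the resolved IP becomes whatever the client wrote at the left of the header, and the limit can be sidestepped by changing that value.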
I have a K8s cluster on Digital Ocean, and it accepts Proxy Protocol on the Load Balancer. I was reading that guide, but didn’t get how to set the environment variables in Kong.
This guide might be helpful: