I need help to understand InFlightRequest

Hello everyone,

I'm using Traefik version: v2.10.4

My goal is to limit the number of connections per IP, for example, 3.
For instance, in my configuration I've written this:

    amount: 3
      requestHost: false

What I would like is, given two IPs: IP1 and IP2, I would like IP1 to be able to open 2 connections to my reverse proxy, and IP2 to also be able to open 2 connections. The sum of both amounts to 4. Of course, I don't want either IP2 (or IP1) to be able to open 4 connections on their own.

However, in my tests, the limit still remains at 3. So, IP1 will open 2 connections, but IP2 will only be able to open just one connection (and not 2 as desired).

In the documentation, I read the following:

"The amount option defines the maximum amount of allowed simultaneous in-flight request. The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy)."

Source: Traefik InFlightReq Documentation - Traefik

So, it's clearly written "based on the same sourceCriterion strategy", I thought this configuration allowed me to only base this on my clients' IP addresses.

For your information, I also tried with requestHost set to true.

Or just this configuration:

    amount: 3

Or even with ipStrategy with a depth set to 1.

But despite all my attempts, I never achieve the desired result.

Did I miss something?


Edit 1: In case it wasn't clear, I indeed receive the 429 error when IP2 tries to open more than one connection while IP1 has already opened 2 connections. Therefore, it seems that InFlightReq doesn't count the open connections based on the clients' IPs but on something else...

Edit 2: I use the option --network host which should avoid some Docker IP Gateway issue.

Edit 3: In other words, how to group the requests per client IP?

"Host" is the target host (domain), so that probably not what you want.

You should check sourceCriterion.ipStrategy (doc), which uses the IP in the http header, so no need for network host.

Thank you for your answer!

Sadly I don't have any X-Forwarded-For Header in my HTTP Headers.

I found a workaround yesterday, this problem is now solved.

Traefik itself usually sets X-Forwarded-For Header for http requests, test with whoami.

Thanks again for your reply!

In my tests, I tried with different ipStrategy as I mentioned in my first post, but it wasn't enough to differentiate the clients.

Instead of whoami, I exposed the complete Headers in my accessLog with json format, and I didn't find any reference to X-Forwarded-For

Maybe access log only includes client headers, not Traefik added headers.