Rate Limit blocking multiple IPs even if the limit is not reached

Traefik Traefik v2
,
1

So, I was playing with the Rate Limit middleware to figure the best values for it. And, I configured the middleware to look for IP in the X-Forwarded-For header. I just bombarded the server with thousands of requests via BlazeMeter, which has, let say, IP1. And then I was trying to reach the server with my local machine which has IP2. But I was getting 429 most of the time on my local machine. I don't know what I did wrong or if this is the expected behavior.

Server Setup

ALB --> Traefik --> Nodejs

Note: Traefik does receive the user's IP in the X-Forwarded-For header.

Middleware config

        request-limit:
            rateLimit:
                average: 100
                burst: 50
                period: 1s
                sourceCriterion:
                    requestHost: true
                    ipStrategy:
                        depth: 1

This thing bugging me for a few days. Any help would be appreciated.

2

Are you sure you are using the correct depth?

3

Yes, ALB attaches the client's ip in the header like X-Forwarded-For: client_ip and this is what traefik receives.

And, I guess depth: 1 is appropriate for this header value.

4

Thought I'd ask, as it seems like this would be the expected behavior if the wrong depth was being used.

5

I saw that you have requestHost: true that might be overriding the ipStrategy

Edit: Nope it shouldn't FTFM:

The precedence order is ipStrategy , then requestHeaderName , then requestHost .

6

At first, I also thought that the depth was the issue. Then I logged the headers in traefik but everything seems fine.

This issue making my head spin. If this issue continues i might be not able to use rate-limit for the time being, which i absolutely don't want to.

BTW, Thanks for your help.

7

Hello @numToStr and @cakiwi , it seems there is some confusion on how the source criterion works because it's properties should be mutually exclusive and you should see an error during the middleware creation phase like:

"iPStrategy and RequestHost are mutually exclusive"

Code reference here.

We should update the documentation on this anyway as its not stated anywhere.

8

I don't think that's the issue as I also checked with only ipStrategy in the yaml config but the rate limiter still blocking the requests from different IPs.