[SOLVED] Ratelimit with excludedIPs not working

I have the following Middleware for rateLimit, in which I want to exclude specific IPs from it.

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: ratelimit
  namespace: dev
spec:
  rateLimit:
    period: 1m
    average: 8
    burst: 5
    sourceCriterion:
      ipStrategy:
        excludedIPs:
          - xx.xx.xx.xx/32 # My Public IP

But this Middleware still applies the rate limit to my public IP.

Hey @rp346

Can you please make sure that Traefik gets the correct IP address? It should match the IP you have excluded in the middleware.
You can enable the access log to verify it.

This is what I see in the Traefik logs.
I have 91.197.205.234/32 in excludedIPs.

91.197.205.234 - - [10/May/2021:18:37:25 +0000] "GET /api/v1/build_version HTTP/1.1" 200 166 "-" "-" 1162818 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "http://10.2.19.232:80" 4ms
91.197.205.234 - - [10/May/2021:18:37:26 +0000] "GET /api/v1/build_version HTTP/1.1" 200 166 "-" "-" 1162819 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "http://10.2.19.232:80" 4ms
91.197.205.234 - - [10/May/2021:18:37:26 +0000] "GET /api/v1/build_version HTTP/1.1" 200 166 "-" "-" 1162820 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "http://10.2.19.232:80" 3ms
91.197.205.234 - - [10/May/2021:18:37:27 +0000] "GET /api/v1/build_version HTTP/1.1" 200 166 "-" "-" 1162821 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "http://10.2.19.232:80" 3ms
91.197.205.234 - - [10/May/2021:18:37:28 +0000] "GET /api/v1/build_version HTTP/1.1" 200 166 "-" "-" 1162822 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "http://10.2.19.232:80" 3ms
91.197.205.234 - - [10/May/2021:18:37:28 +0000] "GET /api/v1/build_version HTTP/1.1" 429 17 "-" "-" 1162823 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "-" 0ms
91.197.205.234 - - [10/May/2021:18:37:29 +0000] "GET /api/v1/build_version HTTP/1.1" 429 17 "-" "-" 1162824 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "-" 0ms
91.197.205.234 - - [10/May/2021:18:37:29 +0000] "GET /api/v1/build_version HTTP/1.1" 429 17 "-" "-" 1162825 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "-" 0ms

Hello @rp346

How the rateLimit Middleware works is a little tricky, so let me explain:

  • General rule: all IP addresses that are added to excludedIPs will be considered the same source, and a common rate limit will be applied to all of them. That explains why your IP was blocked after reaching the specified limit.

The configuration you prepared works in the following way.

  • Any request that does not come from 91.197.205.234/32 gets into a different bucket (each unique IP gets its own bucket),
  • all requests coming from the matching IP will be added to the bucket for "" (the empty string) and the defined limits will be applied. Since there is one IP in the excludedIPs list, it has no effect and you can remove the excludedIPs criterion.

I understand what you are trying to achieve, so here is the solution you might consider implementing.
In general, you can just create two routes:

  • one with rate limits
  • the second without the rateLimit middleware assigned, a router exclusively for your IP 91.197.205.234/32.

If you cannot rely on the source IP, you can consider applying headers to the requests. You can distinguish the incoming request by adding any specific header to the request and, based on that, route the network traffic to the router without the rateLimit middleware.

Here is an example:

# IngressRoute spec fragment: the router for requests carrying the X-No-Limit header.
# It gets only no-limit-middleware, not the rateLimit middleware.
spec:
  routes:
    - kind: Rule
      match: Host(`my.example.com`) && HeadersRegexp(`X-No-Limit`, `true`)
      middlewares:
        - name: no-limit-middleware
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: no-limit-middleware
spec:
  headers:
    customRequestHeaders:
      X-No-Limit: "true"
    customResponseHeaders:
      X-No-Limit-Response: "you-have-no-limits-enjoy"

I hope that explains it a little bit. You can also have a look at issue 8052, where one of my teammates explains it as well.

Thank you, Jakub
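To make the bucket behaviour described in the answer concrete, here is an added Go model written for this thread (not Traefik's own code): clients inside an excludedIPs CIDR collapse to one shared bucket key, and a token bucket configured with the question's average/period/burst values replays the timestamps of the posted access log. It assumes a plain token bucket refilling at average/period tokens per second, which approximates Traefik's limiter rather than reproducing its implementation.

```go
package main

import (
	"math"
	"net"
	"time"
)

// Constructed model (not Traefik's own code) of the behaviour explained above,
// with the Middleware's values from the question: average 8 per period 1m, burst 5.
const ratePerSec, burst = 8.0 / 60.0, 5.0

type bucket struct{ tokens float64; last time.Time }

// sourceKey: clients inside an excludedIPs CIDR share the single "" bucket; all others get their own.
func sourceKey(clientIP string, excludedIPs []string) string {
	ip := net.ParseIP(clientIP)
	for _, cidr := range excludedIPs {
		if _, n, err := net.ParseCIDR(cidr); err == nil && n.Contains(ip) {
			return ""
		}
	}
	return clientIP
}

// allow refills the key's bucket at the average rate (capped at burst); 200 if a token is left, else 429.
func allow(buckets map[string]*bucket, key string, t time.Time) int {
	b, ok := buckets[key]
	if !ok { // a new source starts with a full burst
		b = &bucket{tokens: burst, last: t}
		buckets[key] = b
	}
	b.tokens = math.Min(burst, b.tokens+t.Sub(b.last).Seconds()*ratePerSec)
	b.last = t
	if b.tokens < 1 {
		return 429
	}
	b.tokens--
	return 200
}

// replay sends one request per (ip, seconds after 18:37:25) pair and returns each status code.
func replay(ips []string, offsets []int, excludedIPs []string) []int {
	buckets, out := map[string]*bucket{}, make([]int, len(ips))
	start := time.Date(2021, 5, 10, 18, 37, 25, 0, time.UTC)
	for i, ip := range ips {
		out[i] = allow(buckets, sourceKey(ip, excludedIPs), start.Add(time.Duration(offsets[i])*time.Second))
	}
	return out
}
```

Feeding replay the eight log timestamps from 91.197.205.234 with that IP in excludedIPs yields five 200s followed by three 429s, the same pattern as the posted log; two different excluded IPs share the burst of 5 between them, while two non-excluded IPs each get their own.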
