I have following Middleware for rateLimit, in which I want to exclude specifics IPs from it.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: ratelimit
namespace: dev
spec:
rateLimit:
period: 1m
average: 8
burst: 5
sourceCriterion:
ipStrategy:
excludedIPs:
- xx.xx.xx.xx/32 # My Public IP
But this Middleware still apply rate-limit to My Public IP
Hey @rp346
Can you please make sure that Traefik gets the correct IP address ? it should match the IP you have excluded in the middleware.
You can enable accesslog to verify it.
This is what I see in Traefik Logs.
I have 91.197.205.234/32 in excludedIPs
91.197.205.234 - - [10/May/2021:18:37:25 +0000] "GET /api/v1/build_version HTTP/1.1" 200 166 "-" "-" 1162818 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "http://10.2.19.232:80" 4ms
91.197.205.234 - - [10/May/2021:18:37:26 +0000] "GET /api/v1/build_version HTTP/1.1" 200 166 "-" "-" 1162819 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "http://10.2.19.232:80" 4ms
91.197.205.234 - - [10/May/2021:18:37:26 +0000] "GET /api/v1/build_version HTTP/1.1" 200 166 "-" "-" 1162820 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "http://10.2.19.232:80" 3ms
91.197.205.234 - - [10/May/2021:18:37:27 +0000] "GET /api/v1/build_version HTTP/1.1" 200 166 "-" "-" 1162821 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "http://10.2.19.232:80" 3ms
91.197.205.234 - - [10/May/2021:18:37:28 +0000] "GET /api/v1/build_version HTTP/1.1" 200 166 "-" "-" 1162822 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "http://10.2.19.232:80" 3ms
91.197.205.234 - - [10/May/2021:18:37:28 +0000] "GET /api/v1/build_version HTTP/1.1" 429 17 "-" "-" 1162823 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "-" 0ms
91.197.205.234 - - [10/May/2021:18:37:29 +0000] "GET /api/v1/build_version HTTP/1.1" 429 17 "-" "-" 1162824 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "-" 0ms
91.197.205.234 - - [10/May/2021:18:37:29 +0000] "GET /api/v1/build_version HTTP/1.1" 429 17 "-" "-" 1162825 "dev-ethernet-api-external-2-cd38a9d28c8529547d1a@kubernetescrd" "-" 0ms
Hello @rp346
This is a little tricky how the Middleware RateLimits works, so let me explain that:
The configuration you prepared, works in the following way.
I understand what you are trying to achieve, so here is the solution you might consider implementing.
In general, you can just create two routes,
rateLimit middleware, the router exclusively for your IP 91.197.205.234/32.If you can not rely on the source IP, you can consider applying headers to the requests. You can distinguish the incoming request by adding any specific Header to the request and based on that route the network traffic to the router without middleware rateLimit.
Here is the example:
spec:
routes:
- kind: rule
match: Host(`my.example.com`) && HeadersRegexp(`X-No-Limit`, `true`)
middlewares:
- name: no-limit-middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: no-limit-middleware
spec:
headers:
customRequestHeaders:
X-No-Limit: "true"
customResponseHeaders:
X-No-Limit-Response: "you-have-no-limits-enjoy"
I hope that explains that a little bit. You can also have a look at the issue 8052 where one of my teammates explains that, also.
Thank you, Jakub
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.