I have set up an API gateway with Kong and below is my kong.yml file.
_format_version: "2.1"
_transform: true
services:
- name: auth-service
  url: http://xxxxxxxxxxx
  routes:
  - name: auth-routes
    paths:
    - /auth
- name: audit-service
  url: http://xxxxxxxxxxx
  routes:
  - name: audit-routes
    paths:
    - /audits
plugins:
- name: rate-limiting
  service: auth-service
  config:
    minute: 100
    hour: 1000
    day: 10000
- name: rate-limiting
  service: audit-service
  config:
    minute: 100
    hour: 1000
    day: 10000
As you can see, on my other server I have a couple of services running and Kong handles the traffic according to the routes.
The problem is, when the rate limit is reached, Kong blocks all IPs, not just the attacking IP. I tested this by running k6 from a droplet and, while it was running, I tried calling the API gateway from my PC and got the message saying "rate-limit reached".
Any idea how to fix this? Thanks!
2 Answers
According to the documentation, the IP is determined from headers passed into the requests: https://docs.konghq.com/hub/kong-inc/rate-limiting/#limit-by-ip-address
Is there any proxy, firewall or load balancer in front of your API gateway that could possibly always set the same IP into those headers, which would lead the plugin to think that all the requests come from the same IP address?
Make sure you preserve the client IP address:
https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/security/client-ip/
CloudFront and firewalls on the way to the gateway may replace the host IP with their own and pass the client IP in another header like X-Forwarded-For; you should configure your Kong to copy the real IP.
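Added example, not from the question or either answer: a small Python simulation of the rule Kong's kong.conf settings trusted_ips, real_ip_header and real_ip_recursive follow when resolving the client address, fed into a per-IP counter like the one limit_by: ip uses. It shows why an untrusted front proxy collapses every client into one bucket, so a single noisy client exhausts the limit for everyone. The proxy address, client addresses and the limit of 3 are constructed values.

```python
import ipaddress
from collections import defaultdict

# Constructed values: the gateway sees every request arrive from this proxy,
# which puts the original client address into X-Forwarded-For.
PROXY_ADDR = "10.0.0.5"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _is_trusted(addr, trusted):
    return any(ipaddress.ip_address(addr) in net for net in trusted)

def forwarded_ip(remote_addr, xff, trusted, recursive=True):
    """Resolve the client IP the way trusted_ips + real_ip_header + real_ip_recursive
    do: the header is honoured only when the TCP peer is trusted; with recursive=True
    the chain is walked right to left and the first untrusted hop is the client."""
    if not _is_trusted(remote_addr, trusted):
        return remote_addr                       # untrusted peer: header is ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr
    if not recursive:
        return hops[-1]                          # only the last hop is considered
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return hops[0]                               # every hop trusted: take leftmost

class MinuteLimiter:
    """Fixed-window counter, one bucket per key (what limit_by: ip keys on)."""
    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)
    def allow(self, key):
        self.counts[key] += 1
        return self.counts[key] <= self.limit

def simulate(trusted, limit=3):
    """Replay constructed traffic: one noisy client sends 4 requests, then a second
    client sends 1. Returns {client_ip: [allowed?, ...]} in arrival order."""
    limiter = MinuteLimiter(limit)
    traffic = [("203.0.113.10", 4), ("198.51.100.7", 1)]
    results = {}
    for client, n in traffic:
        for _ in range(n):
            key = forwarded_ip(PROXY_ADDR, client, trusted)
            results.setdefault(client, []).append(limiter.allow(key))
    return results

if __name__ == "__main__":
    print("proxy not trusted:", simulate([]))              # second client blocked too
    print("proxy trusted:    ", simulate(TRUSTED_PROXIES))  # only the noisy client is
```

With the proxy untrusted every request is keyed on 10.0.0.5, which is the "all IPs blocked" symptom from the question; the non-recursive branch shows why a CDN plus firewall chain also needs real_ip_recursive, otherwise the last trusted hop becomes the key.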