
ip address based rate-limiting does not use real client ip address but last proxy ip address #13599

Closed
1 task done
Labels
pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... stale

Comments


albertforweb commented Aug 30, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

2.8.0

Current Behavior

When Kong uses these configurations:
trusted_ips = 0.0.0.0/0,::/0
real_ip_header = X-Forwarded-For
real_ip_recursive = on

the IP address based rate-limiting does not use the real client IP address but uses the last proxy IP address as the identifier for rate limiting control.

The Kong PDK method 'kong.client.get_forwarded_ip' returns the last proxy IP address, as it uses the nginx variable 'ngx.var.remote_addr', see

function _CLIENT.get_forwarded_ip()

Expected Behavior

The PDK API 'kong.client.get_forwarded_ip' should return the real client IP address, rather than the last proxy IP address.

Steps To Reproduce

step 0: configure Kong with these
trusted_ips = 0.0.0.0/0,::/0
real_ip_header = X-Forwarded-For
real_ip_recursive = on
step 1: configure the IP address based rate-limiting plugin
step 2: annotate the ingress with the rate-limiting plugin
step 3: call an endpoint with a route defined in the ingress
step 4: observe the identifier used by the rate-limiting plugin for rate control
step 5: found that:
* 5.1 the Kong PDK method 'kong.client.get_forwarded_ip' returns the last proxy IP address
* 5.2 'kong.client.get_forwarded_ip' actually gets the IP address from the nginx variable 'ngx.var.remote_addr', see

function _CLIENT.get_forwarded_ip()

* 5.3 added debug headers in the rate-limiting plugin, which show the following in the response when the limits are hit; only the nginx variable 'ngx.var.http_x_forwarded_for' gives the real client IP from which the request was sent

HTTP/2 429
date: Fri, 30 Aug 2024 21:13:28 GMT
content-type: application/json; charset=utf-8
content-length: 41
ratelimit-limit: 100
ratelimit-remaining: 0
ratelimit-reset: 32
retry-after: 32
**ratelimit-identifier: 2001:420:c0c8:1009::407**
x-ratelimit-remaining-minute: 0
x-ratelimit-limit-minute: 100
**x-debug-info: {"kong_client_get_forwarded_ip":"10.0.70.198","ngx_var_realip_remote_addr":"10.0.70.198","ngx_var_http_x_forwarded_for":"2001:420:c0c8:1009::407"}**
vary: Origin
access-control-allow-credentials: true
access-control-expose-headers: X-Auth-Token
via: api-gateway
content-security-policy: default-src 'self'; base-uri 'self'; frame-ancestors 'self'; block-all-mixed-content

{
  "message":"API rate limit exceeded"
}

Anything else?

The 3.7.x PDK API kong.client.get_forwarded_ip has the same issue.

function _CLIENT.get_forwarded_ip()

@Water-Melon (Contributor)

Thanks for your report. I think this might be what you need:
https://github.com/Kong/kong/blob/7ea02bc284c95d3c5b10bf80b70166525b7d1a2a/kong/pdk/client.lua#L61C12-L61C38

@albertforweb (Author)

Thanks @Water-Melon for helping.

However, the link you shared indicates it also uses the nginx variable: 'return ngx.var.realip_remote_addr or ngx.var.remote_addr'

In my test above, ngx.var.realip_remote_addr and ngx.var.remote_addr both hold the proxy IP, not the real client IP as http_x_forwarded_for does:

{"kong_client_get_forwarded_ip":"10.0.70.198","ngx_var_realip_remote_addr":"10.0.70.198","ngx_var_http_x_forwarded_for":"2001:420:c0c8:1009::407"}

chobits (Contributor) commented Sep 10, 2024

Could you try a new version of Kong? I tested Kong master, and it worked as you expected.

see my test case:

  • kong.conf
trusted_ips = 0.0.0.0/0,::/0
real_ip_header = X-Forwarded-For
real_ip_recursive = on

  • my plugin code
  kong.response.set_header("x-debug-info",
    string.format('{"kong_client_get_forwarded_ip":"%s","ngx_var_realip_remote_addr":"%s","ngx_var_http_x_forwarded_for":"%s"}',
    kong.client.get_forwarded_ip(),
    ngx.var.realip_remote_addr,
    ngx.var.http_x_forwarded_for))

  • my test result:
 $ curl localhost:8000/mock -o /dev/null -sv -H 'a: modified-me' -H 'x-forwarded-for: 2001:420:c0c8:1009::407'
*   Trying [::1]:8000...
* connect to ::1 port 8000 failed: Connection refused
*   Trying 127.0.0.1:8000...
* Connected to localhost (127.0.0.1) port 8000
> GET /mock HTTP/1.1
> Host: localhost:8000
> User-Agent: curl/8.4.0
> Accept: */*
> a: modified-me
> x-forwarded-for: 2001:420:c0c8:1009::407
>
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Connection: keep-alive
< Content-Length: 9593
< Server: gunicorn/19.9.0
< Access-Control-Allow-Credentials: true
< Date: Tue, 10 Sep 2024 09:26:23 GMT
< Access-Control-Allow-Origin: *
< X-BChen-Plugin: response
< x-debug-info: {"kong_client_get_forwarded_ip":"2001:420:c0c8:1009::407","ngx_var_realip_remote_addr":"127.0.0.1","ngx_var_http_x_forwarded_for":"2001:420:c0c8:1009::407"}
< X-Kong-Upstream-Latency: 459
< X-Kong-Proxy-Latency: 2
< Via: 1.1 kong/3.9.0
< X-Kong-Request-Id: 843d0821f812e95ab778584f2ce3c16c
<
{ [9593 bytes data]
* Connection #0 to host localhost left intact

You can see that kong.client.get_forwarded_ip() gets the IP address from the x-forwarded-for header, from the x-debug-info header in the reply above: {"kong_client_get_forwarded_ip":"2001:420:c0c8:1009::407","ngx_var_realip_remote_addr":"127.0.0.1","ngx_var_http_x_forwarded_for":"2001:420:c0c8:1009::407"}
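The behaviour both comments are probing is the interaction of trusted_ips, real_ip_header and real_ip_recursive: the realip layer only rewrites the client address when the TCP peer is a trusted proxy, and in recursive mode it walks X-Forwarded-For from the right, skipping trusted proxies, until it reaches the first address it does not trust. The following Python model is an added example written for this page; it is neither Kong's nor nginx's code, and it models the documented realip semantics rather than calling either. The address 2001:420:c0c8:1009::407 and the trust-everything CIDRs are taken from the issue; the 10.0.70.0/24 proxy subnet and the documentation-range addresses 198.51.100.7 and 203.0.113.9 are constructed for the comparison. Its handling of a malformed header entry (keeping the peer address) is this model's own choice, not a claim about nginx.

```python
import ipaddress

# Constructed sample inputs. The IPv6 client and the trust-everything list
# come from the issue; the /24 and the documentation-range addresses are
# assumptions used only for the side-by-side comparison.
TRUST_EVERYTHING = ["0.0.0.0/0", "::/0"]   # trusted_ips as set in the issue
TRUST_ONLY_PROXIES = ["10.0.70.0/24"]       # assumed subnet of the real proxies
CLIENT_V6 = "2001:420:c0c8:1009::407"       # client address from the issue


def _is_trusted(addr, nets):
    """True when addr falls inside any of the trusted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)   # v4-in-v6 comparisons are simply False


def resolve_client_ip(remote_addr, xff, trusted_ips, recursive=True):
    """Model of realip with real_ip_header=X-Forwarded-For.

    remote_addr: the TCP peer (what nginx still exposes as realip_remote_addr).
    xff: the raw X-Forwarded-For header value, or None when absent.
    Returns the address a plugin keyed on kong.client.get_forwarded_ip()
    would see, i.e. ngx.var.remote_addr after realip has run.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_ips]
    # The header is only honoured when the peer itself is a trusted proxy.
    if not xff or not _is_trusted(remote_addr, nets):
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr
    if not recursive:
        # real_ip_recursive=off: the rightmost entry wins, whoever wrote it.
        return hops[-1]
    # real_ip_recursive=on: walk right to left past trusted proxies and stop
    # at the first untrusted address; if every hop is trusted, the leftmost
    # entry is the result.
    chosen = remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: this model keeps the peer address (fail closed).
            # Assumption of the model, not a statement about nginx.
            return remote_addr
        chosen = hop
        if not _is_trusted(hop, nets):
            break
    return chosen


def rate_limit_identifiers():
    """The identifier a per-IP rate limiter would key on, per scenario."""
    two_hops = f"{CLIENT_V6}, 10.0.70.5"  # client, then one intermediate proxy
    return {
        # chobits' reproduction: peer 127.0.0.1 under the trust-everything config
        "issue_repro": resolve_client_ip("127.0.0.1", CLIENT_V6, TRUST_EVERYTHING),
        # two proxies in front, recursive on: 10.0.70.5 is skipped, client found
        "two_hops_recursive": resolve_client_ip("10.0.70.198", two_hops, TRUST_ONLY_PROXIES),
        # same chain, recursive off: the last proxy becomes the identifier
        "two_hops_flat": resolve_client_ip("10.0.70.198", two_hops, TRUST_ONLY_PROXIES, recursive=False),
        # direct client, trust everything: the header value becomes the identifier
        "direct_trust_all": resolve_client_ip("198.51.100.7", "203.0.113.9", TRUST_EVERYTHING),
        # direct client, proxies only: the header is ignored, the peer is the key
        "direct_trust_proxies": resolve_client_ip("198.51.100.7", "203.0.113.9", TRUST_ONLY_PROXIES),
    }


if __name__ == "__main__":
    for name, ident in rate_limit_identifiers().items():
        print(f"{name:22s} -> {ident}")
```

Two points to read off the scenarios. The "last proxy IP address" symptom in the report is exactly what the non-recursive mode yields for a multi-hop chain, so when debugging it is worth confirming which mode is actually in effect at runtime rather than trusting the config file. Separately, trusted_ips = 0.0.0.0/0 makes every peer a trusted proxy, so a header value sent by a client that connects directly is accepted as its identity; for a rate limiter keyed on that identity, trusted_ips should list only the addresses of the proxies really in front of Kong.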

@chronolaw chronolaw added the pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... label Sep 10, 2024

This issue is marked as stale because it has been open for 14 days with no activity.

@github-actions github-actions bot added the stale label Sep 25, 2024

github-actions bot commented Oct 3, 2024

Dear contributor,

We are automatically closing this issue because it has not seen any activity for three weeks.
We're sorry that your issue could not be resolved. If any new information comes up that could
help resolving it, please feel free to reopen it.

Your contribution is greatly appreciated!

Please have a look at our pledge to the community for more information.

Sincerely,
Your Kong Gateway team

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Oct 3, 2024