`ratelimit` not taking effect when `proxy` is used

Hullo.

Just fired up Caddy for the first time today with a simple Caddyfile - I just want to wrap some rate-limiting around an existing web service. The problem is that the rate-limiting directive is being ignored. I’m using 0.9.5…

```
0.0.0.0:2015
prometheus 0.0.0.0:9180
proxy / localhost:8888
ratelimit / 2 2 minute
tls off
```

When I run Caddy with -plugins I can see both the proxy and ratelimit plugins are listed (and the Prometheus /metrics endpoint is working fine.)

What am I doing wrong? I should be getting HTTP 429 if I try more than 2 HTTP requests in a row, but I’m able to make many more than that.

Cheers,
Gavin.

Looks like you found a bug. Same effect with:

```
0.0.0.0:2015 {
	root .
	ratelimit /hit.html 2 2 minute
}
```

I’ve opened an issue: Not working with Caddy 0.9.5 · Issue #9 · xuqingfeng/caddy-rate-limit · GitHub


OK for the group, this plugin did a ‘smart’ thing and allowed all RFC1918 addresses 10.0.0.0/8 etc. to be classed as ‘internal traffic’, so they were not subject to the rate-limiting.

This makes the plugin less useful for use in AWS. However, by adding the ‘realip’ plugin, I have been able to get the desired behaviour.

This is now my working config:

```
0.0.0.0:2015
prometheus 0.0.0.0:9180
realip {
    from 10.0.0.0/8
}
ratelimit / 3 3 minute
proxy / localhost:8888
tls off
log stdout
```

and the log shows the real public IP of the end client, rather than the internal address of the AWS ELB.


Thanks, @captncraig, for the realip plugin, by the way! @gdhgdhgdh Glad you got it working.
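
The interaction described in this thread, as an added Go example that is not part of the thread and is not the code of the ratelimit or realip plugins: a limiter that exempts RFC 1918 peers sees every request behind the ELB as internal until the client address is taken from `X-Forwarded-For`, and that header is only safe to read when the TCP peer is in the trusted range. It assumes the load balancer appends the client address as the last header entry; the function names and sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Added example, names hypothetical. Ranges the thread says the plugin exempted as internal.
var rfc1918 = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"), netip.MustParsePrefix("192.168.0.0/16")}

func inAny(ip netip.Addr, nets []netip.Prefix) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP picks the rate-limit key. X-Forwarded-For is read only when the TCP peer
// is a trusted proxy, right to left; the first untrusted hop is the client.
func clientIP(remoteAddr, xff string, trusted []netip.Prefix) netip.Addr {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil || !inAny(ap.Addr(), trusted) {
		return ap.Addr() // direct or unparsable peer: ignore the header
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed entry: fall back to the peer address
		}
		if !inAny(ip, trusted) {
			return ip
		}
	}
	return ap.Addr()
}

func exempt(ip netip.Addr) bool { return inAny(ip, rfc1918) }

func describe(ip netip.Addr) string { return fmt.Sprintf("key=%s exempt=%t", ip, exempt(ip)) }

func main() {
	for _, trusted := range [][]netip.Prefix{nil, rfc1918[:1]} { // header ignored, then 10.0.0.0/8 trusted
		fmt.Println(describe(clientIP("10.0.3.17:41234", "203.0.113.9", trusted))) // constructed values
	}
}
```

Reading the header right to left means a client that sends its own `X-Forwarded-For: 10.9.9.9` through the load balancer is still keyed on the address the balancer appended, so it cannot claim the internal exemption.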