Traefik – how to rate-limit services behind cloudflare?

by Posted on

Intro

Traefik is a reverse proxy that runs in docker, and can also be used in kubernetes clusters. It dynamically routes requests based on what labels are sat on the containers you are running. I personally use traefik in front of all my services that run in docker, including this blog.

In terms of configuring Traefik, you have something that is called middlewares. A middleware can be something that receives the original request in to your traefik instance, and then does something to that request, and lastly sends it off to the original application. One thing I was looking at recently, was to use a middleware to set up rate-limiting on one of my services.

Source: https://doc.traefik.io/traefik/middlewares/overview/

The problem

Since I am using cloudflare in front of my services, I had issues figuring out exactly how to be able to rate limit the requests coming in. Cloudflare uses a header named CF-connecting-IP to store the original user’s IP, but traefik does not look for this header by default, nor any other header like X-Forwarded-For.

How to make Traefik use a header to group requests?

Rate limits are (most often) based on a user’s IP Address. If I did not use Cloudflare in my instance, these are the labels I would use in order to rate limit my service:

# [...] # compose.yml
services:
  my-service:
#    [...]

    labels:
      #port 80
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-http.rule=Host(`${WEBSITE_URL}`)"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-http.entrypoints=web"
      #https
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=Host(`${WEBSITE_URL}`)"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.entrypoints=websecure"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=httpsresolver"
      - "traefik.http.services.${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=${HTTP_PORT}"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls=true"
      - "traefik.enable=true"
      #----------------------------------------------------------

      # Rate limits
      - "traefik.http.middlewares.my-rate-limit.ratelimit.average=8"
      - "traefik.http.middlewares.my-rate-limit.ratelimit.burst=15"
      - "traefik.http.middlewares.my-rate-limit.ratelimit.period=2s"
      # Attach the rate limit middleware to the route for this service
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}.middlewares=my-rate-limit"
      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}-http.middlewares=my-rate-limit"

If you look at the bottom sections “Rate limits” and “Attach..”, these two are setting the rate limits on the route to my service.

In order to make that work with Cloudflare, all you have to add is one more label, that gives the middleware the information where to find the original IPs.

      - "traefik.http.middlewares.my-rate-limit.ratelimit.sourcecriterion.requestheadername=CF-connecting-IP"

This tells your traefik middleware to group the requests based on the value in CF-connecting-IP, and hence get access to the source IP that triggered the request. Read more here.

Wrapping up

If you want to learn more about rate-limiting, how the settings work in more detail, please refer to the official Traefik documentation.

Published by denNorske

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.