IP Addresses are not differentiated from one another?
mileung opened this issue · comments
I deployed an API that uses limiter on Google Cloud Run. On separate devices with different IP addresses, when I hit the rate limit on one device, the limit is hit on the other device. I have verified the two devices have different IP addresses by searching "my ip" in a browser on both devices. So it seems that the IP address or the key used for the store is the same.
Hello,
Do you have a reverse proxy in front of your API?
Not to my knowledge. Maybe Google Cloud Run is doing something I'm not aware of.
I made a rate limited test endpoint that prints the ip of the request and they are different on different devices, so there doesn't seem to be a proxy.
Yeah, pretty sure Google Cloud Run uses a reverse proxy. The different IP is not an argument because it's a best practice to have multiple reverse proxies for availability.
You should use the TrustForwardHeader option so the library will look at the X-Real-IP and/or X-Forwarded-For headers to use the public IP address.
Line 17 in 3b276cf
But be careful, if Google Cloud Run doesn't have a reverse proxy, and my diagnosis is wrong, this could leave you with potential IP spoofing for your limiter.
Thanks, that seems to have fixed the issue!
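The trade-off discussed in this thread, as an added example that is not code from the thread or from the limiter library: a standard-library sketch of deriving the rate-limit key so that forwarded headers are honoured only when the direct peer is a known proxy. The `10.0.0.0/8` proxy range, the sample addresses and the names `peerIP` and `LimiterKey` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed example range standing in for the platform's proxy tier (assumption);
// replace it with the ranges your hosting provider documents.
var _, trustedProxies, _ = net.ParseCIDR("10.0.0.0/8")

// peerIP returns the address of the directly connected peer (the TCP source).
func peerIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// LimiterKey picks the IP to rate-limit on. X-Forwarded-For is read only when
// the request arrived through a trusted proxy; otherwise a client could set it.
func LimiterKey(r *http.Request) string {
	peer := peerIP(r)
	if ip := net.ParseIP(peer); ip == nil || !trustedProxies.Contains(ip) {
		return peer // direct connection: ignore forwarded headers entirely
	}
	// Walk the chain right to left: proxies append, so the rightmost entry that
	// is not one of our proxies is the address the proxy tier actually saw.
	hops := strings.Split(strings.Join(r.Header.Values("X-Forwarded-For"), ","), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip != nil && !trustedProxies.Contains(ip) {
			return ip.String()
		}
	}
	return peer // header missing or unusable: fall back to the proxy address
}

func main() {
	// Constructed request: a client-supplied entry followed by the hop the proxy appended.
	r := &http.Request{RemoteAddr: "10.0.0.5:4000", Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", "192.0.2.1, 198.51.100.9")
	fmt.Println(LimiterKey(r))
}
```

Keying on the peer address alone reproduces the symptom reported above, since every request behind the proxy shares one key; trusting the header unconditionally gives the spoofing risk mentioned in the reply.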