CD
Cloudflare Developers6mo ago
similardisaster

Worker Rate Limiting API Not Triggering for IPv6

We noticed when using the Rate Limit api/binding for workers that the rate limit never seemed to trigger for IPv6 traffic. It only triggered for IPv4 traffic. This was tested using cf-connecting-ip and x-real-ip as the rate limiter key. Is there a different header or method we can use to reliably rate limit by IP? Not sure if our IPv4 settings for the site are causing the issues. We are aware that shared IP's is a common issue with rate limiting per IP, for our use case this is not an issue.
2 Replies
Chaika
Chaika6mo ago
Never? Did you try logging? One thing with IPv6 is you usually want to rate limit by the /64 (CF normal rate limiting does this too) because how many IPv6s you can get easily and each device having a different ip/changing every so often thanks to slaac, etc this works fine for me: 
export default {
    async fetch(req: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
        const ipAddress = req.headers.get('cf-connecting-ip') || '';
        console.log(ipAddress);
        const { success } = await env.MY_RATE_LIMITER.limit({ key: ipAddress });

        if (!success) {
            console.log(`rl`);
            return new Response(`429 Failure – rate limit exceeded for ${ipAddress}`, { status: 429 });
        }
        console.log(`no rl`);
        return new Response('Hello World!');
    },
};
export default {
    async fetch(req: Request, env: Env, ctx: ExecutionContext): Promise<Response> {
        const ipAddress = req.headers.get('cf-connecting-ip') || '';
        console.log(ipAddress);
        const { success } = await env.MY_RATE_LIMITER.limit({ key: ipAddress });

        if (!success) {
            console.log(`rl`);
            return new Response(`429 Failure – rate limit exceeded for ${ipAddress}`, { status: 429 });
        }
        console.log(`no rl`);
        return new Response('Hello World!');
    },
};
# The rate limiting API is in open beta.
[[unsafe.bindings]]
name = "MY_RATE_LIMITER"
type = "ratelimit"
# An identifier you define, that is unique to your Cloudflare account.
# Must be an integer.
namespace_id = "1001"

# Limit: the number of tokens allowed within a given period in a single
# Cloudflare location
# Period: the duration of the period, in seconds. Must be either 10 or 60
simple = { limit = 2, period = 10 }
# The rate limiting API is in open beta.
[[unsafe.bindings]]
name = "MY_RATE_LIMITER"
type = "ratelimit"
# An identifier you define, that is unique to your Cloudflare account.
# Must be an integer.
namespace_id = "1001"

# Limit: the number of tokens allowed within a given period in a single
# Cloudflare location
# Period: the duration of the period, in seconds. Must be either 10 or 60
simple = { limit = 2, period = 10 }
ET https://quick-rate-limit-test..workers.dev/ - Ok @ 5/29/2024, 10:13:35 PM
  (log) 2603:7080:no
  (log) no rl
GET https://quick-rate-limit-test..workers.dev/favicon.ico - Ok @ 5/29/2024, 10:13:35 PM
  (log) 2603:7080:no
  (log) no rl
GET https://quick-rate-limit-test..workers.dev/ - Ok @ 5/29/2024, 10:13:39 PM
  (log) 2603:7080:no
  (log) rl
GET https://quick-rate-limit-test..workers.dev/favicon.ico - Ok @ 5/29/2024, 10:13:39 PM
  (log) 2603:7080:no
  (log) rl
ET https://quick-rate-limit-test..workers.dev/ - Ok @ 5/29/2024, 10:13:35 PM
  (log) 2603:7080:no
  (log) no rl
GET https://quick-rate-limit-test..workers.dev/favicon.ico - Ok @ 5/29/2024, 10:13:35 PM
  (log) 2603:7080:no
  (log) no rl
GET https://quick-rate-limit-test..workers.dev/ - Ok @ 5/29/2024, 10:13:39 PM
  (log) 2603:7080:no
  (log) rl
GET https://quick-rate-limit-test..workers.dev/favicon.ico - Ok @ 5/29/2024, 10:13:39 PM
  (log) 2603:7080:no
  (log) rl
similardisaster
similardisasterOP6mo ago
Chaika, thanks, that's super helpful - I will test this out. Did not know about using the /64 I realized we are on enterprise and I believe we use the "Overwrite headers" version of psuedo IPv4 (https://developers.cloudflare.com/network/pseudo-ipv4/) so I am trying to narrow down if issue is due to ipv6 or due to that setting, or something else Will probably try using CF-Connecting-IPv6 if provided and use the /64 of that
Want results from more Discord servers?
Add your server