We have implemented host ip based rate limiting using python plugin with auth hook and its working fine. The issue is that if there is anything wrong with the plugin, all clients start getting 403, which is wrong.
We experienced this recently in production and we had to take the whole tyk implementation away from system. here is the link to that Error with middleware in one gateway while other pods are working fine
I understand that auth hook is required to create a session in first place but is there a way that we can implement this without the auth hook so that users don’t get 403 if there is something wrong with middleware.
I tried setting ‘x-tyk-authorization’ to host ip and setting up the session and token in pre hook, but it keeps on looking for the IP in redis to do authorization.
Looks like there is no way to implement rate limiting based on IP without doing any kind of authorization
The alternative is to use Golang plugin or program a separate connection to Redis then modify the key
Coming back to this, would ensuring one gateway starts before the others not mitigate this?
Also, could you explain more about why you feel a 403 output when there is a plugin error is wrong? My thinking would be if there is a plugin error that is critical to the API request, surely you would want to block authentication and mitigate any kind of security risk. Or would it be the status of the error you are more concerned about?
The whole point of authentication just to implement rate limiting seems wrong.
We do have API rate limiting on the API level. IP-based rate limits need the IP to be tracked. Which requires some kind of persistent storage, hence Redis.
If there are any plugin related errors, system should generate 500 and not 403
I can’t replicate this. The 403s are auth failed responses. If there is a plugin error, the status code is always 500. Maybe if you share your gateway version and plugin code, I could reproduce it.
But you could set the authentication to use the authToken and utilize the gateway Keys API in a pre-request middleware call to create a custom key (/tyk/keys/{keyID}) in Redis for the identified IP address
The value of the key returned in the response body
{
"key": "base64encoded value of {"org":"<org_id>","id":"<custom key id> e.g. 172.x.x.x","h":"<hash_key_function>e.g. murmur64"}"
}