How does Hasura IP rate limiting work if requests go through a reverse proxy before hitting Hasura?

[arcticmatt]

Our website is hosted on Cloudflare, which acts as a reverse proxy https://support.cloudflare.com/hc/en-us/articles/200170786.

That means the original visitor IP address is in a header called CF-Connecting-IP.

I'm not sure if Hasura's rate limiting (see https://hasura.io/learn/graphql/hasura-advanced/security/4-rate-limit/) is smart enough to deal with this, or if it will rate limit Cloudflare's IP addresses.

[ecthiender]

@arcticmatt Hasura looks into the x-real-ip or x-forwarded-for request headers. These are standard headers usually filled in by the proxies. Do you know if Cloudflare already adds x-real-ip/x-forwarded-for headers?

If the above are not found, then it will look up the connecting client's IP address from the packet

[ammarfaris]

It seems that Cloudflare adds x-forwarded-for in the headers, so it is a non-issue right? (just to double confirm) @ecthiender @arcticmatt

reference:
https://developers.cloudflare.com/fundamentals/get-started/reference/http-request-headers/#x-forwarded-for