Proxy & Load balancer settings

Proxy & Client's IP address

We'll automatically use the x-forwarded-for header to determine the client's IP address when behind a proxy.

If you're publicly exposing your server without a load balancer in front of it, you should set the AIKIDO_TRUST_PROXY env var to false to ensure that the correct IP address is used. Otherwise, someone could potentially spoof their IP address by adding the above header and thus bypassing the rate limiting

Rate limiting & Load balancers

By default each Zen instance will maintain its own rate limit counters. This means when you have 3 instances of an application, and set the rate limit to 10 per minute, the customer in theory could send 30 requests (10 per server).

In the case of round robin load balancing Aikido can calculate rate limits based on the number of instances. In the example above it would mean that the customer is able to send a maximum of 10 request as configured.

You can find this option under "Advanced Options" under the "Routes" tab when looking at a specific Zen app.

Additional configuration for ASP.NET Core

ASP.NET core will not automatically pick up x-forwarded-for without additional configuration. For more details check out the Microsoft docs.

Configuration via environment variables

Blocking vs Detection Mode in Zen Firewall