Forum Discussion
John_Alam_45640
Historic F5 Account
Puneet:
This thread should be helpful: https://devcentral.f5.com/questions/how-to-limit-a-client-ip-from-continuously-opening-connections-to-the-server
There is an iRule in that thread.
You should be able to:
1) Add this to your iRule:

    when RULE_INIT {
        # This is the max requests allowed during "interval" specified below.
        set static::maxRate 10;
        # Below is the lifetime of the subtable record in seconds.
        # This defines the interval during which requests are tallied. Example: Rate=10 and Timeout=3, allows 10 requests in 3 seconds
        # Note: do not use very high timeout because it increases memory utilization especially under high load.
        # Note: A rate of 100 in 50 seconds is the same as a rate of 20 in 1 second. But 1 second is a lot easier on memory,
        # because the records expire more quickly and the table does not become too large.
        set static::timeout 3;
    }

And 2) take this section below, and put it under the /oab part of your switch command. Then it should only limit the /oab URI.

    # Read this client's current request count without resetting the record's timer.
    set getCount [table lookup -notouch -subtable requests [IP::client_addr]]
    if { $getCount equals "" } {
        # First request in this interval: create the record with the interval as timeout and lifetime.
        log local0. "New one: getCount=$getCount [IP::client_addr] [clock seconds]"
        table set -subtable requests [IP::client_addr] "1" $static::timeout $static::timeout
    } else {
        if { $getCount < $static::maxRate } {
            # Still under the limit: count this request.
            table incr -notouch -subtable requests [IP::client_addr]
        } else {
            if { $getCount == $static::maxRate } {
                # Log once, when the limit is first reached, then move the counter past the limit.
                log local0. "User @ [IP::client_addr] [clock seconds] has reached $getCount in $static::timeout seconds."
                table incr -notouch -subtable requests [IP::client_addr]
            }
            HTTP::respond 501 content "Request blocked Exceeded requests/sec limit."
            drop
            return
        }
    }
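
An added example, not part of the original post: the two steps above assembled into one iRule. The `switch` on `HTTP::path` and its `default` case are assumptions standing in for the poster's existing iRule, and it answers with 429 and a `Retry-After` header instead of the post's 501 and `drop`.

```tcl
when RULE_INIT {
    # Max requests allowed per client IP during one interval.
    set static::maxRate 10
    # Interval length in seconds (timeout and lifetime of the subtable record).
    set static::timeout 3
}

when HTTP_REQUEST {
    # Assumed layout: the existing iRule's other switch cases sit beside "/oab*".
    switch -glob [string tolower [HTTP::path]] {
        "/oab*" {
            set key [IP::client_addr]
            # -notouch keeps the lookup from restarting the record's timer,
            # so the window is fixed from the client's first request.
            set getCount [table lookup -notouch -subtable requests $key]
            if { $getCount eq "" } {
                # First request in this window: start counting at 1.
                table set -subtable requests $key 1 $static::timeout $static::timeout
            } elseif { $getCount < $static::maxRate } {
                # Under the limit: count the request and let it through.
                table incr -notouch -subtable requests $key
            } else {
                if { $getCount == $static::maxRate } {
                    # Log once per window, then push the counter past the limit
                    # so later blocked requests do not log again.
                    log local0. "Rate limit on /oab: $key reached $getCount requests in $static::timeout seconds"
                    table incr -notouch -subtable requests $key
                }
                # 429 Too Many Requests (assumption: replaces the post's 501 + drop).
                HTTP::respond 429 content "Request blocked: request rate limit exceeded." "Retry-After" $static::timeout
                return
            }
        }
        default {
            # Every other URI is handled as before and is not rate limited.
        }
    }
}
```

With these values a client's first 10 requests to /oab in a 3-second window pass, later ones in that window are refused, and the count starts over when the record expires.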
Puneet_110030
Nov 22, 2013
Nimbostratus
All I want to do is use my existing iRule, but only rate limit traffic related to subsection /oab.
Not able to figure out how I can do that.