Jack_H_39707
Apr 30, 2010

Is there an IRules to control active connections?

Dear all, I am very new to F5 and would really appreciate it if any of the members here could help me.

Is there an iRule which allows F5 to control the active connections? Meaning, if I allow 20 connections at one time, the 21st connection will be redirected to an error page? Something like it can only let the next connection come in when the current connections drop below the allowed limit. I have tried with the help of a few examples posted; most of them work on preventing active concurrent connections.

6 Replies

  • Hi Jack,

    There is an excellent example in the code share that can be easily modified.

    http://devcentral.f5.com/wiki/default.aspx/iRules/LimitConnectionsFromClient.html

    In that example it's limiting the connection from the client and rejecting the packets. You can then replace the reject command with an HTTP::respond 403 or HTTP::redirect "http://domain.com/error.page"

    I hope this helps

    Bhattman
  • Dear Bhattman, thanks for your advice. The code works fine in rejecting. I have replaced the reject command with HTTP::redirect "http://mydomain.com/error.page" but it says HTTP::redirect does not apply to this event. Is there anything else I need to define in the code?
  • You are right.

    Here is another code that might work, it works based on cookies.

    rule session_limit {
       when RULE_INIT {
          # Per-client connection counts, keyed by the ClientID cookie value
          array set ::active_sessions { }
          set ::total_active_clients 0
          set ::max_active_clients 20
       }
       when HTTP_REQUEST {
          # client_id is a per-connection variable, so this block runs once per connection
          if { not [info exists client_id] } {
             if { [HTTP::cookie exists "ClientID"] } {
                set client_id [HTTP::cookie "ClientID"]
                set need_cookie 0
             } else {
                set client_id [string range [AES::key 128] 8 end]
                set need_cookie 1
             }
             if { not [info exists ::active_sessions($client_id)] } {
                if { $::total_active_clients >= $::max_active_clients } {
                   HTTP::redirect "http://mydomain.com/error.page"
                   # Forget the ID so a later request on this same connection is checked again
                   unset client_id
                   return
                }
                incr ::total_active_clients
                set ::active_sessions($client_id) 1
             } else {
                incr ::active_sessions($client_id)
             }
          }
       }
       when HTTP_RESPONSE {
          # Hand a newly generated ClientID back to the client
          if { $need_cookie } {
             HTTP::cookie insert name "ClientID" value $client_id
             set need_cookie 0
          }
       }
       when CLIENT_CLOSED {
          # Release the slot once the client's last counted connection closes
          if { [info exists client_id] and [info exists ::active_sessions($client_id)] } {
             incr ::active_sessions($client_id) -1
             if { $::active_sessions($client_id) <= 0 } {
                unset ::active_sessions($client_id)
                incr ::total_active_clients -1
             }
          }
       }
    }

    Bhattman
  • Dear Bhattman, pardon me for asking again. If I set "set ::max_active_clients 2" for testing, I am still able to access the URL with 3 different PCs on top of 2 PCs. Is it supposed to work this way, or is there something that I need to refine in the code?
  • That looks great Bhattman! I am wondering what ways there are to remotely modify the global variable max_active_clients. I've worked out two ways but am not sure if there is a better way.

    1 - Use iControl to delete and recreate a dummy iRule. On the creation of the iRule it will automatically run the RULE_INIT routine and modify the global variable.

    iRule - Dummy_Rule

    when RULE_INIT {
       set ::max_active_clients 30
       log local0. "Changing max_active to $::max_active_clients"
    }

    2 - Use a data group to keep the variable and modify it with iControl. In this example MAX_USERS is a data group with one element.

    Likely would need to move the creation of the variable into the "when HTTP_REQUEST" routine.

    when HTTP_REQUEST {
       set ::max_active_clients [class element 0 MAX_USERS]
    }

    Anthony
  • Either option should work fine. You could also change the iRule to read the datagroup directly instead of a global variable and then use iControl to update the datagroup entry.

    If you're on version 10.1+ you should use the table command instead of arrays. Hamish added an example to the Codeshare here:

    http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP_Session_Limit.html

    Aaron
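
An added example, not posted by anyone in this thread and not the Codeshare rule linked above: a sketch of the cookie-based limit rewritten around the table command for 10.1+, so entries age out on an idle timer instead of depending on CLIENT_CLOSED. The subtable name, the timeout and the static:: variable names are assumptions made for the example; the cookie name, limit and error URL are the ones used earlier in the thread.

```tcl
when RULE_INIT {
    # Constructed values for this example
    set static::max_sessions 20
    set static::idle_timeout 300          ;# seconds without a request before a slot is freed
    set static::subtable "active_sessions"
    set static::error_url "http://mydomain.com/error.page"
}
when HTTP_REQUEST {
    set need_cookie 0
    if { [HTTP::cookie exists "ClientID"] } {
        set client_id [HTTP::cookie "ClientID"]
        # A hit means this session is already counted; the lookup also
        # refreshes the entry's idle timer.
        if { [table lookup -subtable $static::subtable $client_id] ne "" } {
            return
        }
    }
    # Unknown or missing ID: admit only while below the limit.
    # The count and the add are separate operations, so a burst of new
    # clients can briefly push the total slightly over the limit.
    if { [table keys -subtable $static::subtable -count] >= $static::max_sessions } {
        HTTP::redirect $static::error_url
        return
    }
    # Issue a fresh server-generated ID instead of adopting a value the
    # client supplied that is not in the table.
    set client_id [string range [AES::key 128] 8 end]
    table add -subtable $static::subtable $client_id 1 $static::idle_timeout
    set need_cookie 1
}
when HTTP_RESPONSE {
    if { $need_cookie } {
        HTTP::cookie insert name "ClientID" value $client_id
    }
}
```

A client that never sends the cookie back is given a new entry on each admitted request, so the idle timeout is what bounds how long such entries hold a slot.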