Forum Discussion

Puneet_110030
Nov 22, 2013

Rate limiting traffic for Exchange OAB using source IP addresses/subnets

Hello there, I have a single VIP that takes care of multiple client requests for MS Exchange 2013, like Outlook Web Access, Offline Address Book etc., and I have achieved it using iRules.

Here is what my iRule looks like:

    # Exchange 2013 iRule to select pool without persistence when all Exchange
    # HTTP-based services are accessed through the same virtual server.
    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::path]] {
            "/microsoft-server-activesync" {
                # Exchange ActiveSync.
                pool Exchange_prod_2013_as_pool7
                COMPRESS::disable
                CACHE::disable
                return
            }
            "/owa*" {
                # Outlook Web App.
                pool Exchange_prod_2013_owa_pool7
                return
            }
            "/ecp*" {
                # Exchange Control Panel.
                pool Exchange_prod_2013_owa_pool7
                return
            }
            "/ews*" {
                # Exchange Web Services.
                pool Exchange_prod_2013_oa_pool7
                COMPRESS::disable
                CACHE::disable
                return
            }
            "/oab*" {
                # Offline Address Book.
                pool Exchange_prod_2013_oa_pool7
                persist none
                return
            }
            "/rpc/rpcproxy.dll" {
                # Outlook Anywhere.
                pool Exchange_prod_2013_oa_pool7
                COMPRESS::disable
                CACHE::disable
                return
            }
            "/autodiscover*" {
                # Requests for Autodiscover information.
                pool Exchange_prod_2013_ad_pool7
                persist none
                return
            }
            default {
                pool Exchange_prod_2013_owa_pool7
            }
        }
    }

    when HTTP_RESPONSE {
        # NTLM/Negotiate responses must stay on the same server-side connection.
        if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
            ONECONNECT::reuse disable
            ONECONNECT::detach disable
            NTLM::disable
        }
        if { [HTTP::header exists "Transfer-Encoding"] } {
            HTTP::payload rechunk
        }
    }

We have a requirement for rate limiting traffic to "/oab" using source IP/network addresses. I have created an object list containing the subnets I want rate limited, but I am not able to figure out how I can include it in my existing iRule above.

I am not looking for an exact answer, even though it won't hurt, but more importantly I am looking for a sense of direction.

Thank you!

6 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi Puneet, this DevCentral post might be helpful:

    https://devcentral.f5.com/articles/iruleology-table-based-rate-limiting.Uo-iusRxG-w

    Mike

  • Hi Mike,

    Thanks for the response. I have checked that URL; it will work well as long as I intend to do rate limiting based on either URI or source addresses. I want to do both for /oab and I am not sure how I can combine the two.

    Furthermore, my original iRule starts with a global switch and I am wondering if I need to change that as well.

    Thanks, Puneet

  • John_Alam_45640
    Historic F5 Account

    Puneet:

    This thread should be helpful: https://devcentral.f5.com/questions/how-to-limit-a-client-ip-from-continuously-opening-connections-to-the-server

    There is an iRule in that thread.

    You should be able to: 1) add this to your iRule:

        when RULE_INIT {
            # This is the max requests allowed during the "interval" specified below.
            set static::maxRate 10

            # Below is the lifetime of the subtable record in seconds.
            # This defines the interval during which requests are tallied. Example: Rate=10 and Timeout=3 allows 10 requests in 3 seconds.
            # Note: do not use a very high timeout because it increases memory utilization, especially under high load.
            # Note: A rate of 100 in 50 seconds is the same as a rate of 20 in 1 second. But 1 second is a lot easier on memory,
            # because the records expire more quickly and the table does not become too large.
            set static::timeout 3
        }

    And 2) take this section below and put it under the /oab part of your switch command. Then it should only limit the /oab URI.

        set getCount [table lookup -notouch -subtable requests [IP::client_addr]]
        if { $getCount equals "" } {
            # First request from this client in the current interval: create the record
            # with a timeout and a lifetime of $static::timeout seconds.
            log local0. "New one:  getCount=$getCount [IP::client_addr] [clock seconds]"
            table set -subtable requests [IP::client_addr] "1" $static::timeout $static::timeout
        } else {
            if { $getCount < $static::maxRate } {
                # Still under the limit: count this request without refreshing the record's timeout.
                table incr -notouch -subtable requests [IP::client_addr]
            } else {
                if { $getCount == $static::maxRate } {
                    # Log once when the limit is first reached.
                    log local0. "User @ [IP::client_addr] [clock seconds] has reached $getCount in $static::timeout seconds."
                    table incr -notouch -subtable requests [IP::client_addr]
                }
                HTTP::respond 501 content "Request blocked Exceeded requests/sec limit."
                drop
                return
            }
        }
    
    • Puneet_110030
      John, many thanks for your response. While I will certainly give it a shot, I am also looking at the possibility of redirecting the traffic related to "/oab" to a different VIP using my existing iRule. This will allow me to manipulate traffic. Any thoughts on that? Thanks,
    • Puneet_110030
      Can we add something like "rateclass OAB_RATE_LIMIT" under /oab within the original iRule to rate limit traffic related to OAB?
    • Puneet_110030
      All I want to do is use my existing iRule, but only rate limit traffic related to the /oab subsection. Not able to figure out how I can do that.
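Putting John's table-based counter together with the subnet list Puneet describes, as an added example that is not code from this thread or from F5's Exchange iRule: the check sits inside the existing /oab* branch, so only OAB requests from listed sources are counted and every other path is routed exactly as before. It assumes the object list is an address-type data group named oab_ratelimit_subnets, a separate subtable named oab_requests, and a 429 response with Retry-After; all three are assumptions, and the other switch branches are omitted.

```tcl
# Added example: per-source-subnet rate limit for /oab only, using a table counter.
# Assumes an address-type data group "oab_ratelimit_subnets" (assumed name) that holds
# the subnets to limit; all other switch branches stay exactly as in the original iRule.
when RULE_INIT {
    set static::oab_maxRate 10   ;# requests allowed per client address per interval
    set static::oab_timeout 3    ;# interval in seconds (lifetime of the subtable record)
}

when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
        "/oab*" {
            # Offline Address Book. Only sources listed in the data group are counted;
            # "class match" on an address data group does the subnet comparison.
            if { [class match [IP::client_addr] equals oab_ratelimit_subnets] } {
                set client [IP::client_addr]
                # -notouch: reading the record must not extend its lifetime, so the
                # window is a fixed interval that starts at the client's first request.
                set count [table lookup -notouch -subtable oab_requests $client]
                if { $count equals "" } {
                    # First request in this interval: create the record with both a
                    # timeout and a lifetime of $static::oab_timeout seconds.
                    table set -subtable oab_requests $client 1 $static::oab_timeout $static::oab_timeout
                } elseif { $count < $static::oab_maxRate } {
                    table incr -notouch -subtable oab_requests $client
                } else {
                    if { $count == $static::oab_maxRate } {
                        # Log once when the limit is first reached, then stop counting
                        # so a flooding client does not keep writing log lines.
                        log local0. "OAB rate limit: $client reached $count requests in $static::oab_timeout s"
                        table incr -notouch -subtable oab_requests $client
                    }
                    # 429 is assumed here instead of the 501 used in the linked thread.
                    HTTP::respond 429 content "OAB request rate limit exceeded" \
                        "Retry-After" $static::oab_timeout "Content-Type" "text/plain"
                    return
                }
            }
            # Not listed, or still under the limit: forward as before.
            pool Exchange_prod_2013_oa_pool7
            persist none
            return
        }
        default {
            pool Exchange_prod_2013_owa_pool7
        }
    }
}
```

Because the counter key is the client address, clients behind a shared NAT share one budget; size static::oab_maxRate with that in mind and watch the log line before tightening it.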