no-idea-what-im
Jul 02, 2014 (Nimbostratus)
Exponential backoff iRule and True-Client-IP HTTP header
Hi,
I am working on using the exponential backoff iRule (https://devcentral.f5.com/wiki/irules.POST-Request-Exponential-Backoff.ashx) to help with some suspicious login attempts.
The issue I am running into is that in order to block the client IP, I need to adjust the example iRule to use a custom x-forwarded-for header (True-Client-IP). The iRule currently uses IP::remote_addr in CLIENT_ACCEPTED to build the session ID, but I need it to use the HTTP::header "True-Client-IP" header, which is not available in CLIENT_ACCEPTED.
Below is the example exponential backoff code, with my comments preceded with a #. I am new to iRules and programming, so please accept my apologies in advance.
Any help or ideas would be greatly appreciated.
when RULE_INIT {
    set static::min_lockout 2
    set static::max_lockout 86400
    set static::logging 1
}
when CLIENT_ACCEPTED {
    # Per-connection values belong in plain variables; static:: variables are shared by every connection.
    set session_id "[IP::remote_addr]:[TCP::remote_port]"
    # Ideally, the above line would read something like
    # set session_id "[HTTP::header "True-Client-IP"]:[TCP::remote_port]", but it does not work
    set state_table "[virtual name]-exp-backoff-state"
}
when HTTP_REQUEST {
    if { [HTTP::method] eq "POST" } {
        set prev_attempts [table lookup -subtable $state_table $session_id]
        if { $prev_attempts eq "" } { set prev_attempts 0 }
        # exponential backoff - http://en.wikipedia.org/wiki/Exponential_backoff
        # shift by (attempts - 1), kept in 0..30 so it is never negative and cannot wrap a 32-bit integer
        set shift [expr {$prev_attempts - 1}]
        if { $shift < 0 } { set shift 0 }
        if { $shift > 30 } { set shift 30 }
        set new_lockout [expr {1 << $shift}]
        if { $new_lockout > $static::max_lockout } {
            set new_lockout $static::max_lockout
        } elseif { $new_lockout < $static::min_lockout } {
            set new_lockout $static::min_lockout
        }
        table incr -subtable $state_table $session_id
        table timeout -subtable $state_table $session_id $new_lockout
        if { $static::logging > 0 } {
            log local0. "POST request ([expr {$prev_attempts + 1}]) from $session_id received during lockout period, updating lockout to ${new_lockout}s"
        }
        if { $prev_attempts > 1 } {
            # alternatively respond with content - https://devcentral.f5.com/wiki/iRules.HTTP__respond.ashx
            set response "<html><head><title>Hold up there!</title></head><body><h1>Hold up there!</h1><p>You're"
            append response " posting too quickly. Wait a few moments and try again.</p></body></html>"
            HTTP::respond 200 content $response
        }
    }
}
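One way to key the backoff on True-Client-IP, as an added example that is not the DevCentral rule or the poster's code: the session id is built in HTTP_REQUEST, where the header is readable, and the header value is only used when it is a single well-formed IPv4 address, falling back to the TCP peer address otherwise. It assumes the header is set by a trusted upstream proxy or CDN that strips any client-supplied copy; the variable names and the 429 response are this example's own choices.

```tcl
when RULE_INIT {
    set static::min_lockout 2
    set static::max_lockout 86400
    set static::logging 1
}
when HTTP_REQUEST {
    if { [HTTP::method] ne "POST" } { return }
    # Per-request values stay in plain variables: static:: variables are shared by all connections.
    set state_table "[virtual name]-exp-backoff-state"
    # Start from the TCP peer address and replace it with True-Client-IP only when the header
    # carries a single, well-formed IPv4 address. The header is only meaningful when the
    # upstream proxy/CDN (assumed here) sets it and strips any client-supplied copy.
    set client_ip [IP::client_addr]
    if { [HTTP::header exists "True-Client-IP"] } {
        set hdr [string trim [lindex [split [HTTP::header "True-Client-IP"] ","] 0]]
        if { [regexp {^\d{1,3}(\.\d{1,3}){3}$} $hdr] } {
            set client_ip $hdr
        }
    }
    # Key on the address alone: appending the source port would give every new TCP
    # connection a fresh counter and defeat the backoff.
    set session_id $client_ip
    set prev_attempts [table lookup -subtable $state_table $session_id]
    if { $prev_attempts eq "" } { set prev_attempts 0 }
    # Exponential backoff: 2^(attempts-1) seconds, clamped to [min_lockout, max_lockout].
    # The shift is kept in 0..30 so it is never negative and cannot wrap a 32-bit integer.
    set shift [expr {$prev_attempts - 1}]
    if { $shift < 0 } { set shift 0 }
    if { $shift > 30 } { set shift 30 }
    set new_lockout [expr {1 << $shift}]
    if { $new_lockout > $static::max_lockout } {
        set new_lockout $static::max_lockout
    } elseif { $new_lockout < $static::min_lockout } {
        set new_lockout $static::min_lockout
    }
    table incr -subtable $state_table $session_id
    table timeout -subtable $state_table $session_id $new_lockout
    if { $static::logging > 0 } {
        log local0. "POST ([expr {$prev_attempts + 1}]) from $session_id, lockout now ${new_lockout}s"
    }
    if { $prev_attempts > 1 } {
        HTTP::respond 429 content "Too many requests; wait ${new_lockout}s and try again." "Retry-After" $new_lockout "Content-Type" "text/plain"
    }
}
```

Because the key is whatever the upstream tier puts in the header, the rule is only as trustworthy as that tier; if the virtual server is reachable without going through it, the fallback to IP::client_addr is what actually applies.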