Nimbostratus
NimbostratusHi,
A dual-policy setup is justified in some cases, but here you can ease your management efforts and go with one. When it comes to creating exceptions for "good bots", you can identify those by User-Agent header.
For example, those are top well-known "good bots" https://www.keycdn.com/blog/web-crawlers/
iRule logic for allowing those specific bots, without globally disabling the violation itself would work as summarized by 5 steps below. This will not do rate-throttling but will help you distinguish well-known bots from the rest.
If you have your own bot/crawler, just make up a User-Agent header if it doesn't already have one. Pardon for not providing you code, I lack ability to test at this hour and don't want to provide something completely untested.
Hope this will get you started!
NimbostratusHi Hannes,
I really appreciate your reply. I like the idea of checking the user-agent and checking for just 1 violation to prevent workarounds. I'll have to check the logs and see what user-agent our bots are using.
The main reason I was thinking about doing it this way is because our apps that are getting scraped are behind an auth wall, so bots have to present creds to get in, so we aren't getting Google, Bing, etc. The good bots are used by companies that are acting as agents or intermediaries to get data on behalf of groups of real users, and we are required to allow them or the real users who hire these companies can claim we deny access to their own data. The problem is when the bots scrape too fast, thus the daytime and nighttime rate ceilings. We have rate requirements that the bot handlers are aware of but don't always respect, so we need a technical control.
I'll check the user-agents. Assuming the bots DON'T use unique user-agents, does it look like my idea will work? Any obvious alternatives? I'm in a bit of a time crunch and also don't have full admin rights in the ASM (we use a delegated admin model), so trial and error will take some time that I don't have much of.
One other question: will this iRule fire before the ASM processes any security policy, so I can choose whether one of the 2 custom policies gets applied and have the default be used otherwise? Do I need to make any config changes to achieve this? I read about setting the "Trigger ASM iRule event setting" in a security policy, but I want this iRule to run before the default security policy if possible. I am still very new to ASM so I don't know if this is feasible, or what is the accepted way of selecting which security policy to use.
I really appreciate your help! Please feel free to recommend reading material in lieu of an answer if that seems appropriate.
Nathan