For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

fmoghimi's avatar
fmoghimi
Icon for Nimbostratus rankNimbostratus
Jul 09, 2021

Connection limit for a URI path.

Hi

 

I just got the question to put a connection limit for a single URI path of a virtual server.

The virtual server is used for multiple applications. so like, www.example.com/app1 or /app2.

So If i set the connection limit for the example.com virtual server, the connection limit is set for both app1 and app2. The virtual server has a rewrite profile for this.

Is it possible to set a connection limit for a single application?

The only way I can see it work is an irule, but i'm pretty new to irules, I haven't found anything on the internet about this.

Any help is appreciated. Thanks in advance!

application delivery
iRules
LTM
security

1 Reply

  • Amine_Kadimi's avatar
    Amine_Kadimi
    Icon for MVP rankMVP
    Jul 09, 2021

    Hi,

    You are looking after limiting L7 requests and not L4 connections which are not aware of the /app1 /app2... paths.

    This iRule is a good starting point :

    # This iRule limits the number of HTTP Requests from a specified client IP address to 100 HTTP Requests for 5 minutes
# A Data Group IP_Throttle_List will contain the IP addresses that require throttling
 
when HTTP_REQUEST {
 
# Check if the IP address is within the defined list of addresses to throttle
if { [class match [IP::client_addr] equals IP_Throttle_List ] } {
 
        # Check if there is an entry for the client_addr in the table
        if { [ table lookup -notouch [IP::client_addr] ] != "" } {
        # If the value is less than 100 increment it by one
            log local0. "Client Throttle: Value present for [IP::client_addr]"
                        if { [ table lookup -notouch [client_addr] ] < 100 } {
                        log local0. "Client Throttle: Number of requests from client = [ table lookup -notouch [client_addr] ]"
                        table incr -notouch [IP::client_addr] 1
                        } else {
                            log local0. "Client Throttle: Client has exceeded the number of allowed requests of [ table lookup -notouch [client_addr] ]"
                            # This else statement is invoked when the table key value for the client IP address is more than 100. That is, the client has reached the 100 request limit
                                    HTTP::respond 200 content {
                                        <html>
                                        <head>
                                        <title>Information Page</title>
                                        </head>
                                        <body>
                                          We are sorry, but the site has received too many requests. Please try again later.
                                        </body>
                                        </html>
                                    }
                       }
            } else {
                    # If there is no entry for the client_addr create a new table to track number of HTTP_REQUEST. Lifetime is set to 5 minutes
                    log local0. "Client Throttle: Table created for [IP::client_addr]"
                    table set [IP::client_addr] 1 300
                    }
 
} else {
    return
}
 
}

    Source: https://clouddocs.f5.com/api/irules/Limit-the-number-of-HTTP-requests-by-a-client-within-a-specified-time.html

    You can remove the class match part if not needed. And you can add the check of the exact path requested by the client using :

    if { [HTTP::uri] starts_with "/app1" } {
     ...
 }

    Let me know if that helps