For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

fmoghimi's avatar
fmoghimi
Icon for Nimbostratus rankNimbostratus
Jul 09, 2021

Connection limit for a URI path.

Hi   I just got the question to put a connection limit for a single URI path of a virtual server. The virtual server is used for multiple applications. so like, www.example.com/app1 or /app2. S...
application delivery
iRules
LTM
security
Amine_Kadimi's avatar
Amine_Kadimi
Icon for MVP rankMVP
Jul 09, 2021

Hi,

You are looking after limiting L7 requests and not L4 connections which are not aware of the /app1 /app2... paths.

This iRule is a good starting point :

# This iRule limits the number of HTTP Requests from a specified client IP address to 100 HTTP Requests for 5 minutes
# A Data Group IP_Throttle_List will contain the IP addresses that require throttling
 
when HTTP_REQUEST {
 
# Check if the IP address is within the defined list of addresses to throttle
if { [class match [IP::client_addr] equals IP_Throttle_List ] } {
 
        # Check if there is an entry for the client_addr in the table
        if { [ table lookup -notouch [IP::client_addr] ] != "" } {
        # If the value is less than 100 increment it by one
            log local0. "Client Throttle: Value present for [IP::client_addr]"
                        if { [ table lookup -notouch [client_addr] ] < 100 } {
                        log local0. "Client Throttle: Number of requests from client = [ table lookup -notouch [client_addr] ]"
                        table incr -notouch [IP::client_addr] 1
                        } else {
                            log local0. "Client Throttle: Client has exceeded the number of allowed requests of [ table lookup -notouch [client_addr] ]"
                            # This else statement is invoked when the table key value for the client IP address is more than 100. That is, the client has reached the 100 request limit
                                    HTTP::respond 200 content {
                                        <html>
                                        <head>
                                        <title>Information Page</title>
                                        </head>
                                        <body>
                                          We are sorry, but the site has received too many requests. Please try again later.
                                        </body>
                                        </html>
                                    }
                       }
            } else {
                    # If there is no entry for the client_addr create a new table to track number of HTTP_REQUEST. Lifetime is set to 5 minutes
                    log local0. "Client Throttle: Table created for [IP::client_addr]"
                    table set [IP::client_addr] 1 300
                    }
 
} else {
    return
}
 
}

Source: https://clouddocs.f5.com/api/irules/Limit-the-number-of-HTTP-requests-by-a-client-within-a-specified-time.html

You can remove the class match part if not needed. And you can add the check of the exact path requested by the client using :

if { [HTTP::uri] starts_with "/app1" } {
     ...
 }

Let me know if that helps