Forum Discussion
John_Alam_45640
Historic F5 Account
Here is a better version of this iRule.
when RULE_INIT {
    # Maximum number of requests allowed during the "interval" (static::timeout) specified below.
    set static::maxRate 10
    # Lifetime of the subtable record in seconds. This defines the interval during which
    # requests are tallied. Example: maxRate=10 and timeout=3 allows 10 requests in 3 seconds.
    # Note: do not use a very high timeout, because it increases memory utilization,
    # especially under high load.
    # Note: a rate of 100 in 50 seconds is the same average rate as 2 in 1 second, but
    # 1 second is much easier on memory because the records expire sooner and the
    # table does not grow too large.
    set static::timeout 3
}
when HTTP_REQUEST {
    # -notouch: reading the record must not extend its lifetime
    set getCount [table lookup -notouch -subtable requests [IP::client_addr]]
    if { $getCount equals "" } {
        log local0. "New one: getCount=$getCount [IP::client_addr] [clock seconds]"
        # First request from this address: create the record with both the timeout
        # and the lifetime set to static::timeout seconds
        table set -subtable requests [IP::client_addr] "1" $static::timeout $static::timeout
    } else {
        if { $getCount < $static::maxRate } {
            table incr -notouch -subtable requests [IP::client_addr]
        } else {
            if { $getCount == $static::maxRate } {
                # Log only once, on the first blocked request, then keep counting
                log local0. "User @ [IP::client_addr] [clock seconds] has reached $getCount in $static::timeout seconds."
                table incr -notouch -subtable requests [IP::client_addr]
            }
            # 501 is the status this rule returns; 429 Too Many Requests is the standard status for rate limiting
            HTTP::respond 501 content "Request blocked: exceeded requests/sec limit."
            drop
            return
        }
    }
}
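To make the counting behaviour of the rule above concrete, here is an added Python model of its subtable logic (example code written for this page, not F5 code and not part of the post above). It assumes that a record's lifetime expires exactly static::timeout seconds after creation and that -notouch increments never extend it; the traffic generator, the key strings and the addresses are constructed for the illustration. It also shows why a handful of browser refreshes, each fetching the page plus several sub-resources, can hit a limit of 10 requests in 3 seconds.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    count: int
    expires_at: float  # absolute time at which the subtable entry is purged


@dataclass
class FixedWindowLimiter:
    """Model of the iRule's 'requests' subtable: one counter per key with a
    fixed lifetime set at creation. Increments use -notouch, so they never
    extend the lifetime; the window is fixed, not sliding."""
    max_rate: int = 10      # static::maxRate
    timeout: float = 3.0    # static::timeout (seconds)
    table: dict = field(default_factory=dict)

    def _lookup(self, key, now):
        rec = self.table.get(key)
        if rec is not None and now >= rec.expires_at:
            # Lifetime elapsed: the record is gone, exactly as if TMM had purged it
            # (assumption: expiry is modelled as instantaneous at the deadline)
            del self.table[key]
            return None
        return rec

    def request(self, key, now):
        """Return 'allow' or 'block' for one request from `key` at time `now`.
        `key` is whatever string the rule keys on (IP::client_addr above);
        every requester that maps to the same key shares one counter."""
        rec = self._lookup(key, now)
        if rec is None:
            # table set ... "1" $static::timeout $static::timeout
            self.table[key] = Record(1, now + self.timeout)
            return "allow"
        if rec.count < self.max_rate:
            rec.count += 1      # table incr -notouch
            return "allow"
        if rec.count == self.max_rate:
            rec.count += 1      # the rule logs here, increments once more, then blocks
        return "block"

    def live_records(self):
        """Number of records currently held (what the timeout note is about)."""
        return len(self.table)


def simulate_refreshes(limiter, key, refreshes, requests_per_refresh, seconds_between):
    """Constructed traffic: each browser refresh fires `requests_per_refresh`
    requests (page plus sub-resources) 10 ms apart; refreshes are
    `seconds_between` seconds apart. Returns a list of (time, decision)."""
    out = []
    for r in range(refreshes):
        for i in range(requests_per_refresh):
            t = r * seconds_between + i * 0.01
            out.append((round(t, 2), limiter.request(key, t)))
    return out


if __name__ == "__main__":
    # Constructed example: 4 refreshes, 6 requests each, one refresh per second.
    lim = FixedWindowLimiter(max_rate=10, timeout=3.0)
    for t, decision in simulate_refreshes(lim, "203.0.113.7", 4, 6, 1.0):
        print(f"t={t:5.2f}s  {decision}")
```

With max_rate=10 and timeout=3, the first 10 requests are allowed, the 11th and 12th (still inside the first refresh pair) are blocked, the whole third refresh is blocked because the record created at t=0 lives until t=3, and the fourth refresh at t=3 starts a fresh window and is allowed again. Two different keys never interfere, and two requesters that present the same key always do.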
Alexander_Kwong
Dec 06, 2013 (Nimbostratus)
Sorry, I forgot to mention that we tested it out and it works; however, after a few refreshes of the web page from the same client, we get the "Request blocked" message. So my question is: if we are using SNAT and multiple clients connect, will this block other legitimate users that access the site at the same time? Or does this filter only by the real client IP address (not the NAT'ed one)?