Forum Discussion
How to limit access by time?
Dear community,
I need to handle requests for a particular domain in a different way. I usually apply a few simple conditions, for example, requests must arrive with the xpto.com header to be forwarded to the pool.
- I use a BIG-IP LTM 13.0.0.
From what I've been researching, I believe that the FLOW_INIT function helps me with what I need, but I still cannot reach my goal.
Below is a simple example of what I use to test:
    when HTTP_REQUEST {
        # Only handle requests whose Host header matches exactly (port included)
        if { [HTTP::host] equals "drop.test:8080" } {
            switch -glob [HTTP::uri] {
                "/test/*" {
                    log local0. "/test/ - accept - source: [IP::remote_addr] - uri: [HTTP::host][HTTP::uri]"
                    # HTTP::respond takes a status code, then the content
                    HTTP::respond 200 content "Test ok!"
                }
                "/drop/*" {
                    log local0. "/drop/ - accept - source: [IP::remote_addr] - uri: [HTTP::host][HTTP::uri]"
                    HTTP::respond 200 content "Drop ok!"
                }
                default {
                    # Any other URI on this host: log it and reset the connection
                    log local0. "reject - source: [IP::remote_addr] - uri: [HTTP::host][HTTP::uri]"
                    reject
                }
            }
        }
    }
- Lee_Sutcliffe (Nacreous)
You could achieve this using subtables. Use two tables, a "pre-block" table to cache IP information, and a "block" table of IP addresses that have breached your policy. Using the lifetime facility you can create an effective TTL for the connection.
Example high-level overview:
1) Check if IP is in the 'block' subtable.
   - yes - block
   - no - continue
2) Is the IP in the 'pre-block' subtable?
   - yes - if counter > 49, add to block table with lifetime of 30 min - else increment connection counter, where IP is the key, counter is the value.
   - no - write IP address to 'pre-block' table with a value of '1' and a lifetime of 30 min
See the following link for further reading on subtables: https://devcentral.f5.com/articles/v101-the-table-command-subtables
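The two-subtable flow outlined in the answer above, written out as an iRule. This is an added example, not code from the original thread; the subtable names `block` and `pre_block`, the choice of the CLIENT_ACCEPTED event (one count per TCP connection) and the log messages are assumptions, while the threshold of 49 and the 30-minute lifetime come from the answer.

```tcl
when CLIENT_ACCEPTED {
    # Key both subtables on the client source address
    set ip [IP::client_addr]
    # Lifetime in seconds (30 minutes, as in the answer)
    set lifetime 1800

    # 1) Already in the 'block' subtable: refuse the connection.
    #    -notouch keeps the lookup from refreshing the entry.
    if { [table lookup -notouch -subtable block $ip] ne "" } {
        log local0. "blocked - source: $ip"
        reject
        return
    }

    # 2) Look up the connection counter in the 'pre-block' subtable.
    set count [table lookup -notouch -subtable pre_block $ip]

    if { $count eq "" } {
        # First connection seen: start the counter at 1.
        # Timeout 'indefinite' plus a fixed lifetime means the entry
        # expires 30 minutes after creation, however often it is read.
        table add -subtable pre_block $ip 1 indefinite $lifetime
    } elseif { $count > 49 } {
        # Threshold breached: move the address to the 'block' subtable
        # for 30 minutes and refuse this connection as well.
        table add -subtable block $ip 1 indefinite $lifetime
        log local0. "threshold breached, blocking for ${lifetime}s - source: $ip"
        reject
        return
    } else {
        # Below the threshold: count this connection.
        table incr -notouch -subtable pre_block $ip
    }
}
```

Because the counter entry keeps the lifetime set when it was created, the count resets 30 minutes after an address's first connection rather than sliding with each new one.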