HTTP Request Throttle iRule help

will that iRule only work for the ips in RequestLimit_Whitelist and RequestLimit_Blacklist data groupsi don't think so.

 

 

Otherwise, the client will be tracked. If they hit URLs that match the RequestLimit_URLlist data group then these requests are counted. Once the request rate hits throttle_activate_rate, the client is throttled down to throttle_limit_rate. Once they slow down enough they will be un-throttled.

In reference to the second irule at this link: http://devcentral.f5.com/wiki/iRules.HTTPRequestThrottle.ashx

 

 

IPs in the white list are never throttled.

 

IPs in the black list are always throttled.

 

IPs in neither list are throttled only if the send a request to a URI in the RequestLimit_URL datagroups.

 

 

These datagroups are maintained by you. They are not updated dynamically.

 

 

You do not have to use the IP white/black lists, although you must define them otherwise you get an error.

 

 

You should use The RequestLimit_URL list. Otherwise nothing is throttled.

 

 

This irule is not CMP compatible as is, this means that if you are on version 9.4 or above and using a bigip appliance with multiple CPUs, your virtual will be handled by only one CPU.

 

 

This irule also has old commands which will not survive an upgrade to the latest versions (v10.x or v11.x)

 

 

 

As to the first irule at that link: It is simpler and CMP compatible and will survive an upgrade. I wrote it for those reasons although it is not as feature rich as irule 2.

 

 

IRule 1 throttles POSTS only, if you want it to throttle GETs instead, just change the POST to a GET in the if statement.

 

 

If you need the features of the 2 irule, let us know, we will try to update it.

 

 

HTH.

 

Thanks for the Reply

 

 

"These datagroups are maintained by you. They are not updated dynamically

 

You do not have to use the IP white/black lists, although you must define them otherwise you get an error."

 

 

 

So if I don't list any IPs in the datagroups can this rule still allow and block IPs based on number of requests per sec.

 

 

 

"You should use The RequestLimit_URL list. Otherwise nothing is throttled"

 

 

 

We don't want to throttle the IPs based on the URL list, we want to do this based on number of requests per second.

 

 

 

 

Your best bet is i-Rule 1.

 

 

Her is a version of i-Rule 1 that throttles all requests:

 

 

This is a complete rewrite that is CMP-friendly, see older TMOS v9 code below.

 

 

Request Throttling

 

 

This I-Rule allows only "maxRate" HTTP requests within "windowSecs" interval.

 

This version defaults to limiting POSTs. If you need to limit GETs and/or POSTs

 

See notes below.

 

It is possible to limit on a user basis. See notes below.

 

 

CMP compatible: Yes

 

 

This rule requires:

 

A default pool so that the session table can be used

 

 

05/20/2010, Irule revised to use CMP compatible commands.

 

- "static" is added to global variable names.

 

- arrays replaced with subtables.

 

 

This rule developed on:

 

TMOS v10.1.0 build 3341.0

 

LTM

 

 

 

 

when RULE_INIT {

 

set static::maxRate 5

 

set static::windowSecs 2

 

set static::timeout 30

 

}

 

 

when HTTP_REQUEST {

 

 

This I-Rule limits "POST" requests, if you want to limit GETs instead, replace

 

"POST" with "GET" in if statement below.

 

If you want to limit all types or requests, remove this "if" statement below as well as its

 

Corresponding curly bracket '\}' on or around line 67 clearly maked with a comment.

 

 

 

set myUserID "user"

 

 

set currentTime [clock seconds]

 

set windowStart [expr {$currentTime - $static::windowSecs}]

 

set postCount 0

 

 

PH stands for posthistory, a term from the original irule.

 

 

log -noname local0. "Table Keys [table keys -subtable 'PH:${myUserID}.${AES_key}']"

 

 

foreach { requestTime } [table keys -subtable "PH:${myUserID}"] {

 

count POSTs with start time > $windowStart, delete the rest

 

if { $requestTime > $windowStart } {

 

incr postCount 1

 

} else {

 

table delete -subtable "PH:${myUserID}" $requestTime

 

}

 

}

 

 

if { $postCount < $static::maxRate } {

 

add new record to array w/myUserID.rand + currentTime

 

set requestID "PH:${myUserID}"

 

table set -subtable $requestID $currentTime "ignored" $static::timeout

 

} else {

 

log -noname local0. "POST Rejected: current postCount for ${myUserID}: $postCount"

 

HTTP::respond 501 content "Request blockedExceeded requests/sec limit."

 

return

 

}

 

 

}