Forum Discussion

MDolati_178990's avatar
MDolati_178990
Icon for Nimbostratus rankNimbostratus
Jul 01, 2017

I want restrict number of connection based on source IP if cookie exist for that source IP.

Hi Dears, i want to limit number of get request based on existing cookie for example i have a client with source IP 1.1.1.1 and i have a server with IP 2.2.2.2 i want F5 check cookies for source IP 1.1.1.1 and if cookie exist F5 limit number of get request to 10.

 

BIG-IP
iRules
security
  • MDolati_178990's avatar
    MDolati_178990
    Icon for Nimbostratus rankNimbostratus
    Jul 01, 2017

    I want to make relation between cookie and number of session for example if i have a cookie called AAA this cookie just can establish 10 session or 10 get request.

     

  • cjunior's avatar
    cjunior
    Icon for Nacreous rankNacreous
    Jul 04, 2017

    So, the cookie name/value will be provided by own server node or will get it from BIG-IP rule? In another words, who will control the cookie that BIG-IP should verify and count it? It's just a relevant information to my start.

     

    Regards.

     

  • Satoshi_Toyosa1's avatar
    Satoshi_Toyosa1
    Ret. Employee
    Jul 05, 2017

    It depends.

    If your requirement is "limit the number of accesses from the same source within a certain timeframe", you can use iRule table with an expiry timer to keep track of past sessions. For example, if the same user accesses the BIG-IP LTM 10 times within 100s, send back 50x response. You can determine the identity of the user by IP or cookie or any other unique values. The following sample shows IP address version. If you want to use cookie, you can use the value from 

    HTTP::cookie
    as the unique key.

    If you are talking about "limit the currently running (connected) sessions in parallel", it would be a bit complicated: you need to decrement the count upon the CLIENT_CLOSE event. Better error handling may be needed too. HTTP sessions are usually short-lived, so you may not need to go this path (I think).

    when RULE_INIT {
  set static::subtable "SatTest"
  set static::maxCount 10
}

when HTTP_REQUEST {

   Default timeout is 180(s). The entry is deleted if not touched more than 'timeout'.
  set timeout 100
   Default lifetime is 180(s). The entry is deleted after 'lifetime' from creation.
  set lifetime 100

  set ip [IP::client_addr]
  set count [table lookup -notouch -subtable $static::subtable $ip]

  if {$count == ""} {
    log local0. "$ip does not exist. Created."
    table set -subtable $static::subtable $ip 1 $timeout $lifetime
  }
  elseif {$count > $static::maxCount} {
    log local0. "$ip exeeded the max count. $count > $static::maxCount. Call rejected."
    HTTP::respond 503 content "I am overloaded."
    return
  }
  else {
    log local0. "$ip $count + 1"
    table incr -subtable $static::subtable $ip
  }
}

    See also: