Forum Discussion

Mohanad
Jun 19, 2023

iRule for limiting concurrent sessions to VS

Hello everyone,

I'm looking for an iRule for limiting concurrent sessions.

When the sessions have reached the maximum (10,000), new sessions will be dropped if the mobile app tries to connect to this URI (/v1/healthCheck). I found 2 iRules, but I want to combine them to achieve the required actions.

As far as I understand, the below iRule works on layer 4

when CLIENT_ACCEPTED {
    # One subtable per client IP, one entry per TCP connection, so this
    # counts connections per source address rather than per virtual server
    set tbl "connlimit:[IP::client_addr]"
    set key "[TCP::client_port]"

    # Threshold as posted (1000); the requirement above is 10,000
    if { [table keys -subtable $tbl -count] > 1000 } {
        # Nothing was registered for this connection, so skip CLIENT_CLOSED
        # (otherwise it would try to cancel a timer that was never created)
        event CLIENT_CLOSED disable
        reject
    } else {
        # Register the connection with a 180 s lifetime and refresh it every
        # 60 s so long-lived connections stay counted
        table set -subtable $tbl $key "ignored" 180
        set timer [after 60000 -periodic { table lookup -subtable $tbl $key }]
    }
}
when CLIENT_CLOSED {
    # Stop refreshing and release the slot when the connection ends
    after cancel $timer
    table delete -subtable $tbl $key
}

and this one on layer 7 

when HTTP_REQUEST {
    # Answer the health-check path with a 404 and discard the request;
    # on its own this rule does not check any connection count
    if {[HTTP::uri] contains "/v1/healthCheck"} {
        HTTP::respond 404 content "Maximum concurrent sessions limit reached"
        drop
    }
}

 Thank you.

  • Mohanad I believe you could do the following but this hasn't been tested so proceed with caution before configuring this in production.

    when CLIENT_ACCEPTED priority 500 {
        # Subtable per client IP; one key per TCP connection
        set tbl "connlimit:[IP::client_addr]"
        set key "[TCP::client_port]"
    }

    when HTTP_REQUEST priority 500 {
        # Threshold as posted (1000); counts this client IP's registered connections
        if { [table keys -subtable ${tbl} -count] > 1000 } {
            if {[HTTP::uri] contains "/v1/healthCheck"} {
                HTTP::respond 404 content "Maximum concurrent sessions limit reached"
                event CLIENT_CLOSED disable
                drop
            } else {
                event CLIENT_CLOSED disable
                reject
            }
        } elseif { ![info exists timer] } {
            # Register once per connection, not once per keep-alive request,
            # so only a single refresh timer exists per connection
            table set -subtable ${tbl} ${key} "ignored" 180
            set timer [after 60000 -periodic { table lookup -subtable ${tbl} ${key} }]
        }
    }

    when CLIENT_CLOSED priority 500 {
        # A connection that closed before its first request never created a
        # timer or a table entry, so guard against an unset variable
        if { [info exists timer] } {
            after cancel ${timer}
            table delete -subtable ${tbl} ${key}
        }
    }

    Do you have any particular reason you couldn't use the connection limit of the pool member or total pool members connections and then generate a response based on those pool members being in a "down" state when the connection limit is reached? It seems like this unnecessarily overcomplicates your configuration and makes it a bit more difficult to support in the future.
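Both iRules in the thread key their subtable on the client IP, so they cap connections per source address, not per virtual server as the question asks. The following is an added example (not code from the question or the reply above) that keys the subtable on `[virtual name]` so the count covers the whole virtual server. It assumes the 10,000 limit, the `/v1/healthCheck` path and the 404 text from the question; the `static::` names, the 180 s entry lifetime and the 60 s refresh interval are chosen here.

```tcl
# Added example: virtual-server-wide concurrent connection cap.
# Not from the original post or reply; limit, path and response text are
# taken from the question, everything else is an assumption made here.

when RULE_INIT {
    # Maximum concurrent connections for this virtual server (from the question)
    set static::max_conns 10000
    # Subtable entry lifetime in seconds; must exceed the refresh interval
    set static::conn_ttl 180
    # Refresh interval in milliseconds so long-lived connections stay counted
    set static::refresh_ms 60000
}

when CLIENT_ACCEPTED {
    # One subtable per virtual server, one entry per TCP connection
    set tbl "connlimit:[virtual name]"
    set key "[IP::client_addr]:[TCP::client_port]"
    set over_limit 0

    if { [table keys -subtable $tbl -count] >= $static::max_conns } {
        # Over the cap: do not register this connection. The refusal is
        # deferred to HTTP_REQUEST because a connection rejected here can
        # never receive the 404 the health-check path is supposed to get.
        set over_limit 1
    } else {
        table set -subtable $tbl $key "1" $static::conn_ttl
        # Periodic lookup touches the entry and extends its timeout
        set timer [after $static::refresh_ms -periodic { table lookup -subtable $tbl $key }]
    }
}

when HTTP_REQUEST {
    if { $over_limit } {
        if { [HTTP::path] starts_with "/v1/healthCheck" } {
            # Health check gets an explicit 404 and the connection is closed
            HTTP::respond 404 content "Maximum concurrent sessions limit reached" "Connection" "close"
        } else {
            # Any other request on an over-limit connection is refused outright
            reject
        }
    }
}

when CLIENT_CLOSED {
    # Only registered connections hold a timer and a table entry
    if { [info exists timer] } {
        after cancel $timer
        table delete -subtable $tbl $key
    }
}
```

Two caveats when reading this: `table keys -count` walks the subtable on every new connection, so at 10,000 entries a `table incr` counter (decremented in CLIENT_CLOSED) is cheaper, at the price of drifting if a close event is ever missed; and an over-limit connection that never sends an HTTP request is neither counted nor refused, so it stays open until the virtual server's idle timeout. The reply's suggestion of using the pool's connection limit avoids both problems for the plain "cap the total" case, and the iRule is only needed for the per-path 404 behaviour.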