For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mohanad's avatar
Mohanad
Icon for Cirrostratus rankCirrostratus
Jun 19, 2023

iRule for limiting concurrent sessions to VS

Hello everyone, i'm looking for iRule for limiting concurrent sessions. when the sessions has reached the maximum (10,000), new sessions will be droped if the mobile app trying to connect to this u...
application delivery
devops
security
Paulius's avatar
Paulius
Icon for MVP rankMVP
Jun 19, 2023

Mohanad I believe you could do the following but this hasn't been tested so proceed with caution before configuring this in production.

when CLIENT_ACCEPTED priority 500 {

    set tbl "connlimit:[IP::client_addr]"
    set key "[TCP::client_port]"

}

when HTTP_REQUEST priority 500 {

    if { [table keys -subtable ${tbl} -count] > 1000 } {
        if {[HTTP::uri] contains "/v1/healthCheck"} {
            HTTP::respond 404 content "Maximum concurrent sessions limit reached"
            event CLIENT_CLOSED disable
            drop
        } else {
            event CLIENT_CLOSED disable
            reject
        }
    } else {
        table set -subtable ${tbl} ${key} "ignored" 180
        set timer [after 60000 -periodic { table lookup -subtable ${tbl} ${key} }]
    }

}

when CLIENT_CLOSED priority 500 {
    after cancel ${timer}
    table delete -subtable ${tbl} ${key}
}

Do you have any particular reason you couldn't use the connection limit of the pool member or total pool members connections and then generate a response based on those pool members being in a "down" state when the connection limit is reached? It seems like this unnecessarily overcomplicates your configuration and makes it a bit more difficult to support in the future.