iRule triggers two times
Hi,
I created this iRule in order to set a rate limit based on source IP:
when RULE_INIT {
    set static::maxRate 4
    set static::windowSecs 10
    log local0. "Var Creation"
}
when HTTP_REQUEST {
    log local0. [IP::client_addr]
    # check IP
    if { [IP::addr [IP::client_addr] equals 192.168.19.12] } {
        # set variables
        set clientip_var [IP::client_addr]
        set get_count [table key -count -subtable $clientip_var]
        log local0. "$get_count before increase"
        # main condition
        if { $get_count < $static::maxRate } {
            incr get_count 1
            log local0. "$get_count after increase"
            table set -subtable $clientip_var $get_count $clientip_var indefinite $static::windowSecs
        } else {
            log local0. "404!?"
            HTTP::respond 404 content { "HTML PAGE" } -reset
            return
        }
    } else {
        return
    }
}
This iRule creates an array and counts the number of sessions; when the sessions reach the maxRate value, the iRule resets the newest session, until flush.
I realized that when I send a request from the client (with the correct IP) to the VS, the iRule is triggered twice, which means that the array reaches the limit with 2 requests instead of 4.
Have you ever had such a problem?
log:
first request:
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after increase
second request:
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 3 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 3 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 after increase
third and fourth request:
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 after increase
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 404!?
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 before increase
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 404!?
Best regards to all
Looking at the logs at a glance, it's actually 2 requests, not 1 request.
You are stating the below is just 1 request.
first request:
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after increase
But if we look at your iRule, in the HTTP_REQUEST event, your first piece of code itself logs the client IP [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice, in line 2 & line 5, so it's actually 2 HTTP_REQUEST events, not one. You may think it's 1 request, but it's actually 2.
Maybe there were some image, HTML, or JSON resource references in the page you first queried, and the second would have been that call.
Can you open your developer tools when sending the requests and see what is flowing in the network chart?
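Added example, not part of either post: a variant of the rate-limit iRule whose log lines carry the client port, method and URI, so the BIG-IP log itself shows whether each HTTP_REQUEST trigger is a separate request for the same page. The subtable prefix "rl_", the per-request key format and the log wording are assumptions chosen for this illustration.

```tcl
# Added example (not the poster's rule): same limiter, with every log line
# identifying the request that fired HTTP_REQUEST.
when RULE_INIT {
    set static::maxRate 4
    set static::windowSecs 10
}
when HTTP_REQUEST {
    # Only the test client is rate limited, as in the original rule
    if { ![IP::addr [IP::client_addr] equals 192.168.19.12] } {
        return
    }
    # Hypothetical subtable name: one subtable per client IP
    set subtable "rl_[IP::client_addr]"
    # Client port + method + URI: two triggers with different URIs (for
    # example /favicon.ico) are two requests, not one request seen twice
    set req "[IP::client_addr]:[TCP::client_port] [HTTP::method] [HTTP::uri]"
    set count [table keys -count -subtable $subtable]
    if { $count < $static::maxRate } {
        # Unique key per request, so every counted request is its own
        # entry and expires windowSecs after it was recorded
        set key "[clock clicks -milliseconds]_[expr { int(rand() * 1000000) }]"
        table set -subtable $subtable $key 1 indefinite $static::windowSecs
        log local0. "$req allowed ([expr { $count + 1 }]/$static::maxRate in window)"
    } else {
        log local0. "$req rejected ($count/$static::maxRate in window)"
        HTTP::respond 404 content "HTML PAGE"
    }
}
```

If the limit should apply to page loads rather than to every object the browser fetches, the logged URIs show which paths to exclude from counting.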