Forum Discussion

Satoshino's avatar
Satoshino
Icon for Cirrus rankCirrus
Apr 30, 2021

Irule Trigger two times

Hi, I created this irule in order to set rate limit based on source IP: when RULE_INIT {     set static::maxRate 4     set static::windowSecs 10     log local0. "Var Creation"      }   when HTTP_R...
devops
iRules
LTM
  • jaikumar_f5's avatar
    jaikumar_f5
    Apr 30, 2021

    Looking at the logs at glance, its actually 2 requests not 1 requests.

    You are stating the below is just 1 request.

    first request:
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after  increase

    But if we look at the Irule of yours, in HTTP_REQUEST event, your 1st piece of code itself is logging the client ip [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice in line 2 & line 5, so its actually 2 HTTP_REQUEST not one. You may think its 1 request, but its actually 2.

    May be there was some image, html, json resource references were their in the page you 1st queried & then second would been that call.

     

    Can you open your developer tool when sending the the requests & see what's all flowing in the network chart.

jaikumar_f5's avatar
jaikumar_f5
Icon for MVP rankMVP

Looking at the logs at glance, its actually 2 requests not 1 requests.

You are stating the below is just 1 request.

first request:
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after  increase

But if we look at the Irule of yours, in HTTP_REQUEST event, your 1st piece of code itself is logging the client ip [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice in line 2 & line 5, so its actually 2 HTTP_REQUEST not one. You may think its 1 request, but its actually 2.

May be there was some image, html, json resource references were their in the page you 1st queried & then second would been that call.

 

Can you open your developer tool when sending the the requests & see what's all flowing in the network chart.

jaikumar_f5's avatar
jaikumar_f5
Icon for MVP rankMVP
Apr 30, 2021

The easy way to identify what were the HTTP REQUESTS would be the log the URI. Please test if that gives some clue.