
Satoshino
Apr 30, 2021
Solved

Irule Trigger two times

Hi, I created this irule in order to set rate limit based on source IP: when RULE_INIT {     set static::maxRate 4     set static::windowSecs 10     log local0. "Var Creation"      }   when HTTP_R...
  • jaikumar_f5
    Apr 30, 2021

    Looking at the logs at a glance, it's actually 2 requests, not 1 request.

    You are stating the below is just 1 request.

    first request:
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
    Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
    Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after  increase

    But if we look at your iRule, in the HTTP_REQUEST event, your 1st piece of code itself is logging the client IP [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice, in line 2 & line 5, so it's actually 2 HTTP_REQUEST events, not one. You may think it's 1 request, but it's actually 2.

    Maybe there were some image, HTML, or JSON resource references in the page you first queried, & then the second would have been that call.

     

    Can you open your developer tools when sending the requests & see what's flowing in the network chart?
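
The check the reply does by eye, as added example code that is not from the thread: it splits the tmm log into HTTP_REQUEST invocations, treating each client-IP line as the start of one, as the reply reasons. The function names, the regexes and the year 2021 are assumptions made for this example.

```python
import re
from datetime import datetime

# The six tmm log lines quoted in the reply above.
SAMPLE_LOG = """\
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after  increase
"""

# syslog prefix, then "Rule <name> <EVENT>: <message>" (layout inferred from the lines above)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+\w+\s+tmm\d*\[\d+\]:\s+"
    r"Rule\s+\S+\s+<(?P<event>\w+)>:\s+(?P<msg>.*)$"
)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def split_invocations(log_text, event="HTTP_REQUEST", year=2021):
    """Group log lines into event invocations, one per client-IP line.

    Assumes the iRule logs [IP::client_addr] first in the event, as the reply
    says, and that invocations are not interleaved in the log.
    """
    invocations = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["event"] != event:
            continue
        msg = m["msg"].strip()
        if IP_RE.match(msg):
            # syslog omits the year; 2021 is assumed from the post date
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            invocations.append({"time": when, "client": msg, "lines": []})
        elif invocations:
            invocations[-1]["lines"].append(msg)
    return invocations


def requests_per_client(invocations):
    """Count invocations (HTTP requests seen by the iRule) per client IP."""
    counts = {}
    for inv in invocations:
        counts[inv["client"]] = counts.get(inv["client"], 0) + 1
    return counts
```

On the quoted lines this yields two invocations from 192.168.19.12, one second apart, each with its own before/after counter pair.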