Forum Discussion
Ken_Wong_48678 (Historic F5 Account)
Sep 30, 2005
limit client connection
Hi guys,
Is it possible, using an iRule, to limit the number of connections from each client IP address?
If yes, pls. give me some samples of how to do it. Thanks!
Regards,
Ken
4 Replies
- Colin_Walker_12 (Historic F5 Account)

  That's a great question, and one we've seen before.
  Here's a great post made a little while back that explains this, and gives a good example of the code.
  Click here - http://devcentral.f5.com/default.aspx?tabid=28&forumid=5&postid=1674&view=topic

  -Colin

- Ken_Wong_48678 (Historic F5 Account)

  Hi Colin,

  I have tested the following iRule and it can successfully check the number of connections. However, it cannot reject connections above 5.
  I opened a few browsers to access the BIG-IP VIP, and I see the log show "Client $client_ip has too many connections" once there are more than 5 connections. But when I open an additional browser to access the VIP, it can still access the server. Based on my understanding, the rule should block the sixth connection from the same IP address. Is that true? Thanks!

  ```tcl
  when RULE_INIT {
      # Global array of active connection counts, keyed by client IP
      array set ::active_clients { }
      log local0. "phase1"
  }

  when CLIENT_ACCEPTED {
      set client_ip [IP::remote_addr]
      if { [info exists ::active_clients($client_ip)] } {
          if { $::active_clients($client_ip) > 5 } {
              log "Client $client_ip has too many connections"
              reject
              return
          } else {
              log local0. "$::active_clients($client_ip)"
              incr ::active_clients($client_ip)
          }
      } else {
          set ::active_clients($client_ip) 1
      }
  }

  when CLIENT_CLOSED {
      if { [info exists ::active_clients($client_ip)] } {
          incr ::active_clients($client_ip) -1
          if { $::active_clients($client_ip) <= 0 } {
              unset ::active_clients($client_ip)
          }
      }
  }
  ```

- unRuleY_95363 (Historic F5 Account)

  I think the problem with your iRule is that after doing the "reject" command, the CLIENT_CLOSED event is still evaluated. So, the active_client count is decremented even though it wasn't incremented by this connection. So, you should move the "incr ::active_clients($client_ip)" line to before the check for > 5. That way the current connection will be counted and then decremented after being reset.

- unRuleY_95363 (Historic F5 Account)

  Another way to handle this would be to disable the CLIENT_CLOSED event when you do the reject. You can do this by adding the command "event CLIENT_CLOSED disable" before the "return" where you reject the connection.
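The first fix suggested above (count the connection before checking the limit), written out as an added example that is not code posted by anyone in the thread. The name `::max_conns` is introduced here for illustration, and the rule relies on the behaviour stated in the reply: CLIENT_CLOSED still runs for a connection that was rejected.

```tcl
when RULE_INIT {
    # Per-client connection counts, keyed by client IP
    array set ::active_clients { }
    # Hypothetical name for the limit; 5 matches the thread's example
    set ::max_conns 5
}

when CLIENT_ACCEPTED {
    set client_ip [IP::remote_addr]

    # Count this connection first, so that the decrement in
    # CLIENT_CLOSED always pairs with an increment, even when the
    # connection is rejected below.
    if { [info exists ::active_clients($client_ip)] } {
        incr ::active_clients($client_ip)
    } else {
        set ::active_clients($client_ip) 1
    }

    # With 5 connections open, a 6th raises the count to 6, is
    # rejected here, and CLIENT_CLOSED brings the count back to 5.
    if { $::active_clients($client_ip) > $::max_conns } {
        log local0. "Client $client_ip has too many connections"
        reject
        # Do not also add "event CLIENT_CLOSED disable" in this
        # variant: the rejected connection was counted above, so its
        # CLIENT_CLOSED must run to remove it from the count.
        return
    }
}

when CLIENT_CLOSED {
    if { [info exists ::active_clients($client_ip)] } {
        incr ::active_clients($client_ip) -1
        if { $::active_clients($client_ip) <= 0 } {
            unset ::active_clients($client_ip)
        }
    }
}
```

In the original rule, each rejected connection lowered the count without having raised it, so the next connection from the same client passed the check again; that matches the log message appearing while new browsers still reached the server.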