Forum Discussion
Rate limiting traffic for Exchange OAB using source IP addresses/subnets
Hello there, I have a single VIP that takes care of multiple client requests for MS Exchange 2013, like Outlook Web Access, Offline Address Book, etc., and I have achieved it using iRules.
Here is what my iRule looks like:
```tcl
# Exchange 2013 iRule to select pool without persistence when all Exchange
# HTTP-based services are accessed through the same virtual server.
when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
        "/microsoft-server-activesync" {
            pool Exchange_prod_2013_as_pool7
            COMPRESS::disable
            CACHE::disable
            return
        }
        "/owa*" {
            pool Exchange_prod_2013_owa_pool7
            return
        }
        "/ecp*" {
            # Exchange Control Panel.
            pool Exchange_prod_2013_owa_pool7
            return
        }
        "/ews*" {
            # Exchange Web Services.
            pool Exchange_prod_2013_oa_pool7
            COMPRESS::disable
            CACHE::disable
            return
        }
        "/oab*" {
            # Offline Address Book.
            pool Exchange_prod_2013_oa_pool7
            persist none
            return
        }
        "/rpc/rpcproxy.dll" {
            # Outlook Anywhere.
            pool Exchange_prod_2013_oa_pool7
            COMPRESS::disable
            CACHE::disable
            return
        }
        "/autodiscover*" {
            # Requests for Autodiscovery information.
            pool Exchange_prod_2013_ad_pool7
            persist none
            return
        }
        default {
            pool Exchange_prod_2013_owa_pool7
        }
    }
}
when HTTP_RESPONSE {
    if { [string tolower [HTTP::header values "WWW-Authenticate"]] contains "negotiate" } {
        ONECONNECT::reuse disable
        ONECONNECT::detach disable
        NTLM::disable
    }
    if { [HTTP::header exists "Transfer-Encoding"] } {
        HTTP::payload rechunk
    }
}
```
We have a requirement for rate limiting traffic to "/oab" using source IP/network addresses. I have created an object list containing the subnets I want rate limited, but I am not able to figure out how I can include it in my existing iRule above.
I am not looking for an exact answer, even though it won't hurt, but more importantly I am looking for a sense of direction.
Thank you!
6 Replies
- mikeshimkus_111
Historic F5 Account
Hi Puneet, this DevCentral post might be helpful:
https://devcentral.f5.com/articles/iruleology-table-based-rate-limiting.Uo-iusRxG-w
Mike
- Puneet_110030
Nimbostratus
Hi Mike,
Thanks for the response. I have checked that URL; it will work well as long as I intend to do rate limiting based on either URI or source addresses. I want to do both for /oab and I am not sure how I can combine the 2.
Furthermore, my original iRule starts with global switch and I am wondering if I need to change that as well.
Thanks, Puneet
- John_Alam_45640
Historic F5 Account
Puneet:
This thread should be helpful: https://devcentral.f5.com/questions/how-to-limit-a-client-ip-from-continuously-opening-connections-to-the-server
There is an irule in that thread.
You should be able to:
1) Add this to your iRule:
```tcl
when RULE_INIT {
    # This is the max requests allowed during "interval" specified below.
    set static::maxRate 10;

    # Below is the lifetime of the subtable record in seconds.
    # This defines the interval during which requests are tallied.
    # Example: Rate=10 and Timeout=3, allows 10 requests in 3 seconds
    # Note: do not use very high timeout because it increases memory
    #       utilization especially under high load.
    # Note: A rate of 100 in 50 seconds is the same as a rate of 20 in 1 second.
    #       But 1 second is a lot easier on memory, Because the records
    #       expire more quickly and the table does become too large.
    set static::timeout 3;
}
```
And 2) take this section below here, and put it under the /oab part of your switch command. Then it should only limit the /oab URI.
```tcl
set getCount [table lookup -notouch -subtable requests [IP::client_addr]]
if { $getCount equals "" } {
    log local0. "New one: getCount=$getCount [IP::client_addr] [clock seconds]"
    table set -subtable requests [IP::client_addr] "1" $static::timeout $static::timeout
} else {
    if { $getCount < $static::maxRate } {
        table incr -notouch -subtable requests [IP::client_addr]
    } else {
        if { $getCount == $static::maxRate } {
            log local0. "User @ [IP::client_addr] [clock seconds] has reached $getCount in $static::timeout seconds."
            table incr -notouch -subtable requests [IP::client_addr]
        }
        HTTP::respond 501 content "Request blocked Exceeded requests/sec limit."
        drop
        return
    }
}
```
- Puneet_110030
Nimbostratus
John, many thanks for your response. While I will certainly give it a shot, I am also looking at the possibility of redirecting the traffic related to "/oab" to a different VIP using my existing iRule. This will allow me to manipulate traffic. Any thoughts on that? Thanks,
- Puneet_110030
Nimbostratus
Can we add something like "rateclass OAB_RATE_LIMIT" under /oab within the original iRule to rate limit traffic related to OAB?
- Puneet_110030
Nimbostratus
All I want to do is use my existing iRule, but only rate limit traffic related to the subsection /oab. I am not able to figure out how I can do that.
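How the pieces discussed in this thread can fit together, as an added example that is not part of any post above: the source-subnet check and the table-based counter both sit inside the existing `/oab*` branch, so the other Exchange paths are untouched. The data group name `oab_limited_subnets`, the subtable name `oab_requests`, the `static::oab_*` variables and the 429 response are assumptions; the pool names are the ones from the original iRule.

```tcl
# Added example (not from the thread). Assumes an address-type data group
# named oab_limited_subnets (hypothetical name) listing the subnets to limit.
when RULE_INIT {
    set static::oab_max_rate 10   ;# requests allowed per window
    set static::oab_window   3    ;# window length in seconds
}

when HTTP_REQUEST {
    switch -glob -- [string tolower [HTTP::path]] {
        "/oab*" {
            # Offline Address Book: count only clients in the listed subnets.
            if { [class match [IP::client_addr] equals oab_limited_subnets] } {
                set key [IP::client_addr]
                # table add creates the entry only if it is absent, so the
                # window starts at the first request and expires on its own.
                table add -subtable oab_requests $key 0 $static::oab_window $static::oab_window
                # -notouch keeps later requests from extending the window.
                set count [table incr -notouch -subtable oab_requests $key]
                if { $count > $static::oab_max_rate } {
                    # Log once per window, on the first request over the limit.
                    if { $count == $static::oab_max_rate + 1 } {
                        log local0. "OAB rate limit hit by $key: more than $static::oab_max_rate requests in $static::oab_window s"
                    }
                    HTTP::respond 429 content "OAB request rate exceeded." "Retry-After" $static::oab_window
                    return
                }
            }
            pool Exchange_prod_2013_oa_pool7
            persist none
            return
        }
        # ... the remaining branches of the original switch stay as they are ...
        default {
            pool Exchange_prod_2013_owa_pool7
        }
    }
}
```

The counter is keyed on the individual client address, so clients behind one NAT address share a single budget; size `oab_max_rate` with that in mind.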