Forum Discussion
Universal Persistence with X-forwarder
- Jul 20, 2016
A formatted version of the "Per VS" rate limiting. You can apply the same iRule to all standard VS using UIE persistence.
```tcl
when RULE_INIT {
    # Maximum GETs per client IP and URI in one window, and the window length in seconds
    set static::maxReqs 3
    set static::timeout 60
}

when HTTP_REQUEST {
    # Virtual server name without the partition path; used as the data group prefix
    set vs [URI::basename [virtual]]

    # Use the first X-Forwarded-For address when present, else the connecting address
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set client_IP_addr [getfield [lindex [HTTP::header values "X-Forwarded-For"] 0] "," 1]
    } else {
        set client_IP_addr [IP::client_addr]
    }

    # ${vs} needs braces: $vs_URI_LIST_TO_LIMIT would be read as one variable name
    if { ([HTTP::method] eq "GET") and ([class match [string tolower [HTTP::uri]] ends_with "${vs}_URI_LIST_TO_LIMIT"]) } {
        # whitelist
        if { [class match [IP::client_addr] equals "${vs}_ips_whitelist"] } {
            return
        }
        set getcount [table lookup -notouch "${vs}_$client_IP_addr:[HTTP::uri]"]
        if { $getcount equals "" } {
            table set "${vs}_$client_IP_addr:[HTTP::uri]" "1" $static::timeout $static::timeout
        } else {
            if { $getcount < $static::maxReqs } {
                table incr -notouch "${vs}_$client_IP_addr:[HTTP::uri]"
            } else {
                reject
            }
        }
    }
    # Persist on the same address used for rate limiting
    persist uie $client_IP_addr
}

when HTTP_RESPONSE {
    persist add uie $client_IP_addr
}
```
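The counting logic of the iRule above, modeled in Python so its behavior can be checked offline. This is an added example, not part of the original post and not F5 code; the class name, virtual server name, URI suffix and addresses are constructed for illustration.

```python
# Added example: offline model of the iRule's counting logic (assumed names, not F5 code).
MAX_REQS = 3   # static::maxReqs
TIMEOUT = 60   # static::timeout, used as both idle timeout and lifetime


class RateLimitModel:
    def __init__(self, vs, uri_suffixes, whitelist):
        self.vs = vs
        self.uri_suffixes = [s.lower() for s in uri_suffixes]  # <vs>_URI_LIST_TO_LIMIT
        self.whitelist = set(whitelist)                         # <vs>_ips_whitelist
        self.table = {}  # key -> [count, expiry]; stands in for the session table

    @staticmethod
    def client_ip(peer_addr, xff_values):
        # First X-Forwarded-For header, first comma-separated field, else the peer.
        return xff_values[0].split(",")[0] if xff_values else peer_addr

    def decide(self, now, method, uri, peer_addr, xff_values=()):
        ip = self.client_ip(peer_addr, xff_values)
        if method != "GET" or not uri.lower().endswith(tuple(self.uri_suffixes)):
            return "pass"      # not a limited request: never counted
        if peer_addr in self.whitelist:
            return "pass"      # whitelist is matched on the connecting address
        key = f"{self.vs}_{ip}:{uri}"
        entry = self.table.get(key)
        if entry is None or now >= entry[1]:
            self.table[key] = [1, now + TIMEOUT]  # first hit opens a 60 s window
            return "pass"
        if entry[0] < MAX_REQS:
            entry[0] += 1      # -notouch: the window is not extended
            return "pass"
        return "reject"


def demo():
    # Constructed sample traffic: (time in s, method, URI, peer address, XFF values).
    m = RateLimitModel("vs_app", ["/login"], ["10.0.0.9"])
    traffic = [
        (0, "GET", "/app/login", "192.0.2.10", ()),
        (1, "GET", "/app/login", "192.0.2.10", ()),
        (2, "GET", "/app/login", "192.0.2.10", ()),
        (3, "GET", "/app/login", "192.0.2.10", ()),   # 4th GET in the window
        (4, "POST", "/app/login", "192.0.2.10", ()),  # not a GET
        (5, "GET", "/app/home", "192.0.2.10", ()),    # URI not in the list
        (61, "GET", "/app/login", "192.0.2.10", ()),  # window has expired
    ]
    return [m.decide(*req) for req in traffic]


if __name__ == "__main__":
    print(demo())
```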
Hi Yann
Can you please assist with the error debug I pasted? Sorry to bother you so much.
01070151:3: Rule [/Common/iRule_rate_limit] error: Unable to find value_list (URI_LIST_TO_LIMIT) referenced at line 7: [class match [string tolower [HTTP::uri]] ends_with URI_LIST_TO_LIMIT]
Regards,
Sumanta.
Hi Yann
Thanks, I'll create the data group. But will this prevent when I test using continuous telnet to IP/port 443, using a Perl script? My intention is to limit connections below 20K, from each source IP, to that specific VS, running on port 443.
So, will your code only allow and rate limit URIs and reject everything else such as telnet sessions? The assumption is URIs are valid and legitimate and any other connection attempt on Layer 4 may be considered as a DoS, right?
Regards,
Sumanta.