Forum Discussion
Sumanta_88744
Jun 11, 2016 · Cirrus
Universal Persistence with X-forwarder
Hi Experts Can I use Universal persistence using x-forwarder with i-rule? I would have each x-forwarded IP stick to the same back-end pool member. Will this work? Can you please share code? Any ...
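The following iRule is an added example written for this thread, not code posted by any participant, showing universal (UIE) persistence keyed on the client address carried in X-Forwarded-For. It assumes a Universal persistence profile that references this iRule is attached to the virtual server, and a data group named trusted_proxies (an assumed name) listing the source addresses of the upstream proxies or load balancers. The header is only honoured when the TCP peer is one of those proxies, because any client can set X-Forwarded-For to an arbitrary value, and the address is taken from the right-hand end of the chain rather than the first field, since the leftmost entry is whatever the original client chose to send.

```tcl
# Added example (not from the thread): UIE persistence on the X-Forwarded-For
# client address, honoured only when the request arrives from a trusted proxy.
# Assumed names: data group "trusted_proxies", timeout value below.
when RULE_INIT {
    # Persistence record lifetime in seconds (assumed value)
    set static::xff_persist_timeout 1800
}

when HTTP_REQUEST {
    # Default: stick on the TCP source address
    set persist_key [IP::client_addr]

    # Only trust X-Forwarded-For when the TCP peer is a known proxy; an
    # arbitrary client can populate this header with any value it likes.
    if { [class match [IP::client_addr] equals trusted_proxies] && \
         [HTTP::header exists "X-Forwarded-For"] } {
        # Multiple X-Forwarded-For headers are joined into one comma list
        set hops [split [join [HTTP::header values "X-Forwarded-For"] ","] ","]

        # Walk the chain from the right, skipping hops that are themselves
        # trusted proxies; the first untrusted address is the real client as
        # seen by the proxy chain. The leftmost entry is client-controlled.
        for { set i [expr {[llength $hops] - 1}] } { $i >= 0 } { incr i -1 } {
            set hop [string trim [lindex $hops $i]]
            if { $hop ne "" && ![class match $hop equals trusted_proxies] } {
                set persist_key $hop
                break
            }
        }
    }

    # Look up an existing persistence record for this key, or create one,
    # so every request from this client address goes to the same pool member
    persist uie $persist_key $static::xff_persist_timeout
}
```

If no trusted proxy sits in front of the BIG-IP, the rule falls back to the TCP source address, which is equivalent to source-address persistence and cannot be influenced by the client.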
- Jul 20, 2016
A formatted version of the "Per VS" rate limiting. You can apply the same irule to all standard VS using UIE persistence.
when RULE_INIT {
    # Max GET requests per client address and URI within the window
    set static::maxReqs 3
    # Window length and table entry lifetime in seconds
    set static::timeout 60
}

when HTTP_REQUEST {
    # Virtual server name, used to build per-VS data group names and table keys
    set vs [URI::basename [virtual]]

    # Client address: first X-Forwarded-For entry if present, else TCP source
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set client_IP_addr [getfield [lindex [HTTP::header values "X-Forwarded-For"] 0] "," 1]
    } else {
        set client_IP_addr [IP::client_addr]
    }

    # Persist on the client address for every request, whitelisted or not
    persist uie $client_IP_addr

    if { ([HTTP::method] eq "GET") and \
         ([class match [string tolower [HTTP::uri]] ends_with ${vs}_URI_LIST_TO_LIMIT]) } {
        # Whitelist: addresses in the per-VS data group are never rate limited
        if { [class match [IP::client_addr] equals ${vs}_ips_whitelist] } {
            return
        }

        # One counter per VS, client address and URI
        set key "${vs}_${client_IP_addr}:[HTTP::uri]"
        set getcount [table lookup -notouch $key]
        if { $getcount equals "" } {
            table set $key "1" $static::timeout $static::timeout
        } else {
            if { $getcount < $static::maxReqs } {
                table incr -notouch $key
            } else {
                reject
            }
        }
    }
}

when HTTP_RESPONSE {
    persist add uie $client_IP_addr
}
Sumanta_88744
Cirrus
Hi Yann
What about this one? Is it same as your code logic or different?
From http://devcentral.f5.com/wiki/iRules.table.ashx
Limit each client IP address to 20K concurrent connections
when CLIENT_ACCEPTED {
    # Max connections per client IP
    set limit 20000
    # Set a subtable name with a standard prefix and the client IP
    set tbl "connlimit:[IP::client_addr]"
    # Use a key of the client IP:port
    set key "[IP::client_addr][TCP::client_port]"
    # Check if the subtable has over X entries
    if { [table keys -subtable $tbl -count] >= $limit } {
        log local0. "[IP::client_addr]:[TCP::client_port]: Rejecting connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
        reject
    } else {
        # Add the client IP:port to the client IP-specific subtable
        # with a max lifetime of 1260 seconds (30min), matched with L4 profile
        table set -subtable $tbl $key "ignored" 1260
        log local0. "[IP::client_addr]:[TCP::client_port]: Allowing connection ([table keys -subtable $tbl -count] connections / limit: $limit)"
    }
}
when CLIENT_CLOSED {
    # When the client connection is closed, remove the table entry
    table delete -subtable $tbl $key
    log local0. "[IP::client_addr]:[TCP::client_port]: Decrementing ([table keys -subtable $tbl -count] connections / limit: $limit)"
}
Yann_Desmarest
Aug 17, 2016 · Cirrus
You can modify the previously provided irule to this :
when RULE_INIT {
    # Max count per key before connections are rejected
    set static::maxReqs 20000
    # Table entry timeout and lifetime in seconds
    set static::timeout 1800
}
when CLIENT_ACCEPTED {
    set client_IP_addr [IP::client_addr]
    # One table entry per client IP:port, i.e. per TCP connection
    set key "$client_IP_addr:[TCP::client_port]"
    set getcount [table lookup -notouch $key]
    if { $getcount equals "" } {
        table set $key "1" $static::timeout $static::timeout
    } else {
        if { $getcount < $static::maxReqs } {
            table incr -notouch $key
        } else {
            reject
        }
    }
}
In this case, the rate limit is really by connection, not only by IP address.