Forum Discussion
Sumanta_88744
Jun 11, 2016 (Cirrus)
Universal Persistence with X-forwarder
Hi Experts, can I use Universal persistence using x-forwarder with an i-rule? I would have each x-forwarded IP stick to the same back-end pool member. Will this work? Can you please share code? Any ...
- Jul 20, 2016
A formatted version of the "Per VS" rate limiting. You can apply the same iRule to all standard VS using UIE persistence.
when RULE_INIT {
    set static::maxReqs 3
    set static::timeout 60
}
when HTTP_REQUEST {
    # Virtual server name, used to build per-VS data group and table key names
    set vs [URI::basename [virtual]]
    # Rate-limit on the first X-Forwarded-For address when present, otherwise on the TCP peer
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set client_IP_addr [getfield [lindex [HTTP::header values "X-Forwarded-For"] 0] "," 1]
    } else {
        set client_IP_addr [IP::client_addr]
    }
    if { ([HTTP::method] eq "GET") and ([class match [string tolower [HTTP::uri]] ends_with ${vs}_URI_LIST_TO_LIMIT]) } {
        # whitelist: addresses in the per-VS data group are not limited
        if { [class match [IP::client_addr] equals ${vs}_ips_whitelist] } {
            return
        }
        set getcount [table lookup -notouch "${vs}_$client_IP_addr:[HTTP::uri]"]
        if { $getcount equals "" } {
            # First request for this client/URI: start a counter that expires after $static::timeout
            table set "${vs}_$client_IP_addr:[HTTP::uri]" "1" $static::timeout $static::timeout
        } else {
            if { $getcount < $static::maxReqs } {
                table incr -notouch "${vs}_$client_IP_addr:[HTTP::uri]"
            } else {
                reject
            }
        }
    }
    # Universal persistence keyed on the same client address
    persist uie $client_IP_addr
}
when HTTP_RESPONSE {
    persist add uie $client_IP_addr
}
Kai_Wilke
Aug 17, 2016 (MVP)
Hi Sumanta,
You may try one of the iRules below. They will either track the HTTP requests or TCP connections per timeframe by just using a single table call. The expected RAM consumption should be very little...
iRule to track the TCP connection / timeframe
when RULE_INIT {
    set static::maxReqs 20000
    set static::timeout 1800
}
when CLIENT_ACCEPTED {
    # Increment the client's counter only if an entry already exists; "" means no entry yet
    if { [set count [table incr -mustexist "DoS_[IP::client_addr]" "1"]] ne "" } then {
        if { $count < $static::maxReqs } then {
            # Allow the request
        } elseif { $count == $static::maxReqs } then {
            log -noname local0.debug "DoS Protection: Client \"[IP::client_addr]\" has reached its HTTP request limits. Blocking the client for the next \"[table lifetime -remaining "DoS_[IP::client_addr]"]\" seconds."
            reject
        } else {
            reject
        }
    } else {
        # First connection in this timeframe: entry never idles out, but dies after $static::timeout
        table set "DoS_[IP::client_addr]" "1" indefinite $static::timeout
    }
}
iRule to track the HTTP request / timeframe
when RULE_INIT {
    set static::maxReqs 20000
    set static::timeout 1800
}
when HTTP_REQUEST {
    # Increment the client's counter only if an entry already exists; "" means no entry yet
    if { [set count [table incr -mustexist "DoS_[IP::client_addr]" "1"]] ne "" } then {
        if { $count < $static::maxReqs } then {
            # Allow the request
        } elseif { $count == $static::maxReqs } then {
            log -noname local0.debug "DoS Protection: Client \"[IP::client_addr]\" has reached its HTTP request limits. Blocking the client for the next \"[table lifetime -remaining "DoS_[IP::client_addr]"]\" seconds."
            reject
        } else {
            reject
        }
    } else {
        # First request in this timeframe: entry never idles out, but dies after $static::timeout
        table set "DoS_[IP::client_addr]" "1" indefinite $static::timeout
    }
}
Cheers, Kai
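Both replies rely on the same two pieces: choosing which address to key on, and a per-key counter with a lifetime. The Python below is an added simulation, not code from either post or from F5. It reproduces the first reply's X-Forwarded-For selection (first value of the first header) and the second reply's `table set ... indefinite` / `table incr -mustexist` counter semantics, and adds one assumption of its own: a `TRUSTED_PROXIES` set so the header is only honoured when the TCP peer is the proxy that appended it. The names `client_key` and `DosTable` are this example's.

```python
# Constructed: the only peer the BIG-IP should trust to append X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_key(client_addr, xff_headers, trusted=TRUSTED_PROXIES):
    """Pick the address to rate-limit and persist on.

    Mirrors the first reply: first value of the first X-Forwarded-For header
    when present, otherwise the TCP peer.  Added hardening (assumption): the
    header is only honoured when the TCP peer is a trusted proxy, because any
    other peer can put an arbitrary value in it.
    """
    if client_addr not in trusted or not xff_headers:
        return client_addr
    first = xff_headers[0].split(",")[0].strip()   # getfield <hdr> "," 1
    return first or client_addr


class DosTable:
    """Fixed-window counter with the semantics of the second reply's iRule:
    `table set key 1 indefinite $timeout` on first sight, then
    `table incr -mustexist` on every later request until the lifetime ends."""

    def __init__(self, max_reqs=20000, timeout=1800):
        self.max_reqs = max_reqs
        self.timeout = timeout
        self.entries = {}   # key -> [count, expires_at]
        self.log = []       # one line per client, written when the limit is hit

    def check(self, key, now):
        """Return ("allow" | "reject", count) for one request at time `now`."""
        entry = self.entries.get(key)
        if entry is None or entry[1] <= now:
            # No live entry: `table incr -mustexist` would return "", so create one
            # whose lifetime is fixed at now + timeout and never extended by touches.
            self.entries[key] = [1, now + self.timeout]
            return ("allow", 1)
        entry[0] += 1
        count = entry[0]
        if count < self.max_reqs:
            return ("allow", count)
        if count == self.max_reqs:
            # Logged exactly once per window, like the iRule's local0.debug line.
            remaining = entry[1] - now
            self.log.append(f"DoS Protection: {key} reached {count} requests; "
                            f"rejecting for the next {remaining} seconds")
        return ("reject", count)
```

Note that, as in the second reply, the request that brings the count to `max_reqs` is itself rejected, so a limit of 3 allows two requests per window.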