For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sumanta_88744's avatar
Sumanta_88744
Icon for Cirrus rankCirrus
Jun 11, 2016
Solved

Universal Persistence with X-forwarder

Hi Experts   Can I use Universal persistence using x-forwarder with i-rule? I would have each x-forwarded IP stick to the same back-end pool member. Will this work? Can you please share code? Any ...
application delivery
cloud
iRules
LTM
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Jul 20, 2016

    A formatted version of the "Per VS" rate limiting. You can apply the same irule to all standard VS using UIE persistence.

     

    when RULE_INIT {
    set static::maxReqs 3;
    set static::timeout 60;
}

when HTTP_REQUEST {
        set vs [URI::basename [virtual]]
        if { [HTTP::header exists "X-Forwarded-For"] } {
            set client_IP_addr [getfield [lindex  [HTTP::header values "X-Forwarded-For"]  0] "," 1]
        } else {
            set client_IP_addr [IP::client_addr]
        }
        if { ([HTTP::method] eq "GET") and ([class match [string tolower [HTTP::uri]] ends_with $vs_URI_LIST_TO_LIMIT] ) } {

            whitelist
            if { [class match [IP::client_addr] equals $vs_ips_whitelist] }{
               return
            }
            set getcount [table lookup -notouch "$vs_$client_IP_addr:[HTTP::uri]"]
            if { $getcount equals "" } {
                table set "$vs_$client_IP_addr:[HTTP::uri]" "1" $static::timeout $static::timeout
            } else {
                if { $getcount < $static::maxReqs } {
                    table incr -notouch "$vs_$client_IP_addr:[HTTP::uri]"
                } else {
                    reject
                }
            }
        }
        persist uie $clientip 
}

when HTTP_RESPONSE { 
    persist add uie $clientip 
}

     

Sumanta_88744's avatar
Sumanta_88744
Icon for Cirrus rankCirrus
Aug 18, 2016

Hi Kai

 

Thanks for the updated codes. I got some reference from DC and used the below code. Till now it appears to work fine and meet my requirements.

 

when CLIENT_ACCEPTED {
  set tbl "connlimit:[IP::client_addr]"
  set key "[TCP::client_port]"
  table set -subtable $tbl $key "ignored" 180
  if { [table keys -subtable $tbl -count] > 30000 } {
    table delete -subtable $tbl $key
    event CLIENT_CLOSED disable
    reject
  } else {
    set timer [after 1260 -periodic { table lookup -subtable $tbl $key }]
  }
}
when CLIENT_CLOSED {
  after cancel $timer
  table delete -subtable $tbl $key
}
}

Let me see how far it lasts the DOS attack tests. Probably, I'll get to test your code later on.

 

Regards,

 

Sumanta.

 

Sumanta_88744's avatar
Sumanta_88744
Icon for Cirrus rankCirrus
Aug 18, 2016

Hi Kai

 

Thanks for your feedback. I didn't know that timer was in millisec. I matched with L4 profile timer values at 1260 sec. Probably, I'll use your code and test.

 

Regards,

 

Sumanta.