Virtual server connection limit with HTTP response

Problem this snippet solves:

This rule allows administrators to configure a maximum TCP connection limit for a virtual server. When the limit is reached, LTM sends a static HTML response.

The iRule maintains a count of active connections using a global variable. The rule assumes a connection count of zero to start with. To ensure the iRule starts with a valid connection count, it would be advisable to add the iRule to the virtual server when there are no active connections to the virtual server.

Code :

when RULE_INIT {

   # Set a global max for number of concurrent TCP connections
   set ::max_connections 2

   # Set an HTML response to sent to clients who make a request while the VIP is over the max connection count
   set ::html_content "over limit"

   # Print debug messages to /var/log/ltm?  1=yes, 0=no
   set ::debug 1

   # Initialize a counter for active connections (don't modify this)
   set ::active_connections 0
}
when HTTP_REQUEST {

   # If we're over the limit for this connection, send a response
   if {$::active_connections > $::max_connections}{

      # Send a response
      HTTP::respond 200 content $::html_content

      # Close the connection
      TCP::close

      # Log a message to /var/log/ltm if debug is enabled
      if {$::debug}{log local0. "Over limit (current/max: $::active_connections/$::max_connections). Sent response to [IP::client_addr]"}

   # We're not over the limit, so check if this is the first HTTP request on the TCP connection.  
   } elseif {[HTTP::request_num] == 1}{
      set validrequest 1
      # Increment the TCP connection count.
      incr ::active_connections 1
   }
}

when CLIENT_CLOSED {
   # A connection was closed, so decrement the global counter
   if {$validrequest == 1}{
       incr ::active_connections -1
   }
}
Published Mar 18, 2015
Version 1.0
utility

Was this article helpful?

8 Comments

Sort By
  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Apr 30, 2015
    ATTENTION: This code is for v9.x.x of BIG-IP only (which is no longer supported). DO NOT USE this on higher versions
  • samstep_81205's avatar
    samstep_81205
    Icon for Nimbostratus rankNimbostratus
    Apr 30, 2015
    ATTENTION: This code is for v9.x.x of BIG-IP only (which is no longer supported). DO NOT USE this on higher versions
  • Aaron_33366's avatar
    Aaron_33366
    Icon for Nimbostratus rankNimbostratus
    Sep 25, 2015
    This iRule does exactly what I want to do! However someone commented that his is only for v9. I would think this should still work on 11.5.1 because the iRule is the TCL code. Can anyone validate that this would work on 11.5.1 code. In the mean time I will look to do a test myself as well. Thanks in advance.
  • Chris_FP's avatar
    Chris_FP
    Icon for Cirrus rankCirrus
    Oct 26, 2015
    It may work perfectly but it could also be demoting any VS it is attached to from CMP. https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13033.html explains why. You should really be using session tables instead.
  • luis_54438's avatar
    luis_54438
    Icon for Nimbostratus rankNimbostratus
    Nov 04, 2015
    It worked for TMOS 11.5.1. Use set static::max_connections 2 set static::html_content "over limit" set static::debug 1 set static::active_connections 0 And call it with $static::active_connections $static::max_connections $static::debug $static::active_connections best regards
  • Rama_75068's avatar
    Rama_75068
    Icon for Nimbostratus rankNimbostratus
    Dec 06, 2016

    Hi, I have tried the iRules with 11.5.4, there seems to be error in LTM logs

     

    - can't read "validrequest":no such variable while executing "if{$validrequest == 1}{incr static::active_connections -1}"

     

    When try to simulate connection limit, the http page redirected, but it also redirects all the active users currently logging in the server.

     

    Kindly advise. Thank you