cancel
Showing results for 
Search instead for 
Did you mean: 

Irule Trigger two times

Satoshino
Cirrus
Cirrus

Hi,

 

I created this irule in order to set rate limit based on source IP:

 

when RULE_INIT {     set static::maxRate 4     set static::windowSecs 10     log local0. "Var Creation"      }   when HTTP_REQUEST {                 log local0. [IP::client_addr]        #check IP        if { [IP::addr [IP::client_addr] equals 192.168.19.12]} {           # set variables                  set clientip_var [IP::client_addr]         set get_count [table key -count -subtable $clientip_var]         log local0. "$get_count before increase"           # main condition          if { $get_count < $static::maxRate } {             incr get_count 1             log local0. "$get_count after increase"             table set -subtable $clientip_var $get_count $clientip_var indefinite $static::windowSecs          } else {             log local0. "404!?"             HTTP::respond 404 content { "HTML PAGE" } -reset                   return         }         } else {                    return       } }

This irule create an Array and count session number, when the sessions reach maxRate value the irule reset newest session, until flush.

 

I realized that when I send a request from the client (with the correct ip) to vs the irule is triggered twice, this means that the array reaches the limit with 2 requests instead of 4.

have you ever had such a problem?

 

log:

first request: Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12 Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12 Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after increase second request: Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12 Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 before increase Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 3 after increase Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12 Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 3 before increase Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 after increase third and fourth request: Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12 Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 after increase Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 404!? Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12 Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 before increase Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 404!?

Best regards at all

1 ACCEPTED SOLUTION

Looking at the logs at glance, its actually 2 requests not 1 requests.

You are stating the below is just 1 request.

first request: Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12 Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12 Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after increase

But if we look at the Irule of yours, in HTTP_REQUEST event, your 1st piece of code itself is logging the client ip [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice in line 2 & line 5, so its actually 2 HTTP_REQUEST not one. You may think its 1 request, but its actually 2.

May be there was some image, html, json resource references were their in the page you 1st queried & then second would been that call.

 

Can you open your developer tool when sending the the requests & see what's all flowing in the network chart.

View solution in original post

3 REPLIES 3

Looking at the logs at glance, its actually 2 requests not 1 requests.

You are stating the below is just 1 request.

first request: Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12 Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12 Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after increase

But if we look at the Irule of yours, in HTTP_REQUEST event, your 1st piece of code itself is logging the client ip [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice in line 2 & line 5, so its actually 2 HTTP_REQUEST not one. You may think its 1 request, but its actually 2.

May be there was some image, html, json resource references were their in the page you 1st queried & then second would been that call.

 

Can you open your developer tool when sending the the requests & see what's all flowing in the network chart.

The easy way to identify what were the HTTP REQUESTS would be the log the URI. Please test if that gives some clue.

Hi,

 

you right, was browser fault

 

Thanks you