30-Apr-202102:17 - last edited on 04-Jun-202320:55 by JimmyPackets
Hi,
I created this irule in order to set rate limit based on source IP:
when RULE_INIT {
set static::maxRate 4
set static::windowSecs 10
log local0. "Var Creation"
}
when HTTP_REQUEST {
log local0. [IP::client_addr]
#check IP
if { [IP::addr [IP::client_addr] equals 192.168.19.12]} {
# set variables
set clientip_var [IP::client_addr]
set get_count [table key -count -subtable $clientip_var]
log local0. "$get_count before increase"
# main condition
if { $get_count < $static::maxRate } {
incr get_count 1
log local0. "$get_count after increase"
table set -subtable $clientip_var $get_count $clientip_var indefinite $static::windowSecs
} else {
log local0. "404!?"
HTTP::respond 404 content { "HTML PAGE" } -reset
return
}
} else {
return
}
}
This irule create an Array and count session number, when the sessions reach maxRate value the irule reset newest session, until flush.
I realized that when I send a request from the client (with the correct ip) to vs the irule is triggered twice, this means that the array reaches the limit with 2 requests instead of 4.
have you ever had such a problem?
log:
first request:
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after increase
second request:
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 3 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 3 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 after increase
third and fourth request:
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 after increase
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 404!?
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 4 before increase
Apr 30 10:06:27 F5SecLab info tmm1[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 404!?
30-Apr-202102:48 - last edited on 22-Nov-202207:46 by JimmyPackets
Looking at the logs at glance, its actually 2 requests not 1 requests.
You are stating the below is just 1 request.
first request:
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after increase
But if we look at the Irule of yours, in HTTP_REQUEST event, your 1st piece of code itself is logging the client ip [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice in line 2 & line 5, so its actually 2 HTTP_REQUEST not one. You may think its 1 request, but its actually 2.
May be there was some image, html, json resource references were their in the page you 1st queried & then second would been that call.
Can you open your developer tool when sending the the requests & see what's all flowing in the network chart.
30-Apr-202102:48 - last edited on 22-Nov-202207:46 by JimmyPackets
Looking at the logs at glance, its actually 2 requests not 1 requests.
You are stating the below is just 1 request.
first request:
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 0 before increase
Apr 30 10:06:24 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 after increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 192.168.19.12
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 1 before increase
Apr 30 10:06:25 F5SecLab info tmm[11625]: Rule /Common/Rate_Limit_Irule <HTTP_REQUEST>: 2 after increase
But if we look at the Irule of yours, in HTTP_REQUEST event, your 1st piece of code itself is logging the client ip [IP::client_addr]. Comparing that with the above logs, we can see that it got triggered twice in line 2 & line 5, so its actually 2 HTTP_REQUEST not one. You may think its 1 request, but its actually 2.
May be there was some image, html, json resource references were their in the page you 1st queried & then second would been that call.
Can you open your developer tool when sending the the requests & see what's all flowing in the network chart.
