Pending rule event HTTP_REQUEST aborted
Hi,
We are currently experiencing some issues with an iRule we are using. We got this iRule through a consultant and installed it more than a year ago. It always worked well, but recently we got some complaints.
The iRule is used for checking traffic coming in onto our reverse proxies. If we see connections coming from the same client and trying to access the same URI, we check for some threshold (max connections allowed are 50 conn. in a 20-second timeframe). This was done in order to have some protection due to behavior we experienced before.
For a week now we have been getting complaints from people accessing a specific URL via our reverse proxies. It was working for most people, but some clients couldn't access it. After checking, we noticed we were getting the "abort" messages for those client IPs who were complaining.
I'm not an expert in programming iRules. I've seen from other articles that this could be related to connections not being present in the table anymore. But I'm puzzled how a connection could be dropped before the event "http-request" is activating, and why we only have this behavior quite recently.
Does anybody have an idea what is causing this behavior in this iRule?
The following is the iRule:
when RULE_INIT {
    # METRICS FOR ALL IP CLIENTS
    set static::maxRate 50
    set static::windowSecs 20
    # METRICS FOR KNOWN PROXY ONLY
    set static::maxRateProxy 200
    set static::windowSecsProxy 20
    # SET BLOCKING METHOD: DROP OR REJECT
    # 0=reject 1=drop
    set static::blocking 0
    # DEBUG FLAG: 0 off , 1 on
    # log to /var/log/ltm
    # be aware that every get request will be logged! use only if needed
    set static::ratelimit_debug 0
}
when HTTP_REQUEST {
    # check which URI to apply rate limiting , no specific http method
    if { [class match [string tolower [HTTP::uri]] starts_with [URI::basename [virtual name]]-ratelimit-uri] } {
        if { $static::ratelimit_debug > 0 } { log local0. "HTTP-RATE-LIMITING: vs=[virtual name] client_ip=[IP::client_addr] uri=[HTTP::uri]" }
        # whitelist: do nothing
        if { [class match [IP::client_addr] equals [URI::basename [virtual name]]-ratelimit-whitelist] } {
            return
        }
        # set variables for readability
        set limiter [string tolower [HTTP::uri]]
        set clientip_limitervar [IP::client_addr]:$limiter
        set get_count [table key -count -subtable $clientip_limitervar]
        # known proxy: apply proxy metrics
        if { [class match [IP::client_addr] equals [URI::basename [virtual name]]-ratelimit-proxy] } {
            # main condition
            if { $get_count < $static::maxRateProxy } {
                incr get_count 1
                table set -subtable $clientip_limitervar $get_count $clientip_limitervar indefinite $static::windowSecsProxy
            } else {
                log local0. "HTTP-RATE-LIMITING: vs=[virtual name] proxy=yes client_ip=[IP::client_addr] has exceeded the number of allowed requests maxrate=$static::maxRateProxy time_window=$static::windowSecsProxy uri=[HTTP::uri]"
                if { $static::blocking > 0 } { drop } else { reject }
                return
            }
        } else {
            # any other clients: apply standard metrics
            # main condition
            if { $get_count < $static::maxRate } {
                incr get_count 1
                table set -subtable $clientip_limitervar $get_count $clientip_limitervar indefinite $static::windowSecs
            } else {
                log local0. "HTTP-RATE-LIMITING: vs=[virtual name] client_ip=[IP::client_addr] has exceeded the number of allowed requests maxrate=$static::maxRate time_window=$static::windowSecs uri=[HTTP::uri]"
                if { $static::blocking > 0 } { drop } else { reject }
                return
            }
        }
    }
}
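
A simplified model of the counting scheme in the iRule above, as an added example that is not part of the original post and is not F5 code. It replays constructed request times for one client and URI and compares keying entries by the incremented count, as posted, with a hypothetical per-request unique key; the `Subtable` class, the sequence-number key and the assumption that rewriting a key restarts its lifetime are illustrative.

```python
# Simplified model of the iRule's per-client subtable (added example, not F5 code).
# Times are integer milliseconds; the traffic below is constructed.

class Subtable:
    """Stands in for one `table -subtable` namespace: key -> expiry time."""

    def __init__(self):
        self.entries = {}

    def count(self, now):
        # Mirrors `table key -count`: expired entries are not counted.
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}
        return len(self.entries)

    def set(self, key, now, lifetime):
        # Assumption: writing an existing key replaces it and restarts its lifetime.
        self.entries[key] = now + lifetime


def rejected_requests(times, max_rate=50, window_ms=20_000, unique_keys=False):
    """Replay request times for one client+URI; return the times that were rejected."""
    table, rejected = Subtable(), []
    for seq, now in enumerate(times):
        count = table.count(now)
        if count >= max_rate:
            rejected.append(now)
            continue
        # As posted, the key is the incremented count. The variant keys each
        # request by a sequence number (hypothetical) so no live key is reused.
        key = ("req", seq) if unique_keys else count + 1
        table.set(key, now, window_ms)
    return rejected


def constructed_traffic():
    steady = [i * 100 for i in range(40)]      # 40 requests, t = 0 .. 3.9 s
    burst = [21_000 + i for i in range(100)]   # 100 requests within 0.1 s at t = 21 s
    return steady + burst


if __name__ == "__main__":
    times = constructed_traffic()
    print("count-as-key rejected:", len(rejected_requests(times)))
    print("unique-key rejected:  ", len(rejected_requests(times, unique_keys=True)))
```

With this traffic, the count-as-key variant rejects nothing because every burst request rewrites a key that is still live, so the count never rises; the unique-key variant rejects 79 of the 100 burst requests.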