
Rate-limit based on User-Agent String

Teivin
Nimbostratus

Hello, below is the code I'm using to accomplish this. Right now, the count is timing out every second instead of every 360 seconds as listed below. Does anyone see why this would happen?

 

when HTTP_REQUEST {
    # Default rate to limit requests
    set UASmaxRate 50
    # Default rate to warn
    set UASwarnRate 30
    # During this many seconds
    set UAStimeout 360

    # Increment and Get the current request count bucket
    set epoch [clock seconds]
    set currentCount [table incr -notouch "Count_[HTTP::header User-Agent]_${epoch}"]
    if { $currentCount eq "" } then {
        # Initialize a new request count bucket
        table set "Count_[HTTP::header User-Agent]_${epoch}" 1 indef $UAStimeout
        set currentCount 1
    }

    # Actually check for being over limit
    if { $currentCount >= ${UASmaxRate} } then {
        log local0. "ERROR: UAS:[HTTP::header User-Agent] exceeded ${UASmaxRate} requests per second. Rejecting request. Current requests: ${currentCount}."
        reject
    }
    elseif { $currentCount > $UASwarnRate } then {
        log local0. "WARNING: UAS:[HTTP::header User-Agent] exceeded ${UASwarnRate} requests per second. Will reject at ${UASmaxRate}. Current requests: ${currentCount}."
    }
    log local0. "UAS:[HTTP::header User-Agent]: currentCount: ${currentCount}"
}

1 REPLY

boneyard
MVP

I don't do iRules well from my mind, but I feel there is something tricky with creating tables based on the time.

table set "Count_[HTTP::header User-Agent]_${epoch}" 1 indef $UAStimeout

Doesn't that generate a new table, like, with every new request on a different time?

If I would troubleshoot this, I'd add some log lines during the checking and creating of tables to see the values that are used and returned.
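
A fixed-window variant of the iRule discussed in this thread, added here as an example and not posted by either participant: the table key no longer contains `[clock seconds]`, so all requests from one User-Agent share a single bucket for the whole window. The 128-character truncation of the header and the variable names `ua` and `key` are assumptions of this example.

```tcl
when HTTP_REQUEST {
    # Same thresholds as in the original post
    set UASmaxRate 50
    set UASwarnRate 30
    set UAStimeout 360

    # Key on the User-Agent only, with no epoch suffix, so every request
    # from that agent increments the same entry. The header is
    # client-controlled, so it is truncated (assumed limit: 128 chars)
    # to bound the size of each table key.
    set ua [string range [HTTP::header User-Agent] 0 127]
    set key "Count_$ua"

    # "table add" creates the entry only if it does not exist yet:
    # idle timeout "indef", lifetime $UAStimeout. The bucket therefore
    # expires $UAStimeout seconds after the first request that opened it.
    table add $key 0 indef $UAStimeout

    # Count this request; -notouch leaves the entry's timers untouched
    set currentCount [table incr -notouch $key]

    if { $currentCount >= $UASmaxRate } {
        log local0. "ERROR: UAS:$ua exceeded $UASmaxRate requests in $UAStimeout seconds. Rejecting request. Current requests: $currentCount."
        reject
    } elseif { $currentCount > $UASwarnRate } {
        log local0. "WARNING: UAS:$ua exceeded $UASwarnRate requests in $UAStimeout seconds. Will reject at $UASmaxRate. Current requests: $currentCount."
    }
}
```

Clients can set any User-Agent they like, so a counter keyed on it groups cooperative clients but is bypassed by one that rotates the header.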