Forum Discussion

Teivin's avatar
Teivin
Icon for Nimbostratus rankNimbostratus
Feb 22, 2021

Rate-limit based on User-Agent String

Hello, below is the code I'm using to accomplish this. Right now, the count is timing out every second instead of every 360 seconds as listed below. Does anyone see why this would happen?

 

when HTTP_REQUEST {

# Default rate to limit requests

set UASmaxRate 50

# Default rate to warn

set UASwarnRate 30

# During this many seconds

set UAStimeout 360

# Increment and Get the current request count bucket

set epoch [clock seconds]

set currentCount [table incr -notouch "Count_[HTTP::header User-Agent]_${epoch}"]

if { $currentCount eq "" } then {

# Initialize a new request count bucket

table set "Count_[HTTP::header User-Agent]_${epoch}" 1 indef $UAStimeout

set currentCount 1

}

# Actually check for being over limit

if { $currentCount >= ${UASmaxRate} } then {

log local0. "ERROR: UAS:[HTTP::header User-Agent] exceeded ${UASmaxRate} requests per second. Rejecting request. Current requests: ${currentCount}."

reject

}

elseif { $currentCount > $UASwarnRate } then {

log local0. "WARNING: UAS:[HTTP::header User-Agent] exceeded ${UASwarnRate} requests per second. Will reject at ${UASmaxRate}. Current requests: ${currentCount}."

}

log local0. "UAS:[HTTP::header User-Agent]: currentCount: ${currentCount}"

}

devops
iRules
LTM
security

1 Reply

Sort By
  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Feb 27, 2021

    i dont do iRules well from my mind but i feel there is something tricky with creating tables based on the time. 

    table set "Count_[HTTP::header User-Agent]_${epoch}" 1 indef $UAStimeout

    doesnt that generate a new table like with every new request on a different time?

    if i would trouble shoot this i'd add some log lines during the checking and creating of tables to see the values that are used and returned.