HTTP Transaction Rate Limiting (TRL) is a mechanism for limiting the number and/or rate of connections on a per user basis. This feature requires that the website be using HTTP Basic Authentication. When the Authorization header is present, the ServerIron will extract the username from the header and apply the appropriate TRL policy.
First, create a http-trl-policy based on maximum connections and/or connection rate.
Second, create a CSW rule to determine http-trl eligibility.
Lastly, create a CSW policy that refers back to the http-trl policy.
http-trl policy syntax:
client-name <name> <monitor-interval|max-connections> <options> default <monitor-interval|max-connections> <options>
http-trl policy syntax (continued):
monitor-interval <interval> <warning> <shutdown> <holddown> max-conn <max-connections>
The example provided below uses the CSW rule 'r1' to specify HTTP requests which contain an "Authorization" header with a value of "Basic".
The CSW policy 'p1' in turn says that if rule 'r1' is matched, then http-trl policy 'trl-p1'
should be applied.
Lastly, the http-trl policy 'trl-p1' allows users 'jdoe' and 'johnd' additional connections
and higher connection rates than all other (default) users.
Below is an example configuration
server source-nat-ip 10.10.1.254/24 0.0.0.0 port-range 2
default max-conn 5
default monitor-interval 1 10 20 0
default exceed-action redirect "foo.com" "/warning.html"
client-name "jdoe" max-conn 20
client-name "jdoe" monitor-interval 1 20 40 0
client-name "jdoe" exceed-action drop
client-name "johnd" max-conn 30
client-name "johnd" monitor-interval 1 20 40 0
client-name "johnd" exceed-action reset
csw-rule r1 header Authorization pattern Basic
match r1 http-trl trl-p1
server real rs1 10.10.1.10
server real rs2 10.10.1.11
server virtual csw-vip 220.127.116.11
port http csw-policy "p1"
port http csw
bind http rs1 http rs2 http
Review here for further info on HTTP TRL in security administration manual
Review the TRL section in security administration manual for further information on usage of traffic rate limiting feature in non web traffic scenarios. [hint: use TOC button to see other security/rate limiting features]