Application Delivery (ADX)

HTTP transaction rate limiting (TRL)

by pmorrissey on 06-22-2009 09:00 AM - edited on 10-31-2013 03:33 PM by bcm1


HTTP Transaction Rate Limiting (TRL) is a mechanism for limiting the number and/or rate of connections on a per-user basis. This feature requires that the website use HTTP Basic Authentication. When the Authorization header is present, the ServerIron extracts the username from the header and applies the appropriate TRL policy.




First, create an http-trl-policy based on maximum connections and/or connection rate.

Second, create a CSW rule to determine http-trl eligibility.

Lastly, create a CSW policy that refers back to the http-trl policy.


http-trl policy syntax:

client-name <name> <monitor-interval|max-connections> <options>
default <monitor-interval|max-connections> <options>

http-trl policy syntax (continued):

monitor-interval <interval> <warning> <shutdown> <holddown>
max-conn <max-connections>


The example provided below uses the CSW rule 'r1' to specify HTTP requests which contain an "Authorization" header with a value of "Basic".

The CSW policy 'p1' in turn says that if rule 'r1' is matched, then http-trl policy 'trl-p1' should be applied.

Lastly, the http-trl policy 'trl-p1' allows users 'jdoe' and 'johnd' additional connections and higher connection rates than all other (default) users.


Below is an example configuration

Sample Script/Code/Configuration



server source-nat-ip port-range 2

http-trl-policy "trl-p1"
 default max-conn 5
 default monitor-interval 1 10 20 0
 default exceed-action redirect "" "/warning.html"
 client-name "jdoe" max-conn 20
 client-name "jdoe" monitor-interval 1 20 40 0
 client-name "jdoe" exceed-action drop
 client-name "johnd" max-conn 30
 client-name "johnd" monitor-interval 1 20 40 0
 client-name "johnd" exceed-action reset

csw-rule r1 header Authorization pattern Basic

csw-policy p1
 match r1 http-trl trl-p1

server real rs1
 port http

server real rs2
 port http

server virtual csw-vip
 port http
 port http csw-policy "p1"
 port http csw
 bind http rs1 http rs2 http
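
A simplified model of the per-user lookup this configuration describes, as an added example (not ServerIron code and not part of the original article): it decodes the username from a Basic Authorization value and selects the 'trl-p1' limits for it. Assumptions: the warning and shutdown values are read as per-interval connection counts, a new connection is refused once it would exceed max-conn, an undecodable Basic header falls back to the default limits, and the function names, verdict names and sample headers are hypothetical.

```python
import base64
import binascii

# Limits copied from the page's 'trl-p1': (max-conn, warning, shutdown, exceed-action)
TRL_P1 = {"jdoe": (20, 20, 40, "drop"), "johnd": (30, 20, 40, "reset")}
DEFAULT = (5, 10, 20, "redirect")

# Constructed sample header values (passwords are made up).
SAMPLE_JDOE = "Basic " + base64.b64encode(b"jdoe:constructed-pw").decode()
SAMPLE_OTHER = "Basic " + base64.b64encode(b"alice:constructed-pw").decode()


def basic_username(header):
    """Return the username from a Basic Authorization value, or None if malformed."""
    scheme, _, token = (header or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


def trl_decision(header, open_conns, conns_this_interval):
    """Return (username, verdict) for one new request.

    open_conns and conns_this_interval are the counts already recorded for
    that user; both the counters and the verdict names are hypothetical.
    """
    if not (header or "").strip().lower().startswith("basic"):
        return (None, "no-trl")  # rule r1 does not match, TRL is not applied
    user = basic_username(header)
    # Assumption: unknown or undecodable users get the 'default' limits.
    max_conn, warning, shutdown, action = TRL_P1.get(user, DEFAULT)
    if open_conns + 1 > max_conn or conns_this_interval + 1 > shutdown:
        return (user, action)  # the configured exceed-action
    if conns_this_interval + 1 > warning:
        return (user, "warn")
    return (user, "allow")


if __name__ == "__main__":
    for hdr, conns in [(SAMPLE_JDOE, 19), (SAMPLE_JDOE, 20), (SAMPLE_OTHER, 5)]:
        print(trl_decision(hdr, conns, 0))
```

The username is taken from the part of the decoded value before the first colon, so a password that itself contains a colon does not change which policy entry is selected.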



Further Reading

Review here for further information on HTTP TRL in the security administration manual.


Review the TRL section in the security administration manual for further information on using the traffic rate limiting feature in non-web traffic scenarios. [Hint: use the TOC button to see other security/rate limiting features.]