
HTTP transaction rate limiting (TRL)

by pmorrissey on 06-22-2009 09:00 AM, edited on 10-31-2013 03:33 PM by bcm1

Summary

HTTP Transaction Rate Limiting (TRL) limits the number of concurrent connections and/or the connection rate on a per-user basis. The feature requires that the website use HTTP Basic Authentication: when a request carries an Authorization header, the ServerIron extracts the username from that header and applies the TRL policy entry for that user, or the policy's default entry if the user is not named. Note that the username is whatever the client put in the header; the ServerIron does not validate the credentials, so a per-user allowance is granted to any client that presents that username, whether or not the password is correct.

Specifics

First, create an http-trl-policy that sets a maximum number of concurrent connections and/or a connection-rate threshold, for each named client and for the default entry (everyone else).

Second, create a CSW rule that determines which requests are eligible for http-trl (those carrying a Basic Authorization header).

Lastly, create a CSW policy that applies the http-trl policy when the rule matches, and attach that CSW policy to the HTTP port of the virtual server.

http-trl policy syntax:

http-trl-policy <policy-name>
 client-name <name> max-conn <max-connections>
 client-name <name> monitor-interval <interval> <warning> <shutdown> <holddown>
 client-name <name> exceed-action <drop | reset | redirect <host> <path>>
 default max-conn <max-connections>
 default monitor-interval <interval> <warning> <shutdown> <holddown>
 default exceed-action <drop | reset | redirect <host> <path>>

Each line applies either to one named user (client-name <name>) or to all other users (default). max-conn caps the number of concurrent connections for that user. monitor-interval sets the sampling interval, the connection-rate threshold at which a warning is raised, the threshold at which the exceed-action is taken, and the holddown time for which the user stays limited once that threshold is crossed. exceed-action selects what is done with the excess connections: drop them silently, reset them, or redirect the request to the given host and path.

In the example below, CSW rule 'r1' matches HTTP requests whose "Authorization" header contains "Basic". CSW policy 'p1' in turn says that if rule 'r1' matches, http-trl policy 'trl-p1' is applied. Finally, http-trl policy 'trl-p1' grants users 'jdoe' and 'johnd' more concurrent connections and a higher connection rate than all other (default) users, and uses a different exceed-action for each: default users are redirected to a warning page, excess connections from 'jdoe' are dropped, and excess connections from 'johnd' are reset.

Below is the complete configuration for this example.

Sample Script/Code/Configuration

!
! Source NAT for the full-proxy (CSW) path: connections to the real servers
! originate from the ADX rather than from the client address
server source-nat-ip 10.10.1.254/24 0.0.0.0 port-range 2
!
! TRL policy: limits for everyone (default) and for two named users
http-trl-policy "trl-p1"
 default max-conn 5
 default monitor-interval 1 10 20 0
 default exceed-action redirect "foo.com" "/warning.html"
 client-name "jdoe" max-conn 20
 client-name "jdoe" monitor-interval 1 20 40 0
 client-name "jdoe" exceed-action drop
 client-name "johnd" max-conn 30
 client-name "johnd" monitor-interval 1 20 40 0
 client-name "johnd" exceed-action reset
!
! Only requests carrying a Basic Authorization header are subject to TRL
csw-rule r1 header Authorization pattern Basic
!
! When r1 matches, apply http-trl policy trl-p1
csw-policy p1
 match r1 http-trl trl-p1
!
server real rs1 10.10.1.10
 port http
!
server real rs2 10.10.1.11
 port http
!
! Attach the CSW policy to the VIP's HTTP port and enable CSW on that port
server virtual csw-vip 1.1.1.100
 port http
 port http csw-policy "p1"
 port http csw
 bind http rs1 http rs2 http
!
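The decision path that the configuration above sets up, as an added Python model written for this article (it is not ADX firmware or Brocade code): it extracts the username from a Basic Authorization header the way the ADX must in order to select a client-name entry, then applies the max-conn cap, the monitor-interval warning and shutdown thresholds and the exceed-action of policy trl-p1 to constructed bursts of connections. The exact ADX semantics of the monitor-interval arguments (interval length in seconds, thresholds as connections per interval, holddown as a block period after the shutdown threshold) are assumptions of the model, as are the sample user 'alice' and all passwords. Its last check makes the trust point concrete: a header forged with jdoe's name and a wrong password still selects jdoe's limits, because nothing at the ADX verifies the password.

```python
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class TrlLimits:
    """One entry of an http-trl-policy (assumed model of the ADX semantics)."""
    max_conn: int          # concurrent connections allowed for this user
    interval: float        # monitor-interval length, modelled in seconds
    warning: int           # connections per interval at which a warning is raised
    shutdown: int          # connections per interval at which exceed_action fires
    holddown: float        # seconds the user stays limited after shutdown
    exceed_action: str     # "drop", "reset" or "redirect:<host><path>"


# Policy trl-p1 from the page, transcribed into the model
POLICY = {
    "default": TrlLimits(5, 1.0, 10, 20, 0.0, "redirect:foo.com/warning.html"),
    "jdoe": TrlLimits(20, 1.0, 20, 40, 0.0, "drop"),
    "johnd": TrlLimits(30, 1.0, 20, 40, 0.0, "reset"),
}


def basic_header(user, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def username_from_authorization(value):
    """Extract the username from a Basic Authorization header to pick a policy
    entry. The password is decoded but never checked: the name is trusted as
    presented. Returns None for non-Basic or malformed values (no TRL applies)."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 (binascii.Error) or bad UTF-8
        return None
    user, sep, _password = creds.partition(":")
    return user if sep else None


class TrlEnforcer:
    """Per-user connection accounting for one http-trl-policy (assumed model)."""

    def __init__(self, policy):
        self.policy = policy
        self.open_conns = {}   # user -> currently open connections
        self.window = {}       # user -> (interval start, connections this interval)
        self.held_until = {}   # user -> time until which the user is held down
        self.warnings = []     # (user, count) each time a warning threshold is hit

    def policy_entry(self, user):
        """Named entry for the user, else the default entry."""
        key = user if user in self.policy else "default"
        return key, self.policy[key]

    def admit(self, auth_value, now):
        """Decide a new connection: 'forward', or the exceed-action to apply."""
        user = username_from_authorization(auth_value)
        if user is None:
            return "forward"           # csw-rule r1 not matched: no TRL at all
        _, lim = self.policy_entry(user)
        if self.held_until.get(user, 0.0) > now:
            return lim.exceed_action   # still inside the holddown period
        if self.open_conns.get(user, 0) >= lim.max_conn:
            return lim.exceed_action   # concurrent-connection cap reached
        start, count = self.window.get(user, (now, 0))
        if now - start >= lim.interval:
            start, count = now, 0      # a new monitor interval begins
        count += 1
        self.window[user] = (start, count)
        if count >= lim.shutdown:
            self.held_until[user] = now + lim.holddown
            return lim.exceed_action   # rate shutdown threshold reached
        if count == lim.warning:
            self.warnings.append((user, count))
        self.open_conns[user] = self.open_conns.get(user, 0) + 1
        return "forward"

    def close(self, user):
        """Account for a connection the client or server closed."""
        self.open_conns[user] = max(0, self.open_conns.get(user, 0) - 1)


def run_concurrency_scenario():
    """Constructed scenario: 25 connections opened within one interval and left
    open, by an unnamed user and by jdoe. Returns {user: [decision per connection]}."""
    enf = TrlEnforcer(POLICY)
    results = {}
    for user, password in (("alice", "s3cret"), ("jdoe", "hunter2")):
        hdr = basic_header(user, password)
        results[user] = [enf.admit(hdr, now=100.0 + i * 0.01) for i in range(25)]
    return results


def run_rate_scenario():
    """Constructed scenario: jdoe opens and immediately closes 45 connections in
    one interval, so max-conn never binds and only the rate thresholds do."""
    enf = TrlEnforcer(POLICY)
    hdr = basic_header("jdoe", "hunter2")
    decisions = []
    for i in range(45):
        decision = enf.admit(hdr, now=200.0 + i * 0.01)
        if decision == "forward":
            enf.close("jdoe")
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    for user, decisions in run_concurrency_scenario().items():
        print(user, decisions.count("forward"), "forwarded, then", decisions[-1])
    print("rate scenario:", run_rate_scenario().count("forward"), "forwarded")
    # A forged header selects jdoe's limits without knowing jdoe's password
    print(username_from_authorization(basic_header("jdoe", "not-the-password")))
```

Run it directly to print the decisions. Against a real deployment the equivalent check is to open the same bursts against the VIP with a client that sends Basic credentials (for example, curl -u jdoe:x http://1.1.1.100/ in a loop) and observe which connections are forwarded, redirected to foo.com/warning.html, dropped or reset; the forged-name case is worth including in that test, since a generous client-name entry is in effect available to anyone who knows the name.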

Further Reading

See the HTTP TRL section of the ServerIron ADX security administration manual for further information on HTTP TRL.

See the TRL section of the same manual for further information on using the transaction rate limiting feature on non-web traffic. Its table of contents also lists the other security and rate-limiting features.