Defending against HTTP slow POST with a pure iRule

September 4, 2017

# Based on 'Mitigating Slow HTTP Post DDoS Attacks With iRules' from George Watkins
#
# Requires LTM v10.0+ for the after command
when RULE_INIT {
   # This iRule enforces a minimum length of time ($static::timeout) for a client to send POST request data.
   # The initial values are 2048 bytes / 2 s = 1 KB/s for the first 2 KB. These values should be tailored to the client base.
   # Default amount of request payload to collect (in bytes).
   # This is the maximum amount of content we will collect.
   # Clients will still be able to send unlimited payload sizes.
   set static::collect_length 2048
   # Default timeout, for POST requests, to send $collect_length bytes (in milliseconds)
   set static::timeout 2000
   # HTML response to send for blocked requests
   set static::block_html {Your POST request is not being received quickly enough. Please retry.}
   # Log debug messages to /var/log/ltm? 1=yes, 0=no.
   set static::post_debug 1
}
when HTTP_REQUEST {
   # Only check POST requests. If the application supports other request methods with payloads, add them in a switch statement here.
   if { [HTTP::method] equals "POST"} {
      if { $static::post_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: POST to [HTTP::host][HTTP::uri]" }
      # Create a local variable copy of the collection amount
      set collect_length $static::collect_length
      # Create a local variable copy of the static timeout
      set timeout $static::timeout
      # Check for a non-existent Content-Length header
      if {[HTTP::header Content-Length] eq ""}{
         # Use default collect length for POSTs without a Content-Length header
         set collect_length $static::collect_length
         if { $static::post_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: No Content-Length value" }
      } elseif {[HTTP::header Content-Length] <= 0}{
         # Don't try to collect a payload if there isn't one
         unset collect_length
         if { $static::post_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Content-Length: 0." }
      } elseif {[HTTP::header Content-Length] > $static::collect_length}{
         # Use the default collect length
         set collect_length $static::collect_length
         if { $static::post_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Content-Length: [HTTP::header Content-Length], collecting $collect_length" }
      } else {
         # Collect the actual payload length
         set collect_length [HTTP::header Content-Length]
         # Scale the timeout by the same ratio as the default collect length and default timeout.
         # expr uses integer division here, so a body of only a few bytes gets a timeout close to 0 ms.
         set timeout [expr {[HTTP::header Content-Length] * $static::timeout / $static::collect_length }]
         if { $static::post_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Content-Length: [HTTP::header Content-Length], collecting $collect_length bytes with timeout $timeout ms" }
      }
      # If the POST Content-Length isn't 0, collect (a portion of) the payload
      if {[info exists collect_length]}{
         # If the entire request hasn't been received within X seconds, send a 408, and close the connection
         set id [after $timeout {
            if { $static::post_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: $timeout ms reached. Closing connection" }
            HTTP::respond 408 content $static::block_html Connection Close
            TCP::close
         }]
         # Trigger collection of the request payload
         HTTP::collect $collect_length
         if { $static::post_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Collecting $collect_length" }
      }
   }
}
when HTTP_REQUEST_DATA {
   if { $static::post_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Collected [HTTP::payload length] bytes." }
   # Check if the 'after' ID exists
   if {[info exists id]} {
      # If all the POST data has been received, cancel the connection closure
      if { $static::post_debug } { log local0. "[IP::client_addr]:[TCP::client_port]: Canceling \$id: $id" }
      after cancel $id
   }
}
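The following is an added example, not code from the post or from the iRule's author: a plain-Python model of the HTTP_REQUEST branches above, so that static::collect_length and static::timeout can be tuned offline against representative client timings before the rule goes live. It assumes the `after` timer fires at exactly the computed timeout and that a chunk arriving at or after that instant is too late; the chunk timings are constructed inputs.

```python
# Added example (not the iRule author's code): a plain-Python model of the
# HTTP_REQUEST branches in the iRule, for tuning static::collect_length and
# static::timeout offline against representative client timings.
from dataclasses import dataclass
from typing import List, Optional, Tuple

COLLECT_LENGTH = 2048  # static::collect_length (bytes)
TIMEOUT_MS = 2000      # static::timeout (milliseconds)


@dataclass
class Policy:
    collect_length: int  # bytes HTTP::collect waits for
    timeout_ms: int      # delay handed to `after`


def plan(method: str, content_length: Optional[str],
         collect_length: int = COLLECT_LENGTH,
         timeout_ms: int = TIMEOUT_MS) -> Optional[Policy]:
    """Mirror the HTTP_REQUEST branches; None means no collection and no timer."""
    if method != "POST":
        return None
    if not content_length:               # header absent: use the defaults
        return Policy(collect_length, timeout_ms)
    cl = int(content_length)
    if cl <= 0:                          # iRule does `unset collect_length`
        return None
    if cl > collect_length:              # collect only the first chunk
        return Policy(collect_length, timeout_ms)
    # Same ratio as the defaults. Tcl's expr integer-divides, so a body of a few
    # bytes gets a timeout of 0 ms; watch this if tiny POSTs are legitimate.
    return Policy(cl, cl * timeout_ms // collect_length)


def decide(policy: Optional[Policy], chunks: List[Tuple[int, int]]) -> str:
    """chunks are constructed (arrival_ms after the headers, bytes) pairs.

    Model assumption: the `after` timer fires at exactly timeout_ms, so a chunk
    arriving at or after that instant is too late. Returns 'skip' (no timer),
    'allow' (HTTP_REQUEST_DATA cancelled the timer) or 'block' (408 + close).
    """
    if policy is None:
        return "skip"
    received = 0
    for at_ms, size in chunks:
        if at_ms >= policy.timeout_ms:
            return "block"
        received += size
        if received >= policy.collect_length:
            return "allow"
    return "block"                       # body never reached collect_length
```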


This work is licensed under the Creative Commons Attribution 4.0 International License.
Tags: http slow post
Last updated: September 4, 2017

纳米

http://linjing.io
