Lab 3: Exploring Rate Limiting & Routes

The following lab tasks will guide you through the configuration of Rate Limiting feature sets. Rate Limiting can be used to implement a variety of L7 security controls; assisting in L7 DDoS, protecting heavy URLs (service process impactful) or mitigating impacts to other controlled endpoints.

Routes in F5 XC can be utilized to accomplish L7 routing based on URI to multiple origin pools.

Expected Lab Time: 20 minutes

Task 1: Establishing a Baseline

In this task you will access a test website/webpage to experience access without a Rate Limiting Policy engaged. Following completion of Task1, you will build a Rate Limit Policy (Task2) and then test the Rate Limited experience (Task3).

  1. In your local web browser access the following link, replacing namespace with your own:

    http://<namespace>.lab-sec.f5demos.com/ratelimit.php

  2. Refresh the page multiple times and notice you do not receive any errors nor blocked

    messages. You can also open your browser’s developers to observe requests receiving 200Ks.

    Let’s change that behavior.

lab000

Task 2: Creating a Rate Limiting Policy

In this task you will add a Rate Limiting Policy to the application Load Balancer previously created.

  1. Return to the Web App & API Protection configuration window. In the left-hand

    navigation, expand Manage and click Load Balancers > HTTP Load Balancers.

  2. Use the Action Dots and click Manage Configuration

  3. Click Edit Configuration in the top right-hand corner.

lab001

lab002

  1. Click Common Security Controls in the left-hand navigation & locate Rate Limiting.

  2. Click the dropdown for Rate Limiting and select Custom Rate Limiting Parameters.

lab003

  1. In the expanded Custom Rate Limiting Parameters click the View Configuration Link.

lab004

  1. In the resulting Rate Limit Configuration window, in the Request Rate Limiter

    section set the following values as shown:

    • Number: 2

    • Per Period: Minute

    • Burst Multiplier: 1

  2. Click the drop-down for Rate Limiter Policies and select Rate Limiter Policies.

lab005

  1. In the new row for Rate Limiter Policies, click the dropdown an then select Add

    Item from the list as shown.

lab006

  1. In the Rate Limiter Policy window, enter rate-limit in the Name field in

    Metadata section and then click Configure within the Rules section.

  2. In the resulting Rules window, click Add Item.

lab007

lab008

  1. In the Rate Limiter Policy window within the Metadata section input

    rate-limit-auth into the Name field.

  2. Using the Actions drop-down select, Apply Rate Limiter.

  3. In the left-hand navigation, click on Request Match.

lab009

  1. In the Request Match section and select the Configure link in the HTTP Method

    section as shown.

  2. In the resulting HTTP Method window under Method List, select POST then

    click Apply.

lab010

lab011

  1. Observe that HTTP Method now appears Configured.

  2. Further down in the Request Match section, select the Configure link in the

    HTTP Path section as shown.

  3. Observe the various Path definition options, click Add Item in the Prefix Values

    section the input /auth.php as shown and then click Apply.

lab012

lab013

  1. Observe that HTTP Path now also appears Configured. Click Apply on the

    Rate Limiter Policy window.

  2. Observe the rate limit rule just created and click Add Item to build another rule.

lab014

lab015

  1. In the Rate Limiter Policy window within the Metadata section input

    rate-limit-page into the Name field.

  2. Using the Actions drop-down select, Apply Rate Limiter.

  3. In the left-hand navigation, click on Request Match.

lab016

  1. In the Request Match section and select the Configure link in the HTTP Method

    section as shown.

  2. In the resulting HTTP Method window under Method List, select GET then

    click Apply.

lab017

lab018

  1. Observe that HTTP Method now appears Configured.

  2. Further down in the Request Match section, select the Configure link in the

    HTTP Path section as shown.

  3. Observe the various Path definition options, click Add Item in the Prefix Values

    section the input /ratelimit.php as shown and then click Apply.

lab019

lab020

  1. Observe that HTTP Path now also appears Configured. Click Apply on the

    Rate Limiter Policy window.

  2. Observe the added rate limit rule and click Add Item to build another rule.

lab021

lab022

  1. In the Rate Limiter Policy window within the Metadata section input

    bypass into the Name field.

  2. Using the Actions drop-down, select Bypass Rate Limiter.

  3. In the left-hand navigation, click on Request Match.

lab023

  1. In the Request Match section, select the Configure link in the HTTP Method

    section as shown.

  2. In the resulting HTTP Method window under Method List, select ANY then

    click Apply.

lab024

lab025

  1. Observe that HTTP Method now appears Configured.

  2. Further down in the Request Match section, select the Configure link in the

    HTTP Path section as shown.

  3. Observe the various Path definition options, click Add Item in the Prefix Values

    section the input / as shown and then click Apply.

lab026

lab027

  1. Observe that HTTP Path now also appears Configured. Click Apply on the

    Rate Limiter Policy window.

  2. Observe the three created rate limit rules and click Apply.

lab028

lab029

  1. Observe that rules are now Configured. Complete the custom Rate Limiter Policy by

    clicking Continue.

lab030

  1. Observe the Request Rate Limiter options for number of requests, the Per Period

    interval and the Burst Multiplier.

  2. Also observe that IPs can be allowed without Rate Limiting policies being applied

  3. Click Apply to add the Rate Limit Configuration to the application Load Balancer.

Note

Although only one policy is being added, multiple Rate Limit policies can be attached.

lab031

  1. Observe that the Custom Rate Limiting Parameters now show Configured and then

    click on Other Settings in the left-hand navigation.

  2. Once at the bottom of the HTTP Load Balancer configuration, click Save and Exit.

lab032

lab033

Task 3: Testing Rate Limiting

Now we will retest access to our website and see if our experience has indeed changed.

  1. In your local web browser access the following link, replacing namespace with your own:

    http://<namespace>.lab-sec.f5demos.com/ratelimit.php

  2. Refresh the page multiple times and quickly… did you experience a different result?

    Rate Limited responses receive 429 response codes and block pages as shown in the

    image below.

lab034

  1. Rate Limited requests can also be seen in Security Events as Service Policy blocks.

  2. Review your Security Events by navigating back to the Security Dashboard to see the 429

    blocks.

Note

Review Lab2/Task4 to find Security Events. You can copy you support ID to search with!

lab035

lab036

Task 4: Observing Route Configurations

The following steps will enable you to attach Service Policies to your configured Load Balancer. It will also help you understand additional approaches for Service Policies.

  1. Within Web App & API Protection in the F5 Distributed Cloud Console, Manage >

    Load Balancer > HTTP Load Balancers and use the Action Dots and click Manage

    Configuration.

  2. Click Edit Configuration in the top right-hand corner.

lab063

lab064

  1. Click Routes in the left-hand navigation and the click Configure as shown.

  2. In Routes window, click the Add Item link.

lab065

lab066

End of Lab 3: This concludes Lab 3, feel free to review and test the configuration.

A Q&A session will begin shortly to conclude the overall lab.

labend