Rate throttling with Forum Sentry is a common use case. Currently, the IDP rule for throttling can be enforced by:
- client IP
- user
- user group
If none of these values distinguishes the clients you need to throttle (for example, several clients arrive from one NAT address and the requests carry no user identity), you can throttle on some other attribute of the request instead. Attributes can include HTTP headers, URI parameters, URI path, X.509 certificate attributes, and others.
The process involves identifying the requests to be throttled by a specific attribute and then mapping the matching requests to a local user that the IDP rule is enforced against.
The example in this article uses the User-Agent HTTP header. Keep in mind that User-Agent is supplied by the client and is not authenticated, so a limit keyed on it only constrains clients that identify themselves honestly; a client that changes the header falls outside the rule. It is suited to capping a known, cooperative client, not to defending against a determined abuser (for that, key the rule on client IP or an authenticated user). Follow the steps below to configure rate throttling based on the incoming User-Agent HTTP header.
1. Create the User:
This user exists only as the key the throttling IDP rule counts against. Every request that matches the attribute will be authenticated as this user, so give it no privileges beyond what the throttling policy needs.
ACCESS--->User Policies--->Users
2. Create a User Group:
This Group will contain the above user and will be used in the IDP rule.
ACCESS--->User Policies--->User Groups
3. Create a Task List:
This Task List will use the following Tasks:
- Identify Document - Matches the requests to be throttled by their User-Agent header; the remaining tasks act only on matched requests
- WS-Security Header - Adds a UsernameToken for the user created in step 1 to each matched request
- User Identity & Access Control - Authenticates that UsernameToken, so the request carries a "user" identity the IDP rule can throttle
- Remove WS-Security Header - Removes the WSS header again, reverting to the original request
a. Identify Document:
Suppose the User-Agent values to be throttled all start with "MyUserAgent"; the task would then be configured as in the image below.
b. WS-Security Header:
Configure the WS-Security Header task exactly as shown in the image below.
c. User Identity & Access Control:
Configure the User Identity & Access Control task as shown in the image below. This authenticates the UsernameToken supplied by the WS-Security Header task above, establishing the local user as the identity of the request.
d. Remove WS-Security Header:
This task removes the WS-Security Header added in step b above, so the request forwarded to the back end is unchanged and the synthetic credential never leaves Sentry.
4. IDP Rule:
Finally, create an IDP Rule and add the IDP Rule to the appropriate IDP Group for the policy:
IDP--->IDP Policies--->IDP Rules (click New to create a new Rule)
The following image shows that the IDP rule is enforced on the user group and only allows 5 requests per minute.
With the above setup, requests to the policy are not limited unless the User-Agent starts with "MyUserAgent" (the test client here sends "MyUserAgent 1.1/test"). After 5 such requests within a minute, the next request is rejected and I get:
Requests with any other User-Agent have no such restriction:
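The mapping and the rate limit configured in the steps above, modelled as an added Python example that is not part of this article or of Forum Sentry. The User-Agent prefix, the user and group names, and the sliding-window reading of "5 requests per minute" are assumptions. It shows why the identification step matters (unmatched requests never reach the counter), that the forwarded request is unchanged once the synthetic identity has been consumed, and that a client which merely alters its User-Agent falls outside the rule.

```python
from collections import defaultdict, deque

# Constructed example (not Forum Sentry code): models the Task List and IDP
# rule from this article. The names and limits below are assumptions.
UA_PREFIX = "MyUserAgent"          # Identify Document: User-Agent starts with this
LOCAL_USER = "ua-throttle-user"    # step 1: local user used only as the throttle key
USER_GROUP = "ua-throttle-group"   # step 2: group the IDP rule is enforced on
GROUP_MEMBERS = {LOCAL_USER: USER_GROUP}
RATE_LIMIT = 5                     # step 4: 5 requests per minute
WINDOW_SECONDS = 60


class GroupThrottle:
    """Per-group sliding-window counter (assumed semantics of 'N per minute')."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # group -> timestamps of counted requests

    def allow(self, group, now):
        q = self.hits[group]
        while q and now - q[0] >= self.window:   # discard hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def identify_user(headers):
    """Steps 3a-3c: a request whose User-Agent starts with the prefix is
    authenticated as LOCAL_USER; any other request carries no identity."""
    ua = headers.get("User-Agent", "")
    return LOCAL_USER if ua.startswith(UA_PREFIX) else None


def process(throttle, headers, now):
    """Returns (decision, forwarded_headers). Mirrors step 3d: the synthetic
    identity stays inside the gateway, so the forwarded headers are the originals."""
    user = identify_user(headers)
    if user is None:
        return "allow", dict(headers)          # IDP rule does not apply
    group = GROUP_MEMBERS[user]
    if not throttle.allow(group, now):
        return "throttled", None               # rejected, nothing forwarded
    return "allow", dict(headers)


def simulate(requests):
    """requests: list of (timestamp_seconds, headers). Returns one decision per request."""
    throttle = GroupThrottle()
    return [process(throttle, headers, ts)[0] for ts, headers in requests]


if __name__ == "__main__":
    matching = {"User-Agent": "MyUserAgent 1.1/test"}   # constructed test client
    other = {"User-Agent": "curl/8.0"}                   # constructed unthrottled client
    burst = [(float(i), matching) for i in range(7)] + [(7.0, other)]
    print(simulate(burst))   # five allowed, two throttled, curl unaffected
```

The evasion caveat from the introduction is visible in the model: a client sending "myuseragent" (or any string not starting with the configured prefix) is never mapped to the local user and is never counted.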
The attached sample FSG (Throttle-TaskList_8.3.fsg) contains the Task List detailed in this article. This FSG was built in Sentry version 8.3 and can be imported into v8.3, 8.5, or 8.7 Sentry instances. The password to import is password.