How to Use Web Controls to Rate Limit

How to use address sets and Web Controls to create a rate limit.

Web Controls enable site administrators to use pre-defined, pre-tested security or performance rulesets based on their e-commerce application, minimizing the need to discover, define, and maintain the rules themselves. You can create individual rules that match request conditions and execute a set of actions you define in your Webscale Control Panel.

The true power of Web Controls can be realized by combining multiple Web Controls to create a different experience for site visitors depending upon criteria you specify. An example of this is rate-limiting access to a page on your website. In this tutorial, we will talk about rate-limiting access to your site’s checkout page using Address Sets and Web Controls. We will create two (2) Address Sets and three (3) Web Controls. Finally, we’ll test it to see if it’s working as expected.

Create a Dynamic Address Set

A Dynamic Address Set is a set of addresses that changes over time: entries are added automatically by Web Control actions and drop out again when the expiry set on that action elapses. In this tutorial we will create a Web Control that adds addresses to this set.

  1. Log in to your Webscale Control Panel, and click the hamburger icon on the upper left of the screen. Select Address Sets from the menu.
  2. Click the Create set button on the upper right. In the Type dropdown, select dynamic. Give the address set a descriptive name so you can identify it later. “Rate-limited Addresses”, for example. You can also add a description (optional).
    Address Set creation dialog showing Dynamic Address Set creation
  3. Click the Save button to save the new address set.

Create a Manual Address Set

A Manual Address Set is static: addresses are only added to or removed from the list by hand. In this tutorial, we’ll use this list for addresses that should not be rate-limited - for example, your web developer’s IP address.

  1. Log in to your Webscale Control Panel, and click the hamburger icon on the upper left of the screen. Select Address Sets from the menu.
  2. Click the Create set button on the upper right. In the Type dropdown, select manual. Give the address set a descriptive name so you can identify it later. “Rate-limited Address Exceptions”, for example. You can also add a description (optional).
  3. You can also optionally add some addresses to the set now. In the Add an entry section, enter the IP addresses or CIDR ranges separated by spaces or commas. Then add an optional description if you choose, and select the TTL (Time-To-Live) by adjusting the slider. In production we don’t recommend choosing “Never” here: an entry that never expires is a permanent bypass of the rate limit, and it stays in force even if the address is later reassigned to someone else.
    Address Set creation dialog showing Manual Address Set creation
  4. Click the Save button to save the new address set.

Create the Web Controls

Once the address sets have been created, Web Controls can be created that use the address sets. In this case we will create three (3) Web Controls:

  • One (1) that handles the exceptions to the rate limiting using the Manual Address Set we created above. We’ll call this one “Allow rate limit exceptions”.
  • One (1) that adds addresses to the Dynamic Address Set we created above when they exceed the rate limit. We’ll call this one “Rate limit checkout access”.
  • A final one (1) that blocks checkout requests from any address currently in the Dynamic Address Set. We’ll call this one “Block rate-limited addresses”.

Once done with creating the Web Controls, we’ll test them.

Create “Allow rate limit exceptions” Web Control

  1. Click Web Controls on the left-hand menu. Scroll down and click the Add A Web Control button.
  2. Name the Web Control - In this example we’ll use “Allow rate limit exceptions”. You can also add an optional description.
  3. Choose the Condition - Click Add condition, and from the dropdown choose IP address in set. In the Select address set… dropdown, choose the “Rate-limited Address Exceptions” set we created above. Click the Done button.
  4. Choose the Action - Click Add action, and from the dropdown choose Discontinue under the Final Actions section. Click the Done button. Discontinue stops Web Control processing for the request, so none of the Web Controls that follow this one are applied to addresses in the exception set.

Create “Rate limit checkout access” Web Control

  1. Click Web Controls on the left-hand menu. Scroll down and click the Add A Web Control button.
  2. Name the Web Control - In this example we’ll use “Rate limit checkout access”. You can also add an optional description.
  3. Choose the Condition - Click Add condition, and from the dropdown choose URL matches.
  4. Now choose the Scheme, Domain, Path, and Query. In this example we’ll just set the Path - enter *checkout* in the text field, and leave the rest alone. The asterisks are wildcards, so this matches any path that contains “checkout” (for example /checkout.php or /onepage/checkout/). Click the Add button, then the Done button.
  5. Choose the second Condition - Click Add condition, and from the dropdown choose Rate limit. Now choose a Threshold, Duration, and Unit. For Threshold, enter 5, for Duration enter 1, and for Unit choose Minutes. Click the Done button.
  6. Choose the Action - Click Add action, and from the dropdown choose Add Address to Set. From the second dropdown, choose the Address Set created above, “Rate-limited Addresses”. Make sure to set an expiry - you can choose from the slider or click the toggle for a custom time. In this example, we’ll choose 1 hour. The expiry is how long the address stays blocked from checkout after it trips the limit; once it elapses, the address drops out of the set and is treated like any other visitor again. Click the Done button.

Create “Block rate-limited addresses” Web Control

  1. Click Web Controls on the left-hand menu. Scroll down and click the Add A Web Control button.
  2. Name the Web Control - In this example we’ll use “Block rate-limited addresses”. You can also add an optional description.
  3. Choose the Condition - Click Add condition, and from the dropdown choose IP address in set. In the Select address set… dropdown, choose the “Rate-limited Addresses” set we created above. Click the Done button.
  4. Choose the second Condition - Click Add condition, and from the dropdown choose URL matches.
  5. Now choose the Scheme, Domain, Path, and Query. In this example we’ll just set the Path - enter *checkout* in the text field, and leave the rest alone. Use the same pattern as in the “Rate limit checkout access” Web Control, so that the block applies to exactly the pages that were rate-limited. Click the Add button, then the Done button.
  6. Choose the Action - Click Add action, and from the dropdown choose Deny Request under the Final Actions section. In the HTTP Status Code field, type 403, and in the Response Body field, type Forbidden. Click the Done button.

Set Web Control order and enable Web Controls

Now that all three (3) Web Controls are created, we’ll set their order and enable them.

To set the order of the Web Controls, click the 3 vertical dots next to Web Controls at the top of the Web Controls list, and choose Unlock order from the list. Then, click on the Web Control you wish to move in the list. The “Allow rate limit exceptions” Web Control should be first, followed by “Rate limit checkout access” and ending with “Block rate-limited addresses”. The order matters: Web Controls are evaluated from the top down, and the Discontinue action in “Allow rate limit exceptions” only protects your developers if it runs before the rate-limiting and blocking Web Controls. When done, click the 3 vertical dots next to Web Controls at the top of the Web Controls list, and choose Lock order from the list.

To enable the Web Controls, click the checkbox next to Enabled. When enabled, there is a checkmark in the box. To disable a Web Control, click the checkbox again. This will empty the checkbox. When done, they should look like the following screenshot:

Completed Web Controls
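
The following is an added example, not code from Webscale or from this tutorial: a small Python model of the three Web Controls above, evaluated in the order just set, so you can see why the order matters before touching production traffic. It assumes that Web Controls run top to bottom, that Discontinue passes the request through and stops evaluation, that Add Address to Set is not a final action so later Web Controls still run, and that the rate limit counts only requests satisfying the Web Control’s other conditions and trips once the count inside the window exceeds the threshold. The addresses, paths and timings are constructed; whether the real product trips on the 5th or the 6th request is not stated in this tutorial.

```python
"""Model of the tutorial's three Web Controls. Added example, not Webscale code."""
import ipaddress
from collections import deque
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Request:
    ip: str
    path: str
    t: float  # seconds since an arbitrary epoch


class ManualSet:
    """Static list of IPs or CIDR ranges ("Rate-limited Address Exceptions")."""

    def __init__(self, entries):
        self.nets = [ipaddress.ip_network(e, strict=False) for e in entries]

    def __contains__(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)


class DynamicSet:
    """Addresses added by a Web Control action, each with its own expiry ("Rate-limited Addresses")."""

    def __init__(self):
        self.expires_at = {}

    def add(self, ip, now, ttl):
        self.expires_at[ip] = now + ttl

    def contains(self, ip, now):
        return self.expires_at.get(ip, 0) > now


class RateLimit:
    """Sliding window per IP: trips when more than `threshold` hits fall in `window` seconds (assumption)."""

    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.hits = {}

    def exceeded(self, ip, now):
        q = self.hits.setdefault(ip, deque())
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q) > self.threshold


def evaluate(rules, req):
    """Walk the ordered Web Controls; return the status the edge sends (200 = forwarded to origin)."""
    for _name, conditions, action in rules:
        if not all(cond(req) for cond in conditions):  # all() short-circuits, so the
            continue                                    # rate counter only ticks on matching URLs
        if action[0] == "discontinue":                  # final action: stop, pass through
            return 200
        if action[0] == "add":                          # non-final: record and keep going
            action[1].add(req.ip, req.t, action[2])
            continue
        if action[0] == "deny":                         # final action: Deny Request
            return action[1]
    return 200


def run_scenario(allow_first=True):
    """Constructed traffic; allow_first=False puts the exception Web Control last instead of first."""
    exceptions = ManualSet(["198.51.100.7", "203.0.113.0/24"])  # constructed developer addresses
    limited = DynamicSet()
    checkout_rl = RateLimit(threshold=5, window=60)              # 5 per 1 minute, as in the tutorial

    allow = ("Allow rate limit exceptions", [lambda r: r.ip in exceptions], ("discontinue",))
    limit = ("Rate limit checkout access",
             [lambda r: fnmatchcase(r.path, "*checkout*"), lambda r: checkout_rl.exceeded(r.ip, r.t)],
             ("add", limited, 3600))                              # expiry 1 hour
    block = ("Block rate-limited addresses",
             [lambda r: limited.contains(r.ip, r.t), lambda r: fnmatchcase(r.path, "*checkout*")],
             ("deny", 403))
    rules = [allow, limit, block] if allow_first else [limit, block, allow]

    shopper = [evaluate(rules, Request("192.0.2.10", "/checkout.php", t)) for t in range(7)]
    developer = [evaluate(rules, Request("198.51.100.7", "/checkout.php", t)) for t in range(7)]
    return {
        "shopper": shopper,                                                                  # 5 x 200, then 403
        "shopper_after_window": evaluate(rules, Request("192.0.2.10", "/checkout.php", 120)),  # still 403: set entry lives 1 h
        "shopper_homepage": evaluate(rules, Request("192.0.2.10", "/", 121)),                 # 200: only checkout is blocked
        "shopper_after_expiry": evaluate(rules, Request("192.0.2.10", "/checkout.php", 3700)),  # 200 again
        "developer": developer,
    }


if __name__ == "__main__":
    for order in (True, False):
        print("exception rule first" if order else "exception rule last", run_scenario(order))
```

With the exception Web Control first, the developer address gets 200 on every request; move it to the bottom and the developer trips the limit like any shopper, because “Rate limit checkout access” and “Block rate-limited addresses” have already acted before Discontinue is reached. The model also shows two properties of this design worth keeping in mind: a tripped address stays blocked for the full expiry even after the one-minute window has passed, and it is blocked only on checkout paths, not site-wide.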

Testing

To test, attempt to load the URL specified in the Web Control condition, i.e. “https://example.com/checkout.php”, from an address that is not in the “Rate-limited Address Exceptions” set (requests from exempt addresses are never rate-limited, so nothing will happen). Do this at least 5 times within 1 minute - you should then see the behavior specified in the Web Control. In the example we used here, the Web Control will cause a 403 error to occur and the text Forbidden should be displayed in the web browser. Because the address is added to “Rate-limited Addresses” with a 1 hour expiry, the 403 will continue for the rest of that hour even though the one-minute window has passed; other pages on the site remain reachable. You can also review Traffic Viewer to see if the Web Control executed as expected. Try filtering with delivery_status>-1 together with a status_code filter that matches the 403 returned by the Deny Request action (a filter of status_code>403 would exclude those responses).
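
A scripted version of that test, added here as an example rather than taken from the tutorial, removes the guesswork of counting browser reloads: it sends a fixed number of GET requests to the checkout URL, records every status code including 4xx responses, and reports which request was the first to be denied. The URL and the default of 7 requests one second apart are assumptions; the `fetch` parameter exists so the loop can be exercised offline with a stand-in for the HTTP call.

```python
"""Scripted probe for the Testing step. Added example, not Webscale code."""
import sys
import time
import urllib.error
import urllib.request


def http_status(url, timeout=10):
    """One GET; return (status code, first 80 bytes of body) even for 4xx/5xx responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "ratelimit-probe/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(80)
    except urllib.error.HTTPError as err:  # Deny Request answers 403, which urllib raises
        return err.code, err.read(80)


def probe(url, count=7, interval=1.0, fetch=http_status):
    """Send `count` GETs `interval` seconds apart; return the list of status codes seen."""
    statuses = []
    for i in range(count):
        status, body = fetch(url)
        statuses.append(status)
        print(f"request {i + 1:2d}: {status} {body[:40]!r}")
        if i + 1 < count:
            time.sleep(interval)
    return statuses


def first_denied(statuses, code=403):
    """1-based index of the first response carrying `code`, or None if none was denied."""
    for i, status in enumerate(statuses, 1):
        if status == code:
            return i
    return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/checkout.php"  # assumed URL
    seen = probe(target)
    hit = first_denied(seen)
    print("first 403 on request", hit if hit else "none (limit not reached?)")
```

Run it as `python probe.py https://your-store.example/checkout.php` from an address outside the exception set; with the 5-per-minute threshold above you should see the 403 appear around the sixth request and persist for the rest of the expiry period on any later run.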

Summary

In this tutorial, we used Address Sets and Web Controls to rate-limit the checkout page of a website. This can help reduce load on the checkout page of your application, ensuring that only legitimate and productive activity is happening on this crucial area of the application, without permanently blocking traffic that may not actually be harmful. Using multiple Web Controls in this manner allows for great flexibility and powerful control over your web applications.

Further Reading

Have questions not answered here? Please Contact Support to get more help.


Last modified January 28, 2021