Using Web Controls for Rate Limiting

Use address sets and Web Controls to create rate limits

Web Controls enable site administrators to use pre-defined, pre-tested security and performance rule sets. Rule sets minimize the need to discover, define, and maintain a large number of individual rules. Instead, you can create rule sets that match individual request conditions and execute a set of actions predefined in the Webscale Control Panel.

You can realize the true power of Web Controls by combining multiple Web Controls to create a different experience for site visitors depending upon criteria that you specify. Rate-limiting access to a page on your website is one way that you can combine multiple Web Controls.

The following example illustrates how to rate-limit access to your site’s checkout page by using Address Sets and Web Controls. It includes testing the Web Controls to make sure that they are correctly rate-limiting.

The example rate-limits an IP address when a customer at that address attempts to make five or more requests to the checkout page within one minute. Review Using Traffic Viewer to understand the normal request rate for your application’s checkout page and adjust the Web Control accordingly. If you are unsure what rate to choose, you can also Contact Support for assistance.

Address Sets

This example uses dynamic and manual address sets. A Dynamic Address Set is a set of IP addresses that can change over time. In this example, you will create a Web Control that adds addresses to a dynamic address set. You will name it “Rate-limited Addresses.”

A Manual Address Set is a set of static IP addresses. A manual address set requires you to manually add addresses. In this example, you will add addresses that usually should not be rate-limited, such as your web developer’s IP address. You will name it “Rate-limited Address Exceptions.”

For instructions on how to create dynamic and manual address sets, see Working with Address Sets.

Create the Web Controls

After you create the address sets, you can create Web Controls that use them. For this example, you will create three Web Controls: “Allow rate limit exceptions,” “Rate limit checkout access,” and “Block rate-limited addresses.”

After you create the Web Controls, you will test them.

Access Web Controls

  1. Click the three vertical dots menu icon on the upper right corner of the application box and select Edit.

    Select Edit from application box

    -or-

    On your application page, click the Actions menu icon and select Start maintenance.

    Select Edit from Action menu

Create the Allow rate limit exceptions Web Control

  1. Click Web Controls on the sidebar menu. On the Web Controls page, click Add A Web Control.
  2. Enter “Allow rate limit exceptions” as the name of the Web Control. Optionally, add a description.
  3. Choose the Condition - Click Add condition, and from the dropdown choose IP address in set. In the Select address set… dropdown, choose the Rate-limited Address Exceptions address set. Click Done.
  4. Choose the Action - Click Add action. From the drop-down menu, choose Discontinue under the Final Actions section. Click Done.

Create the Rate limit checkout access Web Control

  1. Click Web Controls on the sidebar menu. On the Web Controls page, click Add A Web Control.
  2. Enter “Rate limit checkout access” as the name of the Web Control. Optionally, add a description.
  3. Choose the Condition by clicking Add condition. From the drop-down menu, choose URL matches.
  4. Choose the Scheme, Domain, Path, and Query. Enter “checkout” as the path. Click Add, then Done.
  5. Choose the second Condition by clicking Add condition. From the drop-down menu, choose Rate limit. Next, choose a Threshold, Duration, and Unit. For Threshold, enter 5. For Duration, enter 1. For Unit, choose Minutes. Click Done.
  6. Choose the Action by clicking Add action. From the drop-down menu, choose Add Address to Set. From the second drop-down menu, choose the Rate-limited Addresses address set. Make sure to set an expiration date. You can use the slider or click the toggle for a custom time. For this example, choose one hour. Click Done.

Create the Block rate-limited addresses Web Control

  1. Click Web Controls on the sidebar menu. On the Web Controls page, click Add A Web Control.
  2. Enter “Block rate-limited addresses” as the name of the Web Control. Optionally, add a description.
  3. Choose the Condition by clicking Add condition. From the drop-down menu, choose IP address in set. In the Select address set… dropdown, choose the Rate-limited Addresses address set. Click Done.
  4. Choose the second Condition by clicking Add condition. From the drop-down menu, choose URL matches.
  5. Choose the Scheme, Domain, Path, and Query. Enter “checkout” as the Path. Click Add, then Done.
  6. Choose the Action by clicking Add action. From the drop-down menu, choose Deny Request under the Final Actions section. In the HTTP Status Code field, enter “403.” In the Response Body field, enter “Forbidden.” Click Done.

Set Web Controls order and enable Web Controls

After you create all three Web Controls, you will set their order and enable them.

To set the order of the Web Controls, click the three vertical dots next to Web Controls at the top of the Web Controls list, and choose Unlock order from the list. Then, click on the Web Control you wish to move in the list. The “Allow rate limit exceptions” Web Control should be first, followed by “Rate limit checkout access” and ending with “Block rate-limited addresses”. When done, click the three vertical dots next to Web Controls at the top of the Web Controls list, and choose Lock order from the list.

To enable the Web Controls, click the checkbox next to Enabled. When enabled, there is a checkmark in the box. To disable a Web Control, click the checkbox again. This will empty the checkbox. When done, they should look like the following screenshot:

Completed Web Controls

Testing

To test, attempt to load the URL specified in the Web Control condition, for example “https://example.com/checkout.php”. Do this at least 5 times within 1 minute. You should then see the behavior specified in the Web Control. In the example used here, the Web Control causes a 403 error and the text Forbidden is displayed in the web browser. You can also review Traffic Viewer to see if the Web Control executed as expected. Try filtering with delivery_status>-1 and status_code>403.
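To reason about what the test should show before you run it, the following added example models the three Web Controls in their locked order; it is not Webscale code. It assumes that controls are evaluated top to bottom, that Discontinue stops evaluation, that Add Address to Set is not a final action, that the path condition is a substring match, and that the Rate limit condition fires on the fifth request in the window. The class, function, and sample addresses are constructed for illustration.

```python
from collections import defaultdict, deque

CHECKOUT = "checkout"          # path value entered in the "URL matches" condition
THRESHOLD, WINDOW = 5, 60      # Rate limit condition: 5 requests per 1 minute
BLOCK_TTL = 3600               # expiration chosen for "Add Address to Set": one hour

class WebControlsModel:
    """Hypothetical model of the three Web Controls, evaluated in locked order."""

    def __init__(self, exceptions):
        self.exceptions = set(exceptions)   # manual set: Rate-limited Address Exceptions
        self.limited = {}                   # dynamic set: address -> expiry time
        self.hits = defaultdict(deque)      # address -> recent checkout request times

    def handle(self, ip, path, now):
        """Return the HTTP status the visitor would see for one request."""
        # 1. Allow rate limit exceptions: Discontinue (assumed to skip the rest).
        if ip in self.exceptions:
            return 200
        on_checkout = CHECKOUT in path      # assumption: substring match on the path
        # 2. Rate limit checkout access: count the request; at the threshold,
        #    add the address to the dynamic set (assumed non-final action).
        if on_checkout:
            window = self.hits[ip]
            window.append(now)
            while window[0] <= now - WINDOW:
                window.popleft()
            if len(window) >= THRESHOLD:
                self.limited[ip] = now + BLOCK_TTL
        # 3. Block rate-limited addresses: Deny Request with 403, checkout only.
        if on_checkout and self.limited.get(ip, 0) > now:
            return 403
        return 200

def replay(model, requests):
    """Run (ip, path, time) tuples through the model; return the status codes."""
    return [model.handle(ip, path, t) for ip, path, t in requests]

# Constructed sample traffic; addresses come from documentation ranges.
VISITOR, DEVELOPER = "203.0.113.10", "198.51.100.7"
burst = [(VISITOR, "/checkout.php", t) for t in range(0, 50, 10)]   # 5 requests in 40 s
later = [(VISITOR, "/", 50), (VISITOR, "/checkout.php", 3000),
         (VISITOR, "/checkout.php", 3700)]                          # last is past expiry
dev = [(DEVELOPER, "/checkout.php", t) for t in range(6)]           # exception address

if __name__ == "__main__":
    m = WebControlsModel(exceptions=[DEVELOPER])
    print(replay(m, burst + later), replay(m, dev))
```

In this model the blocked visitor can still load other pages, and the exception address is never counted because the first control ends evaluation before the rate limit control runs.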

Summary

For this scenario, you used Address Sets and Web Controls to rate-limit the checkout page of a website. This can help reduce load on the checkout page of your application, ensuring that only legitimate and productive activity is happening on this crucial area of the application, without permanently blocking traffic that may not actually be harmful. Using multiple Web Controls in this manner allows for great flexibility and powerful control over your web applications.

Further reading

Have questions not answered here? Please Contact Support to get more help.


Last modified January 28, 2021