AWS WAF rate limit per hostname

Posted 2025-02-10 12:19:33, 355 characters, 3 views, 0 comments

So far we've been using a rate limit rule for a single host - 300 requests per 5 minutes for foo.dev.com (the entry resolves to an ALB).

Now we want to split the rule up a bit more, so that we have different rules for different hostnames (all resolving to the same ALB) and achieve, for example:

  • aaa-foo.dev.com - 100 requests per 5 minutes
  • bbb-foo.dev.com - 200 requests per 5 minutes

aaa and bbb will be different clients that our app will serve.

Please help out with some hints!

Comments (1)

执手闯天涯 2025-02-17 12:19:33


Here is how I managed to solve this: I used a ByteMatchStatement checking whether the host header STARTS_WITH '{clientname}'. Hope it helps someone:

{
  "Name": "foobar-acl",
  "DefaultAction": {
    "Allow": {}
  },
  "Description": "",
  "Rules": [
    {
      "Name": "rate-limit-main",
      "Priority": 0,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 3000,
          "AggregateKeyType": "IP"
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 429,
            "CustomResponseBodyKey": "html_responce"
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": false,
        "CloudWatchMetricsEnabled": false,
        "MetricName": "foobar-rate-limit-main"
      }
    },
    {
      "Name": "rate-limit-clientname",
      "Priority": 1,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 100,
          "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "ByteMatchStatement": {
              "SearchString": "clientname",
              "FieldToMatch": {
                "SingleHeader": {
                  "Name": "host"
                }
              },
              "TextTransformations": [
                {
                  "Priority": 1,
                  "Type": "NONE"
                }
              ],
              "PositionalConstraint": "STARTS_WITH"
            }
          }
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 409,
            "CustomResponseBodyKey": "html_responce"
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": false,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "foobar-clientname"
      }
    },
    {
      "Name": "rate-limit-clientname2",
      "Priority": 21,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 100,
          "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "ByteMatchStatement": {
              "SearchString": "clientname2",
              "FieldToMatch": {
                "SingleHeader": {
                  "Name": "host"
                }
              },
              "TextTransformations": [
                {
                  "Priority": 2,
                  "Type": "NONE"
                }
              ],
              "PositionalConstraint": "STARTS_WITH"
            }
          }
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 409,
            "CustomResponseBodyKey": "html_responce"
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": false,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "foobar-clientname2"
      }
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": false,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "foobar-acl"
  },
  "Capacity": 6,
  "ManagedByFirewallManager": false,
  "CustomResponseBodies": {
    "html_responce": {
      "ContentType": "TEXT_HTML",
      "Content": "<div>You exceeded the maximum number of requests !</div>"
    }
  }
}
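A simplified model of how these rules evaluate a request, added here as an example; it is not the poster's configuration and not AWS WAF's own engine (WAF counts over a trailing five-minute window with some lag, and the IPs, hostnames and request timings below are constructed). It encodes the posted rules with their bare STARTS_WITH prefixes and shows that a request for clientname2-foo.dev.com also satisfies the scope-down of rate-limit-clientname, so it is throttled by the priority-1 rule (limit 100) before its own rule is ever reached. The tightened variant is a hypothetical change, not part of the answer: it matches the full hostnames from the question EXACTLY, so each client's traffic only counts against its own rule while the priority-0 rule still caps every source IP regardless of Host header.

```python
"""Model of AWS WAF rate-based rules scoped by a ByteMatchStatement on the
Host header. Added example; not the posted ACL and not the WAF service itself.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # rate-based rules count requests over a 5-minute window


def host_matches(host, search_string, positional_constraint):
    """ByteMatchStatement semantics for the two PositionalConstraints used here."""
    h, s = host.lower(), search_string.lower()
    if positional_constraint == "STARTS_WITH":
        return h.startswith(s)
    if positional_constraint == "EXACTLY":
        return h == s
    raise ValueError("unsupported PositionalConstraint: " + positional_constraint)


class RateBasedRule:
    """One RateBasedStatement with AggregateKeyType IP and an optional
    scope-down given as (SearchString, PositionalConstraint) on the Host header."""

    def __init__(self, name, priority, limit, scope_down=None):
        self.name, self.priority, self.limit = name, priority, limit
        self.scope_down = scope_down
        self._seen = defaultdict(deque)  # source IP -> timestamps inside the window

    def in_scope(self, host):
        return self.scope_down is None or host_matches(host, *self.scope_down)

    def count_and_check(self, ip, now):
        """Record one request for ip; True once the window holds more than Limit."""
        q = self._seen[ip]
        q.append(now)
        while q and now - q[0] >= WINDOW_SECONDS:  # drop timestamps that aged out
            q.popleft()
        return len(q) > self.limit


def matching_rules(rules, host):
    """Names of the rules whose scope-down admits this Host header, by priority."""
    return [r.name for r in sorted(rules, key=lambda r: r.priority) if r.in_scope(host)]


def evaluate(rules, ip, host, now):
    """Walk rules by priority; return the first rule that blocks, else None.
    A blocking rule terminates evaluation, so lower-priority rules never see
    the request (and do not count it), matching WAF's first-terminating-action order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.in_scope(host) and rule.count_and_check(ip, now):
            return rule.name
    return None


def page_rules():
    """The three rules from the posted ACL: bare prefixes with STARTS_WITH."""
    return [
        RateBasedRule("rate-limit-main", 0, 3000),
        RateBasedRule("rate-limit-clientname", 1, 100, ("clientname", "STARTS_WITH")),
        RateBasedRule("rate-limit-clientname2", 21, 100, ("clientname2", "STARTS_WITH")),
    ]


def tightened_rules():
    """Hypothetical variant: full hostnames from the question, matched EXACTLY,
    with the 100 / 200 limits the question asks for."""
    return [
        RateBasedRule("rate-limit-main", 0, 3000),
        RateBasedRule("rate-limit-aaa", 1, 100, ("aaa-foo.dev.com", "EXACTLY")),
        RateBasedRule("rate-limit-bbb", 2, 200, ("bbb-foo.dev.com", "EXACTLY")),
    ]


def first_block(rules, ip, host, n_requests, spacing=1.0):
    """Send n_requests from ip to host, `spacing` seconds apart (constructed
    traffic); return (request_index, rule_name) of the first block, or None."""
    for i in range(1, n_requests + 1):
        blocked_by = evaluate(rules, ip, host, i * spacing)
        if blocked_by:
            return i, blocked_by
    return None


if __name__ == "__main__":
    host = "clientname2-foo.dev.com"
    print(host, "matches:", matching_rules(page_rules(), host))
    print("posted rules, 150 requests:", first_block(page_rules(), "203.0.113.7", host, 150))
    print("tightened, aaa, 150 requests:",
          first_block(tightened_rules(), "203.0.113.7", "aaa-foo.dev.com", 150))
```

The overlap is the point to check before deploying a prefix-based scope-down: with STARTS_WITH, pick a SearchString that includes the separator that follows the client name (or use EXACTLY on the full hostname, as the tightened variant does), and confirm that each of the CloudWatch metrics named in the ACL only moves for its own client's traffic. The last test case in the model also shows the window behaviour: the same 150 requests spread four seconds apart never exceed 100 within any five-minute span and are not blocked.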