Refer to the sections below for details on the client limiting options.

Maximum Client Concurrent Connection Limit

In the Maximum Client Concurrent Connection Limit section, you must configure the global Client Concurrent Connection Limit before you get options to configure concurrent connection limits for particular addresses or networks. The Client Concurrent Connection Limit limits the default maximum number of concurrent connection attempts (per second) from a specific host. Setting the limit to 0 disables this option. Valid values range from 0 - 1000000.

When you set a Client Concurrent Connection Limit, each client has this limit unless you have a specific entry for that client. If there is a specific limit entry for a client, the client-specific limit is applied. The options allow you to specify addresses or networks with particular limits for the concurrent connection attempts (per second) from that specific host/network. If you specify a subnet, all clients in the subnet get the same limit.

Note: The global Maximum Concurrent Connection value takes precedence over the client concurrent connection limits. If you try to set a client concurrent connection limit to a value greater than what is currently configured as the Maximum Concurrent Connections limit, you will get an error message.
Note: If you attempt to set a new specific concurrent connection limit for a particular address or network that has a limit that is greater than the Client Concurrent Connection Limit, you will get a warning message and will be asked if you want to continue and confirm the change.

Client Connections/sec Limit

In the Client Connections/sec Limit section, you must configure the global Client Connection Limit before you get options to configure the CPS limits for particular addresses or networks. The Client Connection Limit limits the default maximum number of connection attempts (per second) from a specific host. Setting the limit to 0 disables this option. Valid values range from 0 - 1000000.

When you set a Client Connection Limit, each client has this limit unless you have a specific entry for that client. If there is a specific limit entry for a client, the client-specific limit is applied. The options allow you to specify addresses or networks with particular limits for connection attempts (per second) from that specific host/network. If you specify a subnet, all clients in the subnet get the same limit. When there are multiple subnets, the lower limit applies.

Note: The Global Connections/s Limit value takes precedence over the client CPS limits. If you try to set a client CPS limit to a value greater than what is currently configured as the Global Connections/s Limit, you will get an error message.
Note: If you attempt to set a new specific CPS limit for a particular address or network that has a limit that is greater than the Client Connection Limit, you will get a warning message and will be asked if you want to continue and confirm the change.

Client Requests/sec Limit

In the Client RPS Limit section, you must configure the global Client HTTP Request Limit before you get options to configure the RPS limits for particular addresses or networks. The Client HTTP Request Limit limits the default maximum number of HTTP request attempts (per second) from a specific host. This has no effect on non-HTTP traffic. Setting the limit to 0 disables this option. Valid values range from 0 - 1000000.

When you set a Client HTTP Request Limit, each client has this limit unless you have a specific entry for that client. If there is a specific limit entry for a client, the client-specific limit is applied. The options allow you to specify addresses or networks with particular limits for HTTP request attempts (per second) from that specific host/network. If you specify a subnet, all clients in the subnet get the same limit. When there are multiple subnets, the lower limit applies.

Note: The Global HTTP Requests/s Limit value takes precedence over the client RPS limits. If you try to set a client RPS limit to a value greater than what is currently configured as the Global HTTP Requests/s Limit, you will get an error message.
Note: If you attempt to set a new specific RPS limit for a particular address or network that has a limit that is greater than the Client HTTP Request Limit, you will get a warning message and will be asked if you want to continue and confirm the change.

Client Bandwidth Limit

In the Client Bandwidth Limit section, you must configure the global Client Bandwidth Limit before you get options to configure the bandwidth limits for particular addresses or networks. The Client Bandwidth Limit sets the default maximum bandwidth (per second) for a specific host. Setting the limit to 0 disables this option. Units are in kilobits/second. The minimum value is 16 kilobits/second (2 kilobytes/second). The maximum is the value configured in the Global Bandwidth Limit. When calculating bandwidth, data in both directions is tracked and used. This means both client-side and server-side data are tracked and used as part of the calculation.

When you set a Client Bandwidth Limit, each client has this limit unless you have a specific entry for that client. If there is a specific limit entry for a client, the client-specific limit is applied. The options allow you to specify addresses or networks with particular limits for bandwidth used by that specific host/network. If you specify a subnet, all clients in the subnet get the same limit. When there are multiple subnets, the lower limit applies.

Note: The Global Bandwidth Limit value takes precedence over the client bandwidth limits. If you try to set a client bandwidth limit to a value greater than what is currently configured as the Global Bandwidth Limit, you will get an error message.
Note: If you attempt to set a new specific bandwidth limit for a particular address or network that has a limit that is greater than the Client Bandwidth Limit, you will get a warning message and will be asked if you want to continue and confirm the change.
Note: You can also configure per-Virtual Service bandwidth limiting. For further details, refer to the Per-Virtual Service Bandwidth Limiting section. The lowest of the three possible limits (global, client, and Virtual Service) that is reached first is enforced. Note that the global limit is for all Virtual Services, the Virtual Service limit is for the current Virtual Service with multiple clients, and the client limit is for a single client.
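The precedence rules that the four client-limit sections above share (a client-specific entry overrides the default client limit, the lowest limit wins when several subnets contain the client, an entry above the global limit is rejected, and 0 disables limiting), as an added Python example that is not LoadMaster code; the global limit, default client limit and network entries are constructed values, and the example assumes the lowest-limit rule also applies when a single-host entry and a subnet both match:

```python
import ipaddress

class LimitConfigError(ValueError):
    """A per-address limit above the global limit is rejected (the 'error message' case)."""

def validate_client_entry(global_limit, client_default, entry_limit):
    """Apply the two Note rules: above the global limit is an error; above the
    default client limit is allowed but returns True to signal the confirmation warning."""
    if entry_limit > global_limit:
        raise LimitConfigError(f"{entry_limit} exceeds the global limit {global_limit}")
    return entry_limit > client_default

def effective_limit(client_ip, client_default, entries):
    """Limit that applies to one client. `entries` is a list of (address or CIDR, limit).
    Every entry containing the client is considered and the lowest limit wins, as stated
    for overlapping subnets (assumed here to hold for a host entry inside a subnet too).
    With no matching entry the default client limit applies."""
    ip = ipaddress.ip_address(client_ip)
    matching = [limit for net, limit in entries
                if ip in ipaddress.ip_network(net, strict=False)]
    return min(matching) if matching else client_default

def allowed(attempts_this_second, limit):
    """A limit of 0 disables limiting; otherwise attempts above the limit are refused."""
    return limit == 0 or attempts_this_second <= limit

# Constructed example: global CPS limit 1000, default client CPS limit 100,
# and per-network entries (values made up for the demonstration).
GLOBAL_CPS = 1000
CLIENT_DEFAULT_CPS = 100
CPS_ENTRIES = [("10.0.0.0/8", 50), ("10.1.0.0/16", 20), ("192.168.1.10", 200)]
```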

URL Based Limiting

URL Based Limiting is based on fields in an HTTP request. A request consists of a URL, Method, and request headers. Host and User-Agent are request headers. The LoadMaster URL-based limiting rules inspect the field selected in the Match drop-down list (Request URL, Host, User Agent, Method, !Request URL, !Host, !User Agent, or !Method). If the limit is hit, the LoadMaster sends a response code (as set in the Error Responses drop-down list in the Limiter Options section).

Note: The values with an exclamation mark (!) before them match the inverse, for example, not a specific request or not a specific user agent.

The above screenshot shows a simple example. If a request comes into the LoadMaster with a host header of abc.com, this rule is triggered, and if the requests per second are greater than the limit set on the rule, the LoadMaster limits the request and sends the response selected in the Error Responses drop-down list.

Here is a further breakdown of this example:

  • A rule exists for a host abc.com with a Limit of 5 RPS

  • The Error Responses drop-down list is set to Send 429 Too Many Requests

  • Requests or traffic with the specified host header is hitting the RPS limit (sending 10 RPS)

  • For the requests breaching the limit, a 429 Rate Limited response with the body Rate limit exceeded is sent

The request should have the host header as abc.com, for example:

GET /a.html HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
host: abc.com

Here is the example response when the limit is not hit:

HTTP/1.1 200 OK
Date: Tue, 08 Sep 2020 15:15:33 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Fri, 15 Feb 2019 07:40:17 GMT
ETag: "1d-581e9e2e8d033"
Accept-Ranges: bytes
Content-Length: 29
Accept: */*
User-Agent: qa-agen
Accept-Encoding: gzip, deflate
Connection: keep-alive, Keep-Alive
host: abc.com
Via: 1.1 172.16.178.55:80
X-Forwarded-For: 172.16.128.217
X-Forwarded-For-Port: 54385
MyHeader1: D=138 t=1599578133851755
Keep-Alive: timeout=150, max=100
Content-Type: text/html

Here is the example response when the RPS limit is hit:

HTTP/1.1 429 Rate Limited
Date: Tue, 08 Sep 2020 15:15:33 GMT
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Connection: close
Content-Length: 84
Content-Type: text/html
<html><head><title>429 Rate Limited</title></head><body>Rate limit exceeded</body>

The User-Agent header works similarly to the Host example provided above.

In the URL Based Limiting section, you can configure the following options for a specific URL-based limiting rule:

  • Name: The name of the new request limit. This must be unique, alpha-numeric (underscores are also allowed) and it must not start with a number.
  • Limit: Limit the number of attempts (per second) to a specific request/URL. Valid values range from 0 - 1000000. Setting the value to 0 disables the rule (but does not delete it). This can be useful when testing; for example, a rule with a limit of 0 does not incur a performance impact on the system.
  • Match: The request field/URL to match. This drop-down list contains the following values:
    • Request URL
    • Host
    • User Agent
    • !Request URL
    • !Host
    • !User Agent
  • Match String: The pattern (regular expression) to use to match the request field/URL.

When processing HTTP traffic (non-HTTP traffic is not affected), the URL is matched against the set of rules that contain regular expressions. Each rule has a limit associated with it. If the number of requests per second exceeds the specified limit, the request is blocked and the connection is closed (an error response can be sent if an appropriate selection is made in the Error Responses drop-down list).

If a specific request could match more than one rule, the limit is applied to the first rule that matches in the list. You can change the order of the rules using the Move option.

You can also modify or delete any existing rules.

URL Based Limiting Rule Examples

Some examples of URL-based limiting rules that are common for ECS deployments are provided below.

ECS Namespace: https://s3.kemp.ax

This example limits client access to an entire application and all of its buckets. This example uses the Host matching method:

/^s3\.kemp\.ax$/

ECS Bucket (Path Style Addressing): https://s3.kemp.ax/bucket1

This example limits client access to a specific bucket. This example uses the Request URL matching method:

/^\/bucket1$/

You can limit client access to multiple buckets, if needed. For example, you could limit client traffic to both bucket1 and bucket2 with the following example:

/^\/bucket[12]$/

ECS Bucket (Virtual Hosted Addressing): https://bucket1.s3.kemp.ax

This example limits client access to a specific bucket. This example uses the Host matching method:

/^bucket1\.s3\.kemp\.ax$/
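The URL Based Limiting behaviour described above (ordered rules, first match wins, negated match fields, limit 0 disables a rule, a 429 Rate Limited response once a rule's per-second limit is exceeded) together with the ECS rule examples, as an added Python model that is not LoadMaster code; the request dictionaries, the rule names and the timestamps are constructed, and the page's /.../ pattern notation is accepted as-is:

```python
import re
from collections import defaultdict

# Match fields offered in the Match drop-down; a leading "!" inverts the match.
FIELDS = {"Request URL": "url", "Host": "host", "User Agent": "user_agent", "Method": "method"}

def compile_pattern(pattern):
    """Accept the page's /.../ notation as well as a bare regular expression."""
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        pattern = pattern[1:-1]
    return re.compile(pattern)

class UrlRateLimiter:
    """Ordered rule list: first matching rule wins, limit 0 disables a rule,
    and a request beyond the rule's per-second limit gets the error response."""
    def __init__(self, rules, error_response=(429, "Rate Limited", "Rate limit exceeded")):
        self.rules = [(name, limit, match.startswith("!"), FIELDS[match.lstrip("!")],
                       compile_pattern(pattern)) for name, limit, match, pattern in rules]
        self.error_response = error_response
        self.counts = defaultdict(int)  # (rule name, whole second) -> requests counted

    def matching_rule(self, request):
        """First rule that matches, as (name, limit); None if no rule matches."""
        for name, limit, negate, field, regex in self.rules:
            if (regex.search(request.get(field, "")) is not None) != negate:
                return name, limit
        return None

    def handle(self, request, now):
        """Return (status, reason, body) for a request arriving at time `now` (seconds)."""
        rule = self.matching_rule(request)
        if rule is None or rule[1] == 0:    # no rule, or rule disabled with limit 0
            return (200, "OK", None)
        key = (rule[0], int(now))
        self.counts[key] += 1
        return self.error_response if self.counts[key] > rule[1] else (200, "OK", None)

# The ECS rules from the page; the bucket rules are placed before the namespace rule
# so the narrower match wins (rule order is what the Move option controls).
ECS_RULES = [("ecs_bucket1_path", 2, "Request URL", r"/^\/bucket1$/"),
             ("ecs_bucket1_vhost", 2, "Host", r"/^bucket1\.s3\.kemp\.ax$/"),
             ("ecs_namespace", 3, "Host", r"/^s3\.kemp\.ax$/")]

def run_abc_example():
    """The page's abc.com example: limit 5 RPS, 10 requests in one second (constructed input)."""
    limiter = UrlRateLimiter([("abc_host", 5, "Host", r"/^abc\.com$/")])
    req = {"method": "GET", "url": "/a.html", "host": "abc.com", "user_agent": "qa-agent"}
    statuses = [limiter.handle(req, 1599578133.0 + i / 10)[0] for i in range(10)]
    return statuses.count(200), statuses.count(429)
```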