
AWS WAF Rate-limit per hostname

So far we've been using a rate limit rule for a single host: 300 requests per 5 minutes for foo.dev.com (the entry resolves to an ALB).

Now we want to split the rule a bit more so that we have different rules for different hostnames (all resolving to the same ALB), so that we achieve, for example:

  • aaa-foo.dev.com - 100 requests per 5 minutes
  • bbb-foo.dev.com - 200 requests per 5 minutes

aaa and bbb will be different clients that our app will serve.

Please help out with some hints!

Here is how I managed to solve this: I used a ByteMatchStatement that checks whether the host header STARTS_WITH '{clientname}'. Hope it helps someone:

{
  "Name": "foobar-acl",
  "DefaultAction": {
    "Allow": {}
  },
  "Description": "",
  "Rules": [
    {
      "Name": "rate-limit-main",
      "Priority": 0,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 3000,
          "AggregateKeyType": "IP"
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 429,
            "CustomResponseBodyKey": "html_responce"
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": false,
        "CloudWatchMetricsEnabled": false,
        "MetricName": "foobar-rate-limit-main"
      }
    },
    {
      "Name": "rate-limit-clientname",
      "Priority": 1,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 100,
          "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "ByteMatchStatement": {
              "SearchString": "clientname",
              "FieldToMatch": {
                "SingleHeader": {
                  "Name": "host"
                }
              },
              "TextTransformations": [
                {
                  "Priority": 1,
                  "Type": "NONE"
                }
              ],
              "PositionalConstraint": "STARTS_WITH"
            }
          }
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 409,
            "CustomResponseBodyKey": "html_responce"
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": false,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "foobar-clientname"
      }
    },
    {
      "Name": "rate-limit-clientname2",
      "Priority": 21,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 100,
          "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "ByteMatchStatement": {
              "SearchString": "clientname2",
              "FieldToMatch": {
                "SingleHeader": {
                  "Name": "host"
                }
              },
              "TextTransformations": [
                {
                  "Priority": 2,
                  "Type": "NONE"
                }
              ],
              "PositionalConstraint": "STARTS_WITH"
            }
          }
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 409,
            "CustomResponseBodyKey": "html_responce"
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": false,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "foobar-clientname2"
      }
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": false,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "foobar-acl"
  },
  "Capacity": 6,
  "ManagedByFirewallManager": false,
  "CustomResponseBodies": {
    "html_responce": {
      "ContentType": "TEXT_HTML",
      "Content": "<div>You exceeded the maximum number of requests !</div>"
    }
  }
}
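Added example, not part of the question or the answer above: a small Python model of the posted rules' host-header scope-down matching and per-IP counting, run over constructed traffic (the hosts clientname.dev.com / clientname2.dev.com, the IP and the request counts are made up). It shows that STARTS_WITH "clientname" also matches clientname2.dev.com, so the second tenant's requests are counted against the first tenant's limit, and compares a hypothetical variant whose prefixes end in a dot.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # rate-based statements count per 5 minutes

# Scope-down prefixes and per-IP limits modelled on the answer's ACL.
RULES_AS_POSTED = [("rate-limit-clientname", "clientname", 100),
                   ("rate-limit-clientname2", "clientname2", 100)]
# Constructed variant: the trailing dot stops "clientname" from also
# matching hosts such as clientname2.dev.com.
RULES_TIGHTENED = [("rate-limit-clientname", "clientname.", 100),
                   ("rate-limit-clientname2", "clientname2.", 100)]

def scope_down_matches(host, prefix):
    """ByteMatchStatement with STARTS_WITH and TextTransformation NONE."""
    return host.startswith(prefix)

def matching_rules(host, rules):
    """Names of every rule whose scope-down statement matches this host."""
    return [name for name, prefix, _ in rules if scope_down_matches(host, prefix)]

def simulate(rules, requests):
    """Approximation of the rate-based statements: each rule keeps a sliding
    5-minute count per (rule, source IP) of the requests its scope-down
    matched; a request above the limit is blocked by the first such rule in
    priority order. Returns {rule_name: number_of_blocked_requests}."""
    recent = defaultdict(deque)   # (rule, ip) -> timestamps inside the window
    blocked = defaultdict(int)
    for ts, ip, host in requests:
        for name, prefix, limit in rules:
            if not scope_down_matches(host, prefix):
                continue
            q = recent[(name, ip)]
            while q and ts - q[0] >= WINDOW:
                q.popleft()
            q.append(ts)
            if len(q) > limit:
                blocked[name] += 1
                break  # Block is a terminating action; stop evaluating rules
    return dict(blocked)

def constructed_traffic(ip, per_host):
    """Constructed sample: `per_host` requests to each tenant host from one
    IP, one per second and interleaved, so all fall inside one window."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    hosts = ["clientname.dev.com", "clientname2.dev.com"]
    return [(start + timedelta(seconds=i), ip, hosts[i % 2])
            for i in range(2 * per_host)]

if __name__ == "__main__":
    traffic = constructed_traffic("198.51.100.7", 60)   # 60 per tenant, 120 total
    print(simulate(RULES_AS_POSTED, traffic), simulate(RULES_TIGHTENED, traffic))
```

With the posted prefixes the first rule sees all 120 requests and blocks 20 of them although neither tenant exceeded its own 100; with the dotted prefixes each rule counts 60 and nothing is blocked.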
