How to Create Rate Limiting Policy Based on Custom HTTP Header on NetScaler

Article ID: CTX214865

Description

This article describes how to create a rate limiting policy based on a custom HTTP header on NetScaler.

Background

The rate limiting feature lets you define the maximum load for a given network entity or virtual entity on the Citrix NetScaler appliance. The appliance monitors the rate of traffic associated with the entity and takes preventive action, in real time, based on that rate. This is particularly useful when the network is under attack from a hostile client that is flooding the appliance with requests: you can mitigate the risk to the availability of resources for legitimate clients and improve the reliability of the network and of the resources the appliance manages.

Use case

The user intends to use the rate limiting feature based on data presented in a custom HTTP header. Connections to the load balanced VIP arrive through an Akamai proxy. Akamai inserts a header called True-Client-IP that contains the actual source IP of the connecting client.

Prerequisite

In order for the stream selector to perform as designed, the data presented in the header must be unique for each incoming connection or entity on which rate limiting is to be enforced.

In this case a specific header was used. However, any identifier or combination of identifiers that is unique will suffice to create an appropriate stream selector. We used the HTTP request context and chose the AFTER_REGEX expression to select the entire value of the header: the regex (^) matches the zero-width start of the value, so everything after the match is the complete header value.
HTTP.REQ.HEADER(\"True-Client-IP\").AFTER_REGEX(re/(^)/)


Instructions

Complete the following steps to create a rate limiting policy based on a custom HTTP header on NetScaler:

  1. Create a stream selector by using the following command:
    add stream selector <name> <rule>

    For example: add stream selector new_stream_selector "HTTP.REQ.HEADER(\"True-Client-IP\").AFTER_REGEX(re/(^)/)"

  2. Create a limit identifier to determine the rate of traffic to be allowed by using the following command:
    add ns limitIdentifier <limitIdentifier> -threshold <positive_integer> -timeSlice <positive_integer> -mode <mode> -limitType ( BURSTY | SMOOTH ) -selectorName <string> -maxBandwidth <positive_integer> -trapsInTimeSlice <positive_integer>

    For example: add ns limitIdentifier new_limit_ID -threshold 30 -timeSlice 30000 -mode REQUEST_RATE -limitType SMOOTH -selectorName new_stream_selector

    Note: Limit type BURSTY is the default. With BURSTY, the limiter does not act until the permitted number of requests has been exhausted within the time slice. The SMOOTH limit type spreads the allowed requests evenly over the time slice. In the above example the limit identifier returns true if, at any time during the 30 second sample window, more than one request per second is received. With limit type BURSTY, the limit identifier returns true if 30 requests are received during the 30 second time slice.

  3. Create a rate based policy by using the following command:
    add cache|dns|rewrite|responder policy <policy_name> -rule "<expression> && SYS.CHECK_LIMIT(\"<LimitIdentifierName>\")" [<feature-specific information>]

    For example: add responder policy new_RL_responder "HTTP.REQ.URL.CONTAINS(\"popularsite.html\") && SYS.CHECK_LIMIT(\"new_limit_ID\")" DROP

  4. Bind the policy either globally or to a specific virtual server.
    For information about binding a policy globally or to a virtual server, refer to Citrix Documentation - Binding Default Syntax Policies.
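The following Python model, added here as an illustration and not NetScaler code, ties the four steps together: stream_selector extracts the True-Client-IP value the way the selector expression does, and LimitIdentifier implements the two limit types as the note above describes them, using the article's values (threshold 30 over a 30000 ms time slice). The sliding-window bookkeeping, the decision to keep counting requests that were already over the limit, and the sample traffic (addresses from the RFC 5737 documentation ranges) are assumptions made for this example; the appliance's internal algorithm is not described on this page. The two header-less requests show why the prerequisite demands a unique header value: they collapse onto one key and are throttled together.

```python
from collections import defaultdict, deque


def stream_selector(headers):
    """Model of HTTP.REQ.HEADER("True-Client-IP").AFTER_REGEX(re/(^)/).

    The regex matches the zero-width start of the value, so the selector
    key is the entire header value. Requests that lack the header all
    collapse onto the empty key and are counted together, which is why
    the prerequisite above demands a unique value per client.
    """
    return headers.get("True-Client-IP", "")


class LimitIdentifier:
    """Illustrative REQUEST_RATE limit identifier (not NetScaler's code).

    Both limit types are modelled as a per-key sliding window (assumption):
      BURSTY: up to `threshold` requests in any `time_slice_ms` window.
      SMOOTH: the allowance is spread evenly, so at most one request in
              any (time_slice_ms / threshold) ms sub-window; with 30 over
              30000 ms that is one request per second.
    """

    def __init__(self, threshold, time_slice_ms, limit_type="BURSTY"):
        if limit_type not in ("BURSTY", "SMOOTH"):
            raise ValueError("limitType must be BURSTY or SMOOTH")
        if limit_type == "BURSTY":
            self.window_ms = time_slice_ms
            self.allowance = threshold
        else:
            self.window_ms = time_slice_ms / threshold
            self.allowance = 1
        # key -> timestamps (ms) of requests still inside the window
        self.history = defaultdict(deque)

    def check_limit(self, key, now_ms):
        """Return True when this request pushes `key` over its allowance,
        i.e. when SYS.CHECK_LIMIT would evaluate true and the policy
        action (DROP in the article) would apply."""
        seen = self.history[key]
        while seen and now_ms - seen[0] >= self.window_ms:
            seen.popleft()          # expired from the window
        seen.append(now_ms)         # over-limit requests still count (assumption)
        return len(seen) > self.allowance


def simulate(requests, limit_type, threshold=30, time_slice_ms=30000):
    """Feed (timestamp_ms, headers) pairs through selector and limiter.

    Returns [(timestamp_ms, key)] for every request the policy would drop.
    """
    limiter = LimitIdentifier(threshold, time_slice_ms, limit_type)
    dropped = []
    for ts, headers in sorted(requests, key=lambda r: r[0]):
        key = stream_selector(headers)
        if limiter.check_limit(key, ts):
            dropped.append((ts, key))
    return dropped


def sample_traffic():
    """Constructed traffic for the demo (documentation-range addresses)."""
    client_a = {"True-Client-IP": "203.0.113.10"}
    client_b = {"True-Client-IP": "198.51.100.7"}
    requests = [
        # Client A: two requests 500 ms apart, then a third a second later.
        (0, client_a), (500, client_a), (1500, client_a),
        # Two unrelated requests that arrived without the Akamai header.
        (200, {"Host": "popularsite.example"}),
        (300, {"Host": "popularsite.example"}),
    ]
    # Client B: 31 requests inside 31 ms, the flood the limiter exists for.
    requests += [(100 + i, client_b) for i in range(31)]
    return requests


if __name__ == "__main__":
    for mode in ("SMOOTH", "BURSTY"):
        drops = simulate(sample_traffic(), mode)
        print(f"{mode}: {len(drops)} requests dropped")
        for ts, key in drops[:3]:
            print(f"  t={ts:>5} ms  key={key!r}")
```

Running the model shows the difference the note describes: under SMOOTH, client A's second request (500 ms after the first) is dropped while its third, a full second later, passes, and 30 of client B's 31 flood requests are dropped; under BURSTY only client B's 31st request is dropped, because the whole allowance of 30 can be consumed at once within the 30 second time slice.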

Verifying and Viewing Limit Sessions

The following commands show real time information for 100 iterations. These quick commands are useful for verifying whether the rate limiter is properly configured, whether the policy is being hit, and whether actions are enforced.
stat lb vserver <vservername> -detail -fullValues -ntimes 100
stat limitIdentifier <name> -detail -fullValues -ntimes 100
show limitsessions <limitIdentifier>

For more information refer to Citrix Documentation - Viewing the Traffic Rate
