Rate Limiting for Citrix Gateway
The rate limiting feature for Citrix Gateway enables you to define the maximum load for a given network entity or virtual entity on the Citrix Gateway appliance. Since the Citrix Gateway appliance consumes all the unauthenticated traffic, the appliance is often exposed to process requests at a high rate. The rate limiting feature enables you to configure the Citrix Gateway appliance to monitor the rate of traffic associated with an entity and take preventive action, in real time, based on the traffic. For more information about how rate limiting works in a Citrix ADC appliance, see Rate limiting.
Citrix ADC has the rate limiting feature that provides protection to back-end servers for unforeseen rate. Since the feature for Citrix ADC did not serve the unauthenticated traffic that Citrix Gateway handles, Citrix Gateway needed its own rate limiting functionality. This is needed to check an unforeseen rate of requests from various sources the Citrix Gateway appliance is exposed to. For example, unauthenticated/login/control requests and certain APIs exposed for end user or device validations.
Common use-cases for Rate limiting
Limit the number of requests per second from a URL.
Drop a connection based on cookies received in request from from a particular host if the request exceeds the rate limit.
Limit the number of HTTP requests that arrive from the same host (with a particular subnet mask) and that have the same destination IP address.
Configure Rate Limiting for Citrix Gateway
A configured authentication virtual server.
Points to note
In the configuration steps, a sample limit identifier is configured. The same can be configured with all the supported parameters like stream selector, mode. For an exhaustive description of the rate limiting capabilities, see Rate limiting.
The policy can also be bound to a VPN virtual server as follows. You need a configured VPN virtual server to bind the policies using the following command.
bind vpn vserver -policy denylogin –pri 1 –type aaa_request
AAA_REQUEST is a newly introduced bindpoint for responder policies. The policies configured at this bind point are applied to all the incoming request at the specified virtual server. The policies are processed for the unauthenticated/control traffic first before any other processing.
Binding the policy to the Citrix Gateway virtual server enables rate limiting at the AAA_REQUEST bindpoint for all the traffic consumed by Citrix Gateway including unauthenticated requests.
Binding the policy to an authentication virtual server rate limits the unauthenticated/control requests hitting the authentication virtual server.
To configure rate limiting by using the command line interface, at the command prompt, type the following commands:
add limitIdentifier <limitIdentifier name> -threshold <positive_integer> -timeslice <positive_integer> -mode <mode type>
Example: add limitIdentifier limit_one_login -threshold 10 -timeslice 4294967290 -mode REQUEST_RATE
add responderaction denylogin respondwith ‘“HTTP/1.1 200 OK\r\n\r\n” + “Request is denied due to unusual rate”’
add responder policy denylogin 'sys.check_limit("limit_one_login")' denylogin
bind authentication vserver <vserver name> -policy denylogin –pri 1 –type aaa_request
Example: bind authentication vserver authvserver -policy denylogin –pri 1 –type aaa_request
limitIdentifier - Name for a rate limit identifier. Must begin with an ASCII letter or underscore (_) character, and must consist only of ASCII alphanumeric or underscore characters. Reserved words must not be used. This is a mandatory argument. Maximum Length: 31
threshold - A maximum number of requests that are allowed in the given timeslice when requests (mode is set as REQUEST_RATE) are tracked per timeslice. When connections (mode is set as CONNECTION) are tracked, it is the total number of connections that would be let through. Default value: 1 Minimum value: 1 Maximum Value: 4294967295
timeSlice - Time interval, in milliseconds, specified in multiples of 10, during which requests are tracked to check if they cross the threshold. The argument is needed only when the mode is set to REQUEST_RATE. Default value: 1000 Minimum value: 10 Maximum Value: 4294967295
mode - Defines the type of traffic to be tracked.
- REQUEST_RATE - Tracks requests/timeslice.
- CONNECTION - Tracks active transactions.
To configure Rate Limiting using the Citrix ADC GUI:
Navigate to AppExpert > Rate Limiting > Limit Identifiers, click Add and specify the relevant details as specified in the CLI section.
Navigate to AppExpert>Responder>Policies. On the Responder Policies page, click Add.
On the Create Responder Policy page, create a responder policy with a responder action which has the limit identifier.
To create responder action, Click Add next to Action and enter a name for responder action.
Select type as Respond with from the drop-down menu, specify the following expression, “HTTP/1.1 200 OK\r\n\r\n”+ “Request is denied due to unusual rate”, and click Create.
To create a responder policy, on Create Responder Policy page, enter a name for the responder policy, specify the following expression, ‘sys.check_limit(“limit_one_login”)’, and click Create.
Bind the responder policy to the authentication virtual server.
- a. Go to Security>AAA-Application Traffic>Virtual server.
- b. Select the virtual server.
- c. Add a policy.
- d. Choose the responder policy that you want to bind to the server, set the priority.
- e. Choose the type as AAA-REQUEST and click Continue.
Note: You can also enable rate limiting at the AAA_REQUEST bind point for the VPN virtual server.
Configuration for the common use cases for applying rate limiting to Citrix Gateway
The following are the examples of commands to configure common use cases.
Limit the number of requests per second from a URL.
add stream selector ipStreamSelector http.req.url “client.ip.src” add ns limitIdentifier ipLimitIdentifier –threshold 4 –timeslice 1000 –mode request_rate –limitType smooth –selectorName ip StreamSelector add responder policy ipLimitResponderPolicy “http.req.url.contains(\”myasp.asp\”) && sys.check_limit(\”ipLimitIdentifier\”)” myWebSiteRedirectAction bind authentication virtual server authvserver -policy denylogin –pri 1 –type aaa_request
Drop a connection based on cookies received in request from www.yourcompany.com if the request exceeds the rate limit.
add stream selector cacheStreamSelector “http.req.cookie.value(\”mycookie\”)” “client.ip.src.subnet(24)” add ns limitIdentifier myLimitIdentifier –Threshold 2 –timeSlice 3000 –selectorName reqCookieStreamSelector add responder action sendRedirectURL redirect `"http://www.mycompany.com\"` + http.req.url' –bypassSafetyCheck Yes add responder policy rateLimitCookiePolicy “http.req.url.contains(\www.yourcompany.com\) && sys.check_limit(\”myLimitIdentifier\”)” sendRedirectUrl
Limit the number of HTTP requests that arrive from the same host (with a subnet mask of 32) and that have the same destination IP address.
add stream selector ipv6_sel “CLIENT.IPv6.src.subnet(32)”CLIENT.IPv6.dst Q.URL add ns limitIdentifier ipv6_id –imeSlice 20000 –selectorName ipv6_sel add lb vserver ipv6_vip HTTP 3ffe:: 209 80 –persistenceType NONE –cltTime add responder action redirect_page redirect “\”`http://redirectpage.com/\”"` add responder policy ipv6_resp_pol “SYS.CHECK_LIMIT(\”ipv6_id\”)” redirect_page bind responder global ipv6_resp_pol 5 END –type DEFAULT