Layer7 API Management

Expand all | Collapse all

Explain Limit Each property in Rate Limit Assertion.

  • 1.  Explain Limit Each property in Rate Limit Assertion.

    Posted 07-21-2021 08:28 AM

    Hello,

    Does anyone have experience using different 'Limit Each' settings in the rate limit assertion?
    Is it clear what the occurance is when you limit each;
    [id]-${request.clientid} (User or client IP),
    [id]-${request.authenticateduser} (Authenticated User),
    [id]-${request.tcp.remoteAddress} (ClientIP),

    Because, using the service debugger I see allways the same request.clientid and so authenticateduser, but different request.tcp.remoteAddress.

    Thanks for helping.



    ------------------------------
    Greetings,
    Sebastian van Voorn.
    SR. System Engineer
    RDW
    ------------------------------


  • 2.  RE: Explain Limit Each property in Rate Limit Assertion.

    Broadcom Employee
    Posted 07-21-2021 06:36 PM

    ${request.clientid}

    If the user has been authenticated: Returns "AuthUser:" followed by the identity provider OID, followed by a user identifier.

    • For internal users, the user identifier is the user OID. Example: internal user Alice has an OID = 83727238, with identity provider OID = -2. What is returned: AuthUser:-2:83727238.
    • For LDAP users, the user identifier is the same as the context variable ${request.authenticateduser}. Example: AuthUser:3:cn=John Smith,

    o=AcmeTech LLC, where the identity provider OID = 3, and user identifier = cn=John Smith, o=AcmeTech LLC.

    If the user has not been authenticated: Returns "ClientIp:$request.tcp.remoteAddress}", assuming the client IP is known. Example: clientIp:10.77.33.21.

    If the client IP is unknown: Returns "ProtocolID:" followed by the protocol name, followed by a client endpoint identifier from the request's transport protocol.

    Example: ProtocolId:johnsmith@acmetech.com" target="_blank">XMPP:johnsmith@acmetech.com.

    If the client endpoint identifier is unknown: Returns "Protocol:" followed by the name of the transport protocol.

    Example: Protocol:JMS. If the protocol is unknown: Returns "ClientId:Unknown"


    ${<message>.authenticateduser}

    The name the user authenticated by the ssg (DN in case of ldap user) in the target message (request, response or message context variable).


    ${request or response or <message context variable>.tcp.remoteAddress}

    Returns the remote IP address of the message






  • 3.  RE: Explain Limit Each property in Rate Limit Assertion.

    Posted 07-22-2021 03:50 AM

    Hello Zhijun He.
    Your reply brings me to 3 more questions:
    We do authenticate the user to the federated identity provider, by the client certificate they use out of our CA.
    But we allways see this:

    • request.clientid = {String} "AuthUser:fc8b21b432e5fa8aaa503a4c2ced9a65:0000000000000000ffffffffffffffff"
    • request.authenticateduser = {String} "0000000000000000ffffffffffffffff"
    Question 1: why do we always see the same?
    Question 2: what is the occurance of the rate limit when we limit each clientid?
    Question 3: what is the occurance of the rate limit when we limit each client IP?
    Thank You.


    ------------------------------
    Greetings,
    Sebastian van Voorn.
    SR. System Engineer
    RDW
    ------------------------------



  • 4.  RE: Explain Limit Each property in Rate Limit Assertion.

    Broadcom Employee
    Posted 07-22-2021 05:54 PM
    Dear Sebastian,
    For client cert authentication, one client cert represent a user.
    1. that indicates the all the clients use the same client cert for authentication
    2.3. assume that all the clients use same client cert, limit by clientid will restrict traffic for all incoming requests; if limit by client ip, the limit is for each client ip.

    Regards,
    Mark


  • 5.  RE: Explain Limit Each property in Rate Limit Assertion.

    Posted 07-23-2021 04:16 AM

    Hello,
    Thank you for your reply.
    I don't understand why we allways see the same clientid. I am very shure all clients use different client certificates. I captured some using the service debugger:

    request.clientid = {String} "AuthUser:fc8b21b432e5fa8aaa503a4c2ced9a65:0000000000000000ffffffffffffffff"
    request.ssl.clientcertificate.subject.rfc2253 = {String} "CN=RDW Diensten -,O=0000163880,C=NL"

    request.clientid = {String} "AuthUser:fc8b21b432e5fa8aaa503a4c2ced9a65:0000000000000000ffffffffffffffff"
    request.ssl.clientcertificate.subject.rfc2253 = {String} "CN=RDW Diensten - 32928,O=0000106035,C=NL"

    request.clientid = {String} "AuthUser:fc8b21b432e5fa8aaa503a4c2ced9a65:0000000000000000ffffffffffffffff"
    request.ssl.clientcertificate.subject.rfc2253 = {String} "CN=RDW Diensten -,O=0000145024,C=NL"

    request.clientid = {String} "AuthUser:fc8b21b432e5fa8aaa503a4c2ced9a65:0000000000000000ffffffffffffffff"
    request.ssl.clientcertificate.subject.rfc2253 = {String} "CN=RDW Service,OU=OVI-Zakelijk,O=Independer.nl N.V.,2.5.4.5=#130538392d3437,C=NL"

    request.clientid = {String} "AuthUser:fc8b21b432e5fa8aaa503a4c2ced9a65:0000000000000000ffffffffffffffff"
    request.ssl.clientcertificate.subject.rfc2253 = {String} "CN=RDW Diensten -,O=0000166205,C=NL"

    We just use 2 assertions to authenticate; Require SSL with client authentication, Request: Authenticate against Identity provider:

    <?xml version="1.0" encoding="UTF-8"?>
    <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
    <wsp:All wsp:Usage="Required">
    <L7p:SslAssertion>
    <L7p:RequireClientAuthentication booleanValue="true"/>
    </L7p:SslAssertion>
    <L7p:Authentication>
    <L7p:IdentityProviderOid goidValue="fc8b21b432e5fa8aaa503a4c2ced9a65"/>
    </L7p:Authentication>
    </wsp:All>
    </wsp:Policy>

    I don't see why this results to 1 clientid. Do you?



    ------------------------------
    Greetings,
    Sebastian van Voorn.
    SR. System Engineer
    RDW
    ------------------------------