Flow Control
Last updated
Last updated
Flow Control is a new feature that allows users to define a sequence (flow) of submitted requests which, if followed, will be permitted. In cases where the conditions of the sequence are violated, a user-defined Action is initiated.
Use case: A simple example of a scenario where Flow Control can be used is blocking a POST to /login if no GET to /login was made within the past 60 seconds. This will prevent requestors from logging in without viewing the login page first.
Each Flow Control rule consists of:
Name and Description of Flow Control Policy
A user-defined Key by which the requests will be grouped and counted (for example, the IP address of a single user); multiple keys per rule are possible
Timeframe parameters specifying the timeframe within which request sequences can be submitted. For legitimate requestors, Retry Timeframe specifies the timeframe within which the final request of a sequence can be re-submitted without repeating the entire sequence.
Sequence definitions (identified by method, path); specifies a minimum two-step sequence which can increase to a multiple-step sequence
Include and Exclude conditions, starting from none to multiple conditions
Action to be taken when sequence conditions are not met
If the Threshold of the Timeframe is surpassed, the specified action is triggered
When the system identifies a request which matches the final one in the sequence specified, it checks whether the conditions of the preceding requests in the sequence were sent by the same key group within the timeframe. If not, it executes the defined action.
Flow Control Rule Administration
The Main screen (shown above) lists all current Flow Control Rules.
To edit an existing Rule, select the Edit icon at the end of its entry in the list.
To add a new Rule, select the "+" button on the Main screen. The Add/Edit Rule screen below will appear.
Defining a Flow Control Rule: Basic Information
The first steps in creating a Flow Policy rule is to name it in the Name field and describe it concisely in the Description field.
The Name will be used within the Reblaze interface, and used to create a Tag assigned to requests which trigger the Flow Control rule.
Proceed to Timeframe and specify the time period (the number of seconds) within which the flow control rule is enforced.
In the Threshold section, specify the number of failed attempts allowed before the action is triggered.
In Retry Timeframe, for a requestor that has successfully passed the sequence, specify the number of seconds within which the final request of the defined sequence (the destination url) can be re-submitted, without starting the entire sequence from the beginning.
Defining the Key(s)
Build a Key to define all the requests made by a requestor. Use one of the four fields below. More than one key can be defined per rule.
Field | Result |
Header | All requests with the same value for the specified header will be counted together toward the Limit. |
Cookie
| All requests with the same value for the specified cookie will be counted together toward the Limit. |
Argument
| All requests with the same value for the specified argument will be counted together toward the Limit. |
Attribute
| All requests with the same value for the specified attribute will be counted together toward the Limit. |
Multiple Keys can be defined within the same Rule. To create a new Key and open it for editing, select the "+" button next to the Key label.
If multiple Keys are defined, they are evaluated by combining them together with a logical AND. In other words, the cumulative count toward the Limit will be incremented whenever a request is seen that matches all of the Keys simultaneously. Different combinations of Keys will have separate Limit counts maintained for them.
Defining the Action
The Action section enables a user to choose from among seven actions triggered in response to violation of a specified sequence. The actions appear in a dropdown box and include: 503 Service Unavailable, Challenge, Tag Only, Redirect, Request Header, Response, and Ban. They are described in the documentation for the Action Response dropdown.
For more about the Ban action, see the detailed description under Rate Limiting.
Note that when setting up a Ban, the most common choices for its Action are to deny the violator's requests (by specifying a 503 Service Unavailable, Response, or Redirect type of Ban). However, one of the following can be selected: Tag Only (to observe the violator's actions during the ban period), Challenge (to verify that the violating activity is not being done by bots), or Request Header (to mark the requests for further scrutiny by the backend).
To delete an Action, select the Trash icon.
The Include and Exclude filters allow special conditions to be specified for the request sequences against which this Flow Control Rule will be checked.
By default, the rule defined will be enforced upon all incoming requests. Specifying an Include and/or an Exclude filter will set limits to this enforcement.
The Include filter limits enforcement to requests matching its parameters only. All other requests in the traffic stream will not be checked with respect to this Flow Control rule.
The Exclude filter exempts specified requests from being checked against the Flow Control rule. These requests will not have the Flow Control Rule applied to them.
Exclude filters are examined first, followed by the Include filters.
To add an Include or an Exclude filter, click on the “+” sign that appears under “Include” or “Exclude.” The same dropdown box options as appeared in the Key section appear here. Assign a name and value for the option selected. (For example: Attribute -> Remote Address -> 1.2.3.4)
Multiple Include and Exclude filters can be specified. Add another filter by clicking the “+” that appears directly below the newly added filter. To delete a filter, click the Trash icon.
Specifying the Sequences
The Sequences segment is where the user defines the sequences that will trigger the Action specified.
In section A of the sequence, in the Methods field, select one or more methods from the dropdown box by clicking their checkbox(es).
In the Sites field, select the site(s) attached to the Method(s).
Next, in the Path field, type in the path URL.
If needed, apply additional conditions to section A of the sequence by clicking the “Add new row” button, found directly underneath the Path row.
A row will appear with the same dropdown box of options as in the Key section (Cookie, Header, Argument, Attribute). Select one and assign it a name and a value. Click Add to save the new row or Cancel to delete it.
Additional conditions can be applied by clicking the “Add new row” button which appears directly beneath the newly added row.
Alternatively, you can delete the entire section by clicking the “Remove entire section” button which appears to the right of the “Add new row” button.
Specify section B of the sequence following the same steps as for section A. Specify additional conditions following the same steps as for section A: Methods, Sites, Path
Additional steps in the sequence can be specified by clicking the “Create new sequence section” button. The same fields and options will appear as for sections A and B.
Note: Only the final step in the sequence will trigger the Action specified.
When the parameters of the Flow Control rule are all in place, click Save.
Flow Control rules can only be created on the Add/Edit Rule screen of the Flow Control feature. Unlike other Security features, they cannot be added quickly via the Web Proxy screen. Following rule creation and Save, the Web Proxy screen will show only the rule for the sites relevant to the final request in the Flow Control sequence.