AWS WAF Rate-limit per hostname

Question

So far we've been using rate limit rule for a single host - 300 requests per 5 minutes for foo.dev.com (entry resolves to ALB)

Now we want to split a bit more the rule so that we have different rules for different hostnames (all resolving same ALB) so that we achieve for example:

aaa-foo.dev.com - 100 requests per 5 minutes
bbb-foo.dev.com - 200 requests per 5 minutes

aaa and bbb will be different clients that our app will serve

Please help out with some hints !

score 0 · Answer 1 · answered Jun 29 '22 at 13:14

Here is how I managed to solve this, used ByteMatchStatement comparing if the host header STARTS_WITH '{clientname}', hope it helps someone:

{
  "Name": "foobar-acl",
  "DefaultAction": {
    "Allow": {}
  },
  "Description": "",
  "Rules": [
    {
      "Name": "rate-limit-main",
      "Priority": 0,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 3000,
          "AggregateKeyType": "IP"
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 429,
            "CustomResponseBodyKey": "html_responce"
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": false,
        "CloudWatchMetricsEnabled": false,
        "MetricName": "foobar-rate-limit-main"
      }
    },
    {
      "Name": "rate-limit-clientname",
      "Priority": 1,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 100,
          "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "ByteMatchStatement": {
              "SearchString": "clientname",
              "FieldToMatch": {
                "SingleHeader": {
                  "Name": "host"
                }
              },
              "TextTransformations": [
                {
                  "Priority": 1,
                  "Type": "NONE"
                }
              ],
              "PositionalConstraint": "STARTS_WITH"
            }
          }
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 409,
            "CustomResponseBodyKey": "html_responce"
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": false,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "foobar-clientname"
      }
    },
    {
      "Name": "rate-limit-clientname2",
      "Priority":21,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 100,
          "AggregateKeyType": "IP",
          "ScopeDownStatement": {
            "ByteMatchStatement": {
              "SearchString": "clientname2",
              "FieldToMatch": {
                "SingleHeader": {
                  "Name": "host"
                }
              },
              "TextTransformations": [
                {
                  "Priority": 2,
                  "Type": "NONE"
                }
              ],
              "PositionalConstraint": "STARTS_WITH"
            }
          }
        }
      },
      "Action": {
        "Block": {
          "CustomResponse": {
            "ResponseCode": 409,
            "CustomResponseBodyKey": "html_responce"
          }
        }
      },
      "VisibilityConfig": {
        "SampledRequestsEnabled": false,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "foobar-clientname2"
      }
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": false,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "foobar-acl"
  },
  "Capacity": 6,
  "ManagedByFirewallManager": false,
  "CustomResponseBodies": {
    "html_responce": {
      "ContentType": "TEXT_HTML",
      "Content": "<div>You exceeded the maximum number of requests !</div>"
    }
  }
}

AWS WAF Rate-limit per hostname

1 Answers1