CloudFront rate limit rule doesn't work


Question

I have a CloudFront distribution for an EC2 HTTP server. I created a rate limit for my CloudFront distribution using WAF. In theory no IP address should be able to send more than 2,000 requests in any 5 minute period. But this just doesn't seem to work. I fired off 10,000 concurrent requests from my laptop (using a Go program) in <1 minute and all of them got through. I know they are reaching the EC2 origin because my HTTP server keeps a counter for requests.

Strangely, the WAF dashboard even recognizes that traffic exceeded the 5 minute limit:

Yet no IP blocking took place:

And my EC2 server registered all 10,000 hits.

Am I missing some configuration subtlety? Or is there meant to be a long delay between when CloudFront registers the traffic spike and when it implements the IP block?

EDIT: A config picture:

Answer

You probably already figured this out, but... you have to specifically select the AWS WAF Web ACL that contains the rate-limit rule in your CloudFront distribution. You can do this in the Distribution Settings page of your CloudFront distribution (second item - a dropdown with the label AWS WAF Web ACL).

If you don't, the two aren't connected together, which might explain why your requests aren't blocked when you expect them to be blocked.
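The check behind this answer, as an added example that is not part of the original question or answer: a rate-based rule does nothing for a distribution until the Web ACL is listed in that distribution's `WebACLId`. The script below diagnoses the association from the shapes that `aws cloudfront get-distribution-config` and `aws wafv2 get-web-acl` return, then performs the same read-modify-write that a real boto3 CloudFront client needs to attach the ACL. It assumes WAFv2 (where a CloudFront distribution references the Web ACL by ARN and the ACL must have CLOUDFRONT scope, i.e. live in us-east-1); every ID, ARN, name and the `FakeCloudFront` stand-in are constructed for the example.

```python
"""Verify that a WAF Web ACL with a rate-based rule is really attached to a
CloudFront distribution, and attach it if it is not.

Added example; dict shapes mirror `aws cloudfront get-distribution-config`
and `aws wafv2 get-web-acl` output. All resource identifiers are constructed.
"""
from __future__ import annotations

from typing import Any, Protocol

# Constructed sample: a WAFv2 Web ACL created with Scope=CLOUDFRONT in us-east-1
# ("global" in the ARN). A REGIONAL ACL cannot be attached to CloudFront.
WEB_ACL: dict[str, Any] = {
    "Name": "edge-rate-limit",
    "ARN": ("arn:aws:wafv2:us-east-1:123456789012:global/webacl/"
            "edge-rate-limit/11111111-2222-3333-4444-555555555555"),
    "Rules": [{
        "Name": "ip-2000-per-5min",
        "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
        # "Block" actually rejects; "Count" only records matches in the dashboard.
        "Action": {"Block": {}},
    }],
}


def make_dist_config(web_acl_id: str) -> dict[str, Any]:
    """Minimal DistributionConfig (constructed); only fields this check reads."""
    return {"CallerReference": "example-ref", "Enabled": True,
            "Comment": "EC2 origin", "WebACLId": web_acl_id}


def rate_rules(web_acl: dict[str, Any]) -> list[dict[str, Any]]:
    return [r for r in web_acl.get("Rules", [])
            if "RateBasedStatement" in r.get("Statement", {})]


def diagnose(dist_config: dict[str, Any], web_acl: dict[str, Any]) -> list[str]:
    """Return the reasons a rate limit would show matches but block nothing."""
    problems: list[str] = []
    attached = dist_config.get("WebACLId", "")
    if not attached:
        problems.append("distribution has no Web ACL attached (WebACLId is empty)")
    elif attached != web_acl["ARN"]:
        problems.append(f"distribution is attached to a different Web ACL: {attached}")
    if ":global/webacl/" not in web_acl["ARN"]:
        problems.append("Web ACL is REGIONAL; CloudFront needs a CLOUDFRONT-scope ACL in us-east-1")
    rules = rate_rules(web_acl)
    if not rules:
        problems.append("Web ACL has no rate-based rule")
    for r in rules:
        if "Block" not in r.get("Action", {}):
            problems.append(f"rate rule {r['Name']!r} is not set to Block (Count only logs matches)")
    return problems


class CloudFrontLike(Protocol):
    """The two boto3 cloudfront client calls the fix needs."""
    def get_distribution_config(self, *, Id: str) -> dict[str, Any]: ...
    def update_distribution(self, *, Id: str, IfMatch: str,
                            DistributionConfig: dict[str, Any]) -> dict[str, Any]: ...


def attach_web_acl(cf: CloudFrontLike, distribution_id: str, web_acl_arn: str) -> dict[str, Any]:
    """Read-modify-write: UpdateDistribution must echo the ETag from the read
    as IfMatch, otherwise CloudFront rejects the update as a stale write."""
    current = cf.get_distribution_config(Id=distribution_id)
    cfg = dict(current["DistributionConfig"])
    cfg["WebACLId"] = web_acl_arn
    return cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                                  DistributionConfig=cfg)


class FakeCloudFront:
    """Offline stand-in for boto3.client('cloudfront'), constructed for this example."""
    def __init__(self, config: dict[str, Any]) -> None:
        self.config = config
        self.etag = "E1"

    def get_distribution_config(self, *, Id: str) -> dict[str, Any]:
        return {"DistributionConfig": dict(self.config), "ETag": self.etag}

    def update_distribution(self, *, Id: str, IfMatch: str,
                            DistributionConfig: dict[str, Any]) -> dict[str, Any]:
        if IfMatch != self.etag:
            raise ValueError("PreconditionFailed: stale ETag")
        self.config = DistributionConfig
        self.etag = "E2"
        return {"Distribution": {"Id": Id, "DistributionConfig": DistributionConfig},
                "ETag": self.etag}


def demo() -> tuple[list[str], list[str]]:
    """Reproduce the question's state (ACL exists, not attached), then fix it."""
    cf = FakeCloudFront(make_dist_config(""))
    before = diagnose(cf.config, WEB_ACL)
    attach_web_acl(cf, "EXAMPLEDISTID", WEB_ACL["ARN"])  # constructed distribution ID
    after = diagnose(cf.config, WEB_ACL)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Against a real account, `cf = boto3.client("cloudfront")` satisfies `CloudFrontLike`, and the distribution takes a few minutes to redeploy after the update before the ACL is enforced at the edge. The `Count` check is included because a rule in Count mode produces exactly the symptom in the question (the dashboard shows the threshold was exceeded, yet every request reaches the origin), so it is worth ruling out alongside the missing association.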
