
Phases in Peakhour.IO

Peakhour.IO uses phases to adjust the runtime behaviour of requests and responses. Each phase runs at a specific point in the request/response cycle, and a rule placed in a phase can only act on what is known at that point (for example, WAF results are only available to phases that run after the WAF).

Phases

Request Rewrite

Modifies the URI of the current request.

Actions:
- http.request.uri.set

Use: Convert all request URIs to lowercase so that path-based rules match one canonical form.

URL Configuration

Modifies request parameters when evaluating a URL.

Actions:
- vconf.set
- vconf.set.continue
- vconf.set.stop

Use: Redirect old product URLs to new ones.

Firewall

Allows, denies, challenges or logs requests that match specified conditions.

Actions:
- firewall.allow
- firewall.deny
- firewall.challenge
- firewall.log

Use: Block IP addresses known for malicious activity.

Rate Limit Request

Adds the request to rate limit zones and checks whether it has exceeded a zone's limit.

Actions:
- rate_limit.add_zone
- rate_limit.check_zone

Use: Limit the number of login attempts from one client within a minute.

Rate Limit Request Late

Same actions as Rate Limit Request, but runs after the WAF so that rules can key off WAF results.

Actions:
- rate_limit.add_zone
- rate_limit.check_zone

Use: Rate limit requests that trigger specific WAF rules.

WAF

Analyses requests for potential security threats.

Actions:
- waf.block
- waf.log

Use: Block requests that match known attack patterns.

Rate Limit Response

Places clients in a rate limiting zone based on the response they received. Only add_zone is available here; the zone is then checked on the client's subsequent requests.

Actions:
- rate_limit.add_zone

Use: Restrict bandwidth for users who download large files.

Request Headers

Modifies request headers before the request is forwarded to the origin.

Actions:
- http.request.headers.set
- http.request.headers.remove

Use: Add a custom header to track the origin of a request.

Load Balance

Selects the origin pool that serves the request, distributing incoming traffic across multiple servers.

Actions:
- lb.origin_pool.set

Use: Distribute incoming user requests across multiple servers.

Response Headers

Modifies headers in the response phase and can tag the response for the cache.

Actions:
- http.response.headers.set
- http.response.headers.remove
- cache.add_tags

Use: Set security-related headers such as Strict-Transport-Security.

Rate Limiting Examples

  1. Limit requests per IP

Filter:

```
true
```

This filter always evaluates to true, so the rule applies to every request.

Configuration:

```yaml
rate_limit.add_zone:
  zone: "per_ip"
  key:
    - type: "ip"
rate_limit.check_zone:
  zone: "per_ip"
  action:
    type: "block"
    status_code: 429
```

This configuration adds the request to the "per_ip" zone keyed on the client's IP address and blocks requests that exceed the zone's limit with a 429 status code. Keying on IP alone treats every client behind a shared NAT or forward proxy as one client, so a low limit here can lock out whole offices or carrier networks.

  2. Limit API requests per authenticated user

Filter:

```
starts_with(http.request.uri.path, "/api/")
```

This filter matches requests whose path starts with "/api/".

Configuration:

```yaml
rate_limit.add_zone:
  zone: "api_per_user"
  key:
    - type: "header"
      header: "Authorization"
rate_limit.check_zone:
  zone: "api_per_user"
  action:
    type: "block"
    status_code: 429
```

This configuration adds the request to the "api_per_user" zone keyed on the value of the "Authorization" header and blocks requests that exceed the zone's limit with a 429 status code. Because the key is the raw header value, requests to "/api/" that carry no "Authorization" header cannot be told apart by this key; confirm how the platform treats them, and scope the filter to authenticated routes or add an "ip" key component if unauthenticated traffic should not share one counter.

  3. Rate limit based on WAF results

Filter:

```
peakhour.waf.exposed_password
```

This filter is true when the WAF has flagged an exposed password in the request. Since it depends on WAF results, the rule belongs in the Rate Limit Request Late phase, which runs after the WAF.

Configuration:

```yaml
rate_limit.add_zone:
  zone: "exposed_password"
  key:
    - type: "ip"
rate_limit.check_zone:
  zone: "exposed_password"
  action:
    type: "challenge"
    status_code: 403
```

This configuration adds the client's IP address to the "exposed_password" zone each time the WAF flags an exposed password, and once the zone's limit is exceeded the client is challenged instead of served, with a 403 status code. Requests that do not trigger the WAF rule are not counted, so an attacker who spreads credential-stuffing attempts across many source IPs will not accumulate in any one key; pair this with the per-IP or per-user zones above.
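The zone semantics the three examples rely on, modelled as an added example in Python. This is not Peakhour.IO's code and does not call its API: it is a fixed-window counter that reproduces what add_zone and check_zone do (key the client into a zone, then apply the zone's action once the limit is exceeded) so the three configurations above can be exercised offline against constructed traffic. The Request and RateLimiter classes, the limit and window values, and the waf_flags attribute standing in for peakhour.waf.exposed_password are all assumptions for the illustration; the page's YAML shows no limit or window at all.

```python
# Added example: a self-contained model of rate-limit zones as used above.
# NOT Peakhour.IO's code and not its API. The classes, the fixed-window
# counter and the limit/window values are assumptions for the illustration.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Request:
    ip: str
    path: str
    headers: dict = field(default_factory=dict)
    waf_flags: set = field(default_factory=set)   # stands in for WAF results, e.g. {"exposed_password"}


@dataclass
class Zone:
    limit: int      # requests allowed per window (assumed knob; not shown on the page)
    window: int     # window length in seconds (assumed knob)
    action: dict    # e.g. {"type": "block", "status_code": 429}
    counters: dict = field(default_factory=lambda: defaultdict(int))


class RateLimiter:
    def __init__(self):
        self.zones = {}

    def add_zone(self, name, limit, window, action):
        self.zones[name] = Zone(limit, window, action)

    @staticmethod
    def build_key(req, key_spec):
        """Build the zone key from a `key:` list like the YAML above.
        A missing header contributes an empty component, so every request
        lacking that header lands in the same counter (the example 2 caveat)."""
        parts = []
        for k in key_spec:
            if k["type"] == "ip":
                parts.append(req.ip)
            elif k["type"] == "header":
                parts.append(req.headers.get(k["header"], ""))
            else:
                raise ValueError(f"unsupported key type {k['type']!r}")
        return "|".join(parts)

    def check_zone(self, name, req, key_spec, now):
        """Count the request in its fixed window and return the zone's action
        once the count exceeds the limit; otherwise allow."""
        zone = self.zones[name]
        bucket = (self.build_key(req, key_spec), now // zone.window)
        zone.counters[bucket] += 1
        if zone.counters[bucket] > zone.limit:
            return dict(zone.action)
        return {"type": "allow"}


# The three rules from the examples above, filters written as plain predicates.
# The exposed_password rule reads a WAF result, so on the platform it would
# sit in the Rate Limit Request Late phase.
RULES = [
    {"filter": lambda r: True,
     "zone": "per_ip", "key": [{"type": "ip"}]},
    {"filter": lambda r: r.path.startswith("/api/"),
     "zone": "api_per_user", "key": [{"type": "header", "header": "Authorization"}]},
    {"filter": lambda r: "exposed_password" in r.waf_flags,
     "zone": "exposed_password", "key": [{"type": "ip"}]},
]


def make_limiter():
    rl = RateLimiter()
    # Limits and windows are invented for the demo; the page's YAML shows none.
    rl.add_zone("per_ip", 5, 60, {"type": "block", "status_code": 429})
    rl.add_zone("api_per_user", 3, 60, {"type": "block", "status_code": 429})
    rl.add_zone("exposed_password", 2, 60, {"type": "challenge", "status_code": 403})
    return rl


def evaluate(rl, req, now):
    """Apply every rule whose filter matches; the first non-allow decision wins."""
    for rule in RULES:
        if rule["filter"](req):
            decision = rl.check_zone(rule["zone"], req, rule["key"], now)
            if decision["type"] != "allow":
                return decision
    return {"type": "allow"}


def demo():
    """Constructed traffic exercising the three rules; returns the decision types."""
    rl = make_limiter()
    alice = [evaluate(rl, Request("10.0.0.1", "/api/items",
                                  {"Authorization": "Bearer alice"}), t) for t in range(4)]
    # Two anonymous clients share the empty Authorization key and burn one budget.
    anon = [evaluate(rl, Request(ip, "/api/items"), t)
            for t, ip in enumerate(["1.1.1.1", "2.2.2.2", "1.1.1.1", "2.2.2.2"])]
    pw = [evaluate(rl, Request("10.0.0.9", "/login", waf_flags={"exposed_password"}), t)
          for t in range(3)]
    return {"alice": [d["type"] for d in alice],
            "anon": [d["type"] for d in anon],
            "exposed_password": [d["type"] for d in pw]}
```

Running demo() shows the two behaviours worth knowing before deploying example 2 as written: the two anonymous clients with no Authorization header share a single counter and are blocked together after three requests between them, and, as with any fixed-window counter, the budget resets at the window boundary, so a client can spend up to twice the limit across two adjacent windows. Whether the platform's own zones use fixed or sliding windows is not described on this page.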