Phases in Peakhour.IO

Peakhour.IO uses phases to adjust the runtime behaviour of requests and responses. These phases alter the platform's behaviour at specific points in the request/response cycle.

Phases

Request Rewrite

Modifies the URI for the current request.

Actions:

  • http.request.uri.set

Use: Convert all request URIs to lowercase.

URL Configuration

Modifies request parameters when evaluating a URL.

Actions:

  • vconf.set
  • vconf.set.continue
  • vconf.set.stop

Use: Redirect old product URLs to new ones.

Firewall

Blocks requests based on specified conditions.

Actions:

  • firewall.allow
  • firewall.deny
  • firewall.challenge
  • firewall.log

Use: Block IP addresses known for malicious activities.

Rate Limit Request

Evaluates the request against rate limits.

Actions:

  • rate_limit.add_zone
  • rate_limit.check_zone

Use: Limit the number of login attempts within a minute.

WAF

Analyses requests for potential security threats. This phase has no direct actions; its behaviour is controlled by vconf.set in the URL Configuration phase.

Use: Block requests that match known attack patterns.

Rate Limit Request Late

Allows rate limiting based on WAF results.

Actions:

  • rate_limit.add_zone
  • rate_limit.check_zone

Use: Rate limit requests that trigger specific WAF rules.

Bulk Redirect

Manages large-scale URL redirects through organized redirect lists.

Actions:

  • redirect

Use: Redirect legacy URLs during a site migration.

Request Headers

Modifies request headers.

Actions:

  • early_hints.send
  • http.request.headers.set
  • http.request.headers.remove

Use: Add a custom header to track the origin of a request.

Load Balance

Distributes incoming network traffic across multiple servers.

Actions:

  • lb.origin_pool.set

Use: Distribute incoming user requests across multiple servers.

Response Headers

Modifies headers in the response phase.

Actions:

  • http.response.headers.set
  • http.response.headers.remove
  • cache.add_tags

Use: Set security-related headers like Strict-Transport-Security.

Rate Limit Response

Places clients in a specific rate limiting zone based on the initial response.

Actions:

  • rate_limit.add_zone

Use: Restrict bandwidth for users who download large files.

Rate Limiting Examples

  1. Limit requests per IP:

Filter:

true

This filter always evaluates to true, applying the rate limit to all requests.

Configuration:

rate_limit.add_zone:
  zone: "per_ip"
  key: 
    - type: "ip"
rate_limit.check_zone:
  zone: "per_ip"
  action:
    type: "block"
    status_code: 429

This configuration adds a rate limit zone based on the client's IP address and blocks requests that exceed the limit with a 429 status code.

  2. Limit API requests per authenticated user:

Filter:

starts_with(http.request.uri.path, "/api/")

This filter checks if the request path starts with "/api/".

Configuration:

rate_limit.add_zone:
  zone: "api_per_user"
  key: 
    - type: "header"
      header: "Authorization"
rate_limit.check_zone:
  zone: "api_per_user"
  action:
    type: "block"
    status_code: 429

This configuration adds a rate limit zone based on the "Authorization" header and blocks requests that exceed the limit with a 429 status code.

  3. Rate limit based on WAF results:

Filter:

peakhour.waf.exposed_password

This filter checks if the WAF detected an exposed password in the request.

Configuration:

rate_limit.add_zone:
  zone: "exposed_password"
  key: 
    - type: "ip"
rate_limit.check_zone:
  zone: "exposed_password"
  action:
    type: "challenge"
    status_code: 403

This configuration adds a rate limit zone based on the client's IP address when an exposed password is detected and challenges requests that exceed the limit with a 403 status code.
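
To show how the key choice in the first two examples changes which clients share a counter, here is an added Python model (not Peakhour's code or algorithm) that replays the same constructed traffic through a "per_ip" zone and an "api_per_user" zone. The fixed-window counter, the limit of 3 per 60 seconds, the hashing of the header value and all function names are assumptions; the page states no limits or window lengths.

```python
import hashlib
from collections import defaultdict

LIMIT, WINDOW = 3, 60  # assumed: the page gives no limit or window length

# Key definitions copied from the page's "per_ip" and "api_per_user" zones.
ZONES = {
    "per_ip": [{"type": "ip"}],
    "api_per_user": [{"type": "header", "header": "Authorization"}],
}

def zone_key(zone, request):
    """Build the counter key for a request from the zone's key parts."""
    parts = [zone]
    for part in ZONES[zone]:
        if part["type"] == "ip":
            parts.append(request["ip"])
        else:  # header key: hash it so counters never hold the raw credential
            value = request["headers"].get(part["header"], "")
            parts.append(hashlib.sha256(value.encode()).hexdigest())
    return tuple(parts)

class FixedWindowLimiter:
    """Hypothetical stand-in for add_zone + check_zone with a block action."""
    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.counts = defaultdict(int)

    def check(self, zone, request, now):
        """Count the request; return 429 once its key exceeds the limit."""
        bucket = (zone_key(zone, request), int(now // self.window))
        self.counts[bucket] += 1
        return 429 if self.counts[bucket] > self.limit else 200

def replay(zone, traffic):
    """Run (timestamp, request) pairs through a fresh limiter for one zone."""
    limiter = FixedWindowLimiter()
    return [limiter.check(zone, request, now) for now, request in traffic]

def make_request(token):
    # Constructed sample: both users share one NAT address (documentation range).
    return {"ip": "203.0.113.7", "headers": {"Authorization": token}}

# Constructed traffic: two users alternate, one request per second.
SAMPLE = [(t, make_request("Bearer alice" if t % 2 == 0 else "Bearer bob"))
          for t in range(8)]

if __name__ == "__main__":
    for zone in ZONES:
        print(zone, replay(zone, SAMPLE))
```

Under "per_ip" the two users behind one address exhaust a single counter together, while under "api_per_user" each gets its own. In this model, requests with no Authorization header all map to one shared counter.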