
Brute Force Protection

To protect against brute force attacks, you can restrict user authentication attempts on HTTP Proxy with the following parameters:

  • http.proxy.max.failed.logins
  • http.proxy.max.failed.login.wait.seconds

Set these parameters to the desired values in the u01/http-proxy/conf/http_proxy.properties file. The values you assign determine when, and for how long, a client IP address is blocked after authentication attempts from that address fail.

  • http.proxy.max.failed.logins: Number of failed login attempts after which the client IP is blocked. The client can try to authenticate again after http.proxy.max.failed.login.wait.seconds have elapsed. Defaults to 10.
  • http.proxy.max.failed.login.wait.seconds: Duration in seconds to wait before retrying login after the http.proxy.max.failed.logins value is reached. Defaults to 600 seconds (10 minutes).
  • http.proxy.max.requests.per.second: Maximum number of requests per second allowed from the same IP address. A value <= 0 means no limit. Defaults to 0.
  • http.proxy.max.requests.action: Action HTTP Proxy takes once the maximum request limit is exceeded:
      o WAIT: Pages load gradually, as request slots become available within the http.proxy.max.requests.per.second limit. This might slow down page loading, but the pages will load eventually. This might be useful for limiting the bandwidth used per IP.
      o BLOCK: The default value. Pages stop loading as soon as the http.proxy.max.requests.per.second threshold is reached. This may cause the page to be only partially loaded.
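
The following is an added example, not part of the product or its documentation: a Python check that reads the contents of an http_proxy.properties file, applies the defaults listed above, and estimates how many login attempts a single IP address gets per day. It assumes the failed-login counter resets after each wait period, which this page does not state; the function names and the sample file content are constructed for illustration.

```python
import math

# Defaults as documented on this page.
DEFAULTS = {
    "http.proxy.max.failed.logins": "10",
    "http.proxy.max.failed.login.wait.seconds": "600",
    "http.proxy.max.requests.per.second": "0",
    "http.proxy.max.requests.action": "BLOCK",
}

def parse_properties(text):
    """Parse simple key=value lines; skip blanks and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() in DEFAULTS:
            props[key.strip()] = value.strip()
    return props

def effective_policy(text):
    """Merge the file's values over the documented defaults."""
    merged = {**DEFAULTS, **parse_properties(text)}
    return {
        "max_failed": int(merged["http.proxy.max.failed.logins"]),
        "wait_s": int(merged["http.proxy.max.failed.login.wait.seconds"]),
        "rps": int(merged["http.proxy.max.requests.per.second"]),
        "action": merged["http.proxy.max.requests.action"].upper(),
    }

def guesses_per_day(policy):
    """Upper bound on login attempts one IP gets in 24 hours."""
    # Assumption (not stated on the page): the counter resets after each wait.
    if policy["wait_s"] <= 0 or policy["max_failed"] <= 0:
        return None  # no positive lockout window to bound against
    return math.ceil(86400 / policy["wait_s"]) * policy["max_failed"]

def findings(policy):
    out = []
    if guesses_per_day(policy) is None:
        out.append("lockout threshold or wait is not positive; review both")
    if policy["rps"] <= 0:
        out.append("per-IP request rate is unlimited (value <= 0)")
    if policy["action"] not in ("WAIT", "BLOCK"):
        out.append("max.requests.action is neither WAIT nor BLOCK")
    return out

# Constructed sample file content.
SAMPLE = "# sample\nhttp.proxy.max.failed.logins=5\nhttp.proxy.max.failed.login.wait.seconds = 900\n"
```

With the documented defaults, the estimate is 1440 attempts per IP per day, and the per-IP request rate is unlimited until http.proxy.max.requests.per.second is set.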