. . . . "VAL_HttpRestrictions" . "%META:TOPICPARENT{name=\"ValQuickStartGuide\"}%\n\n---+ HTTP Restrictions\n\n%TOC%\n\n---++ Virtuoso Restriction Hook\n\nVirtuoso provides a hook procedure called DB.DBA.DBEV_RESTRICTIONS which, given a map of restriction names to their requested value (\"min\" or \"max\"), will return a set of mappings from restriction name to a vector containing the restriction type (\"min\" or \"max\"), the restriction value, and the optional service ID which triggered the restriction. If the latter is null then the restriction was triggered by the client IP address.\n\nSince March 19th, 2014 Virtuoso provides a second restrictions hook DB.DBA.DBEV_GET_CONNECTION_RESTRICTION which supports restriction parameters. Restriction parameters simply allow to divide one restricted resource into several restrictions. This is very useful in terms of HTTP as it allows to define different restrictions for different urls or virtual dirs.\n\nThis hook is implemented in VAL and uses the ACL restriction system by prefixing every restriction name with urn:virtuoso:restrictions:.\n\nVAL's implementation will always choose the least restrictive value. That means given two max values, one via the IP address and one via the authenticated user, VAL will choose the higher value.\n\nThe Restrictions can be controlled via the [[http://docs.openlinksw.com/val/group__val__acl__module__http__api.html][VAL ACL RESTful API]] or the [[http://docs.openlinksw.com/val/group__val__acl__module__internal__api.html#ga89b2c77c10c82186ddc0e7b46093123c][Internal VAL API]]. Alternatively one can directly add the restrictions to the private graph matching the realm in which the restrictions should apply. Given the default realm http://www.openlinksw.com/ontology/acl#DefaultRealm and default hostname \"HOST\" the graph IRI would be http://HOST/acl/graph/restrictions/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm and the groups will be stored in named graph http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm. Be aware that [[http://docs.openlinksw.com/val/val_configuration.html#val_configuration_acl_graphs][these graphs can be customized]] for better readability.\n\n---++ HTTP Restriction Names\n\nVirtuoso uses two restrictions which can be controlled on an IP address level or via service IDs. These restrictions define \"global\" limits on all virtual dirs.\n 1 urn:virtuoso:restrictions:http-request-rate restricts the maximum request rate per second.\n 1 urn:virtuoso:restrictions:http-content-size restricts the maximum content size for requests\n\nIf one wants to define restrictions only for a specific virtual dir or a specific URL then the above URNs need to be used as restriction parameters in restrictions on the url in question. See below for examples.\n\n---+++ HTTP Restriction Examples\n\n---++++ Global Http Restrictions\n---+++++ Restrict the requests per second to 10 for everyone for every http request\n\nSPARQL\n\nPREFIX oplres: \nPREFIX foaf: \n\nWITH GRAPH \n\nINSERT {\n <{REST-IRI}> a oplres:Restriction ;\n foaf:maker <{PERSON-WEBID}> ; \n foaf:name \"Base line is 10 requests per second\" ;\n oplres:hasMaxValue \"10\"^^xsd:decimal ;\n oplres:hasRestrictedResource ;\n oplres:hasAgentClass foaf:Agent ;\n oplres:hasRealm oplacl:DefaultRealm .\n};\n\n\n\n---+++++ Restrict the requests per second to 1000 for the intranet for every http request\nIP Address ranges are defined via conditional groups. Thus, we first define the conditional group which includes all IP addresses with a certain pattern:\n\nSPARQL\n\nPREFIX oplres: \nPREFIX foaf: \n\nWITH GRAPH \n\nINSERT {\n <{GROUP-IRI}> a oplacl:ConditionalGroup ;\n foaf:maker <{PERSON-WEBID}> ; \n foaf:name \"Internal Network\" ;\n oplacl:hasCondition [\n a oplacl:IPAddressCondition ;\n oplacl:hasIPAddressPattern \"198.168..*\"\n ] .\n};\n\n\nAnd then we use this group in our restriction:\n\n\nSPARQL\n\nPREFIX oplres: \nPREFIX foaf: \n\nWITH GRAPH \n\nINSERT {\n <{REST-IRI}> a oplres:Restriction ;\n foaf:maker <{PERSON-WEBID}> ; \n foaf:name \"Intranet HTTP requests per second\" ;\n oplres:hasMaxValue \"1000\"^^xsd:decimal ;\n oplres:hasRestrictedResource ;\n oplres:hasAgent <{GROUP-IRI}> ;\n oplres:hasRealm oplacl:DefaultRealm .\n};\n\n\n\n---++++ Virtual-Dir or URL-specific Http Restrictions\n\n---+++++ Restrict the requests per second to 10 for everyone on one virtual dir\nThe following restriction is scoped to all http requests on one virtual dir, i.e. /sparql. This means any request to pages in that virtual dir will be subject to the same restriction. This means that one client can make 10 requests in total on that virtual dir.\n\n\nSPARQL\n\nPREFIX oplres: \nPREFIX foaf: \n\nWITH GRAPH \n\nINSERT {\n <{REST-IRI}> a oplres:Restriction ;\n foaf:maker <{PERSON-WEBID}> ; \n foaf:name \"Base line is 10 requests per second\" ;\n oplres:hasMaxValue \"10\"^^xsd:decimal ;\n oplres:hasRestrictedResource ;\n oplres:hasRestrictedParameter ;\n oplres:hasAgentClass foaf:Agent ;\n oplres:hasRealm oplacl:DefaultRealm .\n};\n\n\n---+++++ Restrict the requests per second on one specific URL\nThe following restriction allows 1000 requests per second on one specific URL (given that there is no virtual dir which matches that URL). It uses the same conditional group as above. So in practice this restriction limits the rate on one specific ODS API call:\n\n\nSPARQL\n\nPREFIX oplres: \nPREFIX foaf: \n\nWITH GRAPH \n\nINSERT {\n <{REST-IRI}> a oplres:Restriction ;\n foaf:maker <{PERSON-WEBID}> ; \n foaf:name \"Intranet HTTP requests per second\" ;\n oplres:hasMaxValue \"1000\"^^xsd:decimal ;\n oplres:hasRestrictedResource ;\n oplres:hasRestrictedParameter ;\n oplres:hasAgent <{GROUP-IRI}> ;\n oplres:hasRealm oplacl:DefaultRealm .\n};\n" . . . "270a6aff46a414fb713484b1e4e43c10" . . . . "2017-06-13T05:40:56Z" . . "2017-06-13T05:40:56Z" . . . "VAL_HttpRestrictions" . "2017-06-13T05:40:56.344566"^^ . . . . "2017-06-13T05:40:56.344566"^^ . "VAL_HttpRestrictions" . .