Wed, 06 Apr 2011
Connection limiting in Apache2 - 16:01
Looking at the logs, it was interesting to note that the User-Agent was identical for every request even though the requests were coming from many different IP addresses. So I needed a way to limit connections to a certain type of file, or to an area on disk, within Apache itself, so that the machine would not suffer resource starvation and downloads for everyone else would not blow out.
Looking around for ways to do this in Apache2, there were not a lot of options already implemented: some per-IP connection limits in one module, some rate limiting in another, but no immediately obvious way to limit connections to a given Directory, VirtualHost or Location. Fortunately a few different searches eventually turned up the libapache2-mod-bw package in Debian.
As the package description says:
"This module allows you to limit bandwidth usage on every virtual host or directory or to restrict the number of simultaneous connections."
This seemed to be the solution, so I read the documentation in the text file shipped with the package, enabled the module on the server and got it working.
To get it working, pay attention to the part of the documentation that says ExtendedStatus needs to be enabled before the LoadModule line. After that you can simply place the BandWidth and MaxConnection directives in a Directory section in your main config file for a given vhost.
I configured it with the following section:

    ForceBandWidthModule On
    BandWidthModule On
    <Directory "/on/disk/location">
        BandWidth "u:BLAHBLAH" 200
        BandWidth all 2000000
        MaxConnection "u:BLAHBLAH" 1
        MaxConnection all 10
    </Directory>

This says that if the User-Agent contains the string "BLAHBLAH" anywhere, that agent is limited to 200 bytes per second and, by the later MaxConnection line, to a single simultaneous connection to this directory. The "all" lines apply to every client: 2000000 bytes per second in total, and no more than 10 simultaneous connections to the directory. I thought it worthwhile to put in the limit of 10 connections just in case the user agent changes, so that it still cannot starve the machine or max out the link.
Initially I had only the limit of 10 connections, without the separate user-agent limit, and the DoS was simply using up all 10 slots, so nobody else could connect and download these items. So far the combined configuration seems to be working, and I can monitor it for a few days to see how the attack behaves in response.
Thanks to the module author, this seems to work fairly well and was easier than writing a mechanism inside Apache2 myself to limit connections in the manner required.
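As an added example (not code from the original post), here is a small Python script that does the same check the author did by eye: it parses Apache combined-format access log lines and, for requests under the protected directory, reports each User-Agent together with the number of distinct client addresses behind it, which is the string you would then feed to mod_bw's "u:" matcher. The log lines, the /files/ prefix and the "BLAHBLAH/1.0" agent are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Constructed sample log lines (not taken from the author's server).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Apr/2011:15:40:01 +1000] "GET /files/big.iso HTTP/1.1" 200 52428800 "-" "BLAHBLAH/1.0"
198.51.100.7 - - [06/Apr/2011:15:40:02 +1000] "GET /files/big.iso HTTP/1.1" 200 52428800 "-" "BLAHBLAH/1.0"
192.0.2.33 - - [06/Apr/2011:15:40:02 +1000] "GET /files/big.iso HTTP/1.1" 200 52428800 "-" "BLAHBLAH/1.0"
203.0.113.99 - - [06/Apr/2011:15:40:03 +1000] "GET /files/other.tar.gz HTTP/1.1" 200 1048576 "-" "BLAHBLAH/1.0"
198.51.100.200 - - [06/Apr/2011:15:40:05 +1000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
198.51.100.200 - - [06/Apr/2011:15:40:06 +1000] "GET /files/big.iso HTTP/1.1" 200 52428800 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
this line is garbage and should be skipped
"""

def parse_log(text):
    """Yield a dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def ua_ip_spread(text, path_prefix="/files/"):
    """Map User-Agent -> (request count, set of distinct client IPs) for requests under path_prefix."""
    counts = defaultdict(int)
    ips = defaultdict(set)
    for rec in parse_log(text):
        parts = rec["request"].split()          # METHOD PATH PROTOCOL
        if len(parts) < 2 or not parts[1].startswith(path_prefix):
            continue
        counts[rec["ua"]] += 1
        ips[rec["ua"]].add(rec["ip"])
    return {ua: (counts[ua], ips[ua]) for ua in counts}

def suspicious_agents(text, min_ips=3, path_prefix="/files/"):
    """Return (ua, requests, distinct_ips) for agents seen from at least min_ips
    addresses, most widely spread first: one UA string across many IPs is the pattern the post describes."""
    spread = ua_ip_spread(text, path_prefix)
    hits = [(ua, n, len(s)) for ua, (n, s) in spread.items() if len(s) >= min_ips]
    return sorted(hits, key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    for ua, n, k in suspicious_agents(SAMPLE_LOG):
        print(f"{k} IPs, {n} requests: {ua}")
```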