Last updated: 2022-06-29
Introduction
HomePage: http://mod-qos.sourceforge.net
License: GNU
Feature:
- Limits the number of request events per second
- Limitation of the bandwidth
- Limitations on the TCP connection level
- request line and header filter dropping suspicious request URLs or HTTP headers.
- Serialization of requests
- Prefers known IP addresses when server runs out of free TCP connections. (VIP)
Level:
- Request level control: the number of concurrent requests to a name space (URL)
- Connection level control: limit the connections coming from a single client
- Client Level Control
Install & Setting (CentOS 6)
# Rocky 8
yum install mod_qos # epel
This also installs a set of command-line tools:
/usr/bin/qs*
LoadModule
/etc/httpd/conf.modules.d/10-mod_qos.conf
LoadModule qos_module modules/mod_qos.so
Testing mode
# logged only but no actions are applied to requests or connections to enforce a rule
/etc/httpd/conf.d/mod_qos.conf
QS_LogOnly on
Basic Setting
/etc/httpd/conf.d/mod_qos.conf
<IfModule mod_qos.c>
  # Allow only 5 connections per IP
  QS_SrvMaxConnPerIP 5
  # disables keep-alive when 80 TCP connections are occupied
  QS_SrvMaxConnClose 80
  # minimum request/response speed (upload/download)
  # (deny slow clients blocking the server, keeping connections open without requesting anything)
  # receiving request data (request line, header fields, or body), sending response data (header fields, body)
  QS_SrvMinDataRate 1024
</IfModule>
keep-alive
# Defines the maximum number of connections for this server (virtual host) supporting HTTP keep-alive.
QS_SrvMaxConnClose <number>[%]
Connection Level Control (virtual hosts)
# Defines the maximum number of concurrent TCP connections for this server (virtual host).
QS_SrvMaxConn <number>
# Defines the maximum number of connections per source IP address for this server (virtual host).
QS_SrvMaxConnPerIP <number> [<connections>]
# Defines an IP address or address range to be excluded from connection level control restrictions.
# An address range must end with a "."
QS_SrvMaxConnExcludeIP <address>
# Defines the sampling rate used to measure the data throughput.
# Default is 5 seconds
QS_SrvSampleRate <seconds>
QS_SrvMinDataRate
QS_SrvMinDataRate <bytes per second> [<max bytes per second> [<connections>]]
The "max bytes per second" activates dynamic minimum throughput control:
The required minimal throughput is increased in parallel to the number of concurrent clients sending/receiving data (starts increasing when reaching the "connections" threshold).
The "max bytes per second" setting is reached when the number of sending/receiving clients is equal to the MaxClients setting.
The "connections" argument is used to specify the number of busy TCP connections a server must have to enable this feature (0 by default).
It is used to disable the QS_SrvMinDataRate rule enforcement on idle servers.
For example, "QS_SrvMinDataRate 150 1200" requires a minimum of 150 bytes per second per connection,
and limits the connection to 1200 bytes per second when MaxClients is reached.
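A small model of the dynamic minimum described above, added here as an illustration (not mod_qos's own code). It assumes the required rate grows linearly from the first value at the "connections" threshold up to the "max bytes per second" value at MaxClients; that linear reading, and the MaxClients values used in the demo, are assumptions, not the module's exact arithmetic.

```python
"""Model of QS_SrvMinDataRate's dynamic minimum throughput.

Added example, not mod_qos's own code. Assumption: the required rate grows
linearly from <bytes per second> at the <connections> threshold up to
<max bytes per second> at MaxClients (one reading of the description above).
"""


def required_min_rate(busy, max_clients, min_rate, max_rate=None, start=0):
    """Bytes/s a connection must sustain, or None when the rule is idle
    (busy connections below the <connections> threshold)."""
    if busy < start:
        return None
    if max_rate is None or max_rate <= min_rate or max_clients <= start:
        return min_rate  # static minimum: no dynamic control configured
    if busy >= max_clients:
        return max_rate
    # linear interpolation between the two thresholds (assumption, see above)
    return min_rate + (max_rate - min_rate) * (busy - start) // (max_clients - start)


def violates(bytes_in_window, window_seconds, busy, max_clients, min_rate, max_rate=None, start=0):
    """True when a connection moved fewer bytes over one QS_SrvSampleRate
    window (default 5 s) than the currently required minimum."""
    required = required_min_rate(busy, max_clients, min_rate, max_rate, start)
    if required is None:
        return False
    return bytes_in_window / window_seconds < required


if __name__ == "__main__":
    # "QS_SrvMinDataRate 150 1200" from the text, with an assumed MaxClients of 256
    for busy in (0, 64, 128, 256):
        print(busy, required_min_rate(busy, 256, 150, 1200))
    # example <7> below: "QS_SrvMinDataRate 120 1500 500", assumed MaxClients 896
    for busy in (400, 500, 698, 896):
        print(busy, required_min_rate(busy, 896, 120, 1500, 500))
```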
Checking Status
<Location /server-status>
SetHandler server-status
Deny from All
Allow from 192.168.88.
</Location>
http://YourServer/server-status
When under attack, the result is that all workers are occupied (scoreboard state "R" / keepalive (read)).
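The following script is an added example (not part of mod_qos or this page) that reads the machine-readable server-status?auto report, counts the worker states, and relates the open-connection count to the percent-based thresholds used further down (QS_SrvMaxConnClose 85%, QS_ClientPrefer 80). It assumes each busy worker holds one TCP connection, and the report text it parses is constructed sample data.

```python
"""Interpret an Apache server-status?auto report in mod_qos terms.

Added example, not code from mod_qos or the original page. Assumptions:
each busy worker holds one open TCP connection (prefork-style), and the
percent arguments are resolved as integer percentages of MaxClients.
"""
import re


def make_status(reading, keepalive, writing, idle, unused):
    """Build a constructed server-status?auto report (sample data, not a capture)."""
    board = "R" * reading + "K" * keepalive + "W" * writing + "_" * idle + "." * unused
    busy = reading + keepalive + writing
    return f"Total Accesses: 123456\nBusyWorkers: {busy}\nIdleWorkers: {idle}\nScoreboard: {board}\n"


def parse_status(text):
    """Extract BusyWorkers, IdleWorkers and per-state counts from the scoreboard line."""
    fields = dict(re.findall(r"^([A-Za-z ]+): (.*)$", text, re.M))
    states = {}
    for ch in fields.get("Scoreboard", ""):
        states[ch] = states.get(ch, 0) + 1
    return {"busy": int(fields["BusyWorkers"]), "idle": int(fields["IdleWorkers"]), "states": states}


def qos_threshold(max_clients, value):
    """Resolve an absolute or percent directive argument (e.g. "85%") to a connection count."""
    if isinstance(value, str) and value.endswith("%"):
        return max_clients * int(value[:-1]) // 100
    return int(value)


def assess(text, max_clients, max_conn_close="85%", client_prefer="80%"):
    """Report which thresholds the current connection count has crossed and how
    much of the busy pool sits in the R/K states typical of a slow-connection attack."""
    st = parse_status(text)
    r_k = st["states"].get("R", 0) + st["states"].get("K", 0)
    return {
        "open": st["busy"],
        "r_k_share": r_k / st["busy"] if st["busy"] else 0.0,
        "keepalive_disabled": st["busy"] >= qos_threshold(max_clients, max_conn_close),
        "vip_only": st["busy"] >= qos_threshold(max_clients, client_prefer),
        "saturated": st["idle"] == 0,
    }


# Constructed sample: 100 workers reading, 20 in keep-alive, 8 idle (MaxClients 128 assumed)
SAMPLE_STATUS = make_status(reading=100, keepalive=20, writing=0, idle=8, unused=0)

if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, max_clients=128))
```

Run against a live server with the output of "curl -s http://YourServer/server-status?auto" from an address allowed in the Location block above.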
# vhosts setting
<Location /qos>
SetHandler qos-viewer
Deny from All
Allow from 192.168.88.
</Location>
Usage:
# human version
http://YourServer/qos
# Automatically every 10 seconds
http://YourServer/qos?refresh
# machine-readable version
http://YourServer/qos?auto
# You may use the status viewer to verify the status of the client.
http://YourServer/qos?action=search&address=194.31.217.21
Example: to access the console:
# action='block'|'unblock'|'limit'|'unlimit'|'inclimit'|'setvip'|'unsetvip'|'setlowprio'|'unsetlowprio'|'search'
http://YourServer/qos/console?action=setvip&address=R.R.R.R
Notes
Use the directive "QS_DisableHandler on" to disable the qos-viewer and qos-console
for a virtual host in order to prevent accidental activation of these functions
Client Level Control (Global Setting Only)
# Defines the number of individual clients managed by mod_qos.
# Default is 50,000 concurrent IP addresses.
QS_ClientEntries <number>
* Each client requires about 150 bytes of memory on a 64-bit system
Example
<1> Slow Application
# Limits the maximum of concurrent requests per application to 100
MaxClients 256
QS_LocRequestLimit /aaa 100
QS_LocRequestLimit /bbb 100
QS_LocRequestLimitMatch "^(/dd1/|/dd2/).*$" 100
<2> HTTP Keep-Alive
# keep alive (for up to 85% of all connections):
KeepAlive on
MaxKeepAliveRequests 60
KeepAliveTimeout 3
QS_SrvMaxConnClose 85%
<3> Client Opens Many Concurrent Connections
# maximum number of active TCP connections is limited to 896
# (limited by the available memory, adjust the settings according to the
# used hardware):
MaxClients 896
# don't allow a single client to open more than 50 TCP connections if
# the server has not more than 196 free connections:
QS_SrvMaxConnPerIP 50 700
<4> Many Requests to a Single URL
# does not allow more than 150 requests/sec:
QS_LocRequestPerSecLimit /download/mod_qos.so.gz 150
# but do not allow more than 600 concurrent requests:
QS_LocRequestLimit /download/mod_qos.so.gz 600
<5> Bandwidth Restriction
# Limits the download bandwidth when accessing ISO images to 1 megabyte/sec
# and does not allow more than 300 clients to download such file type in
# parallel:
QS_LocKBytesPerSecLimitMatch .*iso$ 1024
QS_LocRequestLimitMatch .*iso$ 300
<6> preferred clients
# name of the HTTP response header which marks preferred clients
QS_VipIPHeaderName mod-qos-login
# server allows new TCP connections from known/good clients only
# when it has more than 716 open TCP connections
QS_ClientPrefer 80
<7> Slow attack
# minimum request/response speed (deny slow clients blocking the server,
# e.g. defending slowloris) if the server has 500 or more open connections:
QS_SrvMinDataRate 120 1500 500
# and limit request line, header and body:
LimitRequestLine 7168
LimitRequestFields 30
QS_LimitRequestBody 102400
Utilities
qsexec - Command execution triggered by patterns within log files.
qslog - A real time TransferLog/CustomLog data analyzer.
qspng - Creates graphics (png images) from the output of qslog.
qstail - Shows the end of a log file beginning at a defined pattern.
....
Doc
http://mod-qos.sourceforge.net/dos.html
http://mod-qos.sourceforge.net/glossary.html