Apache limiting modules

Last updated: 2022-11-11


Introduction


mod_limitipconn


Limits the maximum number of simultaneous connections per IP address.

The module allows inclusion and exclusion of files based on MIME type.

 * This module is not designed to prevent denial-of-service attacks.

# epel (C6, C7, R8)

yum install mod_limitipconn

# On U14 the module has to be compiled by hand

Configuration (R8)

/etc/httpd/conf.modules.d/10-limitipconn.conf

# This module will not function unless mod_status is loaded and
# the "ExtendedStatus On" directive is set.
<IfModule mod_status.c>
    ExtendedStatus On
    LoadModule limitipconn_module modules/mod_limitipconn.so
</IfModule>

vhosts.conf

Requests in excess of the limit result in a stock 503 Service Unavailable response.

<VirtualHost *:80>

    # server-wide restrictions
    MaxConnPerIP 10

    # per-location restrictions
    <Location /somewhere>
        # exempting images from the connection limit
        MaxConnPerIP 3
        NoIPLimit images/*
    </Location>

    # per-directory restrictions
    <Directory /home/vhosts/datahunter.org/public_html>
        # This section affects all files under this Directory;
        # all MIME types other than audio/mpeg and video*
        #   are exempt from the limit check
        MaxConnPerIP 1
        OnlyIPLimit audio/mpeg video
    </Directory>

    ErrorDocument 503 "Your IP over connection"

</VirtualHost>

 * Server-wide access restrictions and per-directory access restrictions are computed separately:
   if someone is downloading 11 images from http://your.server/somewhere simultaneously,
   they WILL be denied on the 11th download. The images are exempt from the /somewhere
   limit of 3 (NoIPLimit), but they still count toward the server-wide limit of 10.
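The interplay of the server-wide limit and the per-section limits is easy to misread, so here is an added example (not part of the original page and not mod_limitipconn's own code) that models the rules as this page states them and replays the 11-image scenario. It assumes that NoIPLimit/OnlyIPLimit patterns are matched against the response MIME type (so the image exemption is written as image/*), that the Directory block is modelled as a /media path prefix, and that sections are matched by longest path prefix; the real module counts from Apache's scoreboard, which this simulation replaces with plain counters.

```python
import fnmatch

# Constructed model of the vhost above: one server-wide limit plus two sections.
# NoIPLimit / OnlyIPLimit patterns are assumed to match the response MIME type.
SERVER_LIMIT = 10
SECTIONS = [
    {"prefix": "/somewhere", "limit": 3, "no_ip_limit": ["image/*"], "only_ip_limit": []},
    {"prefix": "/media", "limit": 1, "no_ip_limit": [], "only_ip_limit": ["audio/mpeg", "video"]},
]


def section_for(path):
    """Most specific matching section (longest prefix), or None if only the server limit applies."""
    hits = [s for s in SECTIONS if path.startswith(s["prefix"])]
    return max(hits, key=lambda s: len(s["prefix"])) if hits else None


def section_limits(section, mime):
    """Does this section's MaxConnPerIP apply to a response of the given MIME type?"""
    if section["only_ip_limit"]:
        return any(mime.startswith(p) for p in section["only_ip_limit"])
    return not any(fnmatch.fnmatch(mime, p) for p in section["no_ip_limit"])


def decide(path, mime, open_total, open_in_section):
    """(allowed, reason) for one more request from an IP with open_total connections server-wide."""
    if open_total >= SERVER_LIMIT:
        return False, "server-wide MaxConnPerIP %d reached" % SERVER_LIMIT
    section = section_for(path)
    if section and section_limits(section, mime) and open_in_section >= section["limit"]:
        return False, "%s MaxConnPerIP %d reached" % (section["prefix"], section["limit"])
    return True, "allowed"


def first_denied(path, mime, n):
    """Open n simultaneous requests for one resource from a single IP; return the 1-based
    index of the first request that would get a 503, or None if all of them pass."""
    open_total = open_in_section = 0
    for i in range(1, n + 1):
        allowed, _ = decide(path, mime, open_total, open_in_section)
        if not allowed:
            return i
        open_total += 1
        if section_for(path) is not None:
            open_in_section += 1
    return None


if __name__ == "__main__":
    print(first_denied("/somewhere/pic.png", "image/png", 11))     # 11: server-wide limit
    print(first_denied("/somewhere/index.html", "text/html", 11))  # 4: /somewhere limit of 3
    print(first_denied("/media/song.mp3", "audio/mpeg", 5))        # 2: OnlyIPLimit applies
    print(first_denied("/media/readme.txt", "text/plain", 10))     # None: text/plain exempt
```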

Tuning

mod_limitipconn sets the LIMITIP environment variable to 1 whenever a download is denied on the basis of too high an IP count.

You can use this variable to distinguish accesses that have been denied by this module.

For example, a line like the following suppresses logging of denied connections:

# suppress logging of denied connections
CustomLog /var/log/httpd/access_log common env=!LIMITIP

# Apache 2.2

vi /etc/httpd/conf/httpd.conf

LoadModule status_module modules/mod_status.so

vi /etc/httpd/conf.d/limitipconn.conf

ratelimit_module


Provides a filter named RATE_LIMIT to limit client bandwidth.

Usage

# Load the module

LoadModule ratelimit_module modules/mod_ratelimit.so

# Settings

<Location "/downloads">
    SetOutputFilter RATE_LIMIT
    # Unit: KiB/s
    SetEnv rate-limit 400
</Location>

# More

An initial amount of burst data, in KiB, may be configured to be passed at full speed before throttling to the specified rate limit.

# 5 Mbytes
SetEnv rate-initial-burst 5120


P.S.

* The limit is applied per connection (a single IP may have many connections).

reqtimeout_module


Set timeout and minimum data rate for receiving requests

LoadModule reqtimeout_module modules/mod_reqtimeout.so

Default: "RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500"

Context: server config, virtual host

It is split into three stages, Handshake, Header and Body, each with its own timeout and minimum rate.

Header

Allow at least 10 seconds to receive the request including the headers.
If the client sends data, increase the timeout by 1 second for every 500 bytes received,
but do not allow more than 30 seconds for the request headers.

Body

Allow 30 seconds for receiving the request body.

RequestReadTimeout header=10-30,MinRate=500 body=30

When the browser exceeds the limit, a 408 REQUEST TIME OUT error is sent.

* For SSL virtual hosts, the header timeout values include the time needed to do the initial SSL handshake.

Disable module for a vhost:

RequestReadTimeout header=0 body=0

Doc

http://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
