httpd-users mailing list archives

From Pete Houston <...@openstrike.co.uk>
Subject Re: [users@httpd] Re: apache service interruption
Date Fri, 02 Aug 2013 08:30:46 GMT
On Thu, Aug 01, 2013 at 10:49:59PM -0700, Grant wrote:
> Do you do this only when under DoS attack or all the time?

All the time.

> Won't you potentially prevent legitimate users from making a single
> connection if they're connecting with a shared IP from a university
> campus (for example)?

Yes. However, if you don't do it you potentially prevent legitimate
users from anywhere from making a connection because some greedy user is
using up all your server's resources.

> How is this accomplished with iptables?

With connlimit and/or one of the rate-limiting modules.

Just to bring it back on topic, the disadvantage of implementing this at
the firewall is that it is very broad-brush (unless you use DPI). You
will be limiting connections regardless of the target vhost or path or
MIME type or whatever. By doing it in apache with mod_limitipconn or
similar you can easily apply stricter limits to heavier content, for
example.

So, IMHO the best plan is to put an absolute limit in the firewall for
the worst possible scenario but then tailor the individual limits for
vhosts and content types etc. within apache.

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
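The two-layer arrangement Pete recommends, written out as an added example that is not part of the original thread: an absolute per-source cap at the firewall (iptables connlimit for concurrent connections, hashlimit for the rate of new ones) and scoped, tighter limits inside Apache with mod_limitipconn. The thresholds, the vhost name www.example.com and the /downloads path are illustrative assumptions; the iptables match options and the mod_limitipconn directives (MaxConnPerIP, NoIPLimit, OnlyIPLimit) are the real ones.

```shell
#!/bin/sh
# Added example, not from the original thread: the layered limit described
# above. Layer 1 is an absolute per-source cap in iptables (connlimit for
# concurrent connections, hashlimit for the rate of new ones); layer 2 is a
# per-vhost / per-content limit inside Apache using mod_limitipconn.
# The thresholds, vhost name and paths below are illustrative assumptions.

HTTP_PORTS="80,443"
FW_MAX_CONN=30        # assumed absolute cap on concurrent connections per source address
FW_SYN_RATE="20/sec"  # assumed cap on new connections per second per source
FW_SYN_BURST=40

# Layer 1: print the firewall rules (pipe into sh as root to apply them).
# --connlimit-mask 32 means "per IPv4 address": a whole campus behind one NAT
# address shares this cap, which is the trade-off the post accepts.
# Matching only --syn means existing connections are never cut; only new
# ones beyond the cap are refused.
fw_rules() {
  echo iptables -A INPUT -p tcp -m multiport --dports "$HTTP_PORTS" --syn \
    -m connlimit --connlimit-above "$FW_MAX_CONN" --connlimit-mask 32 \
    -j REJECT --reject-with tcp-reset
  # connlimit alone misses a client that opens and closes connections
  # quickly; hashlimit tracks the SYN rate per source address.
  echo iptables -A INPUT -p tcp -m multiport --dports "$HTTP_PORTS" --syn \
    -m hashlimit --hashlimit-name http_syn --hashlimit-mode srcip \
    --hashlimit-above "$FW_SYN_RATE" --hashlimit-burst "$FW_SYN_BURST" \
    -j DROP
}

# Layer 2: Apache config fragment for mod_limitipconn. The limits here can be
# lower than the firewall's because they are scoped: a looser cap on the
# vhost as a whole, a tighter one on the heavy download area.
apache_limit_conf() {
  cat <<'EOF'
# mod_limitipconn reads the scoreboard, so this is required
ExtendedStatus On

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example

    # Whole vhost: at most 10 concurrent connections per client address
    <Location />
        MaxConnPerIP 10
        # Small text responses are not counted toward the limit
        NoIPLimit text/*
    </Location>

    # Heavy content: tighter cap, counting only these MIME types
    <Location /downloads>
        MaxConnPerIP 3
        OnlyIPLimit application/zip video/*
    </Location>
</VirtualHost>
EOF
}

# Stand-alone use: print both layers; with APPLY=1 (as root) install the
# firewall rules instead of printing them. Copy the Apache fragment into the
# vhost file by hand; mod_limitipconn must be loaded (LoadModule) first.
if [ "${APPLY:-0}" = "1" ]; then
  fw_rules | sh
else
  fw_rules
  echo
  apache_limit_conf
fi
```

The two layers fail differently, which is part of the point: the firewall answers an over-limit client with a TCP reset before Apache spends a worker on it, while mod_limitipconn lets the request reach Apache and returns a 503, so it can look at the vhost, path and MIME type first. Keep the firewall number well above any Apache limit, otherwise the finer rules never get a chance to apply.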
