tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: How to stop DoS attacks to my Tomcat based app? Should I use Apache HTTPD or NGINX behind Tomcat?
Date Sun, 13 Jan 2013 13:22:18 GMT
Brian Braun wrote:
> Hi,
> 
> This is my infrastructure, from the point of view of what my
> users/attackers are facing:
> 
> - Amazon web service Elastic Load balancer
> 
> - 2 or more Ubuntu Linux VPSs behind the load balancer
> 
> - IPTables running inside Ubuntu
> 
> - JVM 1.6.0_35-b10
> 
> - Tomcat 7.0.33
> 
> - My app, running inside Tomcat
> 
> I want to stop if one person starts making an excessive amount of requests
> to my app, maybe because he needs to make all those requests but didn’t
> know there is a service limit in the RESTful service I'm providing, maybe
> because he doesn’t care about the service limits, or maybe because he wants
> to attack me with a DoS.
> 
> I can do it at the app level using a servlet filter and I'm already
> filtering them by IPs there, but that is not the best solution because the
> http requests will go all the way to my app, causing a lot of work to the
> previous layers (from the OS to the app).
> 
> I can also do it at the Tomcat level using valves even at the engine level,
> but the same concern applies here: too much previous effort. Besides that,
> I can not update the offending IPs registered in the valve in a
> programmatic way (as I can do using servlet filters and a MySQL database
> containing the offending IPs).
> 
> I can NOT do it at the IPTables level, because the real IP address is in
> the "x_forwarded_for" header and IPTables deals with TCP/IP, not with HTTP.
> Or at least, even if there is a way to create a rule, it will not run in an
> efficient way.
> 
> I will NOT be able to do it at the load balancer level, because Amazon
> doesn't allow us to stop some IPs there, not to mention a way to stop a
> DoS.
> 
> I have been doing some research, and it seems that I have two good
> options: Installing Apache HTTPD server or NGINX, before Tomcat. I know a
> lot about Tomcat, but almost nothing about Apache HTTPD and nothing about
> NGINX. Which one would you recommend me? This is what I’m looking for:
> 
> - To be able to evaluate the x_forwarded_for header to recognize the real
> IP address (because there will be a load balancer behind)
> 
> - To be able to limit the rate of request based on the IP making it enter
> my site at a slower rate, or if that is not possible to reject the excessive
> requests.
> 
> - To place this new layer (HTTPD or NGINX) between the load balancer and
> Tomcat, so Tomcat will still run the app. My app has been written in Java
> and I love java/Tomcat, so this will definitely keep existing.
> 
> - Speed, low resources consumption (mainly CPU and RAM), stability,
> reliability.
> 
> - Easy to learn, install and maintain.
> 
> Which one would you recommend, Apache or NGINX? I guess it would be better
> to use Apache because of all the documentation and information out there,
> and it would not harm me to finally learn about Apache. But I read
> somewhere that NGINX is specially fast and light in doing this (stopping
> DoS). However, I read that it is easier to connect HTTPD and Tomcat while
> it is not that easy NGINX/Tomcat.
> Or is there a better solution to stop users making an excessive amount of
> requests, using just Tomcat? Is there a filter somewhere that could help
> me, or a valve I haven't heard of?
> 

Thank you for the good description above.

Based on these elements, I would recommend having a look at mod_evasive in Apache httpd.
Google for "apache mod_security ubuntu".
(Those two are often configured together)

Connecting Apache httpd and Tomcat can be done using either
- mod_proxy and mod_proxy_http (if you want to stick to HTTP between Apache httpd and Tomcat)
- mod_proxy and mod_proxy_ajp (using the AJP protocol between Apache httpd and Tomcat)
- mod_jk (also using the AJP protocol between Apache httpd and Tomcat)
The choice between the last 2 is a matter of specific needs, convenience and preference.
There is quite a lot of previous discussion available in the list archives about this 
choice of Apache/Tomcat connectors.
All of them are easy to install in Ubuntu, as there are standard apt packages for all of them.

Note that all 3 connection methods above already include options for load-balancing the 
Tomcat back-ends, if you would see any advantage in suppressing the "Amazon web service 
Elastic Load balancer" layer.

To restate the obvious:
No matter at which level you do the rate-limiting or DOS-protection, it is going to cost 
some overhead somewhere. Generally-speaking however, if the point is to limit and discard 
at the request level, it is better to do it as early as possible.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
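The reply above names the pieces (mod_evasive for rate limiting, mod_proxy with mod_proxy_http/mod_proxy_ajp or mod_jk to reach Tomcat) but shows no configuration. The following is an added example written for this archive page; it is not from the thread, not from Brian's or André's setup, and not the Apache project's documentation. It assumes Apache httpd 2.4 on Ubuntu with the proxy, proxy_ajp, remoteip and evasive modules enabled via a2enmod, Tomcat's AJP connector listening on 127.0.0.1:8009, and an internal address range for the Amazon ELB of 10.0.0.0/8 (a placeholder; substitute the real VPC range). It ties in the X-Forwarded-For requirement from the question via mod_remoteip, which is what lets a per-IP limit apply to the real client rather than to the load balancer.

```apache
# Added example (not from the thread): httpd 2.4 front end on one Ubuntu host,
# sitting between the Amazon ELB and the local Tomcat.
# Assumptions: mod_remoteip, mod_evasive (libapache2-mod-evasive) and
# mod_proxy_ajp enabled; Tomcat AJP connector on 8009; 10.0.0.0/8 is a
# placeholder for the ELB's internal address range.

# 1. Recover the real client address from the ELB's X-Forwarded-For header.
#    Only a proxy inside the listed internal range may set it, so a client
#    cannot hide behind a forged X-Forwarded-For of its own.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/8

#    Log the recovered address (%a) rather than the ELB's (%h), otherwise
#    every line in access.log shows the load balancer as the client.
LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" elb_combined
CustomLog ${APACHE_LOG_DIR}/access.log elb_combined

# 2. Rate limiting with mod_evasive. A client that hits the same URI more than
#    DOSPageCount times within DOSPageInterval seconds, or any URI on the site
#    more than DOSSiteCount times within DOSSiteInterval seconds, receives
#    HTTP 403 for DOSBlockingPeriod seconds. The timer restarts on every
#    blocked request, so a client that keeps hammering stays blocked.
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        10
    DOSPageInterval     1
    DOSSiteCount        100
    DOSSiteInterval     1
    DOSBlockingPeriod   60
    DOSLogDir           /var/log/apache2/evasive
    # Never block the ELB health checker or other internal callers.
    DOSWhitelist        10.0.0.*
</IfModule>

# 3. Hand everything else to Tomcat over AJP (mod_proxy + mod_proxy_ajp).
#    For plain HTTP instead, replace ajp://127.0.0.1:8009/ with
#    http://127.0.0.1:8080/ and enable mod_proxy_http.
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
    Require all granted
</Proxy>
ProxyPass        / ajp://127.0.0.1:8009/
ProxyPassReverse / ajp://127.0.0.1:8009/
```

Two checks before relying on this. First, confirm which address mod_evasive keys its counters on: the original module reads the connection's peer address, and whether a given 2.4 build honours the address substituted by mod_remoteip is something to verify in a test environment, because if it counts by connection address every request arrives from the ELB and one noisy client would get the whole site blocked. Second, the thresholds above are deliberately looser than the module's defaults (DOSPageCount 2, DOSSiteCount 50); pages that load many assets from one origin trip the defaults on legitimate traffic, so set them from your own access logs rather than from a guess, and watch DOSLogDir for false positives after deployment.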

