tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: How to stop DoS attacks to my Tomcat based app? Should I use Apache HTTPD or NGINX behind Tomcat?
Date Mon, 14 Jan 2013 17:32:14 GMT
Hash: SHA256


On 1/12/13 6:56 PM, Brian Braun wrote:
> I can NOT do it at the IPTables level, because the real IP address
> is in the "x_forwarded_for" header and IPTables deals with TCP/IP,
> not with HTTP. Or at least, even if there is a way to create a
> rule, it will not run in an efficient way.

What makes you think that using a bizarre iptables configuration to
check X-Forwarded-For headers would be slower in iptables than, say,
httpd or nginx?

Are you using SSL between the lb and Tomcat? If so, then iptables
almost definitely won't work (or will be a total pain, as you say).

> I will NOT be able to do it a the load balancer level, because
> Amazon doesn't allow us the stop some IPs there, not to mention a
> way to stop a DoS.

You can do it, but it's a total PITA because you have to reverse all
your inbound rules. They don't currently offer blacklisting, it seems :(

> I have been doing some reasearch, and it seems that I have two
> good options: Installing Apache HTTPD server or NGINX, before
> Tomcat. I know a lot about Tomcat, but almost nothing about Apache
> HTTPD and nothing about NGINX. Which one would you recommend me?

Don't overlook squid, which was built for HTTP proxying.

On 1/13/13 8:22 AM, André Warnier wrote:> Brian Braun wrote:
> Based on these elements, I would recommend having a look at 
> mod_evasive in Apache httpd.

I would also recommend looking at mod_qos, which is a separate package
not included with httpd.

> Note that all 3 connection methods above already include options
> for load-balancing the Tomcat back-ends, if you would see any
> advantage in suppressing the "Amazon web service Elastic Load
> balancer" layer.

NB: I've been evaluating ELB versus httpd-based lb and it turns out
that an ELB costs a bit more than a "tiny" EC2 instance that could
probably handle everything you need for an httpd-based lb. On the
other hand, ELB gives you an lb that you don't have to configure and
keep up-to-date, other than maintaining the back-end server list and
keeping the SSL certificate(s) up-to-date (if you need that kind of

> To restate the obvious : No matter at which level you do the 
> rate-limiting or DOS-protection, it is going to cost some overhead 
> somewhere. Generally-speaking however, if the point is to limit
> and discard at the request level, it is better to do it as early
> as possible.


I'm actually quite surprised that Amazon doesn't offer blacklisting as
part of the ELB setup.

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with undefined -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message