tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: How to stop DoS attacks to my Tomcat based app? Should I use Apache HTTPD or NGINX behind Tomcat?
Date Mon, 14 Jan 2013 17:32:14 GMT

Brian,

On 1/12/13 6:56 PM, Brian Braun wrote:
> I can NOT do it at the IPTables level, because the real IP address
> is in the "x_forwarded_for" header and IPTables deals with TCP/IP,
> not with HTTP. Or at least, even if there is a way to create a
> rule, it will not run in an efficient way.

What makes you think that using a bizarre iptables configuration to
check X-Forwarded-For headers would be slower in iptables than, say,
httpd or nginx?

Are you using SSL between the lb and Tomcat? If so, then iptables
almost definitely won't work (or will be a total pain, as you say).

> I will NOT be able to do it at the load balancer level, because
> Amazon doesn't allow us the stop some IPs there, not to mention a
> way to stop a DoS.

You can do it, but it's a total PITA because you have to reverse all
your inbound rules. They don't currently offer blacklisting, it seems :(

> I have been doing some research, and it seems that I have two
> good options: Installing Apache HTTPD server or NGINX, before
> Tomcat. I know a lot about Tomcat, but almost nothing about Apache
> HTTPD and nothing about NGINX. Which one would you recommend me?

Don't overlook squid, which was built for HTTP proxying.

On 1/13/13 8:22 AM, André Warnier wrote:
> Brian Braun wrote:
> Based on these elements, I would recommend having a look at 
> mod_evasive in Apache httpd.

I would also recommend looking at mod_qos, which is a separate package
not included with httpd.

> Note that all 3 connection methods above already include options
> for load-balancing the Tomcat back-ends, if you would see any
> advantage in suppressing the "Amazon web service Elastic Load
> balancer" layer.

NB: I've been evaluating ELB versus httpd-based lb and it turns out
that an ELB costs a bit more than a "tiny" EC2 instance that could
probably handle everything you need for an httpd-based lb. On the
other hand, ELB gives you an lb that you don't have to configure and
keep up-to-date, other than maintaining the back-end server list and
keeping the SSL certificate(s) up-to-date (if you need that kind of
thing).

> To restate the obvious : No matter at which level you do the 
> rate-limiting or DOS-protection, it is going to cost some overhead 
> somewhere. Generally-speaking however, if the point is to limit
> and discard at the request level, it is better to do it as early
> as possible.

+1

I'm actually quite surprised that Amazon doesn't offer blacklisting as
part of the ELB setup.

-chris
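As an added illustration of the X-Forwarded-For point raised in this thread (example code, not from the thread, Tomcat or httpd): a request-level rate limiter that keys on the real client address, honouring X-Forwarded-For only when the TCP peer is a trusted load balancer. The 10.0.0.0/8 proxy range and the request limits are constructed assumptions.

```python
"""Rate-limit by real client IP when sitting behind a load balancer."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed assumption: address range(s) of the load balancer(s)
# whose X-Forwarded-For header we are willing to trust.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_header):
    """Return the key to rate-limit on.

    Each proxy appends to X-Forwarded-For, so the right-most entry was
    added by the hop nearest to us. The header is only honoured when the
    TCP peer is a trusted proxy; otherwise a client could set it to any
    value and either evade a block or get someone else blocked.
    """
    peer = ip_address(peer_ip)
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Walk right to left, skipping our own proxies, to the first foreign hop.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ip_address(hop)
        except ValueError:
            return hop  # not one of our proxies: bucket malformed entries as-is
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)  # every hop was one of ours; fall back to the peer


class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over limit: reject as early as possible, before the app
        q.append(now)
        return True
```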
