[olug] Limiting connections to Apache server based on IP address?

Kevin sharpestmarble at gmail.com
Sat Sep 25 01:51:03 UTC 2010


If Jay's settings fall through (I'd be looking at the first set primarily),
then you could do so with iptables:

    iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 24 -j REJECT --reject-with icmp-port-unreachable

This will cause iptables to reject the connection if there are more than 100
connections per /24 address block.

On Fri, Sep 24, 2010 at 17:28, Jay Hannah <jhannah at mutationgrid.com> wrote:

> On Sep 24, 2010, at 4:58 PM, Dan Linder wrote:
> > I'm looking for a way to limit the number of active users/connections
> > connecting into an Apache server.
>
> Usually taking an educated guess at these settings:
>
> http://httpd.apache.org/docs/current/mod/prefork.html
>   MaxClients
>   MaxSpareServers
>   MinSpareServers
>
> And then using ab to simulate floods while watching your memory consumption
> is sufficient. Tune as high as possible without swapping.
>
> http://httpd.apache.org/docs/2.0/programs/ab.html
>
> > From Googling, I see that there are some Apache modules that limit based on
> > the directory on the Apache server, but I'd like to limit it based on IP
> > address/subnet.
>
> Why? What behavior are you trying to block?
>
> I've never heard of anyone doing that. My Googling leads to
>
>   http://lartc.org/
>   http://www.tek-tips.com/viewthread.cfm?qid=1265508&page=2
>   http://ask.slashdot.org/article.pl?sid=04/01/31/204204
>   http://www.topology.org/src/bwshare/README.html
>
> But I'd be surprised if you actually want to try to play that game.
>
> > Any suggestions?  (Aside from "buy a bigger/faster server" -- already went
> > that route and we were shot down.)
>
> You'll always have finite capacity. All you can do is tune for what you
> have / budget, monitor, react.
>
> HTH,
>
> Jay Hannah
> Software Architect
> jhannah at mutationgrid.com | http://mutationgrid.com | 1-402-598-7782
>
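
Before enabling a connlimit rule like the one above, it helps to see which /24 blocks it would hit. The following is an added example, not part of the original thread: it groups peers from `ss -Htn` output by /24 the way `--connlimit-mask 24` does. The sample lines, function names and the choice to count only ESTAB sockets are assumptions; connlimit itself counts connection-tracking entries, so this is an approximation.

```python
import ipaddress
from collections import Counter

# Constructed sample of `ss -Htn` output: State Recv-Q Send-Q Local Peer
SAMPLE = """\
ESTAB 0 0 192.0.2.10:80 198.51.100.7:51234
ESTAB 0 0 192.0.2.10:80 198.51.100.9:40022
ESTAB 0 0 192.0.2.10:80 198.51.100.200:40023
ESTAB 0 0 [::ffff:192.0.2.10]:80 [::ffff:203.0.113.5]:50111
ESTAB 0 0 192.0.2.10:22 203.0.113.5:50112
TIME-WAIT 0 0 192.0.2.10:80 203.0.113.77:50113
ESTAB 0 0 [2001:db8::10]:80 [2001:db8::99]:50114
"""

def peer_block(peer, mask=24):
    """Return the IPv4 network a peer address falls in, or None for native IPv6."""
    host = peer.rsplit(":", 1)[0].strip("[]")
    addr = ipaddress.ip_address(host)
    if addr.version == 6:
        # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d;
        # those packets are IPv4 on the wire, so iptables sees them.
        addr = addr.ipv4_mapped
        if addr is None:
            return None  # native IPv6 is handled by ip6tables, not this rule
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def count_per_block(ss_output, port=80, mask=24):
    """Count ESTAB connections to the given local port per source block."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        local, peer = fields[3], fields[4]
        if local.rsplit(":", 1)[1] != str(port):
            continue
        block = peer_block(peer, mask)
        if block is not None:
            counts[str(block)] += 1
    return counts

def over_limit(counts, limit=100):
    """Blocks whose count exceeds the limit, i.e. would start being rejected."""
    return {block: n for block, n in counts.items() if n > limit}

if __name__ == "__main__":
    for block, n in count_per_block(SAMPLE).most_common():
        print(f"{n:5d}  {block}")
```

On a live server, pass the text of `ss -Htn` to `count_per_block` in place of the constructed sample.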
