I would like to only allow one IP to use up to, say, 1GB of traffic per day, and if that limit is exceeded, all requests from that IP are then dropped until the next day. However, a simpler solution where the connection is dropped after a certain number of requests would suffice.
Is there already some sort of module that can do this? Or perhaps I can achieve this through something like iptables?
Thanks
This is my iptables solution for this kind of issue. Adjust --seconds and --hitcount as you need, and also the iptables table. Explained:

iptables
check if the source IP is listed in the /proc/net/ipt_recent/ATACK file 5 or more times in a 600 second interval and if it's a NEW request. If it is, reject; else

iptables
check if the request is destined to port 80. If so, write the IP and timestamp to /proc/net/ipt_recent/ATACK and forward the packet.

It's working fine for my needs.
If you want a pure Apache solution, there is bw_mod for Apache 2.0 and mod_bandwidth for Apache 1.3. They can throttle the bandwidth of your server to limit bandwidth usage.
There is also mod_limitipconn, which prevents one user from making lots of connections to your server. mod_cband is another option, but I have never used it.
If you don't want to mess with your Apache installation you can put a squid proxy in front of Apache. It also gives you more control over the throttling.
However, in most cases the problem is a few large objects when you want to limit bandwidth per IP, and you want to give a sane error message when a user pulls too much data and you block him. In that case it might be easier to write a PHP script and store the access information in a temporary table in a database.
Have you looked at a tool like fail2ban? It might be a bit heavy-handed for you, but it would let you limit the number of requests any given IP is allowed. It works by looking at the logs, and you set rules for how many violations per time are allowed, so for you that might be requests per day. Once they go over that it can do things like block them using ipchains.
I've used it to block DDoS attacks against a mail server very successfully. It can consume a significant amount of processor power though.
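As an added example (not code from any answer above, and not part of fail2ban), here is the log-based accounting the fail2ban and database answers describe, applied to the original question: sum the bytes Apache served per IP per day from the access log and report the IPs over the daily limit. The log lines and the 1,000,000-byte test limit are constructed for the demo; the regex assumes Apache common/combined log format.

```python
import re
from collections import defaultdict

# Apache common/combined log format. The bytes field is "-" when nothing
# was sent (e.g. 304 responses), so it must be accepted and counted as 0.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]*\] "[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

DAILY_LIMIT = 1 * 1024 ** 3  # 1 GiB per IP per day, as asked in the question

def parse_line(line):
    """Return (ip, day, bytes) for an access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sent = m.group("bytes")
    return m.group("ip"), m.group("day"), 0 if sent == "-" else int(sent)

def daily_usage(lines):
    """Sum bytes served per (day, ip) over an iterable of log lines."""
    usage = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the accounting
        ip, day, sent = parsed
        usage[(day, ip)] += sent
    return dict(usage)

def over_limit(usage, limit=DAILY_LIMIT):
    """Return a sorted list of (day, ip, bytes) entries that exceed the daily limit."""
    return sorted((day, ip, b) for (day, ip), b in usage.items() if b > limit)

# Constructed sample log: one IP pulls a large file twice on 10/Oct, another
# IP makes small requests on two days, and one line is garbage.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2000:13:55:36 -0700] "GET /big.iso HTTP/1.0" 200 700000 "-" "curl/7.0"
198.51.100.7 - - [10/Oct/2000:14:01:02 -0700] "GET /big.iso HTTP/1.0" 200 600000 "-" "curl/7.0"
203.0.113.5 - - [10/Oct/2000:14:02:00 -0700] "GET /index.html HTTP/1.0" 304 - "-" "Mozilla/5.0"
203.0.113.5 - - [11/Oct/2000:09:00:00 -0700] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/5.0"
this line is garbage and must be ignored
"""

if __name__ == "__main__":
    usage = daily_usage(SAMPLE_LOG.splitlines())
    for day, ip, sent in over_limit(usage, limit=1_000_000):
        # This is where a blocking step (iptables, fail2ban action, etc.) would be triggered.
        print(f"{day} {ip} exceeded the limit with {sent} bytes")
```

Run it against a real log (for example `daily_usage(open("/var/log/apache2/access.log"))`) and hand the offending IPs to whatever blocking mechanism you choose; the per-day key means the block naturally expires at the day boundary.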
Try mod_dosevasive or mod_security.
mod_dosevasive can be configured to ban an IP after a specified number of page requests to a site in a specified time frame.