We have a Java app I'm serving from Apache 2.2 + mod_proxy_ajp + Tomcat 6 that is a REST API, and end users tend to like to totally slam it as fast as they can. I'd like to be able to throttle the hits per second to it, ideally by user/IP, like how Amazon, Twitter, etc. rate limit hits to their APIs.
- Preferably in Apache or Tomcat itself, but in the OS (Fedora) is OK, although I don't want to affect the other Tomcat apps on the same box (so just doing iptables on port 80 isn't the best solution).
- I don't want to limit bandwidth (this app doesn't produce more than 1k of output per hit), just the raw number of hits to the app, to protect Tomcat from being overwhelmed.
- I'm running on Amazon AWS EC2, so no multiple IPs per box or other complicated networking solutions.
- I'm open to solutions I can tell the developers to put into their code, but would like it to be something I can control from an admin point of view (like I can change log levels using their log4j config files).
Seems like all the Apache modules to do stuff like that are all abandoned and not Apache 2.2 compatible. Ideas?
Take a look at mod_limitipconn2, it might be what you're after:
http://dominia.org/djao/limitipconn2.html
This would allow you to limit it to one connection per IP, effectively turning the user's browser into a synchronous connection instead of it opening the usual 4-6 (thinking Firefox) by default.
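A configuration sketch for the suggestion above, added here as an example and not taken from the original answer. The `/api` prefix, the AJP address `localhost:8009` and the module file path are assumptions; the limit is scoped to one `<Location>` so the other Tomcat apps on the box are not affected.

```apache
# Added example. The module path, the /api prefix and the AJP
# host/port are assumptions; adjust them to the real deployment.
LoadModule limitipconn_module modules/mod_limitipconn.so

# mod_limitipconn counts connections from the scoreboard,
# so extended status has to be enabled server-wide.
ExtendedStatus On

# Only the REST API is reached through this prefix.
ProxyPass /api ajp://localhost:8009/api

<IfModule mod_limitipconn.c>
    <Location /api>
        # At most one simultaneous connection per client IP
        # for requests under /api; other locations are unlimited.
        MaxConnPerIP 1
    </Location>
</IfModule>
```

`MaxConnPerIP` caps simultaneous connections per client IP, and requests over the limit are answered with HTTP 503. Clients that share one address (a NAT gateway or an outbound proxy) share the same limit.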