I have set up mod_evasive and mod_remoteip to change the proxy headers from the load balancer's IP to the client's actual IP.
But I am running into problems when using mod_evasive. At the moment, my configuration for mod_evasive is:
DOSHashTableSize 3097
DOSPageCount 1
DOSSiteCount 2
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 100
From what I understand, the above config will allow at most 1 request to a page per second, or at most 2 pages anywhere in the website per second.
However, the problem is, the IP address of the load balancer is not static, and so when it tries to perform a health check, mod_evasive blocks the load balancer. This results in the ELB thinking that the EC2 instance is not healthy.
What should I do to prevent this problem? Is it possible to whitelist IP addresses by DNS name? My ELB DNS name is:
something-experimental-lb-123411.ap-northeast-1.elb.amazonaws.com
If not, what other options do I have?
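As an added example (not from the question or the answer below), this is the kind of Apache configuration that keeps mod_evasive from counting the load balancer's own health checks: mod_remoteip only trusts X-Forwarded-For from proxies inside the VPC, and mod_evasive exempts that same private range with DOSWhitelist. The VPC range 10.0.0.0/16, the instance being in a VPC, and the log paths are assumptions.

```apache
# Added example: mod_remoteip + mod_evasive behind an AWS ELB.
# Assumed: the instance lives in a VPC using 10.0.0.0/16 and the ELB
# forwards the client address in X-Forwarded-For.

# mod_remoteip: replace the ELB's address with the real client address,
# but only honour the header when the request arrives from inside the VPC,
# so a client on the internet cannot spoof its own address past the limits.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.0/16

# Health checks are sent by the ELB nodes themselves and carry no
# X-Forwarded-For header, so after mod_remoteip runs their client address
# is still the ELB node's private IP (which is not static). Whitelisting
# the whole private range means mod_evasive never counts or blocks them.
DOSHashTableSize    3097
DOSPageCount        1
DOSSiteCount        2
DOSPageInterval     1
DOSSiteInterval     1
DOSBlockingPeriod   100
# DOSWhitelist accepts wildcards on the last three octets, one pattern
# per directive; 10.0.*.* covers the assumed VPC range.
DOSWhitelist        10.0.*.*
# Record every block so a wrongly blocked address shows up in the logs.
DOSLogDir           /var/log/mod_evasive

# Keep both the resolved client address (%a, after mod_remoteip) and the
# raw header in the access log, so rate-limit decisions can be reviewed.
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" elb_combined
CustomLog logs/access_log elb_combined
```

Everything from the public internet still arrives with the header set by the ELB and is counted under the real client address, so the page and site limits above keep applying to ordinary visitors.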
The way I (think) solved it is to create a reverse proxy that does firewalling and pre-filtering (iptables, ipset & mod_evasive), then point that to an internal load balancer that actually serves the content. If you are going to use this solution, make sure to stress test the proxy for the total amount of requests you are expecting to serve.