I find myself needing to limit the number of requests a particular IP can send for a particular URI (e.g. www.foo.com/somewhere/special) while leaving the rest of the site unregulated.
How would I configure that using the HttpLimitReqModule built into Nginx?
I work for a privately held SaaS company and we are reviewing some of our architectural decisions around database and storage. Knowing that others have gone before us, I am wondering if I might "stand on the shoulders of giants" by hearing what other SaaS companies are using for their DB and storage platforms.
We have the obvious requirements of 99.9%+ availability, sub second page renders and elastic scaling, but as an IT Ops guy, I also want it to be lightweight to manage.
I am very interested to hear from people on both coasts to see what others in this space are doing.
I just updated my servers from CentOS 5.5 to CentOS 5.6, and now when I run ldconfig, I get these:
ldconfig: libraries libdchtvm32.so.5 and libdchtvm64.so in directory /usr/lib have same soname but different type.
ldconfig: libraries libdchcfl32.so and libdchcfl64.so.5 in directory /usr/lib have same soname but different type.
ldconfig: libraries libdchbas32.so.5 and libdchbas64.so.5 in directory /usr/lib have same soname but different type.
ldconfig: libraries libdchtvm64.so and libdchtvm64.so.5 in directory /usr/lib have same soname but different type.
I would like to know two things... should I care about this, and if so, what should I do about it?
I have a web farm that uses Apache 2.2.15 and mod_perl-2.0.4. I need to know if there is a comparable perl module to Apache::GTopLimit for mod_perl-2.x.
I have searched Google and other sites, and have not found anything yet. What I need to do is limit the amount of memory any one worker can consume. If it exceeds the threshold, then I want the worker to die.
I have already set the MaxRequestsPerChild value, but that does not prevent a worker from eating up all the memory on the box.
I am setting up a mongoDB replica set and one of the first things I am suppose to do is turn off atime on the file system. After researching this a bit, I am not opposed to doing this, but I have to ask, what uses atime? I have searched the interwebs and found very little in the way of "this applciaiton or this process uses atime and you would be stupid if you turned it off" kinds of warnings, but being a paranoid person by nature, I have to wonder.
So, what uses atime and if I turn it off, what could break?
I need to perform QA testing for Windows based applications on a Windows desktop client and I would like to know if EC2 supports Windows images that are NOT server based (e.g. Server 2003). I have searched and found many posts that suggest that Amazon does not have desktop clients on their roadmap, but nothing definitive from Amazon themselves.
If EC2 does not support desktop installations of Windows, is there a service out that that does?
Thanks
Okay, it may be because I am dense or maybe just not finding the right source, but I can't understand why one of these IPTABLES setups would be better than the other.
Here is my setup:
I have a box that is serving as a transparent proxy and a router or sorts. It has two interfaces on it, ETH0 and ETH1, and the following address scheme:
ETH0 = DHCP ETH1 = 192.168.5.1/24 serving up DHCP for the 192.168.5.0/24 network to clients behind it in the LAN
I have privoxy installed and listening on port 8080 as a transparent proxy. What I am accomplishing with this setup is to be able to drop this box into an existing network with minimal configuration and attached clients to the proxy.
Here is my original IPTABLES file
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
COMMIT
This configuration works fine and traffic is flowing back and forth without issue. I get the originating clients IP address in the privoxy logfiles, and life is good.
My confusion comes in when I start looking at other people's configurations and see that they are using DNAT instead of REDIRECT, and I am trying to understand the real beneift of one over the other. Here is a sample config:
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to 192.168.5.1:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
COMMIT
Again, this configuration works too, and gives me all I need from a logging perspective...
Which is is right, or maybe MORE right, than the other one?
Thanks for taking time to read this far...
I have a situation I need some assistance with. I have clients that need to have traffic rerouted to a specific port on a remote server, and I would like to use iptables to redirect it for me.
Here is the config:
Clients use smtpout.secureserver.net for SMTP traffic. The server will accept SMTP traffic on port 80 or port 3535. The issue is that I am already redirecting traffic destined for port 80 outbound to a tranparent proxy on port 8080. When the clients try to send email outbound, the connection times out.
What I would like to do is construct a iptables rule that redirects traffic destined to smtpout.secureserver.net:80 to smtpout.secureserver.net:3535.
Here is what I have so far, but it does not seem to work the way I expect:
-A PREROUTING -i eth1 -d 72.167.82.80/32 -p tcp --dport 80 -j DNAT --to-destination 72.167.82.80:3535
-A POSTROUTING -j MASQUERADE
I am using PRIVOXY as a transparent proxy on a Fedora Core 11 box. The machine has one interface (eth0) and here is the configuration of the network:
10.0.1.1 - router.foobar.com (connected to ISP) 10.0.1.2 - proxy.foobar.com (proxy) 10.0.1.199 - DHCP server
I have set the default gateway option in DHCP to be 10.0.1.2 so ALL TRAFFIC destined for 0.0.0.0/0 SHOULD pass through it (and 10.0.1.1) on it's way out to the internet.
Here is my problem.... How do I ensure that traffic that is coming in/out of the network follows the correct path and does not create weird routing issues. I see some delays when using the proxy, but when I do a "straight shot" out to the net by changing my default gateway, I see no delays.
Here is my current iptables conf file:
# Generated by iptables-save v1.4.3.1 on Fri Jul 30 17:02:45 2010
*nat
:PREROUTING ACCEPT [1565:151406]
:POSTROUTING ACCEPT [1467:94514]
:OUTPUT ACCEPT [768:48101]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Fri Jul 30 17:02:45 2010
# Generated by iptables-save v1.4.3.1 on Fri Jul 30 17:02:45 2010
*filter
:INPUT ACCEPT [12764:10577001]
:FORWARD ACCEPT [3755:525228]
:OUTPUT ACCEPT [14364:12738086]
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
I know that I am missing something, I just don't know what... I think that I need to do something like:
-A POSTROUTING -i eth0 -o eth0 -d 10.0.1.0/24 --SNAT 10.0.1.1
I am using Apache as a load balancer and would like to log the server to which the load balancer is forwarding the request to. For example, if I had three webservers, called:
I would like the log to show me to which server the request was forwared to (denoted by bold):
10.1.0.1 192.168.0.1 - - [20/Jul/2010:10:52:01 -0600] "GET /js/shared/kobj-static.js HTTP/1.1" 302 236 "http://www.google.com/search?q=baked+bbq+rib+recipes&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 (.NET CLR 3.5.30729) infoCard/AzigoLite/0.0.12"
Any help would be appreciated.
I need to know what the best lightweight, multithreaded Windows web server is for running Ruby on Rails applications. I am currenlty using thin, but it is not multithreaded (by design).
So, what are people using on Windows?
I have a wildcard SSL certificate from GoDaddy that has three files:
wildcard.crt gd_bundle.crt wildcard.key
In setting up mod_gnutls to be used with Apache, I can get the site to come up, but it throws a warning that the SSL certificate has not been validated by a CA.
When I use mod_ssl, I can stipulate a SSLCertificateChainFile directive and point it at the bd_bundle.crt file. I do not see how to do this with mod_gnutls.
Any help is appreciated. I also know that mod_ssl supports SNI, so if there is not an easy answer, I will just try that.
Thanks,
QWade