2010/10/03

Limiting Apache download traffic and connection counts on Debian

This module is not an officially released Apache module, so weigh that yourself before using it.
Developer's site: http://dominia.org/djao/limitipconn2.html

Debian package download:
http://elonen.iki.fi/code/unofficial-debs/mod-limitipconn/

Installation:
# Fetch the package
$ wget http://elonen.iki.fi/code/unofficial-debs/mod-limitipconn/apache2-mod-limitipconn_0.22-2_amd64.deb

# Install it
$ sudo dpkg -i apache2-mod-limitipconn_0.22-2_amd64.deb

# Go to the modules directory
$ cd /etc/apache2/mods-available/

# Enable the module
$ sudo a2enmod limitipconn

# Restart Apache so the module is loaded
$ sudo /etc/init.d/apache2 restart

# Edit the site config file
$ sudo vim /etc/apache2/sites-enabled/jangmt
# jangmt is my virtualhost config file; add a limit like the one below inside it


MaxConnPerIP 3




# Below are the module's default settings; they need no changes, but you can use them as a reference
$ cat /etc/apache2/mods-available/limitipconn.load
ExtendedStatus On
LoadModule limitipconn_module /usr/lib/apache2/modules/mod_limitipconn.so

$ cat /etc/apache2/mods-available/limitipconn.conf
# Example config for limitipconn


MaxConnPerIP 5
# exempting images from the connection limit is often a good
# idea if your web page has lots of inline images, since these
# pages often generate a flurry of concurrent image requests
NoIPLimit image/*




* As for whether it is working, watch the changes in the log files
$ netstat -an | grep EST
tcp 0 0 140.117.69.15:22 140.117.69.182:3349 ESTABLISHED
tcp 0 0 140.117.69.15:22 115.165.192.55:61735 ESTABLISHED
tcp6 0 36400 140.117.69.15:80 123.4.205.188:50018 ESTABLISHED
tcp6 0 0 140.117.69.15:445 140.117.69.183:1047 ESTABLISHED
tcp6 0 12726 140.117.69.15:80 114.243.88.195:65100 ESTABLISHED
tcp6 0 0 140.117.69.15:445 140.117.69.182:3311 ESTABLISHED
tcp6 0 51800 140.117.69.15:80 123.4.205.188:50120 ESTABLISHED
tcp6 0 12960 140.117.69.15:80 175.17.194.177:36633 ESTABLISHED

$ sudo tail /var/log/apache2/access.log
.... skip

$ sudo tail /var/log/apache2/error.log
[Sun Oct 03 16:35:54 2010] [error] [client 175.17.194.177] Rejecting client at 175.17.194.177
[Sun Oct 03 16:35:55 2010] [error] [client 114.243.88.195] Rejecting client at 114.243.88.195
[Sun Oct 03 16:36:04 2010] [error] [client 175.17.194.177] Rejecting client at 175.17.194.177
[Sun Oct 03 16:36:05 2010] [error] [client 175.17.194.177] Rejecting client at 175.17.194.177
[Sun Oct 03 16:36:10 2010] [error] [client 175.17.194.177] Rejecting client at 175.17.194.177
[Sun Oct 03 16:36:27 2010] [error] [client 175.17.194.177] Rejecting client at 175.17.194.177
[Sun Oct 03 16:36:29 2010] [error] [client 175.17.194.177] Rejecting client at 175.17.194.177
[Sun Oct 03 16:36:29 2010] [error] [client 175.17.194.177] Rejecting client at 175.17.194.177
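Two checks for the verification step above, as an added example that is not from the original post: it counts established connections per client IP from `netstat -an` output and mod_limitipconn rejections per client from error.log, using the post's own output as sample input. The function names (conns_per_ip, rejections_per_ip, at_limit) are my own.

```sh
#!/bin/sh
# Added example (not from the original post): checks for verifying that
# MaxConnPerIP takes effect. Sample data is the netstat/error.log output
# shown in the post.

# Established connections per client IP on a local port (default 80).
# Reads `netstat -an` on stdin; prints "count ip", busiest client first.
conns_per_ip() {
    awk -v port="${1:-80}" '
        $NF == "ESTABLISHED" {
            lp = $4;  sub(/.*:/, "", lp)         # local port
            rip = $5; sub(/:[0-9]+$/, "", rip)   # remote addr without port
            if (lp == port) n[rip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Count mod_limitipconn "Rejecting client at <ip>" lines from error.log.
# Reads the log on stdin; prints "count ip", most-rejected client first.
rejections_per_ip() {
    awk '/Rejecting client at/ { n[$NF]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# From "count ip" lines on stdin, print the IPs at or above the limit
# ($1 = MaxConnPerIP value): the next request from them gets a 503.
at_limit() {
    awk -v limit="$1" '$1 >= limit { print $2 }'
}

SAMPLE_NETSTAT='tcp 0 0 140.117.69.15:22 140.117.69.182:3349 ESTABLISHED
tcp6 0 36400 140.117.69.15:80 123.4.205.188:50018 ESTABLISHED
tcp6 0 12726 140.117.69.15:80 114.243.88.195:65100 ESTABLISHED
tcp6 0 51800 140.117.69.15:80 123.4.205.188:50120 ESTABLISHED
tcp6 0 12960 140.117.69.15:80 175.17.194.177:36633 ESTABLISHED'
SAMPLE_ERRLOG='[Sun Oct 03 16:35:54 2010] [error] [client 175.17.194.177] Rejecting client at 175.17.194.177
[Sun Oct 03 16:35:55 2010] [error] [client 114.243.88.195] Rejecting client at 114.243.88.195
[Sun Oct 03 16:36:04 2010] [error] [client 175.17.194.177] Rejecting client at 175.17.194.177'

# On a live server: netstat -an | conns_per_ip 80 | at_limit 3
printf '%s\n' "$SAMPLE_NETSTAT" | conns_per_ip 80 | at_limit 2
printf '%s\n' "$SAMPLE_ERRLOG" | rejections_per_ip
```

With MaxConnPerIP 3 as in the post, a client listed by `at_limit 3` is the one whose further requests show up as "Rejecting client" lines in error.log.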



* For more details, see the official documentation
http://dominia.org/djao/limitipconn-README
mod_limitipconn.c
David Jao
Proxy tracking by Jonathan J. Miner

Apache C module to limit the maximum number of simultaneous connections
per IP address. Allows inclusion and exclusion of files based on MIME
type.

Example configuration:

---------------------------------------------------------------------------

ExtendedStatus On

# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so
AddModule mod_limitipconn.c



MaxConnPerIP 3
# exempting images from the connection limit is often a good
# idea if your web page has lots of inline images, since these
# pages often generate a flurry of concurrent image requests
NoIPLimit image/*



MaxConnPerIP 1
# In this case, all MIME types other than audio/mpeg and video*
# are exempt from the limit check
OnlyIPLimit audio/mpeg video



---------------------------------------------------------------------------

Notes:

This module will not function unless mod_status is loaded and the
"ExtendedStatus On" directive is set.

The limits defined by mod_limitipconn.c apply to all IP addresses
connecting to your Apache server. Currently there is no way to set
different limits for different IP addresses.

Connections in excess of the limit result in a stock 503 Service
Temporarily Unavailable response. The job of returning a more useful
error message to the client is left as an exercise for the reader.

mod_limitipconn sets the LIMITIP environment variable to 1 whenever a
download is denied on the basis of too high an IP count. You can use
this variable to distinguish accesses that have been denied by this
module. For example, a line like

CustomLog /var/log/httpd/access_log common env=!LIMITIP

in httpd.conf can be used to suppress logging of denied connections
from /var/log/httpd/access_log. (Note that, if you want to do this,
you'll probably also want to comment out the ap_log lines from
mod_limitipconn.c to suppress error_log lines as well.)

Proxy client tracking

By default, all clients behind a proxy are treated as coming from the
proxy server's IP address. If you patch Apache with the included patch
and configure with --with-forward and rebuild, the real IP addresses
of clients behind proxies are correctly detected. You will need to
either compile statically or compile with -DRECORD_FORWARD.

If you don't patch the server, DO NOT compile with RECORD_FORWARD
defined. The module will still function, but it will not recognize
clients behind proxies.

