Apache Connections – Limit Max Number of Simultaneous Connections from an External IP in Apache

apache-2.2

I would like to set a maximum limit for the number of connections that can be made to Apache from a single external IP address.

What would be the best way to achieve this?

Thanks

Best Answer

I believe that mod_qos is probably going to be the answer to your prayers. I can't provide any specific configuration or recommendations, because I've never actually used it, but it comes with all the knobs you're likely to need.

More generally, iptables is more than capable of handling this sort of thing itself, and it's a far better solution (do networky stuff at the networky level). This is especially true if you want to deal with other protocols as well as HTTP, or only want to apply the limits to a subset of connections.

The iptables command you want is something like

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --name http --update --seconds 1 --hitcount 5 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --name http --set

This will limit incoming connections to 5 per second.

Note, however, that connection limiting can be a real pain for legitimate users who just happen to be heavy users of the site, and it'll only slow down attackers that really aren't a concern anyway. Use with caution.

Related Solutions

Linux Server Performance – What Limits Maximum Number of Connections?

I finally found the setting that was really limiting the number of connections: net.ipv4.netfilter.ip_conntrack_max. This was set to 11,776 and whatever I set it to is the number of requests I can serve in my test before having to wait tcp_fin_timeout seconds for more connections to become available. The conntrack table is what the kernel uses to track the state of connections so once it's full, the kernel starts dropping packets and printing this in the log:

Jun  2 20:39:14 XXXX-XXX kernel: ip_conntrack: table full, dropping packet.

The next step was getting the kernel to recycle all those connections in the TIME_WAIT state rather than dropping packets. I could get that to happen either by turning on tcp_tw_recycle or increasing ip_conntrack_max to be larger than the number of local ports made available for connections by ip_local_port_range. I guess once the kernel is out of local ports it starts recycling connections. This uses more memory tracking connections but it seems like the better solution than turning on tcp_tw_recycle since the docs imply that that is dangerous.

With this configuration I can run ab all day and never run out of connections:

net.ipv4.netfilter.ip_conntrack_max = 32768
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_orphan_retries = 1
net.ipv4.tcp_fin_timeout = 25
net.ipv4.tcp_max_orphans = 8192
net.ipv4.ip_local_port_range = 32768    61000

The tcp_max_orphans setting didn't have any effect on my tests and I don't know why. I would think it would close the connections in TIME_WAIT state once there were 8192 of them but it doesn't do that for me.

Apache: Limit the Number of Requests/Traffic per IP

This is my iptables solution for this kind of issue. Adjust --seconds --hitcount as you need, also iptables table.

iptables -A FORWARD -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 5 --name ATACK --rsource -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -d 192.168.0.113/32 -o eth1 -p tcp -m tcp --dport 80 -m recent --set --name ATACK --rsource -j ACCEPT

Explained:

iptables check if source IP is listed on /proc/net/ipt_recent/ATACK file for 5 or more times in 600 seconds interval and if it's a NEW request. If it is, do a reject; else
iptables check if request is destinated to port 80. If so, print IP and timestamp to /proc/net/ipt_recent/ATACK and forward packet.

It's working fine for my needs.

Best Answer

Related Solutions

Linux Server Performance – What Limits Maximum Number of Connections?

Apache: Limit the Number of Requests/Traffic per IP

Related Topic