Apache: Limit the Number of Requests/Traffic per IP

apache-2.2bandwidthiprequests

I would like to only allow one IP to use up to, say 1GB, of traffic per day, and if that limit is exceeded, all requests from that IP are then dropped until the next day. However, a more simple solution where the connection is dropped after a certain amount of requests would suffice.

Is there already some sort of module that can do this? Or perhaps I can achieve this through something like iptables?

Thanks

Best Answer

This is my iptables solution for this kind of issue. Adjust --seconds --hitcount as you need, also iptables table.

iptables -A FORWARD -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 5 --name ATACK --rsource -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -d 192.168.0.113/32 -o eth1 -p tcp -m tcp --dport 80 -m recent --set --name ATACK --rsource -j ACCEPT

Explained:

iptables check if source IP is listed on /proc/net/ipt_recent/ATACK file for 5 or more times in 600 seconds interval and if it's a NEW request. If it is, do a reject; else
iptables check if request is destinated to port 80. If so, print IP and timestamp to /proc/net/ipt_recent/ATACK and forward packet.

It's working fine for my needs.

Related Solutions

Limit number of requests to a specific set of URLs by IP address

I don't think it exists a module to limit connections per time per IP. But you should play a little bit with limitipconn and mod_cband ... probably together can do that. Or you can use limitipconn with iptables.

To do that probably you should use iptables:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 1/minute -j ACCEPT

I didn't test this rule, is just a hint for what you should look.

If you use iptables you should have 2 ip's and different virtual hosts for your main site and your document section, to limit only the ip(virtual host) for documents.

Regards

Nginx – How to redirect users with certain IP to special page

The Geo module is made to match client addresses. You can use it to define a variable to test like so:

geo $bad_user {
  default 0;
  1.2.3.4/32 1;
  4.3.2.1/32 1;
}

server {
  if ($bad_user) {
    rewrite ^ http://www.example.com/noscrape.html;
  }
}

This is more efficient than running a regex against $remote_addr, and easier to maintain.

Best Answer

Related Solutions

Limit number of requests to a specific set of URLs by IP address

Nginx – How to redirect users with certain IP to special page

Related Topic