Limit Apache Proxy upload speed per connection/ip

Tags: apache-2.2, bandwidth, proxy

I looked at mod_bandwidth and mod_cban but they dont seem to satisfy my requirements.

I am running a proxy server with apache 2.2 (mod_proxy, proxy_http, proxy_connect).

I want to limit the "upload speed of the client".

This is at the same time server download bandwidth, which should not be limited.

I want it per connection or even better per IP.

To make it understandable: The use case is that I don't want bad people uploading bad data to bad places using my proxy server to "mask" themselves. Of course I have logs and everything but I want to save the trouble and make it unattractive in the first place.

For better understanding here is a picture of my setup:

[setup diagram not reproduced]

Of course the red arrow could also point to the upper left arrow.

I am currently thinking about starting apache two times on the same server on different ports and using ProxyRemote to send the request to the other proxy. So on the second proxy I can exclude localhost from the throttling. However I would still need a solution to limit incoming but not outgoing bandwidth. I could realise that with iptables.

But honestly? There must be a better way. There just has to.

Best Answer

iptables in combination with tc should be able to do this if OP is on Linux. iptables has a module called connbytes that can match on the number of bytes that have passed the stream so far. Use this to "mark" packets in streams that have sent too many bytes. For example, you may have one rule that marks all packets in streams between 1 MByte and 10 MBytes with mark "1" and another one that marks all packets in streams longer than 10 MBytes with mark "2".

Then you set up traffic shaping classes for default (== below 1 Mbyte), for mark "1" and mark "2".

The advantage of this solution is that you need not penalize users unless they collectively consume too much bandwidth. The disadvantage is that these are somewhat complex tools that take some reading to wrap your head around.

iptables and tc are included in most distros. You may also want to look at tcng which makes it radically simpler to formulate tc rule sets.
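The connbytes-mark-then-shape scheme from the answer, written out as an added example (not the answerer's own rule set). It assumes Linux with HTB, an external interface and proxy service user passed as arguments, and the 1 MiB / 10 MiB thresholds and class rates are illustrative values; marking is done on the proxy's locally originated connections, so only the forwarded upload direction is throttled.

```shell
#!/bin/sh
# Added example: emit the iptables + tc rules for per-connection upload
# throttling behind an Apache forward proxy. Thresholds, rates and the
# interface/user names are assumptions, not values from the question.

# Print the rule set for external interface $1 and proxy user $2.
# The proxy opens the upstream connection, so "original" direction bytes
# are what it has already forwarded upstream; replies to clients (where the
# client is the originator) carry few original-direction bytes and so stay
# in the unshaped default class.
shaping_commands() {
    dev="$1"; user="$2"
    lo=1048576      # 1 MiB: below this a stream stays in the default class
    hi=10485760     # 10 MiB: above this a stream drops to the slowest class
    cat <<EOF
# connbytes needs per-connection byte accounting in conntrack
sysctl -w net.netfilter.nf_conntrack_acct=1
# mark 1: 1 MiB..10 MiB already sent upstream on this connection; mark 2: more
iptables -t mangle -A OUTPUT -o $dev -p tcp -m owner --uid-owner $user -m connbytes --connbytes $lo:$hi --connbytes-dir original --connbytes-mode bytes -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o $dev -p tcp -m owner --uid-owner $user -m connbytes --connbytes $((hi + 1)): --connbytes-dir original --connbytes-mode bytes -j MARK --set-mark 2
# HTB tree: default class 1:10 is effectively unshaped, 1:20 and 1:30 are throttled
tc qdisc add dev $dev root handle 1: htb default 10
tc class add dev $dev parent 1: classid 1:1 htb rate 100mbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate 90mbit ceil 100mbit
tc class add dev $dev parent 1:1 classid 1:20 htb rate 1mbit ceil 2mbit
tc class add dev $dev parent 1:1 classid 1:30 htb rate 256kbit ceil 512kbit
# steer marked packets into the throttled classes
tc filter add dev $dev parent 1: protocol ip handle 1 fw flowid 1:20
tc filter add dev $dev parent 1: protocol ip handle 2 fw flowid 1:30
EOF
}

# Number of actual commands (non-comment lines) the generator emits.
rule_count() { shaping_commands "$1" "$2" | grep -vc '^#'; }

# Apply for real only when asked (needs root); otherwise just print them.
if [ "${APPLY:-0}" = 1 ]; then
    shaping_commands "${DEV:-eth0}" "${PROXY_USER:-www-data}" | sh -e
else
    shaping_commands "${DEV:-eth0}" "${PROXY_USER:-www-data}"
fi
```

Run with `APPLY=1 DEV=eth0 PROXY_USER=www-data` as root to install the rules; without `APPLY=1` it only prints them for review.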