Squid rate-limiting

squid

I want to limit the number of requests that we get from single IPs, using squid (assume I have to use squid for political reasons), blocking those that make too many requests in a set period of time.

I was considering writing a short Perl script and an external_acl_type, with a delay pool, but I am unsure as to what parameters I can pass to the helper function.

Something like:

external_acl_type rate_limit /usr/bin/squid-access-control dst

but I am not sure if that would work?

Best Answer

So the solution I came up with, which I think is quite worth documenting, is as follows:

  • Squid logs all of the requests it receives
  • For CDN requests, squid follows the X-forwarded-For header, leaving the actual client IP in the logs
  • Fail2ban checks the logs, recording how many requests are being made by clients per minute, etc.
  • When a client makes X number of requests, it is put into the squirm IP list, which has the request rewritten to point to a webserver on the loadbalancer.
  • Squid picks this up, denies this request access to the actual webservers and allows them access to a thttpd server running on the loadbalancer, which hosts a webpage of "you're banned!"
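The per-client counting step of the setup above, written out as an added example (my code, not the answerer's Fail2ban configuration). It parses Squid's native access.log format, keeps a sliding window of request timestamps per client address, and reports clients that exceed a threshold within the window, which is the decision Fail2ban makes before the address is handed to the redirect list. It assumes, as the answer's setup does, that the client-address column already holds the real client IP (X-Forwarded-For resolved by Squid); the log lines, the threshold of 5 requests and the 60-second window are constructed for the demonstration, and `render_acl_file` simply writes one address per line, the layout Squid accepts for `acl name src "/path/to/file"`.

```python
import re
from collections import defaultdict, deque

# Squid native access.log columns:
#   <unix_ts> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> <ident> <hier/peer> <mime>
# Only the timestamp and client address matter for rate counting.
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<ip>\S+)\s+")

# Constructed sample log: 203.0.113.7 issues six requests in under three
# seconds, 192.0.2.55 issues three; the last line is deliberately malformed.
SAMPLE_LOG = """\
1700000000.100    120 203.0.113.7 TCP_MISS/200 5123 GET http://www.example.com/ - HIER_DIRECT/198.51.100.2 text/html
1700000000.500     35 203.0.113.7 TCP_MISS/200 812 GET http://www.example.com/a.css - HIER_DIRECT/198.51.100.2 text/css
1700000000.900     40 192.0.2.55 TCP_HIT/200 5123 GET http://www.example.com/ - HIER_NONE/- text/html
1700000001.000     31 203.0.113.7 TCP_MISS/200 640 GET http://www.example.com/b.js - HIER_DIRECT/198.51.100.2 application/javascript
1700000001.400     30 203.0.113.7 TCP_MISS/404 355 GET http://www.example.com/x - HIER_DIRECT/198.51.100.2 text/html
1700000001.800     38 192.0.2.55 TCP_HIT/200 812 GET http://www.example.com/a.css - HIER_NONE/- text/css
1700000002.000     29 203.0.113.7 TCP_MISS/404 355 GET http://www.example.com/y - HIER_DIRECT/198.51.100.2 text/html
1700000002.600     33 203.0.113.7 TCP_MISS/404 355 GET http://www.example.com/z - HIER_DIRECT/198.51.100.2 text/html
1700000003.100     41 192.0.2.55 TCP_HIT/200 640 GET http://www.example.com/b.js - HIER_NONE/- application/javascript
this line is not a squid log entry
"""


def parse_line(line):
    """Return (timestamp, client_ip) for a native-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return float(m.group("ts")), m.group("ip")


def find_offenders(lines, max_requests, window_seconds):
    """Sliding-window rate check.

    Returns {client_ip: timestamp_of_the_request_that_crossed_the_limit} for every
    client that made more than max_requests requests inside any window_seconds span.
    Lines that do not parse are skipped rather than counted against anyone.
    """
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in offenders:
            continue  # already flagged; the redirect list handles it from here
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window (log is time-ordered).
        while q and ts - q[0] >= window_seconds:
            q.popleft()
        if len(q) > max_requests:
            offenders[ip] = ts
    return offenders


def render_acl_file(offenders):
    """One address per line, the layout Squid reads for: acl banned src "/path/to/file"."""
    return "".join(f"{ip}\n" for ip in sorted(offenders))


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), max_requests=5, window_seconds=60)
    print(render_acl_file(hits), end="")
```

Run against the embedded sample, only 203.0.113.7 is reported, flagged at the sixth request; 192.0.2.55 stays under the limit and the malformed line is ignored. In a deployment the same counting is done by Fail2ban's filter and `maxretry`/`findtime` settings, and the rendered file would be loaded by a Squid `src` ACL or the squirm redirect list rather than written by hand.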