Name               Date         Size      #Lines  LOC
..                 03-May-2022  -
ChangeLog          25-Apr-2012  1.8 KiB   48      39
INSTALL            25-Apr-2012  449       17      12
LICENSE            19-Dec-2004  11.1 KiB  203     169
Makefile           02-Mar-2008  1 KiB     46      18
README             25-Apr-2012  4.1 KiB   110     83
mod_limitipconn.c  03-May-2022  14.3 KiB  416     272

README

mod_limitipconn.c
David Jao <djao@dominia.org>

This is an Apache 2.4/2.2/2.0 C module whose purpose is to limit the
maximum number of simultaneous connections per IP address. It supports
IPv4 and IPv6 connections. The module allows inclusion and exclusion of
files based on MIME type.

This module is not designed to prevent denial-of-service attacks. Its
function is only to deny users the ability to use large numbers of
simultaneous connections.

Tested with httpd-2.4.2 and httpd-2.2.17. Should work with httpd-2.0 but
has not been tested.

Example configuration:

---------------------------------------------------------------------------

# This command is always needed
ExtendedStatus On

# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so

<IfModule mod_limitipconn.c>

    # Set a server-wide limit of 10 simultaneous downloads per IP,
    # no matter what.
    MaxConnPerIP 10
    <Location /somewhere>
	# This section affects all files under http://your.server/somewhere
	MaxConnPerIP 3
	# exempting images from the connection limit is often a good
	# idea if your web page has lots of inline images, since these
	# pages often generate a flurry of concurrent image requests
	NoIPLimit image/*
    </Location>

    <Directory /home/*/public_html>
	# This section affects all files under /home/*/public_html
	MaxConnPerIP 1
	# In this case, all MIME types other than audio/mpeg and video*
	# are exempt from the limit check
	OnlyIPLimit audio/mpeg video
    </Directory>
</IfModule>

---------------------------------------------------------------------------

Notes:

1) This module will not function unless mod_status is loaded and the
   "ExtendedStatus On" directive is set.

2) Server-wide access restrictions and per-directory access restrictions
   are computed separately.  In the above example, if someone is
   downloading 11 images from http://your.server/somewhere
   simultaneously, they WILL be denied on the 11th download, because the
   server-wide limit of 10 downloads is not affected by the per-directory
   NoIPLimit.  If you want to set global settings which can be overruled
   by per-directory settings, you will need something like

	<Location />
	# global per-directory settings here

		<Location /somewhere>
		# local per-directory settings here

		</Location>

	</Location>

3) If you are using any module based upon a quick handler hook (such as
   mod_cache), mod_limitipconn will not be able to process any
   per-directory configuration directives in time to affect the return
   result of the other module.  This is a technical limitation imposed
   by Apache.  In such a situation, you will have to use server-wide
   configuration directives only.

   Versions of mod_limitipconn prior to 0.23 did not allow any
   server-wide configuration directives, and hence could not be used
   with mod_cache at all.

4) The limits defined by mod_limitipconn.c apply to all IP addresses
   connecting to your Apache server. Currently there is no way to set
   different limits for different IP addresses. One workaround is to set
   up two different URIs for the same content and use access control to
   restrict which IP addresses can access which URIs.

5) Connections in excess of the limit result in a stock 503 Service
   Temporarily Unavailable response. The job of returning a more useful
   error message to the client is left as an exercise for the reader.

6) mod_limitipconn sets the LIMITIP environment variable to 1 whenever a
   download is denied on the basis of too high an IP count. You can use
   this variable to distinguish accesses that have been denied by this
   module. For example, a line like

      CustomLog /var/log/httpd/access_log common env=!LIMITIP

   in httpd.conf can be used to suppress logging of denied connections
   from /var/log/httpd/access_log. (Note that, if you really want to
   suppress logging, you'll probably also want to comment out the
   ap_log_rerror lines from mod_limitipconn.c as well.)

7) By default, all clients behind a proxy are treated as coming from the
   proxy server's IP address. If you wish to alter this behavior,
   use the mod_remoteip module included in Apache 2.4.

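The httpd.conf fragment below is an added example, not part of the original README or the module's distribution. It combines notes 6 and 7: denied requests go to their own log instead of being discarded, and mod_remoteip is limited to a single known proxy so the per-IP count is taken on an address the server can trust. The denied-log path and the proxy address 192.0.2.10 are placeholders chosen for illustration.

```apache
# Added example (not from the mod_limitipconn distribution).
# The denied-log path and the proxy address are placeholders.

ExtendedStatus On
LoadModule limitipconn_module lib/apache/mod_limitipconn.so

# Note 7: behind a reverse proxy, count the real client, not the proxy.
# Name the proxy you operate explicitly, so that the forwarded-address
# header is honoured only on connections that arrive from it. A header
# accepted from arbitrary peers would let a client choose the address
# its connections are counted under.
<IfModule mod_remoteip.c>
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 192.0.2.10
</IfModule>

<IfModule mod_limitipconn.c>
    # Server-wide limit, as in the README's example configuration
    MaxConnPerIP 10
</IfModule>

# Note 6: keep denied requests out of the main access log ...
CustomLog /var/log/httpd/access_log common env=!LIMITIP

# ... and write them to a log of their own, so that repeated denials
# for one address can be reviewed or alerted on separately.
CustomLog /var/log/httpd/limitipconn_denied_log common env=LIMITIP
```

The two CustomLog lines are complementary: each request lands in exactly one of the two files, depending on whether the module set LIMITIP for it.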