mod_limitipconn.c
David Jao <djao@dominia.org>

This is an Apache 2.4/2.2/2.0 C module whose purpose is to limit the
maximum number of simultaneous connections per IP address. It supports
IPv4 and IPv6 connections. The module allows inclusion and exclusion of
files based on MIME type.

This module is not designed to prevent denial-of-service attacks. Its
function is only to deny users the ability to use large numbers of
simultaneous connections.

Tested with httpd-2.4.2 and httpd-2.2.17. Should work with httpd-2.0 but
has not been tested.

Example configuration:

---------------------------------------------------------------------------

# This command is always needed
ExtendedStatus On

# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so

<IfModule mod_limitipconn.c>

    # Set a server-wide limit of 10 simultaneous downloads per IP,
    # no matter what.
    MaxConnPerIP 10
    <Location /somewhere>
        # This section affects all files under http://your.server/somewhere
        MaxConnPerIP 3
        # exempting images from the connection limit is often a good
        # idea if your web page has lots of inline images, since these
        # pages often generate a flurry of concurrent image requests
        NoIPLimit image/*
    </Location>

    <Directory /home/*/public_html>
        # This section affects all files under /home/*/public_html
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
    </Directory>
</IfModule>

---------------------------------------------------------------------------

Notes:

1) This module will not function unless mod_status is loaded and the
   "ExtendedStatus On" directive is set.

2) Server-wide access restrictions and per-directory access restrictions
   are computed separately. In the above example, if someone is
   downloading 11 images from http://your.server/somewhere
   simultaneously, they WILL be denied on the 11th download, because the
   server-wide limit of 10 downloads is not affected by the per-directory
   NoIPLimit. If you want to set global settings which can be overruled
   by per-directory settings, you will need something like

   <Location />
       # global per-directory settings here

       <Location /somewhere>
           # local per-directory settings here

       </Location>

   </Location>

3) If you are using any module based upon a quick handler hook (such as
   mod_cache), mod_limitipconn will not be able to process any
   per-directory configuration directives in time to affect the return
   result of the other module. This is a technical limitation imposed
   by Apache. In such a situation, you will have to use server-wide
   configuration directives only.

   Versions of mod_limitipconn prior to 0.23 did not allow any
   server-wide configuration directives, and hence could not be used
   with mod_cache at all.

4) The limits defined by mod_limitipconn.c apply to all IP addresses
   connecting to your Apache server. Currently there is no way to set
   different limits for different IP addresses. One workaround is to set
   up two different URIs for the same content and use access control to
   restrict which IP addresses can access which URIs.

5) Connections in excess of the limit result in a stock 503 Service
   Temporarily Unavailable response. The job of returning a more useful
   error message to the client is left as an exercise for the reader.

6) mod_limitipconn sets the LIMITIP environment variable to 1 whenever a
   download is denied on the basis of too high an IP count. You can use
   this variable to distinguish accesses that have been denied by this
   module. For example, a line like

   CustomLog /var/log/httpd/access_log common env=!LIMITIP

   in httpd.conf can be used to suppress logging of denied connections
   from /var/log/httpd/access_log. (Note that, if you really want to
   suppress logging, you'll probably also want to comment out the
   ap_log_rerror lines from mod_limitipconn.c as well.)

7) By default, all clients behind a proxy are treated as coming from the
   proxy server's IP address. If you wish to alter this behavior,
   use the mod_remoteip module included in Apache 2.4.
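The following is an added Python model of the decision rules described in the example configuration and in notes 2, 5 and 6 (server-wide and per-directory limits checked independently, NoIPLimit/OnlyIPLimit MIME filtering, a 503 and LIMITIP=1 on denial). It is not the module's C source; the Scope class, the check() function, the MIME pattern matching and the sample client IP are assumptions made for illustration.

```python
"""Model of mod_limitipconn's limit check (illustrative, not the module's code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple


def _mime_matches(pattern: str, mime: str) -> bool:
    # Assumed matching rule, following the README's examples: "image/*" is a
    # glob, a bare word such as "video" matches any type starting with it.
    return fnmatch(mime, pattern) or mime.startswith(pattern)


@dataclass
class Scope:
    """One configuration scope: the server, a <Location> or a <Directory>."""
    max_conn: Optional[int] = None                       # MaxConnPerIP
    no_ip_limit: List[str] = field(default_factory=list)   # NoIPLimit patterns
    only_ip_limit: List[str] = field(default_factory=list) # OnlyIPLimit patterns

    def limits(self, mime: str) -> bool:
        """True if this scope's MaxConnPerIP applies to a response of type mime."""
        if self.max_conn is None:
            return False
        if any(_mime_matches(p, mime) for p in self.no_ip_limit):
            return False                      # exempted by NoIPLimit
        if self.only_ip_limit and not any(_mime_matches(p, mime)
                                           for p in self.only_ip_limit):
            return False                      # not in the OnlyIPLimit set
        return True


def check(server: Scope, per_dir: Optional[Scope], mime: str,
          active: int) -> Tuple[int, Dict[str, str]]:
    """Decide a new request from an IP that already has `active` open connections.

    Returns (status, env): 200 when allowed, 503 plus LIMITIP=1 when denied.
    The server-wide and per-directory scopes are evaluated separately, so a
    per-directory NoIPLimit never relaxes the server-wide limit (note 2).
    """
    env: Dict[str, str] = {}
    for scope in (server, per_dir):
        if scope is not None and scope.limits(mime) and active >= scope.max_conn:
            env["LIMITIP"] = "1"
            return 503, env
    return 200, env
```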