Menu
What techniques and/or modules are available to implement robust rate limiting (requests|bytes/ip/unit time) in apache?
861
With this number of instantiated workers, Apache can handle almost 160 requests per second without increasing the number of workers. Assuming the number of requests and the CPU time are linearly dependent, this leads to CPU consumption of about 30%.
How does rate limiting work? Rate limiting runs within an application, rather than running on the web server itself. Typically, rate limiting is based on tracking the IP addresses that requests are coming from, and tracking how much time elapses between each request.
By default, Apache Request limit is 160 requests per second, that is, Apache can handle up to 160 requests per second, without any modification.
The best
and the rest
149
As stated in this blog post it seems possible to use mod_security to implement a rate limit per second.
The configuration is something like this:
SecRuleEngine On <LocationMatch "^/somepath"> SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog SecAction "phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog" SecRule IP:SOMEPATHCOUNTER "@gt 60" "phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog" SecAction "phase:2,pass,setvar:ip.somepathcounter=+1,nolog" Header always set Retry-After "10" env=RATELIMITED </LocationMatch> ErrorDocument 509 "Rate Limit Exceeded" If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
