Limiting the number of simultaneous connections to Apache per client IP

Keywords: Apache limit IP simultaneous connections 503 sorry page load module mod_limitipconn-0.23.tar.bz2


Goal

princo.org hosts some large files.
When these files are fetched with parallel (segmented) download tools, mostly from Chinese IP addresses, the number of Apache processes balloons to an absurd level, so I want to do something about it.

Requirements

  • Apache 1.3 or 2.0 (2.2 may also work; untested) + mod_status
  • mod_limitipconn

Installation

# cd /usr/local/src
# wget http://wiki.princo.org/source/mod_limitipconn-0.23.tar.bz2
# tar xfvj mod_limitipconn-0.23.tar.bz2
# cd mod_limitipconn-0.23
# vi Makefile

Set the full paths to apxs and apachectl:

APXS=/usr/local/apache2/bin/apxs
APACHECTL=/usr/local/apache2/bin/apachectl

Otherwise the build fails with:

apxs -c    mod_limitipconn.c
make: apxs: Command not found
make: *** [mod_limitipconn.so] Error 127

Once the paths are set, build and install:

# make install

Configuring httpd.conf

mod_limitipconn depends on mod_status, so if mod_status is disabled it has to be enabled as well.

LoadModule status_module modules/mod_status.so
LoadModule limitipconn_module modules/mod_limitipconn.so
ExtendedStatus On
<Location /server-status>
   SetHandler server-status
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
</Location>
<Location /download>
  MaxConnPerIP 3
  NoIPLimit text/*
</Location>

Here, each client IP is allowed up to 3 sessions.
Responses whose Content-Type is text/* (text/html, text/plain, etc.) are not limited.

Installation documentation (from the module's INSTALL file)

Instructions for statically compiling mod_limitipconn into httpd:

tar xzvf httpd-2.2.9.tar.gz
tar xjvf mod_limitipconn-0.23.tar.bz2
cd httpd-2.2.9
./configure --with-module=aaa:../mod_limitipconn-0.23/mod_limitipconn.c
make
make install

-----------------------------------------------------------------------

Instructions for building as a Dynamic Shared Object (DSO):

tar xjvf mod_limitipconn-0.23.tar.bz2
cd mod_limitipconn-0.23
make install

Usage documentation (from the module's README)

mod_limitipconn.c
David Jao <djao@dominia.org>

This is an Apache 2.2 C module whose purpose is to limit the maximum
number of simultaneous connections per IP address. The module allows
inclusion and exclusion of files based on MIME type.

This module _may_ work for Apache 2.0, but has not been tested in that
setting.

Example configuration:

---------------------------------------------------------------------------

# This command is always needed
ExtendedStatus On

# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so

<IfModule mod_limitipconn.c>

    # Set a server-wide limit of 10 simultaneous downloads per IP,
    # no matter what.
    MaxConnPerIP 10
    <Location /somewhere>
        # This section affects all files under http://your.server/somewhere
        MaxConnPerIP 3
        # exempting images from the connection limit is often a good
        # idea if your web page has lots of inline images, since these
        # pages often generate a flurry of concurrent image requests
        NoIPLimit image/*
    </Location>

    <Directory /home/*/public_html>
        # This section affects all files under /home/*/public_html
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
    </Directory>
</IfModule>

---------------------------------------------------------------------------

Notes:

1) This module will not function unless mod_status is loaded and the
   "ExtendedStatus On" directive is set.

2) Server-wide access restrictions and per-directory access restrictions
   are computed separately.  In the above example, if someone is
   downloading 11 images from http://your.server/somewhere
   simultaneously, they WILL be denied on the 11th download, because the
   server-wide limit of 10 downloads is not affected by the per-directory
   NoIPLimit.  If you want to set global settings which can be overruled
   by per-directory settings, you will need something like

        <Location />
            # global per-directory settings here

            <Location /somewhere>
                # local per-directory settings here
            </Location>
        </Location>

3) If you are using any module based upon a quick handler hook (such as
   mod_cache), mod_limitipconn will not be able to process any
   per-directory configuration directives in time to affect the return
   result of the other module.  This is a technical limitation imposed
   by Apache.  In such a situation, you will have to use server-wide
   configuration directives only.

   Note that previous versions of mod_limitipconn did not allow any
   server-wide configuration directives, and hence could not be used
   with mod_cache at all.  In other words, the present situation still
   represents an improvement over previous versions.

4) The limits defined by mod_limitipconn.c apply to all IP addresses
   connecting to your Apache server. Currently there is no way to set
   different limits for different IP addresses.

5) Connections in excess of the limit result in a stock 503 Service
   Temporarily Unavailable response. The job of returning a more useful
   error message to the client is left as an exercise for the reader.

6) mod_limitipconn sets the LIMITIP environment variable to 1 whenever a
   download is denied on the basis of too high an IP count. You can use
   this variable to distinguish accesses that have been denied by this
   module. For example, a line like

      CustomLog /var/log/httpd/access_log common env=!LIMITIP

   in httpd.conf can be used to suppress logging of denied connections
   from /var/log/httpd/access_log. (Note that, if you really want to
   suppress logging, you'll probably also want to comment out the
   ap_log_rerror lines from mod_limitipconn.c as well.)

7) By default, all clients behind a proxy are treated as coming from the
   proxy server's IP address. If you wish to alter this behavior,
   consider installing mod_extract_forwarded from
   http://web.warhound.org/mod_extract_forwarded/
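As an added example (not part of the original page or of the module's documentation), the following httpd.conf fragment builds on the LIMITIP variable from note 6 and the stock 503 from note 5: denied requests are written to their own log instead of being suppressed, and a static sorry page replaces the bare 503. The log file paths, the format name and the sorry page location are assumptions, and so is the assumption that ErrorDocument is honored for the module's 503 in the same way as for any other handler's error status.

```apache
# Added example: log denied connections separately and serve a sorry page.
# Assumes the setup shown earlier on this page (mod_status loaded,
# ExtendedStatus On, MaxConnPerIP 3 / NoIPLimit text/* under /download).

# Format that records the response status and the LIMITIP marker, so a
# request denied by mod_limitipconn (503 with LIMITIP=1) can be told apart
# from any other 503 the server returns.
LogFormat "%h %t \"%r\" %>s %{Content-Type}o LIMITIP=%{LIMITIP}e" limitip

# Keep the normal access log free of denials (as in note 6), but do not
# throw them away: a dedicated log is what lets you see which hosts keep
# hitting the per-IP ceiling, e.g. a parallel-download client, or a shared
# NAT/proxy address for which the limit may be too low (note 7).
CustomLog /var/log/httpd/access_log common env=!LIMITIP
CustomLog /var/log/httpd/limitip_denied_log limitip env=LIMITIP

# Replace the stock 503 with a small static page (the "exercise" in note 5).
# /sorry.html is assumed to live in the document root, outside /download,
# where this page configures no MaxConnPerIP, so the internal redirect to
# it is not itself subject to the per-IP limit.
ErrorDocument 503 /sorry.html
```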


