How to implement rate limiting in Apache? (requests per second)

Posted 2024-07-06 14:58:43

What techniques and/or modules are available to implement robust rate limiting (requests|bytes/ip/unit time) in apache?


Comments (7)

记忆之渊 2024-07-13 14:58:43

The best

  • mod_evasive (Focused more on reducing DoS exposure)
  • mod_cband (Best featured for 'normal' bandwidth control)

and the rest

指尖上的星空 2024-07-13 14:58:43

As stated in this blog post it seems possible to use mod_security to implement a rate limit per second.

The configuration is something like this:

SecRuleEngine On

<LocationMatch "^/somepath">
  # Bind the persistent "ip" collection to the client address. Every rule
  # needs an id in ModSecurity 2.7+; the values used here are arbitrary.
  SecAction "id:1000001,phase:2,initcol:ip=%{REMOTE_ADDR},pass,nolog"
  # Leak the counter by 1 every 1 second (runs in the logging phase, so it
  # takes effect for the next request from this address).
  SecAction "id:1000002,phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog"
  # Deny once the counter is already above 60. "pause" holds an Apache worker
  # for 300 ms before replying, which costs capacity under a flood. 509 is not
  # a standard code; RFC 6585 defines 429 Too Many Requests for this purpose.
  SecRule IP:SOMEPATHCOUNTER "@gt 60" "id:1000003,phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog"
  # Otherwise count this request.
  SecAction "id:1000004,phase:2,pass,setvar:ip.somepathcounter=+1,nolog"
  Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>

ErrorDocument 509 "Rate Limit Exceeded"

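The numbers in that config are easy to misread: under a leaky-bucket reading, "@gt 60" together with "1/1" tolerates a burst of about 60 requests and then admits roughly one request per second, not 60 per second. The Python model below is an added example (it is not part of the original answer and is not ModSecurity's code); it replays constructed arrival traces for one client IP through an idealised leaky bucket with the answer's parameters. LeakyCounter, simulate, demo and the trace constants are names chosen for this example, and the leak is an approximation of the configured intent rather than a reproduction of ModSecurity's internal bookkeeping.

```python
"""Offline model of the ModSecurity counter in the answer above.

Added example (not from the original post and not ModSecurity's code).
Assumes the answer's parameters: deny when ip.somepathcounter is already
above LIMIT ("@gt 60") and leak the counter by DECAY_AMOUNT every
DECAY_INTERVAL seconds ("deprecatevar:...=1/1").  The leak is an idealised
leaky bucket, useful for reasoning about burst vs. sustained behaviour.
"""
from dataclasses import dataclass
from math import floor
from typing import List, Optional, Tuple

LIMIT = 60            # SecRule IP:SOMEPATHCOUNTER "@gt 60"
DECAY_AMOUNT = 1      # deprecatevar:ip.somepathcounter=1/1 -> subtract 1 ...
DECAY_INTERVAL = 1.0  # ... every 1 second


@dataclass
class LeakyCounter:
    limit: int = LIMIT
    decay_amount: int = DECAY_AMOUNT
    decay_interval: float = DECAY_INTERVAL
    value: int = 0
    last_leak: float = 0.0

    def _leak(self, now: float) -> None:
        # Subtract decay_amount for every full interval elapsed; partial
        # intervals carry over so the bucket leaks at a steady rate.
        steps = floor((now - self.last_leak) / self.decay_interval)
        if steps > 0:
            self.value = max(0, self.value - steps * self.decay_amount)
            self.last_leak += steps * self.decay_interval

    def request(self, now: float) -> bool:
        """Process one request arriving at `now` seconds; True = allowed."""
        self._leak(now)                # phase-5 deprecatevar of earlier requests
        if self.value > self.limit:    # phase-2 SecRule "@gt 60" -> deny
            return False
        self.value += 1                # phase-2 setvar:ip.somepathcounter=+1
        return True


def simulate(arrivals: List[float], **params) -> Tuple[int, int, Optional[int]]:
    """Replay ascending arrival timestamps (seconds) for a single client IP.

    Returns (allowed, denied, index_of_first_denied_or_None).
    """
    counter = LeakyCounter(**params)
    allowed = denied = 0
    first_denied = None
    for i, t in enumerate(arrivals):
        if counter.request(t):
            allowed += 1
        else:
            denied += 1
            if first_denied is None:
                first_denied = i
    return allowed, denied, first_denied


# Constructed traces (not real traffic).
BURST_100_IN_ONE_SECOND = [0.0] * 100                 # 100 hits, same instant
TWO_PER_SECOND_100S = [i * 0.5 for i in range(200)]   # 2 req/s for 100 s
ONE_PER_SECOND_200S = [float(i) for i in range(200)]  # 1 req/s for 200 s


def demo() -> dict:
    """Summarise what the answer's parameters actually enforce."""
    return {
        # Burst: LIMIT+1 requests pass before the first 509.
        "burst": simulate(BURST_100_IN_ONE_SECOND),
        # Above the leak rate the bucket fills in about LIMIT/(rate-leak)
        # seconds, then settles at the leak rate: 1 req/s allowed, rest denied.
        "two_per_second": simulate(TWO_PER_SECOND_100S),
        # At exactly the leak rate the counter never grows: nothing is denied.
        "one_per_second": simulate(ONE_PER_SECOND_200S),
    }


if __name__ == "__main__":
    for name, (ok, no, first) in demo().items():
        print(f"{name:15s} allowed={ok:3d} denied={no:3d} first_denied_at={first}")
```

Run it and compare the three traces: the burst trace shows the tolerated burst size, the 2 req/s trace shows when the counter first trips and how it then oscillates around the leak rate, and the 1 req/s trace shows that a client pacing itself at exactly the leak rate is never limited. Tune the "@gt N" threshold and the "amount/interval" pair in the real rule against the behaviour you want, not the other way round.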
摘星┃星的人 2024-07-13 14:58:43

There are numerous ways, including web application firewalls, but the easiest thing to implement is an Apache mod.

One such mod I like to recommend is mod_qos. It's a free module that is very effective against certain DoS, brute-force and Slowloris type attacks. This will ease up your server load quite a bit.

It is very powerful.

The current release of the mod_qos module implements control mechanisms to manage:

  • The maximum number of concurrent requests to a location/resource (URL) or virtual host.
  • Limitation of the bandwidth such as the maximum allowed number of requests per second to a URL or the maximum/minimum of downloaded kbytes per second.
  • Limits the number of request events per second (special request conditions).
  • Limits the number of request events within a defined period of time.
  • It can also detect very important persons (VIP) which may access the web server without or with fewer restrictions.
  • Generic request line and header filter to deny unauthorized operations.
  • Request body data limitation and filtering (requires mod_parp).
  • Limits the number of request events for individual clients (IP).
  • Limitations on the TCP connection level, e.g., the maximum number of allowed connections from a single IP source address or dynamic keep-alive control.
  • Prefers known IP addresses when the server runs out of free TCP connections.

This is a sample config of what you can use it for. There are hundreds of possible configurations to suit your needs. Visit the site for more info on controls.

Sample configuration:
# minimum request rate (bytes/sec at request reading):
QS_SrvRequestRate                                 120

# limits the connections for this virtual host:
QS_SrvMaxConn                                     800

# allows keep-alive support till the server reaches 600 connections:
QS_SrvMaxConnClose                                600

# allows max 50 connections from a single ip address:
QS_SrvMaxConnPerIP                                 50

# disables connection restrictions for certain clients:
QS_SrvMaxConnExcludeIP                    172.18.3.32
QS_SrvMaxConnExcludeIP                    192.168.10.

http://opensource.adnovum.ch/mod_qos/

疯到世界奔溃 2024-07-13 14:58:43

In Apache 2.4, there's a new stock module called mod_ratelimit. For emulating modem speeds, you can use mod_dialup. Though I don't see why you couldn't just use mod_ratelimit for everything.

跨年 2024-07-13 14:58:43

Sadly, mod_evasive won't work as expected when used in non-prefork configurations (recent Apache setups are mainly MPM).

木落 2024-07-13 14:58:43

Depends on why you want to rate limit.

If it's to protect against overloading the server, it actually makes sense to put NGINX in front of it and configure rate limiting there. It makes sense because NGINX uses far fewer resources, something like a few MB per ten thousand connections. So, if the server is flooded, NGINX will do the rate limiting (using an insignificant amount of resources) and only pass the allowed traffic to Apache.

If all you're after is simplicity, then use something like mod_evasive.

As usual, if it's to protect against DDoS or DoS attacks, use a service like Cloudflare which also has rate limiting.

情释 2024-07-13 14:58:43

One more option - mod_qos

Not simple to configure - but powerful.

http://opensource.adnovum.ch/mod_qos/
