97

What techniques and/or modules are available to implement robust rate limiting (requests|bytes/ip/unit time) in apache?

cwd
  • 53,018
  • 53
  • 161
  • 198
bd808
  • 1,781
  • 1
  • 22
  • 31
  • I am using Linux's [tc](http://www.lartc.org/howto/lartc.qdisc.classless.html#AEN690) on the web server, because Red Hat 6 has only Apache 2.2. – ceving May 19 '14 at 12:17

7 Answers7

59

The best

  • mod_evasive (Focused more on reducing DoS exposure)
  • mod_cband (Best featured for 'normal' bandwidth control)

and the rest

bd808
  • 1,781
  • 1
  • 22
  • 31
Vinko Vrsalovic
  • 330,807
  • 53
  • 334
  • 373
  • 10
    I couldn't find anything to limit connections per day by IP address. I spent all night searching, that's a shame. – Greg Jun 08 '09 at 12:56
  • 1
    Does anyone know if there's a way to get mod_evasive to look at a header instead of the IP, for when running behind a reverse proxy? – Stavros Korokithakis Nov 15 '10 at 17:57
  • 1
    @StavrosKorokithakis Maybe this will help? http://stderr.net/apache/rpaf/ I believe it will make the X-Forwarded IP appear as if it were the source IP to all apache modules loaded after it. – Eli Oct 25 '11 at 21:32
  • The homepage for mod_cband seems to be down, but there's a GitHub for 0.9.7.5: https://github.com/maiha/mod_cband – sp00n Jun 05 '13 at 10:06
  • according to this http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463789 mod_cband is buggy – Ray S. Jan 27 '14 at 22:15
  • 6
    4 years later, is mod_evasive still "the best"? – Zac Thompson Feb 15 '14 at 07:38
  • It could be important information for some, that mod_cband is not possible to use on Windows. http://www.apachelounge.com/viewtopic.php?t=4804 – TondaCZE Feb 23 '14 at 12:46
  • 10
    Back up your claim. Why are _evasive and _cband the best? – Reed Mar 18 '15 at 17:52
  • 9
    `mod_evasive` gets a lot of online recommendations but, as of mid-2017, it seems to have been abandoned by its author, [Jonathan Zdziarski](https://www.zdziarski.com/blog/?page_id=202) who has strangely deleted all references to it from his blog – though the source code is still available as an [upload](https://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz). None of the other projects have been updated in the last 6 years (or 15 years in the case of `mod_limitipconn`). – Anthony Geoghegan Jul 07 '17 at 14:50
28

As stated in this blog post it seems possible to use mod_security to implement a rate limit per second.

The configuration is something like this:

SecRuleEngine On

<LocationMatch "^/somepath">
  SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog
  SecAction "phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog"
  SecRule IP:SOMEPATHCOUNTER "@gt 60" "phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog"
  SecAction "phase:2,pass,setvar:ip.somepathcounter=+1,nolog"
  Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>

ErrorDocument 509 "Rate Limit Exceeded"
Bobby Jack
  • 15,689
  • 15
  • 65
  • 97
Diego Fernández Durán
  • 2,502
  • 23
  • 32
  • 3
    This was perfect for me, with modsec2 already running. Just had to add ids to the rules to match the modsec version, like so: SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:10000001 SecAction "phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog,id:10000002" SecRule IP:SOMEPATHCOUNTER "@gt 60" "phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog,id:10000003" SecAction "phase:2,pass,setvar:ip.somepathcounter=+1,nolog,id:10000004" Header always set Retry-After "10" env=RATELIMITED – Nathan Stretch Feb 05 '14 at 07:42
  • 2
    Also note that you can change how many initial burst requests are allowed by editing the "@gt 60", as well as how quickly it "recharges" the limit by editing the ip.somepathcounter=1/1 bit. 1/1 allows one additional request per second. 1/2 allows one additional request every 2 seconds, etc. – Nathan Stretch Feb 05 '14 at 07:44
  • 3
    Apache 2.4 will complain about the 509 in ErrorDocument, an option is changing it to 429 (which is -of course- not supported in Apache 2.2). Also, all SecAction and SecRule-s need an id since mod_security 2.7. – Mrten Jul 07 '15 at 12:51
  • 1
    FYI `mod_security` is not an Apache project. – Christopher Schultz Jan 22 '19 at 17:34
14

There are numerous way including web application firewalls but the easiest thing to implement if using an Apache mod.

One such mod I like to recommend is mod_qos. It's a free module that is veryf effective against certin DOS, Bruteforce and Slowloris type attacks. This will ease up your server load quite a bit.

It is very powerful.

The current release of the mod_qos module implements control mechanisms to manage:

  • The maximum number of concurrent requests to a location/resource (URL) or virtual host.

  • Limitation of the bandwidth such as the maximum allowed number of requests per second to an URL or the maximum/minimum of downloaded kbytes per second.

  • Limits the number of request events per second (special request conditions).

  • Limits the number of request events within a defined period of time.
  • It can also detect very important persons (VIP) which may access the web server without or with fewer restrictions.

  • Generic request line and header filter to deny unauthorized operations.

  • Request body data limitation and filtering (requires mod_parp).

  • Limits the number of request events for individual clients (IP).

  • Limitations on the TCP connection level, e.g., the maximum number of allowed connections from a single IP source address or dynamic keep-alive control.

  • Prefers known IP addresses when server runs out of free TCP connections.

This is a sample config of what you can use it for. There are hundreds of possible configurations to suit your needs. Visit the site for more info on controls.

Sample configuration:
# minimum request rate (bytes/sec at request reading):
QS_SrvRequestRate                                 120

# limits the connections for this virtual host:
QS_SrvMaxConn                                     800

# allows keep-alive support till the server reaches 600 connections:
QS_SrvMaxConnClose                                600

# allows max 50 connections from a single ip address:
QS_SrvMaxConnPerIP                                 50

# disables connection restrictions for certain clients:
QS_SrvMaxConnExcludeIP                    172.18.3.32
QS_SrvMaxConnExcludeIP                    192.168.10.

http://opensource.adnovum.ch/mod_qos/

Panama Jack
  • 24,158
  • 10
  • 63
  • 95
  • this one only works in old apache2.2 not work in apache2.4 + , is it? – infiniteloop May 18 '17 at 03:52
  • @infiniteloop the mod_quos sourceforge page says it works fine with apache2.4. But there is a specific discussion about a couple of features that don't work here:https://stackoverflow.com/a/15726540/1402498 – JamesHoux Jun 05 '19 at 01:59
9

In Apache 2.4, there's a new stock module called mod_ratelimit. For emulating modem speeds, you can use mod_dialup. Though I don't see why you just couldn't use mod_ratelimit for everything.

Janus Troelsen
  • 20,267
  • 14
  • 135
  • 196
  • Note that mod_dialup uses an asynchronous `SUSPENDED` state, not wasting threads on waiting, whereas mod_ratelimit, as of now, is strictly thread-per-connection. cf. http://thread.gmane.org/gmane.comp.apache.cvs/20490 – ArtemGr Jul 31 '13 at 15:47
6

Sadly, mod_evasive won't work as expected when used in non-prefork configurations (recent apache setups are mainly MPM)

Josh Crozier
  • 233,099
  • 56
  • 391
  • 304
wuzer
  • 97
  • 1
  • 4
3

Depends on why you want to rate limit.

If it's to protect against overloading the server, it actually makes sense to put NGINX in front of it, and configure rate limiting there. It makes sense because NGINX uses much less resources, something like a few MB per ten thousand connections. So, if the server is flooded, NGINX will do the rate limiting(using an insignificant amount of resources) and only pass the allowed traffic to Apache.

If all you're after is simplicity, then use something like mod_evasive.

As usual, if it's to protect against DDoS or DoS attacks, use a service like Cloudflare which also has rate limiting.

NerdOfLinux
  • 1,017
  • 10
  • 24
  • Nginx is the way to go, stop looking around. All other suggested solutions based on apache modules are either not maintained, complex or inefficient. – redochka May 29 '21 at 21:12
2

One more option - mod_qos

Not simple to configure - but powerful.

http://opensource.adnovum.ch/mod_qos/

mrT
  • 86
  • 1
  • 7