
I have read a lot of threads by now, but my problem still could not be solved sufficiently:

If running a Tomcat webserver with a Spring REST backend, there must be a way to limit the possible requests per second/minute/... based on, let's say, the IP of a requestor. My investigations led to the following possibilities so far:

  1. Use Guava RateLimiter or https://github.com/weddini/spring-boot-throttling and check all requests in the preHandle. But since this does not take into account which IPs requested at what time, something like a Redis store would make more sense to check against (IP/last access timestamp)
  2. Put a more advanced web server in front of tomcat which offers this functionality (e.g. apache2 or nginx)

Now I don't like the first solution, since the requests already hit the application itself, and the second solution builds up an additional layer, which I can't really believe is necessary for such a basic problem.

So my question is, what methods and solutions am I missing here? I read something about the Tomcat semaphore valve, but it seems to just limit the overall rate of requests. Would it be most efficient/possible to already filter with some basic functionality like iptables or fail2ban on the 8443 port and simply drop requests by the same IP in a given time frame?

Codehai
  • https://serverfault.com/questions/177742 – Robert Harvey Jan 21 '19 at 23:50
  • https://stackoverflow.com/q/131681 – Robert Harvey Jan 21 '19 at 23:51
  • I saw those too, however the mods the answers suggest are for apache2 as far as I know. Or is it possible to add these mod_xxx plugins to a Tomcat instance as well? – Codehai Jan 21 '19 at 23:52
  • Aren't Apache and Tomcat the same thing? – Robert Harvey Jan 22 '19 at 00:10
  • I don't know for sure, but since Tomcat is integrated in spring boot, I have no idea where to activate and place the mod_xxx.c files. Since I was unsure about that as well I looked it up, but could not find anything. https://stackoverflow.com/questions/30632/difference-between-the-apache-http-server-and-apache-tomcat?rq=1 – Codehai Jan 22 '19 at 00:18
  • @RobertHarvey No. Apache is a webserver compiled from C source, Apache Tomcat is a servlet container running with Java. – Eugène Adell Jan 22 '19 at 08:12
  • Rate limiting through iptables is a question for ServerFault. The two links from @RobertHarvey suggest configuring an Apache in front of Tomcat, as you suggested yourself in point 2. It's probably the simplest way to go, as Tomcat connectors will only discard traffic when overloaded. – Eugène Adell Jan 22 '19 at 08:18
  • You might want to consider using a reverse proxy anyway, for e.g. fail-over, etc. and most reverse-proxies implement these kinds of features. It can be done in Java but IMHO there are better alternatives. – Christopher Schultz Jan 22 '19 at 17:36
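
The per-IP bookkeeping that option 1 of the question asks for (one limiter state per client address, with the last access time), sketched as an added example that is not code from the thread or from any library named in it. `PerIpRateLimiter` and its methods are hypothetical names; the sketch assumes a single application instance with in-memory state (a shared store such as Redis would replace the map for several instances), and the addresses and clock values in `main` are constructed.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Per-client token bucket; hypothetical class, not part of Spring, Tomcat or Guava. */
public class PerIpRateLimiter {
    private static final class Bucket {
        double tokens;
        long lastRefillNanos;
        Bucket(double tokens, long now) { this.tokens = tokens; this.lastRefillNanos = now; }
    }

    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();
    private final double capacity;       // burst size per client
    private final double refillPerNano;  // sustained rate per client

    public PerIpRateLimiter(int burst, double permitsPerSecond) {
        this.capacity = burst;
        this.refillPerNano = permitsPerSecond / 1_000_000_000.0;
    }

    /** Returns true if a request from clientKey may proceed at time nowNanos. */
    public boolean tryAcquire(String clientKey, long nowNanos) {
        boolean[] allowed = new boolean[1];
        // compute() is atomic per key, so concurrent requests from one address cannot race.
        buckets.compute(clientKey, (k, b) -> {
            if (b == null) b = new Bucket(capacity, nowNanos);
            double refill = (nowNanos - b.lastRefillNanos) * refillPerNano;
            b.tokens = Math.min(capacity, b.tokens + refill);
            b.lastRefillNanos = nowNanos;
            if (b.tokens >= 1.0) { b.tokens -= 1.0; allowed[0] = true; }
            return b;
        });
        return allowed[0];
    }

    /** Drops buckets idle longer than idleNanos so the map cannot grow without bound. */
    public void evictIdle(long nowNanos, long idleNanos) {
        buckets.entrySet().removeIf(e -> nowNanos - e.getValue().lastRefillNanos > idleNanos);
    }

    public static void main(String[] args) {
        PerIpRateLimiter limiter = new PerIpRateLimiter(3, 1.0); // burst of 3, then 1 request/s
        long t = 0; // constructed clock, in nanoseconds
        for (int i = 0; i < 5; i++)  // five requests at the same instant from one address
            System.out.println("203.0.113.7 #" + i + " -> " + limiter.tryAcquire("203.0.113.7", t));
        System.out.println("198.51.100.9 -> " + limiter.tryAcquire("198.51.100.9", t));
        t += 2_000_000_000L;         // two seconds later
        System.out.println("203.0.113.7 later -> " + limiter.tryAcquire("203.0.113.7", t));
    }
}
```

In a Spring `HandlerInterceptor`, `preHandle` would call `tryAcquire(request.getRemoteAddr(), System.nanoTime())` and answer with HTTP 429 when it returns false, with `evictIdle` run on a schedule. Behind a reverse proxy `getRemoteAddr()` returns the proxy's address, so the key then has to come from a forwarded-address header that only the trusted proxy is allowed to set.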

0 Answers