How can I implement rate limiting with Apache? (requests per second)
The best
- mod_evasive (Focused more on reducing DoS exposure)
- mod_cband (Best featured for 'normal' bandwidth control)
and the rest
As stated in this blog post, it seems possible to use mod_security to implement a rate limit per second.
The configuration is something like this:
SecRuleEngine On

<LocationMatch "^/somepath">
    SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog
    SecAction "phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog"
    SecRule IP:SOMEPATHCOUNTER "@gt 60" "phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog"
    SecAction "phase:2,pass,setvar:ip.somepathcounter=+1,nolog"
    Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>

ErrorDocument 509 "Rate Limit Exceeded"
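To make the behaviour of that rule chain concrete, here is an added model of it in Python (not code from the answer or from mod_security itself): a per-IP counter that gains one unit per request and decays one unit per second, with requests denied while the counter is above 60. The class and function names are my own; the decay is applied lazily on the next request rather than in a separate logging phase.

```python
from dataclasses import dataclass

# Assumed constants taken from the rule chain above:
THRESHOLD = 60        # SecRule IP:SOMEPATHCOUNTER "@gt 60"
DECAY_PER_SEC = 1.0   # deprecatevar:ip.somepathcounter=1/1


@dataclass
class IpCounter:
    """One entry of the 'ip' collection (initcol:ip=%{REMOTE_ADDR})."""
    value: float = 0.0
    last_update: float = 0.0


class PathRateLimiter:
    """Models the mod_security counter for one protected LocationMatch."""

    def __init__(self, threshold=THRESHOLD, decay_per_sec=DECAY_PER_SEC):
        self.threshold = threshold
        self.decay = decay_per_sec
        self.ip_collection = {}   # keyed by client address

    def _deprecate(self, c: IpCounter, now: float) -> None:
        # deprecatevar: drop 1 unit for every second since the last update,
        # never below zero (applied lazily here instead of in phase 5).
        elapsed = now - c.last_update
        c.value = max(0.0, c.value - elapsed * self.decay)
        c.last_update = now

    def check(self, remote_addr: str, now: float):
        """Return (allowed, counter_after) for one request at time `now`."""
        c = self.ip_collection.setdefault(remote_addr, IpCounter(last_update=now))
        self._deprecate(c, now)
        if c.value > self.threshold:
            # deny,status:509 ... skip:1 -> the increment rule is skipped
            return False, c.value
        c.value += 1              # setvar:ip.somepathcounter=+1
        return True, c.value


if __name__ == "__main__":
    limiter = PathRateLimiter()
    # Constructed sample: 62 back-to-back requests from one client at t=0,
    # then two more after a two-second pause.
    results = [limiter.check("203.0.113.7", 0.0)[0] for _ in range(62)]
    print(results.count(True), "allowed,", results.count(False), "denied")
    print(limiter.check("203.0.113.7", 2.0))   # counter decayed to 59, allowed
```

The model shows the practical shape of this rule: a burst of 60 is absorbed, after which a client is held to roughly one request per second.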
There are numerous ways, including web application firewalls, but the easiest thing to implement is using an Apache mod.
One such mod I like to recommend is mod_qos. It's a free module that is very effective against certain DoS, brute-force and Slowloris type attacks. This will ease up your server load quite a bit.
It is very powerful.
The current release of the mod_qos module implements control mechanisms to manage:
- The maximum number of concurrent requests to a location/resource (URL) or virtual host.
- Limitation of the bandwidth, such as the maximum allowed number of requests per second to a URL or the maximum/minimum of downloaded kbytes per second.
- Limits the number of request events per second (special request conditions).
- Limits the number of request events within a defined period of time.
- It can also detect very important persons (VIP) which may access the web server without or with fewer restrictions.
- Generic request line and header filter to deny unauthorized operations.
- Request body data limitation and filtering (requires mod_parp).
- Limits the number of request events for individual clients (IP).
- Limitations on the TCP connection level, e.g., the maximum number of allowed connections from a single IP source address or dynamic keep-alive control.
- Prefers known IP addresses when the server runs out of free TCP connections.
This is a sample config of what you can use it for. There are hundreds of possible configurations to suit your needs. Visit the site for more info on controls.
Sample configuration:

    # minimum request rate (bytes/sec at request reading):
    QS_SrvRequestRate 120

    # limits the connections for this virtual host:
    QS_SrvMaxConn 800

    # allows keep-alive support till the server reaches 600 connections:
    QS_SrvMaxConnClose 600

    # allows max 50 connections from a single ip address:
    QS_SrvMaxConnPerIP 50

    # disables connection restrictions for certain clients:
    QS_SrvMaxConnExcludeIP 172.18.3.32
    QS_SrvMaxConnExcludeIP 192.168.10.