Re: mod_limitipconn for httpd 2.2 and mod_cache

2008-08-22 Thread William A. Rowe, Jr.

I don't quite understand...

Niklas Edmundsson wrote:


> The main problem with mod_limitipconn-0.22 was that since mod_cache runs
> as a quick handler, mod_limitipconn also must run as a quick handler
> with all those benefits and drawbacks.


... MIME types exempt from limit checking ...
hashes are still in the config code.  This gets resolved how, exactly,
at the quick-handler phase?

Without that code (and knowing it goes before quick handler) it seems like
connection oriented hooks make more sense.  It's nice (for performance)
that it runs earlier than the hooks, but doesn't help to the extent that
the server is still waiting on all the headers to be received.

We might not be able to do much about that anyways but it should probably
be documented that it doesn't limit connections or assist in preventing
DoS attacks.


> This is a summary of the changes made:
> * Configuration directives are now set per VHost (Directory/Location
>    are available after the Quick Handler has been run). This means that
>    any Location containers have to be deleted in existing configs.
> * Fixed configuration merging, so per-vhost settings use defaults set
>    at the server level.
> * By running as a Quick Handler we don't go through the entire lookup
>    phase (resolve path, stat file, etc) before we get the possibility
>    to block a request. This gives a clear performance enhancement.
> * Don't do subrequest to lookup MIME type if we don't have mime-type
>    specific config.


So as mentioned above, there's only mime type to use if using the usual
handler chain.  Since we aren't there's no point in retaining this at all.


> * Count connections in closing and logging state too, we don't want to
>    be DOS'd by clients behind buggy firewalls and so on.


It isn't counting 'reading' connections, so no point in this IMHO.  If the
user-perceived experience is that they are limited to two connection
streams, they should not be penalized while closing or at close_wait.
That's a matter of using correct KeepaliveTimeout values.




Re: mod_limitipconn for httpd 2.2 and mod_cache

2008-08-22 Thread Arturo 'Buanzo' Busleiman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

William A. Rowe, Jr. wrote:
> We might not be able to do much about that anyways but it should probably
> be documented that it doesn't limit connections or assist in preventing
> DoS attacks.

Are you talking about mod_limitipconn? If you are, then rename it to something
entirely different like mod_null.

- --
Arturo Buanzo Busleiman
Independent Linux and Security Consultant - SANS - OISSG - OWASP
http://www.buanzo.com.ar/pro/eng.html
Mailing List Archives at http://archiver.mailfighter.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIrtd/AlpOsGhXcE0RCi3AAJ4nKe4J3Dt30G9M89RZVrD8p2VqswCeMR2b
eSbN1pVwDqvqfkQycQ0eQPc=
=faX2
-----END PGP SIGNATURE-----


Re: mod_limitipconn for httpd 2.2 and mod_cache

2008-08-22 Thread William A. Rowe, Jr.

Arturo 'Buanzo' Busleiman wrote:

> William A. Rowe, Jr. wrote:
>
>> We might not be able to do much about that anyways but it should probably
>> be documented that it doesn't limit connections or assist in preventing
>> DoS attacks.
>
> Are you talking about mod_limitipconn? If you are, then rename it to something
> entirely different like mod_null.


If our understanding is correct, these are one and the same, and
mod_limitipconn before submission to httpd behaved the same way
(worse, in that before Niklas' patch there was not only no DoS
protection from opening connections, but also no regular checking
of cached content.)

Sarcasm aside, it does seem that MaxConnPerIP and mod_limitipconn
are slight misnomers.  These are limits on concurrent requests
(as was the original mod_limitipconn).

Bill


Re: mod_limitipconn for httpd 2.2 and mod_cache

2008-08-22 Thread Niklas Edmundsson

On Fri, 22 Aug 2008, William A. Rowe, Jr. wrote:


> I don't quite understand...
>
> Niklas Edmundsson wrote:
>
>> The main problem with mod_limitipconn-0.22 was that since mod_cache runs as
>> a quick handler, mod_limitipconn also must run as a quick handler with all
>> those benefits and drawbacks.
>
> ... MIME types exempt from limit checking ...
> hashes are still in the config code.  This gets resolved how, exactly,
> at the quick-handler phase?
>
> Without that code (and knowing it goes before quick handler) it seems like
> connection oriented hooks make more sense.  It's nice (for performance)
> that it runs earlier than the hooks, but doesn't help to the extent that
> the server is still waiting on all the headers to be received.
>
> We might not be able to do much about that anyways but it should probably
> be documented that it doesn't limit connections or assist in preventing
> DoS attacks.


For added confusion, I think that you're reading my old changelog 
before David merged my patch and fixed things.


http://dominia.org/djao/limit/ChangeLog is more correct on describing 
how it currently works.



>> * Count connections in closing and logging state too, we don't want to
>>    be DOS'd by clients behind buggy firewalls and so on.
>
> It isn't counting 'reading' connections, so no point in this IMHO.  If the
> user-perceived experience is that they are limited to two connection
> streams, they should not be penalized while closing or at close_wait.
> That's a matter of using correct KeepaliveTimeout values.


Our main use is for http://ftp.acc.umu.se/ which is a file archive.

The problem is the following (yes, moronic download agents):
- Client connects from some kind of broken firewall or something.
- Client gets hit by connection limit.
- Client drops connection, but firewall causes it to get stuck in
  closing state.
- Client immediately retries, causing one more connection to get stuck
  in closing state.

We've seen clients using up close to a thousand of slots this way.

In real-life use we have set a limit of 10 connections per IP, and 
haven't heard of any complaints. We have no real problems with our 
servers running out of connections, so we're happy.


And yes, connection oriented hooks are probably better in the quick 
handler case. But at least this works for now, and people having this 
problem are probably more content with this for now than having to 
wait for someone committing the Perfect(tm) solution to httpd :)


/Nikke
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Niklas Edmundsson, Admin @ {acc,hpc2n}.umu.se  | [EMAIL PROTECTED]
---
 It takes a lot of RAM to make your floppy spin...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
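To make the disagreement in this exchange concrete (Bill: a limiter should only count workers actively serving a request; Niklas: slots wedged in CLOSING or LOG state by a broken firewall should count against the client too), here is an added C example. It is not part of the thread and not code from mod_limitipconn. It models the scoreboard as a constructed array; the worker state names mirror those in httpd's scoreboard.h but are defined locally so the file builds without the httpd headers. It assumes, as the thread implies, that the pre-patch module counted only BUSY_WRITE slots. The functions count_active, count_with_closing, over_limit and worst_closing_ip, and the client addresses 203.0.113.7 and 198.51.100.2, are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Worker states: mirror the names in httpd's scoreboard.h, but defined
 * here so the example compiles stand-alone (assumption, not httpd's enum). */
typedef enum {
    WS_DEAD, WS_READY, WS_BUSY_READ, WS_BUSY_WRITE, WS_BUSY_KEEPALIVE,
    WS_BUSY_LOG, WS_CLOSING
} worker_state;

typedef struct {
    worker_state status;
    char client[32];          /* IP of the client this worker last served */
} worker_slot;

/* Constructed scoreboard: client 203.0.113.7 has two live requests, three
 * slots stuck in CLOSING (the firewall scenario from the thread), one in
 * LOG and one still reading headers. A second client has one request. */
#define SAMPLE_N 9
static const worker_slot SAMPLE_BOARD[SAMPLE_N] = {
    { WS_BUSY_WRITE, "203.0.113.7" },
    { WS_BUSY_WRITE, "203.0.113.7" },
    { WS_CLOSING,    "203.0.113.7" },
    { WS_CLOSING,    "203.0.113.7" },
    { WS_CLOSING,    "203.0.113.7" },
    { WS_BUSY_LOG,   "203.0.113.7" },
    { WS_BUSY_READ,  "203.0.113.7" },
    { WS_BUSY_WRITE, "198.51.100.2" },
    { WS_READY,      "" },
};

/* Walk the board and count the slots belonging to one IP. BUSY_WRITE is
 * always counted; CLOSING and LOG only when include_closing is set. */
static int count_ip(const worker_slot *sb, int n, const char *ip,
                    int include_closing)
{
    int i, count = 0;
    for (i = 0; i < n; i++) {
        if (strcmp(sb[i].client, ip) != 0)
            continue;
        switch (sb[i].status) {
        case WS_BUSY_WRITE:
            count++;
            break;
        case WS_CLOSING:
        case WS_BUSY_LOG:
            if (include_closing)
                count++;
            break;
        default:   /* READ, KEEPALIVE, READY, DEAD are never counted */
            break;
        }
    }
    return count;
}

/* Pre-patch policy (assumed from the thread): only BUSY_WRITE slots count. */
int count_active(const worker_slot *sb, int n, const char *ip)
{
    return count_ip(sb, n, ip, 0);
}

/* Niklas's variant: CLOSING and LOG slots count against the client too. */
int count_with_closing(const worker_slot *sb, int n, const char *ip)
{
    return count_ip(sb, n, ip, 1);
}

/* A limit of -1 means unset; otherwise the request is rejected once the
 * per-IP count exceeds the limit. */
int over_limit(int count, int limit)
{
    return limit >= 0 && count > limit;
}

/* Operator's view of the firewall problem: which IP owns the most slots
 * stuck in CLOSING. Returns that count and copies the IP into out. */
int worst_closing_ip(const worker_slot *sb, int n, char *out, size_t outlen)
{
    int i, j, best = 0;
    out[0] = '\0';
    for (i = 0; i < n; i++) {
        int c = 0;
        if (sb[i].status != WS_CLOSING)
            continue;
        for (j = 0; j < n; j++)
            if (sb[j].status == WS_CLOSING &&
                strcmp(sb[j].client, sb[i].client) == 0)
                c++;
        if (c > best) {
            best = c;
            strncpy(out, sb[i].client, outlen - 1);
            out[outlen - 1] = '\0';
        }
    }
    return best;
}

int main(void)
{
    const char *c = "203.0.113.7";
    int limit = 3;
    char ip[32];
    int stuck = worst_closing_ip(SAMPLE_BOARD, SAMPLE_N, ip, sizeof ip);

    printf("%s: active=%d, with closing/log=%d (limit %d)\n", c,
           count_active(SAMPLE_BOARD, SAMPLE_N, c),
           count_with_closing(SAMPLE_BOARD, SAMPLE_N, c), limit);
    printf("reject? original=%d closing-aware=%d\n",
           over_limit(count_active(SAMPLE_BOARD, SAMPLE_N, c), limit),
           over_limit(count_with_closing(SAMPLE_BOARD, SAMPLE_N, c), limit));
    printf("most slots stuck in CLOSING: %s (%d)\n", ip, stuck);
    return 0;
}
```

With a limit of 3, the same board lets 203.0.113.7 through under the original counting (2 active) and rejects it under the closing-aware counting (6), which is exactly the trade-off Bill and Niklas argue about: the stricter count throttles a client whose stuck slots are eating the pool, at the cost of penalizing a well-behaved client that merely has connections in close_wait. In the real module the walk runs over server_limit x thread_limit slots via ap_get_scoreboard_worker() in httpd 2.2, and worst_closing_ip is the kind of check an admin would run from the scoreboard to confirm the "close to a thousand slots" symptom before deciding which policy to configure.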


Re: mod_limitipconn for httpd 2.2 and mod_cache

2008-08-22 Thread William A. Rowe, Jr.

Niklas Edmundsson wrote:


> [...] are probably more content with this for now than having to wait
> for someone committing the Perfect(tm) solution to httpd :)


Right; I'm not saying don't commit it (things can be fixed in trunk, that's
the point), but as you mentioned you want to get the naming right on the
first try.

Much as I objected that the earlier mod_sed (now _substitute) wasn't 'sed',
I'm pointing out this isn't a connection limit, it's a request limit, and
we should probably commit it with an appropriate module name :)

Bill


Re: mod_limitipconn for httpd 2.2 and mod_cache

2008-08-22 Thread Arturo 'Buanzo' Busleiman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

William A. Rowe, Jr. wrote:
> I'm pointing out this isn't a connection limit, it's a request limit, and
> we should probably commit it with an appropriate module name :)

mod_req_limit or another variant thereof?

- --
Arturo Buanzo Busleiman
Independent Linux and Security Consultant - SANS - OISSG - OWASP
http://www.buanzo.com.ar/pro/eng.html
Mailing List Archives at http://archiver.mailfighter.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIrt4nAlpOsGhXcE0RCvdLAJ9mgkt1aFQwLUluU1O3UHgzwI2pUACfYLrj
gvtLZvI1O10SgL3kJGaesn4=
=uFsd
-----END PGP SIGNATURE-----


mod_limitipconn for httpd 2.2 and mod_cache

2007-07-27 Thread Niklas Edmundsson


Hi!

Attached is a version of mod_limitipconn.c that works in conjunction 
with mod_cache and httpd-2.2. We've been using this on ftp.acc.umu.se 
for some time now without any unwanted issues.


The main problem with mod_limitipconn-0.22 was that since mod_cache 
runs as a quick handler, mod_limitipconn also must run as a quick 
handler with all those benefits and drawbacks.


Download the tarball from http://dominia.org/djao/limitipconn2.html , 
extract it, and replace mod_limitipconn.c with this version and follow 
the build instructions.


I would really wish that this was made part of httpd, it's really 
needed when running a file-download site due to the scarily large 
amount of demented download manager clients out there.


However, I have not received any response from the original author on 
the matter. From what I have understood of the license it should be OK 
to merge into httpd if you want though, but I think that you guys are 
way more clued in that matter than me.


This is a summary of the changes made:
* Rewritten to run as a Quick Handler, before mod_cache.
* Configuration directives are now set per VHost (Directory/Location
   are available after the Quick Handler has been run). This means that
   any Location containers have to be deleted in existing configs.
* Fixed configuration merging, so per-vhost settings use defaults set
   at the server level.
* By running as a Quick Handler we don't go through the entire lookup
   phase (resolve path, stat file, etc) before we get the possibility
   to block a request. This gives a clear performance enhancement.
* Made the handler exit as soon as possible, doing the easy checks
   first.
* Don't do subrequest to lookup MIME type if we don't have mime-type
   specific config.
* Count connections in closing and logging state too, we don't want to
   be DOS'd by clients behind buggy firewalls and so on.
* Added debug messages for easy debugging.
* Reduced loglevel from ERR to INFO for reject-logging.

In any case, I hope that this can be of use for others than us.


/Nikke
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Niklas Edmundsson, Admin @ {acc,hpc2n}.umu.se  | [EMAIL PROTECTED]
---
 We are ATT of Borg, MCI will be assimilated
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[Attachment: mod_limitipconn.c]

/*
 * Copyright (C) 2000-2002 David Jao [EMAIL PROTECTED]
 *
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use, copy,
 * modify, merge, publish, distribute, sublicense, and/or sell copies
 * of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice, this permission notice, and the
 * following disclaimer shall be included in all copies or substantial
 * portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 *
 */

#include "httpd.h"
#include "http_config.h"
#include "http_request.h"
#include "http_protocol.h"
#include "http_core.h"
#include "http_main.h"
#include "http_log.h"
#include "ap_mpm.h"
#include "apr_strings.h"
#include "scoreboard.h"

#define MODULE_NAME "mod_limitipconn"
#define MODULE_VERSION "0.22"

module AP_MODULE_DECLARE_DATA limitipconn_module;

static int server_limit, thread_limit;

typedef struct {
    signed int limit;   /* max number of connections per IP; -1 = unset */

    /* array of MIME types exempt from limit checking */
    apr_array_header_t *no_limit;
    int no_limit_set;

    /* array of MIME types to limit check; all other types are exempt */
    apr_array_header_t *excl_limit;
    int excl_limit_set;
} limitipconn_config;

static void *limitipconn_create_config(apr_pool_t *p, server_rec *s)
{
    limitipconn_config *cfg = (limitipconn_config *)
        apr_pcalloc(p, sizeof (*cfg));

    /* default configuration: no limit (unset), and both arrays are empty */
    cfg->limit = -1;
    cfg->no_limit = apr_array_make(p, 0, sizeof(char *));
    cfg->excl_limit = apr_array_make(p, 0, sizeof(char *));

    return cfg;
}

/* Simple merge: per-vhost entries override main server entries */
static void *limitipconn_merge_config(apr_pool_t *p, void *BASE, void *ADD)
{
    limitipconn_config *base = BASE;
    limitipconn_config *add  = ADD;

    limitipconn_config *cfg =