On 27 September 2007 at 14:06, Christian Folini wrote:
> On Thu, Sep 27, 2007 at 01:57:35PM +0100, Oliver wrote:
> > So my question in simple terms is this: is there a way of limiting
> > simultaneous connections per IP without having to launch additional
> > processes to handle the rejections?
>
> You may want to have a look into mod_qos:
> http://sourceforge.net/projects/mod-qos/
> It gives you just that.

Thanks for the pointer towards mod-qos. It did seem to be very suitable, but I've done some testing with ab and it seems to trigger the MaxClients setting just as mod_limitipconn and mod_cband do, even when I set QS_SrvMaxConnPerIP to 6. I have checked my settings are configured correctly using mod_info. The module was rejecting connections over 6, but not before a new process was launched to handle the http rejection.

> Otherwise you can also try mod_security2 and play around with
> the guardian_log, which is meant to help you deal with DoS
> attacks and your problem seems similar to a small DoS. :)

I read the manual and it seems more aimed towards x requests in y seconds, rather than x simultaneous connections.

I was thinking about xinetd to limit simultaneous connections, but it's not supported anymore for apache, and would probably hit performance badly anyway.

I'm starting to wonder whether limiting the number of simultaneous connections is technically possible using apache modules without launching a process for each connection before rejecting it?

Oliver.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.