Saturday, July 14, 2012

Apache's mod_qos - Your savior

I've posted about Apache's mod_qos before, but I wanted to post about it again. The sheer number of features this module offers are astounding. You can limit connections per IP, give higher priority to certain clients or applications, and generally control the workload of the server. It is what Apache always needed - indeed, what any web browser needed. I won't bore you with the details, but after you've either statically linked to this module in your build, or loaded it up dynamically, you can use configurations like below, as seen on the mod_qos documentation page.

Feature set:

  • The maximum number of concurrent requests to a location/resource (URL) or virtual host.
  • Limitation of the bandwidth such as the maximum allowed number of requests per second to an URL or the maximum/minimum of downloaded kbytes per second.
  • Limits the number of request events per second (special request conditions).
  • It can also "detect" very important persons (VIP) which may access the web server without or with fewer restrictions.
  • Generic request line and header filter to deny unauthorized operations.
  • Request body data limitation and filtering (requires mod_parp).
  • Limitations on the TCP connection level, e.g., the maximum number of allowed connections from a single IP source address or dynamic keep-alive control.
  • Prefers known IP addresses when server runs out of free TCP connections.


# maximum number of active TCP connections is limited to 896 (limited
# by the available memory, adjust the settings according to the used
# hardware):
MaxClients               256
# idle timeout:
Timeout                  60

# keep alive disabled after we start to fill up
KeepAlive                on
MaxKeepAliveRequests     60
KeepAliveTimeout         3
QS_SrvMaxConnClose       196
# don't allow more than 30 TCP connections per client source address:
QS_SrvMaxConnPerIP       30
# name of the HTTP response header which marks preferred clients (this # may be used to let the application decide which clients are "good" and # have higher privileges, e.g. authenticated users. you may also use # the QS_VipUser directive when using an Apache authentication module such # as mod_auth_basic or mod_auth_oid): QS_VipIPHeaderName mod-qos-login # enables the known client prefer mode (server allows new TCP connections # from known/good clients only when is has more than 716 open TCP connections): QS_ClientPrefer 80 # minimum request/response speed (deny slow clients blocking the server, # e.g. defending slowloris): QS_SrvMinDataRate 120 1500 400 # and limit request line, header and body: LimitRequestLine 7168 LimitRequestFields 30 QS_LimitRequestBody 102400
# block clients violating some basic rules frequently (don't allows more than 20
# violations within 5 minutes):
QS_ClientEventBlockCount 20 300
QS_SetEnvIfStatus        400               QS_Block
QS_SetEnvIfStatus        401               QS_Block
QS_SetEnvIfStatus        403               QS_Block
QS_SetEnvIfStatus        404               QS_Block
QS_SetEnvIfStatus        405               QS_Block
QS_SetEnvIfStatus        406               QS_Block
QS_SetEnvIfStatus        408               QS_Block
QS_SetEnvIfStatus        411               QS_Block
QS_SetEnvIfStatus        413               QS_Block
QS_SetEnvIfStatus        414               QS_Block
QS_SetEnvIfStatus        417               QS_Block
QS_SetEnvIfStatus        500               QS_Block
QS_SetEnvIfStatus        503               QS_Block
QS_SetEnvIfStatus        505               QS_Block
QS_SetEnvIfStatus        QS_SrvMinDataRate QS_Block
QS_SetEnvIfStatus        NullConnection    QS_Block
# even a little anti-SQL injection ... 

# don't allow a certain string pattern within the request query or
# use location or directory tags, probably not good for whole server
QS_DenyQueryBody              on
QS_DenyQuery       +s01       deny "(EXEC|SELECT|INSERT|UPDATE|DELETE)"

1 comment:

  1. Hi, I would love to use most of your rules

    Do you think it is safe to use for a site that is crawled by Google literally every few seconds?

    I added this to make sure Google is a VIP, but is it a good solution?

    BrowserMatch "googlebot" QS_VipRequest=yes
    SetEnvIf Remote_Addr ^66\.249\. QS_VipRequest=yes