How can I implement rate limiting with Apache? (requests per second)

apache ddos apache2

What techniques and/or modules are available to implement robust rate limiting (requests|bytes/ip/unit time) in apache?


Solution 1:

The best

  • mod_evasive (Focused more on reducing DoS exposure)
  • mod_cband (Best featured for 'normal' bandwidth control)

and the rest

  • mod_limitipconn
  • mod_bw
  • mod_bwshare

Solution 2:

As stated in this blog post it seems possible to use mod_security to implement a rate limit per second.

The configuration is something like this:

SecRuleEngine On

<LocationMatch "^/somepath">
  SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog
  SecAction "phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog"
  SecRule IP:SOMEPATHCOUNTER "@gt 60" "phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog"
  SecAction "phase:2,pass,setvar:ip.somepathcounter=+1,nolog"
  Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>

ErrorDocument 509 "Rate Limit Exceeded"

Related

Get current location of user in Android without using GPS or internet
What is difference between @RequestBody and @RequestParam?
Does ARC support dispatch queues?
Listing available com ports with Python
Android. WebView and loadData
Get Base64 encode file-data from Input Form
Can HTML be embedded inside PHP "if" statement?
Remove first element from $@ in bash [duplicate]
How to remove a newline from a string in Bash
glob exclude pattern
ImportError: no module named win32api
List directory tree structure in python?