mod_evasive behind HAPROXY
I have a couple of Apache 2 machines behind an HAPROXY setup. I tried to set up mod_evasive on those Apache machines while also using mod_rpaf to get the real X-FORWARDED client IP.
For some reason, mod_evasive grabs and blocks some IPs (testing with ApacheBench), but some can go on and open more connections and basically DOS my servers.
Any idea what can exclude one IP from the other in mod_evasive, considering the fact that it's behind a proxy and that the real client IPs are visible in the Apache logs?
mod_evasive's settings are the defaults, with DOSWhitelist set to our subnet mask (192.168.. for example).
The rpaf module has the RPAFproxy_ips definition set to our HAPROXY IP. Any ideas?
Solution 1:
The problem you've run into is likely part of the design of mod_evasive: its stats used for blocking are saved in each child process. So, if you are using the prefork MPM and have MaxClients set to 50, then connections to each of these 50 clients will be tracked independently.
Further, there is the MaxRequestsPerChild setting. Once this is reached, the child will be killed, and the stats along with it. So, in some cases, mod_evasive is simply not effective.
I'm sorry I don't have a better alternative to recommend at this point. I'm searching myself. (I have not yet confirmed whether it works any better with other MPMs, either.)
References:
- Mod_evasive doesn't protect from DOS
- mod_evasive sucks as anti-DOS protection
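The per-child bookkeeping described in the answer is easy to reproduce with a small model. The script below is an added example, not code from the question, the answer or the mod_evasive project: it implements mod_evasive's documented DOSSiteCount/DOSSiteInterval rule (50 hits from one client per 1-second window trips a block) as an independent hit table per simulated Apache child, dispatches a constructed burst of requests round-robin across N children, and counts how many requests would have been rejected. The `ChildTracker`, `simulate` and `burst` names, the round-robin dispatch, the client address `203.0.113.7` and the `max_requests_per_child` recycling knob are all assumptions of this model; real prefork scheduling is not strictly round-robin, but any spread across children produces the same effect.

```python
from collections import defaultdict, deque

# mod_evasive defaults as documented: DOSSiteCount 50, DOSSiteInterval 1.
# Everything below is a constructed model of that rule, not the module's code.
DOS_SITE_COUNT = 50
DOS_SITE_INTERVAL = 1.0


class ChildTracker:
    """Hit table owned by one Apache child: mirrors mod_evasive keeping its
    state per process rather than in shared memory."""

    def __init__(self, site_count=DOS_SITE_COUNT, interval=DOS_SITE_INTERVAL):
        self.site_count = site_count
        self.interval = interval
        self.hits = defaultdict(deque)  # client ip -> request timestamps in window

    def request(self, ts, ip):
        """Record one request; return True if this child would reject it (403)."""
        window = self.hits[ip]
        while window and ts - window[0] >= self.interval:
            window.popleft()            # drop hits that fell out of the interval
        window.append(ts)
        return len(window) >= self.site_count


def simulate(requests, n_children, max_requests_per_child=None, **kw):
    """Dispatch (timestamp, ip) requests round-robin over n_children trackers.

    max_requests_per_child (assumed knob modelling MaxRequestsPerChild): when a
    child has served that many requests it is replaced by a fresh one, so its
    hit table is lost. Returns the number of requests that would be rejected.
    """
    children = [ChildTracker(**kw) for _ in range(n_children)]
    served = [0] * n_children
    rejected = 0
    for i, (ts, ip) in enumerate(requests):
        c = i % n_children
        if max_requests_per_child and served[c] >= max_requests_per_child:
            children[c] = ChildTracker(**kw)  # child recycled, stats gone with it
            served[c] = 0
        served[c] += 1
        if children[c].request(ts, ip):
            rejected += 1
    return rejected


def burst(ip, n, duration=1.0):
    """Constructed attack trace: n requests from ip spread evenly over duration s."""
    return [(k * duration / n, ip) for k in range(n)]


if __name__ == "__main__":
    trace = burst("203.0.113.7", 200)  # constructed: 200 req/s from one client
    print("1 child (shared view):   ", simulate(trace, 1))
    print("4 children:              ", simulate(trace, 4))
    print("50 children (MaxClients):", simulate(trace, 50))
    print("1 child, recycled at 40: ", simulate(trace, 1, max_requests_per_child=40))
```

With a single tracker the 200-request burst is rejected from the 50th hit onward; split across 4 children each child sees only 50 hits and rejects just its last one; across 50 children each child sees 4 hits and nothing is ever blocked, which is the behaviour the question describes. The last line shows the MaxRequestsPerChild point: recycling the child before its table reaches the threshold resets the count, so even a single child never blocks. The practical check this gives a defender is whether the rate-limit state lives above the worker-process level (in the proxy, or in something shared across workers) rather than inside each one.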