.htaccess rules to stop DDoS POST flooding

Apache is really, really bad at filtering any kind of request due to its design (by the time it can learn about the request and drop it or respond with an error, it has already used a lot of resources). What I did, and had big success with, was this:

  1. Install mod_rpaf or similar in Apache and set it to accept proxy from localhost.

  2. Install haproxy on some port like 8080, configure it in HTTP mode to proxy to Apache.

  3. Add an ACL to drop POST requests to the URL (or whatever else you need to drop); ACLs are pretty powerful in haproxy.

  4. Set haproxy to put the client IP in a header and configure mod_rpaf to get it from there.

  5. Add a NAT rule to redirect the traffic from 80 to the haproxy port.

With haproxy 1.5 you can achieve the same for SSL sites too. I truly find haproxy really powerful for Layer 7 filtering like this. You could probably use nginx too, but it is a bit slower; however, it has the advantage that you can use tools like naxsi with it and get a true web application firewall.
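The five steps above, wired together as an added example (this is not the poster's own configuration). It assumes Apache keeps listening on 127.0.0.1:80, haproxy binds on port 8080, and the flooded URL is /wp-login.php; all three are assumptions and are parameterised at the top. The script only generates the haproxy and mod_rpaf fragments and prints the iptables rule, so it can be reviewed before anything is applied. One caveat worth keeping: RPAFproxy_ips must list only the local haproxy, because mod_rpaf rewrites the remote address from X-Forwarded-For, and a wider trust list would let any client spoof its source IP in Apache's logs and access controls.

```shell
#!/bin/sh
# Added example: haproxy in front of Apache to drop POST floods at Layer 7.
# Assumptions (not from the original post): Apache on 127.0.0.1:80,
# haproxy on *:8080, flooded URL /wp-login.php. Override via environment.
set -eu

BLOCKED_PATH="${BLOCKED_PATH:-/wp-login.php}"
HAPROXY_PORT="${HAPROXY_PORT:-8080}"

# Steps 2-4: haproxy 1.5 configuration, written to stdout.
haproxy_cfg() {
  cat <<EOF
global
    maxconn 4096

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # Give up quickly on clients that dribble headers (slowloris-style).
    timeout http-request 10s

frontend http_in
    bind *:${HAPROXY_PORT}
    # Step 4: put the real client IP in X-Forwarded-For for mod_rpaf.
    option forwardfor
    # Step 3: deny POSTs to the flooded path before Apache sees them.
    # METH_POST is one of haproxy's predefined ACLs; flooded_path is ours.
    acl flooded_path path_beg ${BLOCKED_PATH}
    http-request deny if METH_POST flooded_path
    default_backend apache

backend apache
    # Step 2: Apache stays on the loopback interface behind haproxy.
    server apache1 127.0.0.1:80 check
EOF
}

# Steps 1 and 4: mod_rpaf fragment for Apache, written to stdout.
rpaf_conf() {
  cat <<'EOF'
<IfModule mod_rpaf.c>
    RPAFenable On
    # Trust X-Forwarded-For ONLY from the local haproxy. Listing more
    # addresses would let clients spoof their source IP towards Apache.
    RPAFproxy_ips 127.0.0.1
    RPAFheader X-Forwarded-For
    RPAFsethostname On
</IfModule>
EOF
}

# Step 5: the NAT rule. PREROUTING only affects traffic arriving on an
# interface, so haproxy's own connections to 127.0.0.1:80 (OUTPUT chain)
# are not redirected back into haproxy. Printed, not executed.
nat_rule() {
  printf 'iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports %s\n' "$HAPROXY_PORT"
}

# Write both fragments under a prefix ("" for the live system; a temp dir
# for a dry run). Paths follow the Debian layout; adjust for other distros.
install_into() {
  prefix="$1"
  mkdir -p "$prefix/etc/haproxy" "$prefix/etc/apache2/conf-available"
  haproxy_cfg > "$prefix/etc/haproxy/haproxy.cfg"
  rpaf_conf   > "$prefix/etc/apache2/conf-available/rpaf.conf"
}

# Usage: sh thisfile.sh install [PREFIX]
if [ "${1:-}" = "install" ]; then
  install_into "${2:-}"
  # Validate the generated config if haproxy is present on this host.
  if command -v haproxy >/dev/null 2>&1; then
    haproxy -c -f "${2:-}/etc/haproxy/haproxy.cfg"
  fi
  echo "Now enable rpaf.conf in Apache and apply:"
  nat_rule
fi
```

Run it with `install /tmp/dryrun` first and diff the output against your current files; only then run it without a prefix, enable the rpaf fragment, reload Apache, and apply the printed iptables rule. The `http-request deny` returns a 403 from haproxy itself, which is the whole point: the flood never consumes an Apache worker.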