Limit simultaneous connections per IP with Apache2


Solution 1

From my experience it's a little more complicated than just limiting "one connection per IP" I'm afraid (isn't it always :-)).

There were however other configurable parameters such as "MinSpareServers, MaxSpareServers and StartServers" (I'm not sure if these still exist but they were certainly in Apache 2.0).

Also apparently compressing the output can improve bandwidth needs and speed up response time by up to 75% with "mod_deflate" if that helps.

"mod_bandwidth" may offer some assistance rather than trying to limit a single connection and is probably the route I'd go down after looking at compression.

Or if you can write C then you could create a module yourself to count connections per IP.

The thing to watch out for is what happens when an IP has been served a single connection. Let's just say that usually it's not a pretty sight! You can drop to a "Server Busy" page or similar, but I'd go down the route of optimising your server so it's as good as it can be rather than frustrating visitors.

Solution 2

I'm not sure about apache module, but you could use iptables for it. Here is the howto about connlimit module: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/

In your situation something like the following would work:

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

However, as mentioned in other questions, be careful: this rule might block some legitimate robots (like the Google crawler) or ISPs/organisations that use NAT and share a single IP address among a large number of users.

Solution 3

You can use the mod_qos httpd module.

QS_SrvMaxConnPerIP <number> [<connections>]

Defines the maximum number of connections per source IP address for this server (virtual host). The "connections" argument defines the number of busy connections of the server (all virtual hosts) needed to enable this limitation; the default is 0 (which means that the limitation is always enabled, even when the server is idle).

More details at http://mod-qos.sourceforge.net.

Example:

LoadModule qos_module path_to_module/mod_qos.so
<IfModule mod_qos.c>
        # maximum number of simultaneous connections per source IP
        QS_SrvMaxConnPerIP 15
</IfModule>

<VirtualHost *:80>
...
</VirtualHost>
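An added example (not from the answer above or from the mod_qos project) that combines the per-IP cap with the total-connection cap the asker also wanted, scoped to a CPU-heavy location. It assumes mod_qos is already loaded, that the expensive service lives under /compute, and that 203.0.113. is a constructed prefix for a trusted NAT gateway or crawler; only the directives shown are used, and the per-IP value is kept above 1 because browsers open several connections per page.

```apache
# Added example, not the original answer's config. Assumes mod_qos is loaded
# via LoadModule elsewhere and that the heavy endpoint is /compute.
<IfModule mod_qos.c>
    # Hard cap on busy connections for the whole server (all virtual hosts).
    QS_SrvMaxConn 200

    # Above this many busy connections, answer with "Connection: close" so
    # slots are returned quickly instead of being held by keep-alive.
    QS_SrvMaxConnClose 150

    # Per-source-IP cap. The second argument (50) means the limit is only
    # enforced once 50 connections are busy; while the server is idle a
    # NAT'd office or a crawler is not throttled at all.
    QS_SrvMaxConnPerIP 10 50

    # Source addresses that are never counted against the per-IP cap
    # (constructed example prefix: replace with your own NAT/crawler ranges).
    QS_SrvMaxConnExcludeIP 203.0.113.

    # Cap on concurrent requests to the expensive location itself, across
    # all clients, so a burst of jobs cannot starve the rest of the site.
    QS_LocRequestLimit /compute 8
</IfModule>

<VirtualHost *:80>
    DocumentRoot /var/www/html
    # The /compute handler is served here; mod_qos rejects requests over the
    # limits above before the expensive work starts.
</VirtualHost>
```

Requests that exceed a limit are rejected by mod_qos before the handler runs, so the per-IP and per-location counters, not the firewall's connection tracking, decide when a client may submit its next job.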

Solution 4

I just had the opposite need - apache2 was only serving one page at a time per IP. If that took a long time, another page load in another tab would not start loading until any others to that server I had since requested were completed.

I knew it was related to sessions and found the full answer here and here.

Solution 5

One connection per IP address is not going to work. A web browser will use one connection to download the web page, then 10+ simultaneous connections to get all the images, CSS, JavaScripts, etc. So if you do limit by IP, the user will get the main page, and maybe a few images, and that is all.

The only use case that limiting by IP works for is if you have a dedicated download server you don't want people using download accelerators on, a.k.a. RapidShare.

You need to look into how the website abusers are abusing your services and target them. If you limit everyone, then everyone is going to hurt.

If it's a case of just too much traffic, then you need to optimize the site or add some more CPU cycles with more/faster hardware.

Author: Jeroen Ooms


Updated on September 18, 2022

Comments

  • Jeroen Ooms
    Jeroen Ooms almost 2 years

    I am hosting a public CPU-heavy web service, and I would like to configure Apache2 to only allow 1 simultaneous connection per IP address to the location at hand, to prevent single clients from using too many resources.

    Is there a neat apache2 solution to do this? I have looked into mod_bw but this does not seem to do the trick (the MaxConnections only applies to all users, not per IP). There is also a module called apache2-mod-limitipconn, but this one has no precompiled packages and I think it is no longer maintained, as the website is dead. I would prefer something that I can include as a formal dependency in Ubuntu.

    • sreimer
      sreimer over 13 years
      Which part of the webservice is CPU intensive? The serving of the data (i.e. sending a large amount of data) or generating/processing the data?
    • Jeroen Ooms
      Jeroen Ooms about 13 years
      Processing the data is CPU intensive. The actual transfer (report of results) won't be that big in most cases.
  • Jonathan Ross
    Jonathan Ross over 13 years
    My "mod-bandwidth" comment was made because by giving a small amount of bandwidth to each user (e.g. 32kbps) you're effectively limiting how much CPU and overall resource they can use.
  • Jeroen Ooms
    Jeroen Ooms about 13 years
    I am indeed using dedicated servers for this webservice so that is not a problem. I specifically want both restrictions on the number of connections per IP and the number of total active connections.
  • Jeroen Ooms
    Jeroen Ooms about 13 years
    The problem with using the firewall is that it takes a while for the firewall to notice that the connection is gone. So if the user has a couple of short jobs, which are over in a couple of seconds, the firewall will keep blocking incoming requests for e.g. 300s.
  • flickerfly
    flickerfly over 10 years
    I used 'sudo iptables -I INPUT 4 -p tcp --syn --dport 80 -m connlimit --connlimit-above 5 -j REJECT --reject-with tcp-reset' and then opened 8 tabs to the same page on the apache server and it failed. What am I missing?