
[Apache] Патч для ограничения максимального числа запросов с одного IP (patch apache limit)


Date: Sat, 19 Jan 2002 13:40:39 +0300
Subject: [Apache] Патч для ограничения максимального числа запросов с одного IP
diff -ur src/include/http_conf_globals.h.orig src/include/http_conf_globals.h
--- src/include/http_conf_globals.h.orig Sat Oct 14 13:10:59 2000
+++ src/include/http_conf_globals.h Tue Nov 28 18:24:51 2000
@@ -89,6 +89,8 @@
 extern API_VAR_EXPORT int ap_daemons_limit;
 extern API_VAR_EXPORT int ap_suexec_enabled;
 extern int ap_listenbacklog;
+extern int ap_daemons_max_by_ip;
+extern int ap_daemons_max_by_ip_read;
 extern int ap_dump_settings;
 extern API_VAR_EXPORT int ap_extended_status;
diff -ur src/include/http_main.h.orig src/include/http_main.h
--- src/include/http_main.h.orig Sat Oct 14 13:11:00 2000
+++ src/include/http_main.h Tue Nov 28 18:24:51 2000
@@ -129,6 +129,9 @@
 void setup_signal_names(char *prefix);
+void update_child_status_remote_ip (int, conn_rec *);
+int count_connections (conn_rec *, int);
+
 #ifndef NO_OTHER_CHILD
 /*
  * register an other_child -- a child which the main loop keeps track of
diff -ur src/include/httpd.h.orig src/include/httpd.h
--- src/include/httpd.h.orig Sat Oct 14 18:16:51 2000
+++ src/include/httpd.h Tue Nov 28 18:24:51 2000
@@ -299,6 +299,12 @@
 #define DEFAULT_MIN_FREE_DAEMON 5
 #endif
+/* Define default limits for MaxDaemons serving a single address */
+
+#define DEFAULT_MAX_DAEMONS_BY_IP 150
+#define DEFAULT_MAX_DAEMONS_BY_IP_READ 75
+#define LIMIT_CONNECTIONS_BY_IP_ERROR HTTP_SERVICE_UNAVAILABLE
+
 /* Limit on the total --- clients will be locked out if more servers than
  * this are needed. It is intended solely to keep the server from crashing
  * when things get out of hand.
diff -ur src/include/scoreboard.h.orig src/include/scoreboard.h
--- src/include/scoreboard.h.orig Sat Oct 14 12:56:05 2000
+++ src/include/scoreboard.h Tue Nov 28 18:24:51 2000
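Review bot: The two declarations added in the http_conf_globals.h hunk are plain `extern int`, while the matching definitions added in the http_main.c hunk carry `API_VAR_EXPORT`, as the neighbouring `ap_daemons_limit` does on both sides. Where that macro expands to a linkage attribute, declaration and definition disagree; `extern API_VAR_EXPORT int ap_daemons_max_by_ip;` and `extern API_VAR_EXPORT int ap_daemons_max_by_ip_read;` keep them consistent. The same header is included by http_protocol.c, so the hand-written `extern int` lines that hunk adds become unnecessary.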
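Review bot: The comment above `DEFAULT_MAX_DAEMONS_BY_IP` in the httpd.h hunk does not say that both limits are active by default or how to switch them off. Going by the checks added in http_protocol.c a value of 0 disables a limit, and http_config.c applies the two defaults even when neither directive is configured, so all clients behind one proxy or NAT address share these budgets as soon as the patch is applied. I would state that in the comment, e.g. `/* Per-client-address limits; 0 disables. Defaults apply even when MaxServersPerIP / MaxServersPerIPRead are not set. */`.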
@@ -160,6 +160,7 @@
 char request[64]; /* We just want an idea... */
 server_rec *vhostrec; /* What virtual host is being accessed? */
 /* SEE ABOVE FOR SAFE USAGE! */
+ unsigned long remoteip;
 } short_score;
 typedef struct {
diff -ur src/main/http_config.c.orig src/main/http_config.c
--- src/main/http_config.c.orig Sat Oct 14 13:11:04 2000
+++ src/main/http_config.c Tue Nov 28 18:24:51 2000
@@ -1498,6 +1498,8 @@
 ap_daemons_to_start = DEFAULT_START_DAEMON;
 ap_daemons_min_free = DEFAULT_MIN_FREE_DAEMON;
 ap_daemons_max_free = DEFAULT_MAX_FREE_DAEMON;
+ ap_daemons_max_by_ip = DEFAULT_MAX_DAEMONS_BY_IP;
+ ap_daemons_max_by_ip_read = DEFAULT_MAX_DAEMONS_BY_IP_READ;
 ap_daemons_limit = HARD_SERVER_LIMIT;
 ap_pid_fname = DEFAULT_PIDLOG;
 ap_scoreboard_fname = DEFAULT_SCOREBOARD;
diff -ur src/main/http_core.c.orig src/main/http_core.c
--- src/main/http_core.c.orig Sat Oct 14 13:11:05 2000
+++ src/main/http_core.c Tue Nov 28 18:24:52 2000
@@ -2237,6 +2237,16 @@
 return NULL;
 }
+const char * set_max_servers_by_ip (cmd_parms *cmd, void *dummy, char *arg) {
+ ap_daemons_max_by_ip = atoi (arg);
+ return NULL;
+}
+
+const char * set_max_servers_by_ip_read (cmd_parms *cmd,void *dummy,char *arg) {
+ ap_daemons_max_by_ip_read = atoi (arg);
+ return NULL;
+}
+
 static const char *set_min_free_servers(cmd_parms *cmd, void *dummy, char *arg)
 {
 const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
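Review bot: The new `remoteip` member of `short_score` in the scoreboard.h hunk has no comment, unlike the fields above it. Going by update_child_status_remote_ip it holds `remote_addr.sin_addr.s_addr` of the current connection and 0 once cleared, so `unsigned long remoteip; /* client IPv4 address as in sin_addr.s_addr; 0 = none */` would document it. The member presumably also changes the size of every scoreboard slot, so anything that reads the scoreboard with the old layout needs rebuilding; that is worth a line in the patch description.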
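Review bot: `set_max_servers_by_ip` and `set_max_servers_by_ip_read` in the http_core.c hunk store `atoi(arg)` unchecked and skip the `ap_check_cmd_context(cmd, GLOBAL_ONLY)` test that `set_min_free_servers`, directly below them, performs. A non-numeric argument silently becomes 0, which the later checks treat as "limit off", and a negative value is non-zero and smaller than any count, so every request would get the 503. Both setters write process-wide globals, so I would restrict them to the global context, accept only a non-negative integer, and make them `static` like their neighbours; the second setter gets the same body with its own variable and directive name.

```c
static const char *set_max_servers_by_ip(cmd_parms *cmd, void *dummy, char *arg)
{
    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
    char *end;
    long val;

    if (err != NULL) {
        return err;
    }
    val = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || val < 0 || val > HARD_SERVER_LIMIT) {
        return "MaxServersPerIP must be an integer between 0 and HARD_SERVER_LIMIT";
    }
    ap_daemons_max_by_ip = (int) val;
    return NULL;
}
```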
@@ -2931,6 +2941,10 @@
 "Maximum number of idle children" },
 { "MaxServers", set_max_free_servers, NULL, RSRC_CONF, TAKE1,
 "Deprecated equivalent to MaxSpareServers" },
+{ "MaxServersPerIP", set_max_servers_by_ip, NULL, RSRC_CONF, TAKE1,
+ "Maximum number of connections from a single IP address" },
+{ "MaxServersPerIPRead", set_max_servers_by_ip_read, NULL, RSRC_CONF, TAKE1,
+ "Maximum number of connection from a single IP address in read state at any time." },
 { "ServersSafetyLimit", set_server_limit, NULL, RSRC_CONF, TAKE1,
 "Deprecated equivalent to MaxClients" },
 { "MaxClients", set_server_limit, NULL, RSRC_CONF, TAKE1,
diff -ur src/main/http_main.c.orig src/main/http_main.c
--- src/main/http_main.c.orig Sat Oct 14 13:11:06 2000
+++ src/main/http_main.c Tue Nov 28 18:31:51 2000
@@ -253,6 +253,8 @@
 API_VAR_EXPORT int ap_daemons_to_start=0;
 API_VAR_EXPORT int ap_daemons_min_free=0;
 API_VAR_EXPORT int ap_daemons_max_free=0;
+API_VAR_EXPORT int ap_daemons_max_by_ip;
+API_VAR_EXPORT int ap_daemons_max_by_ip_read;
 API_VAR_EXPORT int ap_daemons_limit=0;
 time_t ap_restart_time=0;
 API_VAR_EXPORT int ap_suexec_enabled = 0;
@@ -2303,6 +2305,38 @@
 return old_status;
 }
+void update_child_status_remote_ip (int child_num, conn_rec * current_conn)
+{
+ int slot_size;
+ short_score new_score_rec;
+
+ if (child_num < 0) { return; }
+
+
+ ap_sync_scoreboard_image();
+ new_score_rec = ap_scoreboard_image->servers[child_num];
+
+ slot_size = sizeof(new_score_rec.remoteip) - 1;
+
+ if (current_conn)
+ {
+ new_score_rec.remoteip = current_conn->remote_addr.sin_addr.s_addr;
+ }
+ else
+ {
+ new_score_rec.remoteip = 0;
+ }
+#if defined(HAVE_MMAP) || defined(HAVE_SHMGET)
+ memcpy(&ap_scoreboard_image->servers[child_num], &new_score_rec, sizeof new_score_rec);
+#else
+ lseek (scoreboard_fd, (long)child_num * sizeof(short_score), 0);
+ force_write (scoreboard_fd, (char*)&new_score_rec, sizeof(short_score));
+#endif
+
+ ap_sync_scoreboard_image();
+}
+
+
 static void update_scoreboard_global(void)
 {
 #ifdef SCOREBOARD_FILE
@@ -2313,6 +2347,26 @@
 #endif
 }
+int count_connections (conn_rec * current_conn, int state)
+{
+ unsigned long remote_ip = current_conn->remote_addr.sin_addr.s_addr;
+ int res = 0, i;
+
+ for (i = 0; i < HARD_SERVER_LIMIT; i++)
+ {
+ if ((ap_scoreboard_image->servers[i].status == SERVER_DEAD) ||
+ (state > 0 && ap_scoreboard_image->servers[i].status != state))
+ {
+ continue;
+ }
+ if (ap_scoreboard_image->servers[i].remoteip == remote_ip)
+ {
+ res++;
+ }
+ }
+ return res;
+}
+
 void ap_time_process_request(int child_num, int status)
 {
 short_score *ss;
@@ -4189,12 +4243,15 @@
  * until no requests are left or we decide to close.
  */
- while ((r = ap_read_request(current_conn)) != NULL) {
+ for (;;){
+ if (ap_daemons_max_by_ip || ap_daemons_max_by_ip_read)
+ update_child_status_remote_ip (my_child_num, (conn_rec *)current_conn);
+
+ if ((r = ap_read_request(current_conn)) == NULL) break;
 /* read_request_line has already done a
  * signal (SIGUSR1, SIG_IGN);
  */
- (void) ap_update_child_status(my_child_num, SERVER_BUSY_WRITE, r);
 /* process the request if it was read without error */
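Review bot: In update_child_status_remote_ip, `slot_size` is assigned and never read, and the whole `short_score` slot is copied out and written back just to change one member. If anything else writes that slot between the copy and the write-back, its update is overwritten with the stale copy; in the shared-memory branch, assigning `ap_scoreboard_image->servers[child_num].remoteip` directly avoids that. The guard rejects only `child_num < 0`; also checking `child_num >= HARD_SERVER_LIMIT` (the bound count_connections iterates to) keeps the index inside `servers[]`. A header comment saying that a NULL `current_conn` clears the stored address would help callers.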
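Review bot: count_connections skips only `SERVER_DEAD` slots when `state` is 0, so an idle child that still carries the address of its previous client is counted against that address. The only place on this page that clears `remoteip` is the hunk at -5463, and the keep-alive loop hunk does not clear it when the connection ends, so unless another reset exists outside the shown hunks the "total" count includes finished connections. Skipping idle slots as well (for example also `continue` on `SERVER_READY`) or clearing the member on every close path would fix that. The function also reads `ap_scoreboard_image` without a preceding `ap_sync_scoreboard_image()`, which matters in the file-backed `#else` configuration, and it dereferences `current_conn` unchecked although its sibling accepts NULL.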
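Review bot: The call to update_child_status_remote_ip sits inside the new `for (;;)` loop, so two scoreboard syncs and a slot copy run before every request of a keep-alive connection although `current_conn` and its address do not change there. Calling it once before the loop, and bracing the `if` body, would be enough. The collapsed page leaves it unclear whether the `-` in front of `(void) ap_update_child_status(my_child_num, SERVER_BUSY_WRITE, r);` removes that call or only a blank line; if the call really is removed, slots would stay in the read state while a response is written and the MaxServersPerIPRead count would be inflated. The loop's enclosing function starts and ends outside the hunk.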
@@ -5463,6 +5520,10 @@
  * client has ACKed our FIN and/or has stopped sending us data.
  */
 ap_kill_cleanups_for_socket(ptrans, csd);
+
+ if (daemons_max_by_ip || daemons_max_by_ip_read)
+ update_child_status_remote_ip (child_num, (conn_rec *)NULL);
+
 #ifdef NO_LINGCLOSE
 ap_bclose(conn_io); /* just close it */
diff -ur src/main/http_protocol.c.orig src/main/http_protocol.c
--- src/main/http_protocol.c.orig Sat Oct 14 18:16:51 2000
+++ src/main/http_protocol.c Tue Nov 28 18:24:52 2000
@@ -73,6 +73,15 @@
 #include "http_log.h" /* For errors detected in basic auth common
  * support code... */
 #include "util_date.h" /* For parseHTTPdate and BAD_DATE */
+
+#include "scoreboard.h" /* for limiting connections by IP */
+#ifndef LONG_STRING_LEN
+#define LONG_STRING_LEN 2048
+#endif /* LONG_STRING_LEN */
+extern int ap_daemons_max_by_ip;
+extern int ap_daemons_max_by_ip_read;
+extern void ap_die();
+
 #include <stdarg.h>
 #include "http_conf_globals.h"
@@ -1039,6 +1048,8 @@
 pool *p;
 const char *expect;
 int access_status;
+ int current_connections;
+ char *reject_state = NULL;
 p = ap_make_sub_pool(conn->pool);
 r = ap_pcalloc(p, sizeof(request_rec));
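Review bot: The condition added in the http_main.c hunk at -5463 tests `daemons_max_by_ip` and `daemons_max_by_ip_read`, while every other hunk declares and uses `ap_daemons_max_by_ip` / `ap_daemons_max_by_ip_read`, and it passes `child_num` where the keep-alive loop passes `my_child_num`. No declaration of the unprefixed names is visible in this patch, so unless they exist elsewhere in http_main.c this block will not compile wherever it is built; the line should presumably read `if (ap_daemons_max_by_ip || ap_daemons_max_by_ip_read)`. Whether `child_num` is the right variable depends on the enclosing function, which lies outside the hunk.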
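Review bot: `extern void ap_die();` in the http_protocol.c include hunk is an old-style declaration without a parameter list, so the later call `ap_die(LIMIT_CONNECTIONS_BY_IP_ERROR, r)` is not type-checked. Including the header that already prototypes ap_die (http_request.h in stock 1.3 sources, to be confirmed for this tree) is the safer form. The two `extern int` lines duplicate what this same patch adds to http_conf_globals.h, which is included two lines further down, and `LONG_STRING_LEN` is not used by any hunk shown here.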
@@ -1070,6 +1081,33 @@
 r->read_length = 0;
 r->read_body = REQUEST_NO_BODY;
+ if (ap_daemons_max_by_ip && ((current_connections = count_connections(conn,0))
+ > ap_daemons_max_by_ip))
+ {
+ r->request_time=time(NULL);
+ reject_state = "total";
+ }
+ else if (ap_daemons_max_by_ip_read &&
+ ((current_connections = count_connections(conn,SERVER_BUSY_READ))
+ > ap_daemons_max_by_ip_read))
+ {
+ reject_state = "read state";
+ }
+ if (reject_state) {
+ r->status = HTTP_OK;
+ r->request_time = time(NULL);
+ r->proto_num = 1000; /* or something */
+ r->assbackwards = 0; /* who knows... */
+ r->protocol = "HTTP/1.0"; /* just not empty */
+ r->the_request = NULL;
+ r->method = NULL;
+ r->method_number = M_INVALID;
+ ap_die(LIMIT_CONNECTIONS_BY_IP_ERROR, r);
+ ap_log_transaction(r);
+ ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, conn->server, "Client at %s for %s with %d %s current connections", conn->remote_ip, conn->server->server_hostname, current_connections, reject_state);
+ return NULL;
+ }
+
 r->status = HTTP_REQUEST_TIME_OUT; /* Until we get a request */
 r->the_request = NULL;
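Review bot: Every rejected connection is logged twice in the `if (reject_state)` block, once by `ap_log_transaction(r)` and once by `ap_log_error` at `APLOG_ERR`, so a client that is over its limit makes the logs grow at its connection rate. Logging the rejection at a lower level, or once per address and interval, keeps the limiter from turning into a log-volume problem during the very overload it is meant to contain. In the stub request, `r->proto_num = 1000; /* or something */` reads better as `r->proto_num = HTTP_VERSION(1,0);`, `r->request_time` is set twice on the "total" branch, and `reject_state` can be `const char *` because it only points at literals. The comparison is `>` and the count appears to include the connection being checked, so a setting of N admits N concurrent connections, which the directive help text should state.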


Обсуждение [ RSS ]
  • 1, Andrei (?), 18:19, 24/02/2004 [ответить]  
    Курите гугл или debian на предмет limitipconn apache

    т.к.
    libapache-mod-limitipconn - Module for Apache which limits simultaneous connections per IP

    Andrei.

     
