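mod_limitipconn module limits
Date: 2009-07-01  Source: nianzong
Regarding this module's limit on the number of connections, my test results on Linux show:
It counts the connections established with a given IP and uses that as the basis for the limit, which is in effect the number of connections in the ESTABLISHED state. If the limit is 2, only 2 connections in the ESTABLISHED state can be established. For resource downloads, the thread limit is therefore 2 threads.
Reference documents and download:
http://dominia.org/djao/limitipconn2.html
limitipconn-README: http://dominia.org/djao/limitipconn2-README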
# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so
<IfModule mod_limitipconn.c>
    # Set a server-wide limit of 10 simultaneous downloads per IP,
    # no matter what.
    MaxConnPerIP 10
    <Location /somewhere>
        # This section affects all files under http://your.server/somewhere
        MaxConnPerIP 3
        # exempting images from the connection limit is often a good
        # idea if your web page has lots of inline images, since these
        # pages often generate a flurry of concurrent image requests
        NoIPLimit image/*
    </Location>
    <Directory /home/*/public_html>
        # This section affects all files under /home/*/public_html
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
    </Directory>
</IfModule>
---------------------------------------------------------------------------
Notes:
1) This module will not function unless mod_status is loaded and the
"ExtendedStatus On" directive is set.
2) Server-wide access restrictions and per-directory access restrictions
are computed separately. In the above example, if someone is
downloading 11 images from http://your.server/somewhere
simultaneously, they WILL be denied on the 11th download, because the
server-wide limit of 10 downloads is not affected by the per-directory
NoIPLimit. If you want to set global settings which can be overruled
by per-directory settings, you will need something like
    <Location />
        # global per-directory settings here
        <Location /somewhere>
            # local per-directory settings here
        </Location>
    </Location>
3) If you are using any module based upon a quick handler hook (such as
mod_cache), mod_limitipconn will not be able to process any
per-directory configuration directives in time to affect the return
result of the other module. This is a technical limitation imposed
by Apache. In such a situation, you will have to use server-wide
configuration directives only.
Note that previous versions of mod_limitipconn did not allow any
server-wide configuration directives, and hence could not be used
with mod_cache at all. In other words, the present situation still
represents an improvement over previous versions.
4) The limits defined by mod_limitipconn.c apply to all IP addresses
connecting to your Apache server. Currently there is no way to set
different limits for different IP addresses.
5) Connections in excess of the limit result in a stock 503 Service
Temporarily Unavailable response. The job of returning a more useful
error message to the client is left as an exercise for the reader.
6) mod_limitipconn sets the LIMITIP environment variable to 1 whenever a
download is denied on the basis of too high an IP count. You can use
this variable to distinguish accesses that have been denied by this
module. For example, a line like
    CustomLog /var/log/httpd/access_log common env=!LIMITIP
in httpd.conf can be used to suppress logging of denied connections
from /var/log/httpd/access_log. (Note that, if you really want to
suppress logging, you'll probably also want to comment out the
ap_log_rerror lines from mod_limitipconn.c as well.)
7) By default, all clients behind a proxy are treated as coming from the
proxy server's IP address. If you wish to alter this behavior,
consider installing mod_extract_forwarded from
http://web.warhound.org/mod_extract_forwarded/
Test example:
[root@node02 ~]# cat /etc/httpd/conf.d/limitipconn.conf
LoadModule limitipconn_module modules/mod_limitipconn.so
ExtendedStatus On
<IfModule mod_limitipconn.c>
    <Location />
        ##--/ Use a relative path here, because in my tests it did not take effect when I used the absolute path /var/www/html/.
        MaxConnPerIP 2
        NoIPLimit image/*
    </Location>
    <Location /mp3>
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
    </Location>
</IfModule>
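After configuring it, I put a large file in the /var/www/html/ directory and downloaded it with Xunlei (Thunder); only 2 threads were possible, and if you then open a web page you are told the service is unavailable: Service Temporarily Unavailable
However, if you test the thread limit with a browser, the effect is hard to see, because when you refresh the page you do not see ESTABLISHED on the server side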
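To observe on the server side the per-IP ESTABLISHED count that the test above compares against MaxConnPerIP, the following added example (not part of the original post or of the module's README) counts ESTABLISHED connections per remote IP from `netstat -tn` output and lists the IPs at or above a given limit. The function names conns_at_limit and sample_netstat, the addresses and the netstat sample are constructed for illustration.

```shell
#!/bin/sh
# Count ESTABLISHED TCP connections per remote IP to one local port, reading
# `netstat -tn` output on stdin, and list the IPs at or above the limit.
# On a live server: netstat -tn | conns_at_limit 80 2
conns_at_limit() {
    port="$1"; limit="$2"
    awk -v port="$port" -v limit="$limit" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            # Column 4 is the local address, column 5 the remote one; the
            # port is whatever follows the last colon (covers ::ffff:a.b.c.d:80).
            n = split($4, l, ":")
            if (l[n] != port) next
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # drop the remote port
            sub(/^::ffff:/, "", ip)   # fold IPv4-mapped IPv6 into plain IPv4
            count[ip]++
        }
        END {
            for (ip in count)
                if (count[ip] >= limit) print count[ip], ip
        }' | sort -k1,1nr -k2,2
}

# Constructed sample of `netstat -tn` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0  14480 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.5:40022       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:33810       ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:33811 ESTABLISHED
EOF
}

# With the MaxConnPerIP 2 setting from the test configuration above:
sample_netstat | conns_at_limit 80 2
```

Connections in TIME_WAIT and connections to other ports are ignored, so the output shows only the clients that currently hold as many ESTABLISHED connections as the limit allows.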