I’m trying to understand the HttpLimitReqModule, the wiki is a bit
unverbose about the terminology.
I’m trying to mimic Apache’s mod_evasive module, specifically there is
an annoying user that likes to request the same image once every
second for hours at a time. I would like to log this and then use
fail2ban to block the IP for a specific time. The problem is that the
image in question is a legitimate request that shows up on every page
of the site in question. What I had in mind:
The problem is the low rate with which the offending requests are
made. mod_evasive lets you set up a timespan in which a specific
number of requests are made, while nginx checks “online” if a second
request is made after 1/rate. In my case (1 offending request per
second), legitimate users would be blocked if they load 2 pages in one
second, which of course happens frequently.
On Fri, Feb 25, 2011 at 11:04:34AM +0100, Adrian von Stechow wrote:
made. mod_evasive lets you set up a timespan in which a specific
number of requests are made, while nginx checks “online” if a second
request is made after 1/rate. In my case (1 offending request per
second), legitimate users would be blocked if they load 2 pages in one
second, which of course happens frequently.
Any suggestions?
Set burst= to be high enough to accomodate occasional request
bursts from legitimate users, and rate= to be somewhere between
typical one for legitimate users (on average during relatively
long time period) and offending one.
If you just want to block offending user which does 60 requests
per minute, and your typical users do about 1 requests per
minute, but occasinally may produce something like 100 requests in
short time frame, you may set something like:
This will allow legitimate users to do 10r/m on average and up to
100 requests in the very same second. On the other hand,
offending user with 60 r/m will start getting 503’s after about 2
minutes: 120 requests with 20 allowed by rate will overflow
burst.