[Apache] Патч для ограничения максимального числа запросов с одного IP (patch apache limit)
Ключевые слова: patch, apache, limit, (найти похожие документы)
Date: Sat, 19 Jan 2002 13:40:39 +0300
Subject: [Apache] Патч для ограничения максимального числа запросов с одного IP
diff -ur src/include/http_conf_globals.h.orig src/include/http_conf_globals.h
--- src/include/http_conf_globals.h.orig Sat Oct 14 13:10:59 2000
+++ src/include/http_conf_globals.h Tue Nov 28 18:24:51 2000
@@ -89,6 +89,8 @@
extern API_VAR_EXPORT int ap_daemons_limit;
extern API_VAR_EXPORT int ap_suexec_enabled;
extern int ap_listenbacklog;
+extern int ap_daemons_max_by_ip;
+extern int ap_daemons_max_by_ip_read;
extern int ap_dump_settings;
extern API_VAR_EXPORT int ap_extended_status;
diff -ur src/include/http_main.h.orig src/include/http_main.h
--- src/include/http_main.h.orig Sat Oct 14 13:11:00 2000
+++ src/include/http_main.h Tue Nov 28 18:24:51 2000
@@ -129,6 +129,9 @@
void setup_signal_names(char *prefix);
+void update_child_status_remote_ip (int, conn_rec *);
+int count_connections (conn_rec *, int);
+
#ifndef NO_OTHER_CHILD
/*
* register an other_child -- a child which the main loop keeps track of
diff -ur src/include/httpd.h.orig src/include/httpd.h
--- src/include/httpd.h.orig Sat Oct 14 18:16:51 2000
+++ src/include/httpd.h Tue Nov 28 18:24:51 2000
@@ -299,6 +299,12 @@
#define DEFAULT_MIN_FREE_DAEMON 5
#endif
+/* Define default limits for MaxDaemons serving a single address */
+
+#define DEFAULT_MAX_DAEMONS_BY_IP 150
+#define DEFAULT_MAX_DAEMONS_BY_IP_READ 75
+#define LIMIT_CONNECTIONS_BY_IP_ERROR HTTP_SERVICE_UNAVAILABLE
+
/* Limit on the total --- clients will be locked out if more servers than
* this are needed. It is intended solely to keep the server from crashing
* when things get out of hand.
diff -ur src/include/scoreboard.h.orig src/include/scoreboard.h
--- src/include/scoreboard.h.orig Sat Oct 14 12:56:05 2000
+++ src/include/scoreboard.h Tue Nov 28 18:24:51 2000
@@ -160,6 +160,7 @@
char request[64]; /* We just want an idea... */
server_rec *vhostrec; /* What virtual host is being accessed? */
/* SEE ABOVE FOR SAFE USAGE! */
+ unsigned long remoteip;
} short_score;
typedef struct {
diff -ur src/main/http_config.c.orig src/main/http_config.c
--- src/main/http_config.c.orig Sat Oct 14 13:11:04 2000
+++ src/main/http_config.c Tue Nov 28 18:24:51 2000
@@ -1498,6 +1498,8 @@
ap_daemons_to_start = DEFAULT_START_DAEMON;
ap_daemons_min_free = DEFAULT_MIN_FREE_DAEMON;
ap_daemons_max_free = DEFAULT_MAX_FREE_DAEMON;
+ ap_daemons_max_by_ip = DEFAULT_MAX_DAEMONS_BY_IP;
+ ap_daemons_max_by_ip_read = DEFAULT_MAX_DAEMONS_BY_IP_READ;
ap_daemons_limit = HARD_SERVER_LIMIT;
ap_pid_fname = DEFAULT_PIDLOG;
ap_scoreboard_fname = DEFAULT_SCOREBOARD;
diff -ur src/main/http_core.c.orig src/main/http_core.c
--- src/main/http_core.c.orig Sat Oct 14 13:11:05 2000
+++ src/main/http_core.c Tue Nov 28 18:24:52 2000
@@ -2237,6 +2237,16 @@
return NULL;
}
+const char * set_max_servers_by_ip (cmd_parms *cmd, void *dummy, char *arg) {
+ ap_daemons_max_by_ip = atoi (arg);
+ return NULL;
+}
+
+const char * set_max_servers_by_ip_read (cmd_parms *cmd,void *dummy,char *arg) {
+ ap_daemons_max_by_ip_read = atoi (arg);
+ return NULL;
+}
+
static const char *set_min_free_servers(cmd_parms *cmd, void *dummy, char *arg)
{
const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
@@ -2931,6 +2941,10 @@
"Maximum number of idle children" },
{ "MaxServers", set_max_free_servers, NULL, RSRC_CONF, TAKE1,
"Deprecated equivalent to MaxSpareServers" },
+{ "MaxServersPerIP", set_max_servers_by_ip, NULL, RSRC_CONF, TAKE1,
+ "Maximum number of connections from a single IP address" },
+{ "MaxServersPerIPRead", set_max_servers_by_ip_read, NULL, RSRC_CONF, TAKE1,
+ "Maximum number of connection from a single IP address in read state at any time." },
{ "ServersSafetyLimit", set_server_limit, NULL, RSRC_CONF, TAKE1,
"Deprecated equivalent to MaxClients" },
{ "MaxClients", set_server_limit, NULL, RSRC_CONF, TAKE1,
diff -ur src/main/http_main.c.orig src/main/http_main.c
--- src/main/http_main.c.orig Sat Oct 14 13:11:06 2000
+++ src/main/http_main.c Tue Nov 28 18:31:51 2000
@@ -253,6 +253,8 @@
API_VAR_EXPORT int ap_daemons_to_start=0;
API_VAR_EXPORT int ap_daemons_min_free=0;
API_VAR_EXPORT int ap_daemons_max_free=0;
+API_VAR_EXPORT int ap_daemons_max_by_ip;
+API_VAR_EXPORT int ap_daemons_max_by_ip_read;
API_VAR_EXPORT int ap_daemons_limit=0;
time_t ap_restart_time=0;
API_VAR_EXPORT int ap_suexec_enabled = 0;
@@ -2303,6 +2305,38 @@
return old_status;
}
+void update_child_status_remote_ip (int child_num, conn_rec * current_conn)
+{
+ int slot_size;
+ short_score new_score_rec;
+
+ if (child_num < 0) { return; }
+
+
+ ap_sync_scoreboard_image();
+ new_score_rec = ap_scoreboard_image->servers[child_num];
+
+ slot_size = sizeof(new_score_rec.remoteip) - 1;
+
+ if (current_conn)
+ {
+ new_score_rec.remoteip = current_conn->remote_addr.sin_addr.s_addr;
+ }
+ else
+ {
+ new_score_rec.remoteip = 0;
+ }
+#if defined(HAVE_MMAP) || defined(HAVE_SHMGET)
+ memcpy(&ap_scoreboard_image->servers[child_num], &new_score_rec, sizeof new_score_rec);
+#else
+ lseek (scoreboard_fd, (long)child_num * sizeof(short_score), 0);
+ force_write (scoreboard_fd, (char*)&new_score_rec, sizeof(short_score));
+#endif
+
+ ap_sync_scoreboard_image();
+}
+
+
static void update_scoreboard_global(void)
{
#ifdef SCOREBOARD_FILE
@@ -2313,6 +2347,26 @@
#endif
}
+int count_connections (conn_rec * current_conn, int state)
+{
+ unsigned long remote_ip = current_conn->remote_addr.sin_addr.s_addr;
+ int res = 0, i;
+
+ for (i = 0; i < HARD_SERVER_LIMIT; i++)
+ {
+ if ((ap_scoreboard_image->servers[i].status == SERVER_DEAD) ||
+ (state > 0 && ap_scoreboard_image->servers[i].status != state))
+ {
+ continue;
+ }
+ if (ap_scoreboard_image->servers[i].remoteip == remote_ip)
+ {
+ res++;
+ }
+ }
+ return res;
+}
+
void ap_time_process_request(int child_num, int status)
{
short_score *ss;
@@ -4189,12 +4243,15 @@
* until no requests are left or we decide to close.
*/
- while ((r = ap_read_request(current_conn)) != NULL) {
+ for (;;){
+ if (ap_daemons_max_by_ip || ap_daemons_max_by_ip_read)
+ update_child_status_remote_ip (my_child_num, (conn_rec *)current_conn);
+
+ if ((r = ap_read_request(current_conn)) == NULL) break;
/* read_request_line has already done a
* signal (SIGUSR1, SIG_IGN);
*/
-
(void) ap_update_child_status(my_child_num, SERVER_BUSY_WRITE, r);
/* process the request if it was read without error */
@@ -5463,6 +5520,10 @@
* client has ACKed our FIN and/or has stopped sending us data.
*/
ap_kill_cleanups_for_socket(ptrans, csd);
+
+ if (daemons_max_by_ip || daemons_max_by_ip_read)
+ update_child_status_remote_ip (child_num, (conn_rec *)NULL);
+
#ifdef NO_LINGCLOSE
ap_bclose(conn_io); /* just close it */
diff -ur src/main/http_protocol.c.orig src/main/http_protocol.c
--- src/main/http_protocol.c.orig Sat Oct 14 18:16:51 2000
+++ src/main/http_protocol.c Tue Nov 28 18:24:52 2000
@@ -73,6 +73,15 @@
#include "http_log.h" /* For errors detected in basic auth common
* support code... */
#include "util_date.h" /* For parseHTTPdate and BAD_DATE */
+
+#include "scoreboard.h" /* for limiting connections by IP */
+#ifndef LONG_STRING_LEN
+#define LONG_STRING_LEN 2048
+#endif /* LONG_STRING_LEN */
+extern int ap_daemons_max_by_ip;
+extern int ap_daemons_max_by_ip_read;
+extern void ap_die();
+
#include <stdarg.h>
#include "http_conf_globals.h"
@@ -1039,6 +1048,8 @@
pool *p;
const char *expect;
int access_status;
+ int current_connections;
+ char *reject_state = NULL;
p = ap_make_sub_pool(conn->pool);
r = ap_pcalloc(p, sizeof(request_rec));
@@ -1070,6 +1081,33 @@
r->read_length = 0;
r->read_body = REQUEST_NO_BODY;
+ if (ap_daemons_max_by_ip && ((current_connections = count_connections(conn,0))
+ > ap_daemons_max_by_ip))
+ {
+ r->request_time=time(NULL);
+ reject_state = "total";
+ }
+ else if (ap_daemons_max_by_ip_read &&
+ ((current_connections = count_connections(conn,SERVER_BUSY_READ))
+ > ap_daemons_max_by_ip_read))
+ {
+ reject_state = "read state";
+ }
+ if (reject_state) {
+ r->status = HTTP_OK;
+ r->request_time = time(NULL);
+ r->proto_num = 1000; /* or something */
+ r->assbackwards = 0; /* who knows... */
+ r->protocol = "HTTP/1.0"; /* just not empty */
+ r->the_request = NULL;
+ r->method = NULL;
+ r->method_number = M_INVALID;
+ ap_die(LIMIT_CONNECTIONS_BY_IP_ERROR, r);
+ ap_log_transaction(r);
+ ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, conn->server, "Client at %s for %s with %d %s current connections", conn->remote_ip, conn->server->server_hostname, current_connections, reject_state);
+ return NULL;
+ }
+
r->status = HTTP_REQUEST_TIME_OUT; /* Until we get a request */
r->the_request = NULL;
| 1, Andrei (?), 18:19, 24/02/2004 [ответить]
| +/– |
 Курите гугл или debian на предмет limitipconn apache
т.к.
libapache-mod-limitipconn - Module for Apache which limits simultaneous connections per IP
Andrei. | | |
|
