Configuration and logging

puneet
2013-03-20
2013-05-23
  • puneet
    2013-03-20

    Can you please help me with the following questions:

    1. How do we log mod_qos variables? For example, QS_Block. I am using %{QS_Block}e but this is not working.
    2. If I want to exclude QS_ClientEventBlockCount for some conditions, what should be the order for the following?
          QS_ClientEventBlockCount 20 300
          QS_SetEnvIfStatus        400               QS_Block
          SetEnvIf Remote_Addr 199.59.162.168 IgnoreIP=yes
          QS_SetEnvIf IgnoreIP QS_Block !QS_Block
    3. I want to use QS_ClientGeoCountryPriv. Do I need to have a geographical database file, and is it necessary to mention QS_ClientGeoCountryDB <path>?
    4. If I want to log QS_Country, where can I get the geographical database file? The one in the mod_qos configuration seems to be a test file.
    5. If I have the rule QS_ClientEventBlockCount, is there any way I can know why an IP was blocked and which individual QS_Block events were triggered? Currently the information which is logged is not that useful, as it is just
          QS_ClientEventBlockCount rule: max=50, current=51

     
  • 1: mod_qos uses Apache's per request event table to store events and you may log them within the custom or transfer log using the syntax you mentioned above (%{<variable>}e).

    2: Your proposal looks fine. Check http://opensource.adnovum.ch/mod_qos/mod_qos_seq.gif to verify when a variable may be set/unset/processed.

    3+4: Yes, you need to download a database file, e.g. MaxMind's GeoLite Country CSV database file. MaxMind distributes the GeoLite databases under the "Creative Commons Attribution-ShareAlike 3.0 Unported" license.

    5: mod_qos uses a single counter which is incremented for each QS_Block event. There is no additional information about the reason stored (the module does not know what has set the QS_Block variable).

     
  • puneet
    2013-03-25

    Thanks a lot for your detailed response.

    I still have a problem with 2. I don't want to block any internal IP. So my config is as follows:

    QS_SetEnvIfStatus        400               QS_Block
    QS_SetEnvIfStatus        401               QS_Block
    QS_SetEnvIfStatus        403               QS_Block
    QS_SetEnvIfStatus        405               QS_Block
    QS_SetEnvIfStatus        406               QS_Block
    QS_SetEnvIfStatus        408               QS_Block
    QS_SetEnvIfStatus        411               QS_Block
    QS_SetEnvIfStatus        413               QS_Block
    QS_SetEnvIfStatus        414               QS_Block
    QS_SetEnvIfStatus        417               QS_Block
    QS_SetEnvIfStatus        505               QS_Block
    QS_SetEnvIfStatus        QS_SrvMinDataRate QS_Block
    QS_SetEnvIfStatus        NullConnection    QS_Block
    BrowserMatch             "curl"           QS_Block

    SetEnvIf Remote_Addr  192.168. IgnoreIP=yes

    # unset the QS_Block variable
    QS_SetEnvIf IgnoreIP QS_Block !QS_Block

    QS_ClientEventBlockCount 50 300

    But it is still blocking internal IPs. Error logs:
    mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=50, current=53, c=192.168.11.33

    And for some cases it seems to work.
    If I write a script to run the curl command more than 50 times, it is not blocking. Can you please help me with that?

    Also, can you please explain NullConnection to me? The explanation in mod_qos is not very clear. It states:

    "the special code NullConnection detects connections which are closed even no HTTP request has been received."

     
  • NullConnection indicates TCP connections without HTTP requests. It may be used to detect and deny SSL DoS attacks. You can't exclude an IP from this counter since the

    SetEnvIf Remote_Addr 192.168. IgnoreIP=yes

    directive won't be executed without any HTTP request data.
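
Added example (not part of the original thread, and not mod_qos code): a Python script that tallies the `mod_qos(060)` denials quoted above per client and flags addresses the configuration meant to exempt. The sample log lines, their timestamp prefix, and the 192.168.0.0/16 range standing in for the `SetEnvIf Remote_Addr 192.168.` pattern are assumptions.

```python
import ipaddress
import re

# Message format as quoted in the thread's error log excerpt.
DENY_RE = re.compile(
    r"mod_qos\(060\): access denied, QS_ClientEventBlockCount rule: "
    r"max=(?P<max>\d+), current=(?P<current>\d+), c=(?P<client>[0-9A-Fa-f.:]+)"
)

# Assumption: stands in for "SetEnvIf Remote_Addr 192.168. IgnoreIP=yes".
# SetEnvIf takes a regex, so the directive itself matches more loosely than a /16.
EXEMPT_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample; the timestamp/level prefix is illustrative only.
SAMPLE_LOG = """\
[Mon Mar 25 10:15:02 2013] [error] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=50, current=53, c=192.168.11.33
[Mon Mar 25 10:15:04 2013] [error] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=50, current=54, c=192.168.11.33
[Mon Mar 25 10:16:40 2013] [error] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=50, current=51, c=203.0.113.7
[Mon Mar 25 10:17:01 2013] [error] unrelated message, c=192.168.11.40
[Mon Mar 25 10:17:09 2013] [error] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=50, current=51, c=999.1.1.1
"""


def summarize_denials(lines, exempt_nets=EXEMPT_NETS):
    """Return {client: {"denials", "peak", "max", "exempt"}} for blocked clients."""
    stats = {}
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["client"])
        except ValueError:
            continue  # client field is not a valid address; ignore the line
        entry = stats.setdefault(str(addr), {
            "denials": 0, "peak": 0, "max": int(m["max"]),
            "exempt": any(addr in net for net in exempt_nets),
        })
        entry["denials"] += 1
        entry["peak"] = max(entry["peak"], int(m["current"]))
    return stats


def exempt_but_denied(stats):
    """Clients inside an exempt range that were blocked anyway."""
    return sorted(c for c, s in stats.items() if s["exempt"])


if __name__ == "__main__":
    for client in exempt_but_denied(summarize_denials(SAMPLE_LOG.splitlines())):
        print("exempt client was denied:", client)
```

A hit from `exempt_but_denied` means QS_Block events were counted for that client without the exemption taking effect, which is what the reply above describes for NullConnection.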

     
  • puneet
    2013-04-02

    Hi,

    Your response was very helpful.

    I am trying to use QS_ClientIpFromHeader as I am using X-Forwarded-Ip. But I think QS_ClientEventBlockCount is not using the x-forwarded IP from the header.
    Can you tell me which directives it can be used with?

    Will it work in conjunction with the following?
    1. Connection level rules
    QS_ClientEventBlockCount (as it blocks requests at connection level)
    QS_SrvMaxConnPerIP
    QS_SrvMaxConnClose
    QS_SrvMinDataRate
    P.S.: As per my understanding, QS_ClientIpFromHeader will not be useful in conjunction with it, as it's at connection level.

     
  • QS_ClientEventLimitCount and QS_Country can be used in conjunction with QS_ClientIpFromHeader.