
Limiting user sessions sharing same IP

2015-06-23
2015-07-04
  • giorgio paolucci

    Hello,
    I'm trying to limit Thunderbird clients with the Lightning calendar plugin that loop (on certain occasions) with continuous PROPFIND and OPTIONS method requests to my calendar server based on the CalDAV protocol.
    URL patterns are like: https://myserver/groupware/rpc.php/calendar/(user_name)/calendars
    Unfortunately the users' (potentially 10.000) networks are behind NAT, so they share the same IP address.
    My userbase is large (10.000 users).
    Is there any chance to set a limiting rule based on a cookie whose value is set with the username?

    I would be grateful for any clue/help you could provide....

    Thank you in advance

    Best regards.
    Giorgio

     
  • Pascal Buchbinder

    Hi Giorgio
    Thanks for sharing your ideas with us.

    No, there is no "session store" in mod_qos which could count events for individual users.
    mod_qos only features the "per IP store". It would be possible to use this store if we build an "IP like" (128bit, e.g. MD5) hash value for each user name but this would need an extension or a separate Apache module doing it.

    Regards, Pascal

     

    Last edit: Pascal Buchbinder 2015-06-24
  • giorgio paolucci

    Hi Pascal, thanks for your quick feedback. Sad that your wonderful piece of software can't help me in such a situation..:(.
    With ISPs doing more and more NAT with PAT, limiting users doing nasty things is becoming harder and harder.....
    Thank you for your clue anyway.
    Bests.

    Giorgio

     
  • giorgio paolucci

    Hello Pascal,
    sorry to bother you again, but your feedback intrigued me and I'm not sure I have understood your clue....
    Maybe mod_rewrite with a rewrite map bound to an external program could calculate such a one-way hash: user->fakeIPaddress? If that were true, would enhancements to mod_qos be required anyway?

    Bests

    Giorgio

     
  • Pascal Buchbinder

    Proposal:

    • extract the user name from the URL
    • generate an md5 hash looking like an IPv6 address and set it as HTTP request header
    • let mod_qos read the client IP from this header
    • define the limitation you want, e.g. 10x within 30 seconds

    The configuration might look like this:

    RequestHeaderPlus        unset X-Hash
    SetEnvIfPlus             Request_URI ^/groupware/rpc.php/calendar/([\x20-\x2e\x30-\x7e]+)/calendars virtualip=$1
    SetHashHeaderPlus        X-Hash virtualip
    QS_ClientIpFromHeader    X-Hash
    QS_ClientEventLimitCount 10 30 virtualip
    

    Note: you have to install version 0.30 of mod_setenvifplus to configure this

    Regards, Pascal
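
Added example, not part of the original post and not mod_qos or mod_setenvifplus code: a Python model of the proposal above, keying the counter on an MD5 of the user name formatted as an IPv6 address instead of on the shared NAT address. The exact value SetHashHeaderPlus emits and mod_qos's internal counting are assumptions here; the users `alice` and `bob` and the address 203.0.113.7 are constructed sample data.

```python
import hashlib
import ipaddress
import re
from collections import defaultdict, deque

# User-name pattern from the SetEnvIfPlus line (dot in "rpc.php" escaped here).
CALENDAR_URI = re.compile(r"^/groupware/rpc\.php/calendar/([\x20-\x2e\x30-\x7e]+)/calendars")

def virtual_ip(request_uri):
    """IPv6-formatted MD5 of the user name in the URI, or None if no match."""
    m = CALENDAR_URI.match(request_uri)
    if m is None:
        return None
    digest = hashlib.md5(m.group(1).encode("ascii")).digest()  # 16 bytes = 128 bit
    return str(ipaddress.IPv6Address(digest))

class EventLimiter:
    """Simplified sliding-window model of '10 events within 30 seconds' per key."""
    def __init__(self, limit=10, window=30.0):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget events that left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def replay(requests, limiter):
    """requests: (timestamp, nat_ip, uri) tuples. Returns denied count per virtual IP."""
    denied = defaultdict(int)
    for ts, _nat_ip, uri in requests:
        key = virtual_ip(uri)  # key on the user hash, not on the shared NAT address
        if key is not None and not limiter.allow(key, ts):
            denied[key] += 1
    return dict(denied)

# Constructed sample: two users behind one NAT address (203.0.113.7).
ALICE = "/groupware/rpc.php/calendar/alice/calendars"
BOB = "/groupware/rpc.php/calendar/bob/calendars"
SAMPLE = [(i * 0.2, "203.0.113.7", ALICE) for i in range(25)]  # looping client
SAMPLE += [(t, "203.0.113.7", BOB) for t in (1.0, 2.0, 3.0)]   # normal client
SAMPLE.sort()

if __name__ == "__main__":
    print(replay(SAMPLE, EventLimiter()))
```

Only the looping client is throttled; the second user behind the same NAT address keeps its own counter.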

     
  • giorgio paolucci

    Hi Pascal, I'm grateful for your help, I will try your proposal asap.
    Thank you for the time you dedicated to me.
    Bests
    Giorgio

     
  • giorgio paolucci

    Hi Pascal,
    just a post to thank you, and to give some feedback. My issue in applying your suggestion was to stay with a Linux distribution with standard packages, to avoid compiling non-standard modules for each upgrade.
    So I installed an Ubuntu 14.04 with mod_qos_10.28 and Apache 2.4, which I used as a reverse proxy for my web servers. On my web servers I used a rewrite rule bound to an external program to dynamically calculate a fake IPv4 for each username (a static map could also have been used, with periodic updates) and set an HTTP header containing the fake IP address before sending the request to the Ubuntu proxy.
    The mod_qos on the Ubuntu server gets the header and sets the rate limiting policy.
    All seems to be working.
    Thank you for all your help and time.

    Bests
    Giorgio

     
