QS_ClientEventLimitCount not working as expected

Don Juma
2022-04-22
2022-04-23
  • Don Juma

    Don Juma - 2022-04-22

    Hello,

    I am trying to use mod_qos to rate limit a multi-tenant Apache instance based on Host header. For the most part, the logic is working as expected. However, even though mod_qos is correctly sending a 429 response code back to the client, it is still also allowing the request to proxy_pass to the upstream. I am intending to use this tool for DDoS mitigations and thus I need it to not saturate the upstream when the client has exceeded their limit. It should just return a 429 and not proxy the request. Please let me know if anything looks wrong.

    Thank you.

    mod_qos.conf:

    LoadModule qos_module modules/mod_qos.so
    LoadModule setenvifplus_module modules/mod_setenvifplus.so
    
    <IfModule qos_module>
      <Location /qos>
        SetHandler qos-viewer
      </Location>
    
      RequestHeaderPlus unset X-Hash
      SetEnvIfPlus Host (.*) virtualIP=$1
      SetHashHeaderPlus X-Hash virtualIP
      QS_ClientIpFromHeader X-Hash
    
      # Intentionally set very low for testing
      QS_ClientEventLimitCount 6 600 virtualIP
    
      QS_ErrorResponseCode 429
    </IfModule>
    

    httpd.conf sample:

    ErrorDocument 404 /error_page.html
    ErrorDocument 429 /error_page.html
    
    <Location "/error_page.html">
        RewriteEngine off
        Require all granted
    </Location>
    
    LogLevel notice
    
    <VirtualHost *:80>
        ProxyPreserveHost On
    
        ProxyPass / http://127.0.0.1:8001/
        ProxyPassReverse / http://127.0.0.1:8001/
    </VirtualHost>
    

    example log entry:

    Apr 21 18:19:40 httpd[7635]: [Thu Apr 21 18:19:40.564913 2022] [qos:error] [client 1.2.3.4:56789] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=virtualIP, max=6, current=25, age=80, c=1234:abcd:efgh:5678:43e8:2c14:d0e1:9ad7
    

    Client sees only a 429, but the upstream (127.0.0.1:8001) shows request is still forwarded up.

     
    • Pascal Buchbinder

      I don't see any reason why mod_proxy would forward the blocked request to the target web server. Which Apache version and which mod_qos version are you using?
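
A lab check for the behaviour reported in this thread, added here as an example and not code from either poster or from mod_qos: a stub backend counts what the proxy forwards while a probe tallies the status codes the client receives. The host name `tenant-a.example`, the request count and Apache listening on 127.0.0.1:80 are assumptions; 127.0.0.1:8001 is the ProxyPass target from the post.

```python
import http.client
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Key by (Host, path); ProxyPreserveHost On passes the tenant's Host through.
        with self.server.lock:
            self.server.hits[(self.headers.get("Host", ""), self.path)] += 1
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request console output
        pass


class CountingUpstream(ThreadingHTTPServer):
    """Stand-in backend that records every request that reaches it."""
    def __init__(self, addr):
        super().__init__(addr, _Handler)
        self.hits, self.lock = Counter(), threading.Lock()
        threading.Thread(target=self.serve_forever, daemon=True).start()


def probe(front_addr, host, n, path="/"):
    """Send n GETs to front_addr with the given Host; tally status codes."""
    statuses = Counter()
    for _ in range(n):
        conn = http.client.HTTPConnection(*front_addr, timeout=5)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        statuses[resp.status] += 1
        conn.close()
    return statuses


def leaked(statuses, upstream_hits, denied=429):
    """Upstream requests in excess of those the front end did not deny."""
    allowed = sum(statuses.values()) - statuses.get(denied, 0)
    return max(0, upstream_hits - allowed)


if __name__ == "__main__":
    up = CountingUpstream(("127.0.0.1", 8001))  # assumed: real backend stopped
    seen = probe(("127.0.0.1", 80), "tenant-a.example", 20)  # assumed: Apache on :80
    print(dict(seen), dict(up.hits), "leaked:", leaked(seen, sum(up.hits.values())))
```

Each key of `up.hits` is a (Host, path) pair, so the output also shows which URL the upstream received for every forwarded request.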

       
