
limit connection by originating client ip

2016-10-20
2016-10-24
  • Mandrick Ko

    Mandrick Ko - 2016-10-20

    Hi,

    I have users connecting to my web server from the internal network (some connect to the web server directly, some come in via NAT) of the company as well as users connecting to the server remotely via Citrix. In short, our environment is a mix of direct access, plus NAT and Citrix.

    While direct connections show unique IP addresses in the TCP connections, those coming via NAT/Citrix always show the same IP address in the connections.

    I would need to stop only the connections (based on the originating client IP addresses of the connections, regardless of whether they are direct connections or via NAT/Citrix) that violate the connection and request limits set in mod_qos. I suppose I can perform this restriction simply by telling NAT/Citrix to write the originating client IP to the HTTP request header and applying QS_ClientIpFromHeader and QS_ClientEventLimitCount in mod_qos. Here below are my settings in my qos.conf:

    <IfModule mod_qos.c>
    # handle connections from up to 50000 different IPs
    QS_ClientEntries 50000
    # allows max 50 connections from a single ip address:
    QS_SrvMaxConnPerIP 50
    # limits the connections for this virtual host:
    QS_SrvMaxConn 2000
    # allows keep-alive support till the server reaches 70% of the max allowed connections:
    QS_SrvMaxConnClose 70%
    # we are going to get the originating client ip (with property name NS-Client-IP) from the http header
    QS_ClientIpFromHeader NS-Client-IP
    # for any originating client ip, we allow them to have max 300 requests in 3 mins
    QS_ClientEventLimitCount 300 180
    </IfModule>

    For testing, I have a program that would write faked "originating client IP" to a header variable NS-Client-IP of the http request header and try to flood the server with lots of requests.

    I did verify in the log that NS-Client-IP is indeed written to the HTTP request header.

    However, I found in my apache error.log the following error:

    [Tue Oct 18 15:55:02.506213 2016] [:error] [pid 14383:tid 139721258825472] [client 127.0.0.1:42578] mod_qos(069): no valid IP header found (@hp): header 'NS-Client-IP' not available, fallback to connection's IP 127.0.0.1, id=lk7Mfhw-BQB-AAEBQAAAAC84AAAA9-9jGasFWBN-AAA, referer: ...

    What is wrong with my setting? Could anyone advise me how I should fix it to get this working in this mixed direct access/NAT/Citrix environment?

    I am grateful for any clue and help.

    Best Regards,
    Mandrick


    Last edit: Mandrick Ko 2016-10-20
  • Pascal Buchbinder

    Hi Mandrick
    In such a "hybrid" setup, you should ensure that only "trusted" sources are allowed to send the IP address via HTTP request headers.

    Example using http://modsetenvifplus.sourceforge.net/:

    SetEnvIfPlus Remote_Addr ^(10\.[0-9.]+|172\.1[6-9]\.[0-9.]+|172\.2[0-9]\.[0-9.]+|172\.3[0-1]\.[0-9.]+|192\.168\.[0-9.]+|127\.[0-9.]+)$ private_net=$1
    SetEnvIfPlus Remote_Addr (.*) other_net=$1
    RequestHeaderPlus set NS-Client-IP ${other_net} env=!private_net 
    

    Second, I would log the NS-Client-IP header (using %{NS-Client-IP}i within the LogFormat).

    But about your configuration:
    1) The client IP address can't be read from the HTTP request header fields for directives acting on the connection level (this would be too late) and therefore the QS_ClientIpFromHeader directive has no influence on the QS_SrvMaxConnPerIP, QS_SrvMaxConn, or QS_SrvMaxConnClose directives.
    2) You did not define any event for the QS_ClientEventLimitCount directive.

    Regards, Pascal
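Pascal's three SetEnvIfPlus/RequestHeaderPlus lines above, modelled in Python as an added example (not code from the thread, from mod_qos or from mod_setenvifplus): it shows which TCP peers count as trusted and what value the NS-Client-IP header ends up with before mod_qos reads it. The fallback for a header value that is not an IP address is an assumption based on the "no valid IP header found" message quoted earlier.

```python
import ipaddress
import re

# Same pattern as in the SetEnvIfPlus rule above: RFC 1918 ranges plus loopback.
PRIVATE_NET_RE = re.compile(
    r"^(10\.[0-9.]+|172\.1[6-9]\.[0-9.]+|172\.2[0-9]\.[0-9.]+"
    r"|172\.3[0-1]\.[0-9.]+|192\.168\.[0-9.]+|127\.[0-9.]+)$"
)


def is_private_net(remote_addr):
    """True when the TCP peer matches the private_net rule (a trusted NAT/Citrix hop)."""
    return PRIVATE_NET_RE.match(remote_addr) is not None


def apply_trust_rule(remote_addr, headers, name="NS-Client-IP"):
    """Mirror of 'RequestHeaderPlus set NS-Client-IP ${other_net} env=!private_net':
    a peer outside the private ranges gets the header overwritten with its own
    address, so any value it forged is discarded; a private peer's header is kept."""
    result = dict(headers)
    if not is_private_net(remote_addr):
        result[name] = remote_addr
    return result


def client_ip_for_qos(remote_addr, headers, name="NS-Client-IP"):
    """Address that QS_ClientIpFromHeader would count against, after the trust rule.
    Missing header -> connection IP (the mod_qos(069) fallback quoted in the thread).
    Non-IP header value -> connection IP too (assumption, not verified against mod_qos)."""
    value = apply_trust_rule(remote_addr, headers, name).get(name)
    if value is None:
        return remote_addr, "fallback: header not available"
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return remote_addr, "fallback: header value is not an IP"
    return value.strip(), "header"


if __name__ == "__main__":
    # Constructed sample requests: a NAT hop, a direct internal client, and a
    # flood-test client outside the private ranges that forges the header.
    samples = [
        ("10.20.0.5", {"NS-Client-IP": "192.168.44.9"}),
        ("172.20.1.7", {}),
        ("203.0.113.9", {"NS-Client-IP": "10.0.0.1"}),
    ]
    for peer, hdrs in samples:
        print(peer, "->", client_ip_for_qos(peer, hdrs))
```

The second sample is the situation behind the mod_qos(069) line in the question: a direct internal client sends no header, so the fallback to the connection's IP is the intended behaviour, not a misconfiguration.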

  • Mandrick Ko

    Mandrick Ko - 2016-10-24

    Pascal,

    This info is very helpful. Thank you big time!

    Best Regards,
    Mandrick

  • Ricardo V

    Ricardo V - 2017-06-19

    Hi!
    I'm facing the same issue (Apache 2.4.4-event, mod_qos 11.12).
    I checked that the header is present and it has only one IP (it is logged in access_log).
    I keep getting:

    [Mon Jun 19 13:37:14.401467 2017] [:error] [pid 63779:tid 139933626779392] [client 172.27.150.47:16111] mod_qos(069): no valid IP header found (@hp): header 'X-Forwarded-For' not available, fallback to connection's IP 172.27.147.33, id=WUe3aqwbkhYAAPkjpPUAAAAl

    My config:
    QS_LogOnly on
    QS_ClientEntries 100000
    QS_ClientEventBlockExcludeIP 10.178.174.249
    SetEnvIf Request_URI "^/pai_bus/services/conectividad" QS_Limit
    QS_ClientEventLimitCount 90 30 QS_Limit
    QS_ClientIpFromHeader X-Forwarded-For
    QS_SrvMaxConnClose 75%

    Any help will be much appreciated.
    Best Regards!


    Last edit: Ricardo V 2017-06-19
  • Pascal Buchbinder

    • QS_ClientEventBlockExcludeIP
      Only makes sense in conjunction with QS_ClientEventBlockCount
    • mod_qos(069)
      Looks like the defined header is not present in the request

    Last edit: Pascal Buchbinder 2017-06-20
