QS_ClientEventBlockCount - how to find what triggered an event

Andrew
2013-09-12
2013-09-13
  • Andrew

    Andrew - 2013-09-12

    We see the following messages in the error log that say that IP 10.125.144.24 has been blocked due to a high number of QS_Block events:

    [Thu Sep 12 01:56:29 2013] [notice] mpmstats: bsy: 2 in mod_was_ap22_http.c
    [Thu Sep 12 02:03:28 2013] [error] [client 10.125.144.24] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=20, current=20, c=10.125.144.24, id=d7ZDkwp9XaAAAE5kbYYAAAAe, referer: http://mysite.com/Page.jsp
    [Thu Sep 12 02:03:28 2013] [error] [client 10.125.144.24] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=20, current=21, c=10.125.144.24, id=d7ZVrQp9XaAAAD@iG2QAAABG, referer: http://mysite.com/Page.jsp
    [Thu Sep 12 02:03:28 2013] [error] [client 10.125.144.24] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=20, current=22, c=10.125.144.24, id=d7bzSwp9XaAAAD@iG2UAAABC, referer: http://mysite.com/Page.jsp
    [Thu Sep 12 02:03:28 2013] [error] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=20, current=23, c=10.125.144.24
    [Thu Sep 12 02:03:28 2013] [error] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=20, current=24, c=10.125.144.24
    [Thu Sep 12 02:03:28 2013] [error] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=20, current=25, c=10.125.144.24
    [Thu Sep 12 02:03:28 2013] [error] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=20, current=26, c=10.125.144.24
    [Thu Sep 12 02:03:28 2013] [error] mod_qos(060): access denied, QS_ClientEventBlockCount rule: max=20, current=27, c=10.125.144.24
    

    Checking the logs, I see no errors on the Apache side; all the requests are served with 200 or 304 status codes... I only see 500 appearing as a result of QoS blocking.

    Right before the error appears in the logs there are about 60 requests coming from that IP within a second (all served with 200). In our QoS config we have this IP excluded from QS_SrvMaxConnPerIP by QS_SrvMaxConnExcludeIP and there are no QS_SrvMaxConnPerIP rule errors in the logs.

    QoS config:

    # will allow only 30 connections per IP
    QS_SrvMaxConnPerIP       30
    
    # disables connection restrictions for certain clients:
    QS_SrvMaxConnExcludeIP   127.0.0.1 
    QS_SrvMaxConnExcludeIP   10.125.144.25
    
    # allows privileged access to a single resource:
    SetEnvIf     Request_URI /server-status          QS_VipRequest=yes
    SetEnvIf     Request_URI /qos                    QS_VipRequest=yes
    
    # block clients violating some basic rules frequently (don't allow more than 20
    # violations within 5 minutes):
    QS_ClientEventBlockCount 20 300
    QS_SetEnvIfStatus        400               QS_Block
    QS_SetEnvIfStatus        401               QS_Block
    QS_SetEnvIfStatus        403               QS_Block
    QS_SetEnvIfStatus        404               QS_Block
    QS_SetEnvIfStatus        405               QS_Block
    QS_SetEnvIfStatus        406               QS_Block
    QS_SetEnvIfStatus        408               QS_Block
    QS_SetEnvIfStatus        411               QS_Block
    QS_SetEnvIfStatus        413               QS_Block
    QS_SetEnvIfStatus        414               QS_Block
    QS_SetEnvIfStatus        417               QS_Block
    QS_SetEnvIfStatus        500               QS_Block
    QS_SetEnvIfStatus        503               QS_Block
    QS_SetEnvIfStatus        505               QS_Block
    QS_SetEnvIfStatus        QS_SrvMinDataRate QS_Block
    QS_SetEnvIfStatus        NullConnection    QS_Block
    

    How would it be possible to know what triggered the QS_Block event?

     
  • Pascal Buchbinder

    You may add

    SetEnvIf     Remote_Addr   127.0.0.1      QS_VipRequest=yes
    SetEnvIf     Remote_Addr   10.125.144.25  QS_VipRequest=yes
    QS_SetEnvIf  QS_VipRequest QS_Block       !QS_Block
    

    to the end(!) of your configuration in order to exclude these two clients from the QS_ClientEventBlockCount limitation

     
  • Andrew

    Andrew - 2013-09-12

    Thanks Pascal, I will try that.

    Do you know if there's any way to log the QS_Block event? Maybe this way I get more info on what's causing the issue.

     
  • Pascal Buchbinder

    You may want to write the QS_Block variable to the log file (%{QS_Block}e), just count the response status codes, or watch for QS_SrvMinDataRate errors.
    Connections without any requests, detected by configuring the NullConnection event, are not logged and stay invisible.
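
One way to act on the logging suggestion above, as an added example that is not part of the thread and is not mod_qos code: a script that reads an access log carrying `%{QS_Block}e` and reports, per client, which status codes made up the 20 events. The `LogFormat` line, the function names and the sample lines are assumptions, and the sliding window only approximates how the `QS_ClientEventBlockCount 20 300` counter is kept.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Assumed access log format (not from the thread):
#   LogFormat "%h %t \"%r\" %>s %{QS_Block}e" qosblock
LINE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def parse(line):
    """Return (client, time, status, flagged), or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ip, ts, _request, status, qs_block = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    # Apache writes "-" for an unset environment variable; any other
    # value is treated as "QS_Block was set on this request".
    return ip, when, int(status), qs_block != "-"

def block_triggers(lines, limit=20, window=300):
    """For each client reaching `limit` flagged requests within `window`
    seconds, return the time the limit was hit and the status codes counted."""
    recent = defaultdict(deque)  # client -> (time, status) of flagged requests
    hits = {}
    for ip, when, status, flagged in filter(None, map(parse, lines)):
        if not flagged or ip in hits:
            continue
        q = recent[ip]
        q.append((when, status))
        while (when - q[0][0]).total_seconds() > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= limit:
            hits[ip] = (when, Counter(s for _, s in q))
    return hits

# Constructed sample: 18 x 404 and 2 x 403 from one client, plus clean traffic.
# The logged QS_Block value ("1") is constructed; only set/unset matters here.
SAMPLE = (
    ['192.0.2.10 [12/Sep/2013:02:03:%02d +0000] "GET /missing%d HTTP/1.1" 404 1'
     % (i, i) for i in range(18)]
    + ['192.0.2.10 [12/Sep/2013:02:03:2%d +0000] "GET /admin HTTP/1.1" 403 1' % i
       for i in range(2)]
    + ['192.0.2.20 [12/Sep/2013:02:03:30 +0000] "GET /Page.jsp HTTP/1.1" 200 -']
)

if __name__ == "__main__":
    for ip, (when, codes) in block_triggers(SAMPLE).items():
        print(ip, when.isoformat(), dict(codes))
```

As noted in the reply above, connections counted through the NullConnection event never reach the access log, so they cannot appear in this report.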

     