IP address exclusion for QS_LocRequestLimitMatch

tom
2025-09-24
2025-09-26
  • tom

    tom - 2025-09-24

    I am using QS_LocRequestLimitMatch to restrict the number of concurrent connections to 10 for a particular set of URLs being hammered by bots. This works nicely reducing the server load to something manageable.

    Now I would like to add some IP block excludes for clients on our local network but cannot get this to work. I have tried using QS_SrvMaxConnExcludeIP which some Google AI search results suggest is indirectly possible. I have also tried marking the IPs as VIPs for use with QS_VipIPHeaderName but without success. The documentation on this topic seems a little hard to digest. Does anyone know of any worked examples which show how to do this?

    Thanks
    Tom Crane

     
    • Pascal Buchbinder

      I suggest setting the QS_VipRequest variable for the requests which you want to exclude from the QS_LocRequestLimitMatch rules.

      example for illustration:
      SetEnvIf Remote_Addr 127.0.0.1 QS_VipRequest=yes

       
  • tom

    tom - 2025-09-26

    Thanks for the suggestion. That is one of the things I had tried previously but w/o success. It seems that whatever I set for the IP regex it does not apply it. It even ignores,

    SetEnvIf Remote_Addr .* QS_VipRequest=yes
    

    I know that it is processing the statement because an illegal regex, e.g. just a * by itself produces an error when starting Apache.

    I read that mod_qos advises to use MPM Worker. I am using MPM Event but did try with MPM Worker but it made no difference.

    One possible complicating factor is that my webserver is behind a traffic manager/load balancer and I am using mod_remoteip to log the client's IP. That said, I notice that mod_qos correctly logs the client IP and load balancer IPs as shown here (slightly obfuscated for security),

    [Fri Sep 26 15:34:39.302334 2025] [qos:error] [pid 2146530:tid 2146562] [client 192.168.104.37:0] mod_qos(010): access denied, QS_LocRequestLimit* rule: ^/pq/.+/AS/MZK/.+(rev=|raw=).+$(10), concurrent requests=11, c=192.168.120.21, id=aNakf5TfEGHrGzg1GDDuQwAAAAk
    

    My QS_LocRequestLimitMatch statement (slightly obfuscated for security) used to produce the above log record with the above catch-all QS_VipRequest=yes is,

    QS_LocRequestLimitMatch "^/pq/.+/AS/MZK/.+(rev=|raw=).+$" 10
    

    Is there anything I might be missing?

    Thanks
    Tom Crane

     
    • Pascal Buchbinder

      QS_VipRequest=yes
      Disables some restrictions for this request (see privileged Users). Requires the definition of a VIP header using the QS_VipHeaderName directive (this activates VIP verification).

      You also need to enable the privileged users using the QS_VipHeaderName parameter, as the variable set by SetEnvIf is ignored otherwise. As a name for the header you can choose something that does not exist.

       
  • tom

    tom - 2025-09-26

    Thanks very much for that suggestion. The QS_VipHeaderName statement was the part I had been missing and I now have it working nicely.

    The documentation could be a little clearer on this. I had also been confused by the mod-qos-vip reference assuming it referred to an existing internal mod_qos component rather than being an arbitrary user choosable label.

    Best regards
    Tom Crane
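
The configuration the thread arrives at, combined into one fragment as an added example (not posted by either participant). The 192.168.0.0/16 address pattern, the log format nickname and the log file path are assumptions; the header name is the arbitrary label mentioned in the thread.

```apache
# Added example: address range, log nickname and log path are placeholders.

# Activates VIP verification. Without this directive mod_qos ignores the
# QS_VipRequest variable set below. The header name is an arbitrary label:
# choose one that no backend response ever sends, so that an application
# response cannot mark a client as VIP by accident.
QS_VipHeaderName mod-qos-vip

# Mark requests from the local network as VIP (assumed range 192.168.0.0/16).
# The pattern is an unanchored regex by default: anchor it and escape the dots
# so that addresses such as 10.192.168.5 do not match.
SetEnvIf Remote_Addr "^192\.168\." QS_VipRequest=yes

# Concurrency limit from the thread. Requests carrying QS_VipRequest=yes are
# exempt from it once QS_VipHeaderName is defined.
QS_LocRequestLimitMatch "^/pq/.+/AS/MZK/.+(rev=|raw=).+$" 10

# Check: log the client address next to the variable to confirm that only
# the intended clients are exempted ("-" means the variable was not set).
LogFormat "%a %{QS_VipRequest}e \"%r\" %>s" qosvip
CustomLog logs/qos_vip.log qosvip
```

QS_VipRequest=yes disables some restrictions for the request, not only this one rule, so keep the address pattern as narrow as the exclusion requires.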

     