Re: [mod-security-users] How to restrict hits per uri per unit of time
From: Christian F. <chr...@ne...> - 2017-06-12 04:20:11
Sébastien,

The counter is part of the URI collection in your example. But there is no URI collection in ModSecurity. There are only the documented and pre-defined collections. In your case, the RESOURCE or GLOBAL collection would probably be the one to choose.

But whatever you do, I think mod_qos is better suited to tasks like this than ModSecurity. But I second that you can make this work in ModSec, it's just a bit of an act while it's quite straightforward with mod_qos.

Cheers,

Christian

On Sun, Jun 11, 2017 at 12:18:48PM +0200, Piller Sébastien wrote:
> Hi everybody
>
> I'm trying to configure modsecurity for Apache to limit the number of hits a given resource can be accessed per unit of time (let's say, 10 hits per minute per resource, no matter which IP address does the request). The resources have a URL pattern in the form of "https://myhost/my-resource/my-resource-id"
>
> I have the following configuration in my vhost configuration (adapted from a blog found on the web):
>
>   # Limit the requests count by unit of time.
>   SecRuleEngine On
>
>   # SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog,id:132
>   SecAction initcol:uri=%{REQUEST_URI},pass,nolog,id:232
>   SecAction "phase:5,deprecatevar:uri.counter=10/60,pass,nolog,id:332"
>   SecRule URI:COUNTER "@ge 10" "phase:2,pause:10,deny,status:429,setenv:RATELIMITED,skip:1,nolog,id:432"
>   SecAction "phase:2,pass,setvar:uri.counter=+1,nolog,id:532"
>   Header always set Retry-After "60" env=RATELIMITED
>
>   ErrorDocument 429 "Too Many Requests"
>
> As I understand this snippet, it tells modsecurity "create a variable named uri for each request_uri and associate a counter with each, then decrement it by 10 every 60 seconds. If the current URI's counter reaches the value of 10, fail with an error code 429, else increment it", which is what I need.
>
> This configuration leads to a "uri variable not found" error, which I don't understand why.
>
> If I uncomment the 1st SecAction and change the remaining configuration to reference it, it works (returns a 429 after 10 quick calls), but obviously does not take the URI into account (it fails for any resource, e.g. /my-resource/123 and /my-resource/456).
>
> Could anybody give some help with this? All my attempts fail miserably and I'm not very familiar with Apache's config in general, so I guess I'm missing some important notion here.
>
> PS: Apache is v2.4, mod-security is v2.9
>
> Thank you!
> Thanks!
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

--
https://www.feistyduck.com/training/modsecurity-training-course
mailto:chr...@ne...
twitter: @ChrFolini
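An added example of the approach Christian points at, written for this page and not taken from the thread or from the ModSecurity project: the same leaky counter, but keyed on the pre-defined RESOURCE collection instead of the non-existent URI one. The rule ids, the SecDataDir path and the decision to limit only paths matching /my-resource/<id> are assumptions; everything else uses documented ModSecurity 2.9 directives and actions.

```apache
# Added example: 10 hits per minute per resource, independent of client IP,
# using the persistent RESOURCE collection (ModSecurity 2.9, Apache 2.4).
# Assumptions: rule ids 900100-900103, the SecDataDir path, and that only
# /my-resource/<id> paths are limited.

SecRuleEngine On

# Persistent collections (IP, SESSION, USER, RESOURCE, GLOBAL) are stored as
# SDBM files here; without SecDataDir no counter survives the request.
# The directory must exist and be writable by the httpd user.
SecDataDir /var/cache/modsecurity

# Phase 1: initialise the RESOURCE collection keyed on the path. REQUEST_FILENAME
# carries no query string, so /my-resource/123?x=1 and /my-resource/123 share
# one counter. Only limited paths run initcol, so unrelated requests never
# touch the store.
SecRule REQUEST_FILENAME "@rx ^/my-resource/[^/]+$" \
    "id:900100,phase:1,pass,nolog,initcol:resource=%{REQUEST_FILENAME}"

# Phase 2: deny once this path's counter has reached the limit. RESOURCE:COUNTER
# simply does not exist for paths where initcol did not run, so the rule cannot
# match there.
SecRule RESOURCE:COUNTER "@ge 10" \
    "id:900101,phase:2,deny,status:429,setenv:RATELIMITED=1,nolog"

# Phase 2: otherwise count the hit. Guarded by the same path match so setvar
# never targets a collection that was not initialised.
SecRule REQUEST_FILENAME "@rx ^/my-resource/[^/]+$" \
    "id:900102,phase:2,pass,nolog,setvar:resource.counter=+1"

# Phase 5 (logging, runs even for denied requests): leak 10 from the counter
# every 60 seconds, which is what gives "10 hits per minute".
SecRule REQUEST_FILENAME "@rx ^/my-resource/[^/]+$" \
    "id:900103,phase:5,pass,nolog,deprecatevar:resource.counter=10/60"

Header always set Retry-After "60" env=RATELIMITED
ErrorDocument 429 "Too Many Requests"
```

With this in place, ten quick requests to /my-resource/123 are served and the eleventh gets a 429 with Retry-After, while /my-resource/456 keeps its own counter and is still served. Two caveats a practitioner should keep in mind: the counter is the same for every client, so one noisy client can lock a resource for everyone (that is what the question asked for, but it is also a denial-of-service lever); and ModSecurity reads the collection at initcol and writes it back only when the transaction ends, so concurrent hits on the same key can be undercounted, which is part of why Christian suggests mod_qos for this job.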