Re: [mod-security-users] Retry-After header not being set?
From: Andrew H. <and...@lo...> - 2022-02-16 18:05:32
Hi Jamie,

That works for me:

> GET /foo HTTP/1.1
> Host: example.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 429 Too Many Requests
< Date: Wed, 16 Feb 2022 16:52:32 GMT
< Server: Apache
< Retry-After: 10
< Content-Length: 227
< Content-Type: text/html; charset=iso-8859-1

Is your Apache config loading mod_headers? E.g.:

LoadModule headers_module lib/httpd/mod_headers.so

It's not a "core" Apache module, so it may not be compiled by default.

For what it's worth, in my opinion, ModSecurity is really, really not a good place to do any kind of rate limiting. Especially on Apache: the underlying persistent collection mechanism is ridiculously flakey and will break your heart (and eat your RAM). The implementation of 'deprecatevar' is particularly "interesting". (Can you tell I've been burnt by all this before? :) )

I've had much more success putting HAProxy in front of Apache and using its stick tables to take care of rate limiting. I've also heard good things about using the Apache mod_qos module, although I've never tried it myself. You can also do some clever things using iptables and tc.

Thanks,
Andrew

--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
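
Added example, not part of the original message or of any project mentioned in it: a small check that a captured 429 response head actually carries a usable Retry-After value, the symptom this thread is about. It accepts both forms the header can take (delta-seconds and HTTP-date); the function names and the sample inputs are constructed for illustration.

```python
from email.utils import parsedate_to_datetime

# Constructed sample: the 429 response head quoted in the message above.
SAMPLE_OK = (
    "HTTP/1.1 429 Too Many Requests\r\n"
    "Date: Wed, 16 Feb 2022 16:52:32 GMT\r\n"
    "Server: Apache\r\n"
    "Retry-After: 10\r\n"
    "Content-Length: 227\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)
# Constructed sample: the same response as it looks when the header is not set.
SAMPLE_MISSING = SAMPLE_OK.replace("Retry-After: 10\r\n", "")


def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) for a raw head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def retry_after_seconds(raw):
    """Seconds a 429 response asks the client to wait; None if absent or invalid."""
    status, headers = parse_head(raw)
    if status != 429:
        raise ValueError("expected a 429 response, got %d" % status)
    value = headers.get("retry-after")
    if value is None:
        return None
    if value.isascii() and value.isdigit():  # delta-seconds form
        return int(value)
    try:  # HTTP-date form, measured against the response's own Date header
        delta = parsedate_to_datetime(value) - parsedate_to_datetime(headers["date"])
    except (TypeError, ValueError, KeyError):
        return None
    return max(0, int(delta.total_seconds()))
```

A `None` result on a 429 is the case to investigate on the server side, for example by confirming that mod_headers is loaded.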