Re: [mod-security-users] Retry-After header not being set?
From: Michael W. <sco...@ya...> - 2022-02-17 09:30:53
Have you looked at mod_qos? This is a third-party module which needs to be built and installed into Apache. We are having a lot of success with it in rate limiting incoming requests.
Email: sco...@ya...
On Wednesday, 16 February 2022, 19:13:52 GMT, Jamie Burchell <ja...@ib...> wrote:
One peculiar thing I noticed is that after the 429 response, the next
request gives me a 429 even if I have waited for a long time.
-----Original Message-----
From: Jamie Burchell <ja...@ib...>
Sent: 16 February 2022 18:45
To: mod...@li...
Subject: RE: [mod-security-users] Retry-After header not being set?
Hi Andrew
mod_headers is there; I'm using the same syntax to set an HSTS expiry header
in the virtualhost block. That header is present, but not the Retry-After.
Thanks
Jamie
-----Original Message-----
From: Andrew Howe <and...@lo...>
Sent: 16 February 2022 17:15
To: mod...@li...
Subject: Re: [mod-security-users] Retry-After header not being set?
Hi Jamie,
That works for me:
> GET /foo HTTP/1.1
> Host: example.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 429 Too Many Requests
< Date: Wed, 16 Feb 2022 16:52:32 GMT
< Server: Apache
< Retry-After: 10
< Content-Length: 227
< Content-Type: text/html; charset=iso-8859-1
Is your Apache config loading mod_headers? E.g.:
LoadModule headers_module lib/httpd/mod_headers.so
It's not a "core" Apache module, so it may not be compiled by default.
For what it's worth, in my opinion, ModSecurity is really, really not a good
place to do any kind of rate limiting. Especially on Apache:
the underlying persistent collection mechanism is ridiculously flakey and
will break your heart (and eat your RAM). The implementation of
'deprecatevar' is particularly "interesting". (Can you tell I've been burnt
by all this before? :) )
I've had much more success putting HAProxy in front of Apache and using its
stick tables to take care of rate limiting. I've also heard good things
about using the Apache mod_qos module, although I've never tried it myself.
You can also do some clever things using iptables and tc.
Thanks,
Andrew
--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
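As an added example (not part of this thread and not written by any of its authors), here is one way the pieces discussed above fit together on Apache with ModSecurity v2: a persistent per-IP collection that counts requests, a deprecatevar decay so the count comes back down when a client backs off, a deny with status 429, and mod_headers adding the Retry-After header to that 429 response. Rule ids, the module and data-directory paths, the threshold and the decay rate are assumptions chosen for illustration. One check worth making when a header set with plain "Header set" (such as HSTS) shows up on normal responses but Retry-After is missing on the 429: "Header set" only applies to successful responses, and the 429 produced by deny is an error response, so the Retry-After directive needs the "always" condition.

```apache
# Added example, not from the thread: ModSecurity v2 rate limiting on Apache
# with a Retry-After header supplied by mod_headers.
# Rule ids, paths, threshold and decay rate are assumptions for illustration.

# mod_headers is not a core module; it has to be loaded explicitly (assumed path).
LoadModule headers_module   modules/mod_headers.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    SecRuleEngine On
    # Persistent collections (initcol) need a writable directory (assumed path).
    SecDataDir /var/cache/modsecurity

    # Open (or create) the per-client-IP collection on every request.
    SecAction "id:900100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

    # Count the request, and let the counter decay by 10 every 60 seconds so a
    # client that stops sending traffic is allowed again after a while.
    # Note: blocked requests are counted too, so the decay rate must be able to
    # outpace a client that keeps retrying, or it will never drop below the limit.
    SecAction "id:900101,phase:1,pass,nolog,\
        setvar:ip.req_count=+1,\
        deprecatevar:ip.req_count=10/60"

    # Over the limit (assumed threshold of 100): block with 429, log it, and set an
    # environment variable that mod_headers can test.
    SecRule IP:REQ_COUNT "@gt 100" \
        "id:900102,phase:1,deny,status:429,log,\
        msg:'Rate limit exceeded for %{REMOTE_ADDR}',\
        setenv:RATE_LIMITED=1"
</IfModule>

<IfModule headers_module>
    # 'always' is required here: the 429 from deny is an error response, and the
    # default (onsuccess) condition only applies to 2xx responses.
    Header always set Retry-After "60" env=RATE_LIMITED
</IfModule>
```

Because the env= condition is only true on requests the deny rule fired on, the header never leaks onto normal responses, and the log line from the rule gives the detection side a record of which client was throttled and when.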
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/