Re: [mod-security-users] Retry-After header not being set?
From: Jamie B. <ja...@ib...> - 2022-02-17 09:47:53
I haven't. I'm using mod_security already for CRS stuff, so I was hoping I could just add basic limiting for a couple of URLs with it, although I appreciate it might not be the best tool for the job. As I say, it works, but without the header being set. Maybe that's because my error document is a PHP script and it's getting removed somehow.

From: Michael Woods via mod-security-users <mod...@li...>
Sent: 17 February 2022 09:20
To: mod...@li...
Cc: Michael Woods <sco...@ya...>
Subject: Re: [mod-security-users] Retry-After header not being set?

Have you looked at mod_qos? This is a third-party module which needs to be built and installed into Apache. We are having a lot of success with it in rate limiting incoming requests.

Email: sco...@ya...

On Wednesday, 16 February 2022, 19:13:52 GMT, Jamie Burchell <ja...@ib...> wrote:

One peculiar thing I noticed is that after the 429 response, the next request gives me a 429 even if I have waited for a long time.

-----Original Message-----
From: Jamie Burchell <ja...@ib...>
Sent: 16 February 2022 18:45
To: mod...@li...
Subject: RE: [mod-security-users] Retry-After header not being set?

Hi Andrew

mod_headers is there; I'm using the same syntax to set a HSTS expiry header in the virtualhost block. That header is present, but not the Retry-After.

Thanks
Jamie

-----Original Message-----
From: Andrew Howe <and...@lo...>
Sent: 16 February 2022 17:15
To: mod...@li...
Subject: Re: [mod-security-users] Retry-After header not being set?

Hi Jamie,

That works for me:

> GET /foo HTTP/1.1
> Host: example.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 429 Too Many Requests
< Date: Wed, 16 Feb 2022 16:52:32 GMT
< Server: Apache
< Retry-After: 10
< Content-Length: 227
< Content-Type: text/html; charset=iso-8859-1

Is your Apache config loading mod_headers? E.g.:

LoadModule headers_module lib/httpd/mod_headers.so

It's not a "core" Apache module, so it may not be compiled by default.

For what it's worth, in my opinion, ModSecurity is really, really not a good place to do any kind of rate limiting. Especially on Apache: the underlying persistent collection mechanism is ridiculously flaky and will break your heart (and eat your RAM). The implementation of 'deprecatevar' is particularly "interesting". (Can you tell I've been burnt by all this before? :) )

I've had much more success putting HAProxy in front of Apache and using its stick tables to take care of rate limiting. I've also heard good things about using the Apache mod_qos module, although I've never tried it myself. You can also do some clever things using iptables and tc.

Thanks,
Andrew

--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
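The thread turns on two things: mod_headers must be loaded, and the Retry-After header has to be attached to an error response, which the plain `Header set` form does not do (Apache keeps a separate header table for error responses, and only `Header always` writes to it). The configuration below is an added example, not anything the posters shared; it assumes Apache 2.4.10 or later (for the `expr=` condition on `Header`) with ModSecurity v2 and mod_headers loaded. The rule ids, the `/login` path, the 10-request threshold and the 60-second window are constructed placeholders, and the weak and corrected `Header` lines are shown side by side.

```apache
# Added example (not from the thread). Assumes Apache 2.4.10+, ModSecurity v2,
# and mod_headers. Paths, rule ids, the /login URL and the thresholds are
# constructed placeholders for illustration.
LoadModule headers_module   modules/mod_headers.so
LoadModule security2_module modules/mod_security2.so

SecRuleEngine On
# Persistent collections (initcol / setvar on ip.*) need a writable data directory.
SecDataDir /var/cache/modsecurity

# Open (or create) the per-client-IP collection for every request.
SecAction "id:100001,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Count hits on the rate-limited URL; expirevar gives the counter a 60-second TTL
# so the count falls back to zero once the window passes.
SecRule REQUEST_URI "@beginsWith /login" \
    "id:100002,phase:1,pass,nolog,setvar:ip.login_hits=+1,expirevar:ip.login_hits=60"

# Above the threshold, answer 429 and log the event for detection/alerting.
SecRule IP:LOGIN_HITS "@gt 10" \
    "id:100003,phase:1,deny,status:429,log,msg:'Rate limit exceeded for /login'"

# WEAK: without 'always' this only touches the normal response header table,
# which Apache does not use for error responses, so the 429 carries no Retry-After.
# Header set Retry-After "60"

# CORRECTED: 'always' also writes to the error-response header table, and the
# expr= condition keeps the header off every non-429 response. The value matches
# the 60-second TTL on the counter above.
Header always set Retry-After "60" "expr=%{REQUEST_STATUS} == 429"
```

To check it, send more than ten requests to `/login` in a minute with `curl -i` and confirm that the 429 response lists `Retry-After: 60`; if the header is still missing, `apachectl -M` should show `headers_module` in the loaded module list.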