Hi Patrick,
> Thanks for the reply, but I’m actually just wanting to protect a small portion of the site. Almost all of the site can and should run without restrictions, except for some PHP scripts that (if hit repeatedly) cause performance issues.
If your solution is designed to stop *trusted users* from accidentally pushing too hard on expensive PHP scripts then you might get away with using ModSecurity for simple rate limiting.

If, on the other hand, you're looking for real denial of service defence against malicious clients then you really don't want to be using Apache+ModSecurity to provide that. In a production environment, when Apache+ModSec DoS rules are put under pressure, you end up seeing truly *staggering* resource usage (namely RAM), blocking can be unreliable, odd error messages appear complaining about accessing the underlying database files, the database files themselves can quickly balloon and consume the file system (they need regular pruning), and the whole thing just crumbles really easily.

You mentioned that you only want to rate limit requests to certain URLs, which rules out doing anything clever at the network layer. I'm personally moving all my use of Apache+ModSec DoS rules over to a simple HAProxy instance sitting in front of Apache, which works perfectly (HAProxy has a highly efficient key-value store, "stick tables", which achieves much the same thing as the ModSec DoS rules, but the configuration is simpler and the setup is extremely reliable with only a fraction of the resource use). And there are other options, too, like mod_qos, as mentioned earlier in the thread.
Have a good weekend.
Thanks,
Andrew
--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
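As an added example (not from Andrew's message or from Loadbalancer.org), here is the HAProxy stick-table setup he describes: HAProxy sits in front of Apache and rate limits only the expensive PHP paths per client IP, leaving the rest of the site untouched. The paths, ports, window and threshold are assumptions for illustration.

```haproxy
global
    log stdout format raw local0
    # Admin socket so you can inspect the table with "show table www"
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind *:80

    # Hypothetical expensive scripts; everything else is never tracked or limited.
    acl expensive_php path_beg /reports/ /search.php

    # Per-client-IP table storing the HTTP request rate over a 10s sliding window.
    # Idle entries expire after 30s, so the table prunes itself (unlike ModSec's DB files).
    stick-table type ip size 100k expire 30s store http_req_rate(10s)

    # Only requests to the expensive paths are counted against the client's rate.
    # If HAProxy sits behind another proxy, key on the real client address instead of src.
    http-request track-sc0 src if expensive_php

    # Reject with 429 once a client exceeds 10 expensive requests per 10 seconds.
    http-request deny deny_status 429 if expensive_php { sc_http_req_rate(0) gt 10 }

    default_backend apache

backend apache
    # Apache moved to a local port; HAProxy owns port 80.
    server apache1 127.0.0.1:8080 check
```

Validate with `haproxy -c -f haproxy.cfg`, and watch the counters live with `echo "show table www" | socat stdio /var/run/haproxy.sock` to confirm only clients hitting the expensive paths appear in the table.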