Bug #16342

Consider rate-limiting connections to Redmine

Added by CyrilBrulebois 4 months ago. Updated 20 days ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Infrastructure
Target version: -
Start date: 01/10/2019
Due date: -
% Done: 100%
Spent time: -
QA Check: -
Feature Branch: -
Type of work: Sysadmin
Blueprint: -
Starter: -
Affected tool: -
Description

(This might be valid for other services; feel free to repurpose the ticket as you see fit.)

Until now we've had issues with Redmine becoming slow all of a sudden whenever an IP is squatting Apache's connection pool. A manual action is usually needed to block the offender.

I've noticed some rules lately in Debian's dsa-puppet.git, which might help us:

        @ferm::rule { 'dsa-http-limit':
                prio        => '20',
                description => 'limit HTTP DOS',
                chain       => 'http_limit',
                domain      => '(ip ip6)',
                rule        => 'mod limit limit-burst 60 limit 15/minute jump ACCEPT;
                                jump DROP'
        }

There are many other, more specific entries; see modules/apache2/manifests/dynamic.pp (for various spiders).

In another area, for snapshot.debian.org:

        @ferm::rule { 'dsa-snapshot-connlimit':
                domain => '(ip ip6)',
                prio  => "005",
                rule  => "proto tcp mod state state (NEW) interface ! lo daddr (${ipv4addr} ${ipv6addr})  mod multiport destination-ports (80 443) mod connlimit connlimit-above 3 DROP;
                          proto tcp mod state state (NEW) interface ! lo                                                dport 6081                 mod connlimit connlimit-above 3 DROP
                           ",
        }

History

#1 Updated by mercedes508 4 months ago

  • Status changed from New to Confirmed

#2 Updated by groente 20 days ago

  • Status changed from Confirmed to Resolved
  • % Done changed from 0 to 100

Ended up fixing this with Apache mod_qos; connections are now limited to 20 per IP.
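The two limiting strategies that come up in this ticket behave quite differently against the problem described (one IP squatting Apache's connection pool). The following Python model is an added illustration, not code from the ticket, from dsa-puppet or from the Tails infrastructure. It replays a constructed connection trace (addresses taken from the RFC 5737 test ranges) through, first, a token bucket with the semantics of the `mod limit limit-burst 60 limit 15/minute` rule quoted in the description, and second, a per-source concurrent-connection cap, which is what both `mod connlimit connlimit-above N` in the snapshot rule and the mod_qos per-IP limit from comment #2 implement. The numbers it produces show why the per-IP cap is the fix that matches the symptom: the netfilter `limit` match is a single bucket shared by every packet that reaches the rule, so one greedy client drains it and a well-behaved client gets dropped as well, whereas the per-address cap only ever stops the offender.

```python
"""Model of the two connection-limiting strategies discussed in this ticket.

Added illustration, not code from the ticket, dsa-puppet or the Tails
infrastructure. Two mechanisms are modelled:

  * GlobalRateLimit: the netfilter ``limit`` match used by the dsa-http-limit
    rule (``mod limit limit-burst 60 limit 15/minute``). It is one token
    bucket shared by every packet that reaches the rule; it does not know
    which source address a packet came from.
  * PerSourceConnLimit: a cap on concurrent connections per source address,
    which is what ``mod connlimit connlimit-above N`` does in the snapshot
    rule and what the mod_qos per-IP limit in comment #2 does for Apache.

The trace below is constructed; addresses come from the RFC 5737 test nets.
"""
from collections import defaultdict


class GlobalRateLimit:
    """Token bucket: ``burst`` tokens to start, refilled at ``rate_per_minute``.

    Mirrors ``-m limit --limit R --limit-burst B``: each matching packet
    consumes a token; with no token left the packet fails the match (and in
    the ticket's rule falls through to ``jump DROP``).
    """

    def __init__(self, burst, rate_per_minute):
        self.burst = burst
        self.rate_per_sec = rate_per_minute / 60.0
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceConnLimit:
    """At most ``max_per_ip`` simultaneously open connections per source.

    ``connlimit-above 3 DROP`` lets a source keep 3 connections open and
    drops the 4th; mod_qos with a per-IP limit of 20 does the same at 20.
    Closing a connection frees a slot, which ``limit`` never does.
    """

    def __init__(self, max_per_ip):
        self.max_per_ip = max_per_ip
        self.open = defaultdict(int)

    def on_open(self, src):
        if self.open[src] >= self.max_per_ip:
            return False
        self.open[src] += 1
        return True

    def on_close(self, src):
        # The constructed trace only closes connections that were accepted.
        if self.open[src] > 0:
            self.open[src] -= 1


def _tally():
    return defaultdict(lambda: {"accepted": 0, "dropped": 0})


def run_global_limit(events, burst, rate_per_minute):
    """Replay ``(t_seconds, src, 'open'|'close')`` events through one shared bucket."""
    bucket = GlobalRateLimit(burst, rate_per_minute)
    tally = _tally()
    for t, src, kind in sorted(events, key=lambda e: e[0]):
        if kind != "open":
            continue  # ``limit`` is stateless: closing a connection gives no token back
        tally[src]["accepted" if bucket.allow(t) else "dropped"] += 1
    return {src: dict(v) for src, v in tally.items()}


def run_per_ip_limit(events, max_per_ip):
    """Replay the same events through a per-source concurrent-connection cap."""
    limiter = PerSourceConnLimit(max_per_ip)
    tally = _tally()
    for t, src, kind in sorted(events, key=lambda e: e[0]):
        if kind == "close":
            limiter.on_close(src)
        else:
            tally[src]["accepted" if limiter.on_open(src) else "dropped"] += 1
    return {src: dict(v) for src, v in tally.items()}


GREEDY = "198.51.100.7"  # constructed: one client opening 100 connections at once
NORMAL = "192.0.2.10"    # constructed: a well-behaved client, one connection at a time
SAMPLE_EVENTS = (
    [(0.0, GREEDY, "open")] * 100
    + [(1.0, NORMAL, "open"), (2.0, NORMAL, "close"), (3.0, NORMAL, "open")]
)

if __name__ == "__main__":
    print("global limit 15/min, burst 60:", run_global_limit(SAMPLE_EVENTS, 60, 15))
    print("per-IP cap of 20:", run_per_ip_limit(SAMPLE_EVENTS, 20))
```

Two caveats when turning this into real rules: `limit` counts whatever packets reach the rule, so it is normally paired with `mod state state NEW` (as the snapshot rule does for `connlimit`) so that it counts connection attempts rather than every packet of every established connection; and if a per-source rate limit is wanted at the firewall rather than a per-source concurrency cap, the netfilter match for that is `hashlimit`, not `limit`.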
