Date: Sat, 19 Jan 2002 13:40:39 +0300
Subject: [Apache] Патч для ограничения максимального числа запросов с одного IP
diff -ur src/include/http_conf_globals.h.orig src/include/http_conf_globals.h
--- src/include/http_conf_globals.h.orig Sat Oct 14 13:10:59 2000
+++ src/include/http_conf_globals.h Tue Nov 28 18:24:51 2000
@@ -89,6 +89,8 @@
extern API_VAR_EXPORT int ap_daemons_limit;
extern API_VAR_EXPORT int ap_suexec_enabled;
extern int ap_listenbacklog;
+extern int ap_daemons_max_by_ip;
+extern int ap_daemons_max_by_ip_read;
extern int ap_dump_settings;
extern API_VAR_EXPORT int ap_extended_status;
diff -ur src/include/http_main.h.orig src/include/http_main.h
--- src/include/http_main.h.orig Sat Oct 14 13:11:00 2000
+++ src/include/http_main.h Tue Nov 28 18:24:51 2000
@@ -129,6 +129,9 @@
void setup_signal_names(char *prefix);
+void update_child_status_remote_ip (int, conn_rec *);
+int count_connections (conn_rec *, int);
+
#ifndef NO_OTHER_CHILD
/*
* register an other_child -- a child which the main loop keeps track of
diff -ur src/include/httpd.h.orig src/include/httpd.h
--- src/include/httpd.h.orig Sat Oct 14 18:16:51 2000
+++ src/include/httpd.h Tue Nov 28 18:24:51 2000
@@ -299,6 +299,12 @@
#define DEFAULT_MIN_FREE_DAEMON 5
#endif
+/* Define default limits for MaxDaemons serving a single address */
+
+#define DEFAULT_MAX_DAEMONS_BY_IP 150
+#define DEFAULT_MAX_DAEMONS_BY_IP_READ 75
+#define LIMIT_CONNECTIONS_BY_IP_ERROR HTTP_SERVICE_UNAVAILABLE
+
/* Limit on the total --- clients will be locked out if more servers than
* this are needed. It is intended solely to keep the server from crashing
* when things get out of hand.
diff -ur src/include/scoreboard.h.orig src/include/scoreboard.h
--- src/include/scoreboard.h.orig Sat Oct 14 12:56:05 2000
+++ src/include/scoreboard.h Tue Nov 28 18:24:51 2000
@@ -160,6 +160,7 @@
char request[64]; /* We just want an idea... */
server_rec *vhostrec; /* What virtual host is being accessed? */
/* SEE ABOVE FOR SAFE USAGE! */
+ unsigned long remoteip;
} short_score;
+int count_connections (conn_rec * current_conn, int state)
+{
+ unsigned long remote_ip = current_conn->remote_addr.sin_addr.s_addr;
+ int res = 0, i;
+
+ for (i = 0; i < HARD_SERVER_LIMIT; i++)
+ {
+ if ((ap_scoreboard_image->servers[i].status == SERVER_DEAD) ||
+ (state > 0 && ap_scoreboard_image->servers[i].status != state))
+ {
+ continue;
+ }
+ if (ap_scoreboard_image->servers[i].remoteip == remote_ip)
+ {
+ res++;
+ }
+ }
+ return res;
+}
+
void ap_time_process_request(int child_num, int status)
{
short_score *ss;
@@ -4189,12 +4243,15 @@
* until no requests are left or we decide to close.
*/
- while ((r = ap_read_request(current_conn)) != NULL) {
+ for (;;){
+ if (ap_daemons_max_by_ip || ap_daemons_max_by_ip_read)
+ update_child_status_remote_ip (my_child_num, (conn_rec *)current_conn);
+
+ if ((r = ap_read_request(current_conn)) == NULL) break;
/* read_request_line has already done a
* signal (SIGUSR1, SIG_IGN);
*/
-
(void) ap_update_child_status(my_child_num, SERVER_BUSY_WRITE, r);
/* process the request if it was read without error */
@@ -5463,6 +5520,10 @@
* client has ACKed our FIN and/or has stopped sending us data.
*/
ap_kill_cleanups_for_socket(ptrans, csd);
+
+ if (daemons_max_by_ip || daemons_max_by_ip_read)
+ update_child_status_remote_ip (child_num, (conn_rec *)NULL);
+
#ifdef NO_LINGCLOSE
ap_bclose(conn_io); /* just close it */
diff -ur src/main/http_protocol.c.orig src/main/http_protocol.c
--- src/main/http_protocol.c.orig Sat Oct 14 18:16:51 2000
+++ src/main/http_protocol.c Tue Nov 28 18:24:52 2000
@@ -73,6 +73,15 @@
#include "http_log.h" /* For errors detected in basic auth common
* support code... */
#include "util_date.h" /* For parseHTTPdate and BAD_DATE */
+
+#include "scoreboard.h" /* for limiting connections by IP */
+#ifndef LONG_STRING_LEN
+#define LONG_STRING_LEN 2048
+#endif /* LONG_STRING_LEN */
+extern int ap_daemons_max_by_ip;
+extern int ap_daemons_max_by_ip_read;
+extern void ap_die();
+
#include <stdarg.h>
#include "http_conf_globals.h"
@@ -1039,6 +1048,8 @@
pool *p;
const char *expect;
int access_status;
+ int current_connections;
+ char *reject_state = NULL;
p = ap_make_sub_pool(conn->pool);
r = ap_pcalloc(p, sizeof(request_rec));
@@ -1070,6 +1081,33 @@
r->read_length = 0;
r->read_body = REQUEST_NO_BODY;
+ if (ap_daemons_max_by_ip && ((current_connections = count_connections(conn,0))
+ > ap_daemons_max_by_ip))
+ {
+ r->request_time=time(NULL);
+ reject_state = "total";
+ }
+ else if (ap_daemons_max_by_ip_read &&
+ ((current_connections = count_connections(conn,SERVER_BUSY_READ))
+ > ap_daemons_max_by_ip_read))
+ {
+ reject_state = "read state";
+ }
+ if (reject_state) {
+ r->status = HTTP_OK;
+ r->request_time = time(NULL);
+ r->proto_num = 1000; /* or something */
+ r->assbackwards = 0; /* who knows... */
+ r->protocol = "HTTP/1.0"; /* just not empty */
+ r->the_request = NULL;
+ r->method = NULL;
+ r->method_number = M_INVALID;
+ ap_die(LIMIT_CONNECTIONS_BY_IP_ERROR, r);
+ ap_log_transaction(r);
+ ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, conn->server, "Client at %s for %s with %d %s current connections", conn->remote_ip, conn->server->server_hostname, current_connections, reject_state);
+ return NULL;
+ }
+
r->status = HTTP_REQUEST_TIME_OUT; /* Until we get a request */
r->the_request = NULL;
1256 Прочтений • [[Apache] Патч для ограничения максимального числа запросов с одного IP (patch apache limit)] [08.05.2012] [Комментариев: 0]
Vova
