Send letter to ipdrop-subscribe.at.miksir.pp.ru for subscribe
Dmitriy MiksIr <miksir.at.maker.ru>
This modules can limit number of connection per ip, user and vhost with DOS protection
support (connections can be droped without waiting any input (EAPI only)).
Module based on mod_choke.c by Nathan Shafer <nate-mod_choke.at.seekio.com>
All bandwidth options was removed and some new features added.
GlobalMaxConnectionsPerIP N1 [N2 [N3]]
Set connection limit based on client IP for all connections to your apache server.
N1 - number of connections from same IP with proxy detection (based on X-Forwarded-For)
N2 - same as N1, but without proxy detection (because header may be simply faked for DOS attack)
N3 - same as N2, but detection started on connect before receiving any data. If attaker start many connection to your server but not sending any data, connection still open untill timeout. It's not good, because attaker can reach MaxClients limit and all other connections to your server will be blocked. If N3 limit reached, new connection will be immediatly closed and httpd child killed (*)
N2 can be zero (disabled) only if N3 sets.
Set connection limit based on user's login.
MaxConnectionsPerIP N1 [N2]
Same as GlobalMaxConnectionsPerIP, but apply limit to VirtualHost.
Same as GlobalMaxConnectionsPerUser, but apply limit to VirtualHost.
Set number of clients to VirtualHost. Apache can limit only total number of clients to apache (MaxClients). If you whant limit nember of clients for each VirtualHost - place MaxConnectionsPerVHost in each. N1 can't be greater, than MaxClients.
Set level of debuging.
0 - disable all error messages
1 - log only messages about apply limits; global limits error put to server error_log, virtual limits error put to virtualhost error_log
2 - more verbose about configuration and initialization
3 - maximum verbose; track all new connections ant put it to server error_log
(*) For N3 option of GlobalMaxConnectionsPerIP you need EAPI patch. If you're use mod_ssl, EAPI patch already exists in apache, but if not, you can apply EAPI patch from mod_ssl soure (with or without install mod_ssl). Read more about this in mod_ssl readme. Without EAPI you can simple use mod_ipdrop without N3 option.