mod_limitipconn.c David Jao Proxy tracking by Jonathan J. Miner Apache C module to limit the maximum number of simultaneous connections per IP address. Allows inclusion and exclusion of files based on MIME type. Example configuration: --------------------------------------------------------------------------- ExtendedStatus On # Only needed if the module is compiled as a DSO LoadModule limitipconn_module lib/apache/mod_limitipconn.so AddModule mod_limitipconn.c MaxConnPerIP 3 # exempting images from the connection limit is often a good # idea if your web page has lots of inline images, since these # pages often generate a flurry of concurrent image requests NoIPLimit image/* MaxConnPerIP 1 # In this case, all MIME types other than audio/mpeg and video* # are exempt from the limit check OnlyIPLimit audio/mpeg video --------------------------------------------------------------------------- Notes: This module will not function unless mod_status is loaded and the "ExtendedStatus On" directive is set. The limits defined by mod_limitipconn.c apply to all IP addresses connecting to your Apache server. Currently there is no way to set different limits for different IP addresses. Connections in excess of the limit result in a stock 503 Service Temporarily Unavailable response. The job of returning a more useful error message to the client is left as an exercise for the reader. mod_limitipconn sets the LIMITIP environment variable to 1 whenever a download is denied on the basis of too high an IP count. You can use this variable to distinguish accesses that have been denied by this module. For example, a line like CustomLog /var/log/httpd/access_log common env=!LIMITIP in httpd.conf can be used to suppress logging of denied connections from /var/log/httpd/access_log. (Note that, if you want to do this, you'll probably also want to comment out the ap_log lines from mod_limitipconn.c to suppress error_log lines as well.) Proxy client tracking By default, all clients behind a proxy are treated as coming from the proxy server's IP address. If you patch Apache with the included patch and configure with --with-forward and rebuild, the real IP addresses of clients behind proxies are correctly detected. You will need to either compile statically or compile with -DRECORD_FORWARD. If you don't patch the server, DO NOT compile with RECORD_FORWARD defined. The module will still function, but it will not recognize clients behind proxies.