Chinaunix首页 | 论坛 | 博客
  • 博客访问: 2517701
  • 博文数量: 540
  • 博客积分: 11289
  • 博客等级: 上将
  • 技术积分: 6160
  • 用 户 组: 普通用户
  • 注册时间: 2008-02-11 20:27
个人简介

潜龙勿用,见龙在田

文章分类

全部博文(540)

文章存档

2018年(2)

2013年(5)

2012年(24)

2011年(104)

2010年(60)

2009年(217)

2008年(128)

分类: 系统运维

2009-07-01 12:02:11

这个模块对于连接数的限制,我在linux下测试结果显示:
是统计跟某个IP建立的连接数作为限制依据,其实就是ESTABLISHED状态数,如果限制为2,则只能建立2个ESTABLISHED状态的连接。对于资源下载限制的线程数即为2线程。

参考文档、下载:


limitipconn-README:

# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so



    # Set a server-wide limit of 10 simultaneous downloads per IP,
    # no matter what.
    MaxConnPerIP 10
   
    # This section affects all files under
    MaxConnPerIP 3
    # exempting images from the connection limit is often a good
    # idea if your web page has lots of inline images, since these
    # pages often generate a flurry of concurrent image requests
    NoIPLimit image/*
   


   
    # This section affects all files under /home/*/public_html
    MaxConnPerIP 1
    # In this case, all MIME types other than audio/mpeg and video*
    # are exempt from the limit check
    OnlyIPLimit audio/mpeg video
   



---------------------------------------------------------------------------

Notes:

1) This module will not function unless mod_status is loaded and the
   "ExtendedStatus On" directive is set.

2) Server-wide access restrictions and per-directory access restrictions
   are computed separately.  In the above example, if someone is
   downloading 11 images from
   simultaneously, they WILL be denied on the 11th download, because the
   server-wide limit of 10 downloads is not affected by the per-directory
   NoIPLimit.  If you want to set global settings which can be overruled
   by per-directory settings, you will need something like

   
    # global per-directory settings here

       
        # local per-directory settings here

       


   


3) If you are using any module based upon a quick handler hook (such as
   mod_cache), mod_limitipconn will not be able to process any
   per-directory configuration directives in time to affect the return
   result of the other module.  This is a technical limitation imposed
   by Apache.  In such a situation, you will have to use server-wide
   configuration directives only.

   Note that previous versions of mod_limitipconn did not allow any
   server-wide configuration directives, and hence could not be used
   with mod_cache at all.  In other words, the present situation still
   represents an improvement over previous versions.

4) The limits defined by mod_limitipconn.c apply to all IP addresses
   connecting to your Apache server. Currently there is no way to set
   different limits for different IP addresses.

5) Connections in excess of the limit result in a stock 503 Service
   Temporarily Unavailable response. The job of returning a more useful
   error message to the client is left as an exercise for the reader.

6) mod_limitipconn sets the LIMITIP environment variable to 1 whenever a
   download is denied on the basis of too high an IP count. You can use
   this variable to distinguish accesses that have been denied by this
   module. For example, a line like

      CustomLog /var/log/httpd/access_log common env=!LIMITIP

   in httpd.conf can be used to suppress logging of denied connections
   from /var/log/httpd/access_log. (Note that, if you really want to
   suppress logging, you'll probably also want to comment out the
   ap_log_rerror lines from mod_limitipconn.c as well.)

7) By default, all clients behind a proxy are treated as coming from the
   proxy server's IP address. If you wish to alter this behavior,
   consider installing mod_extract_forwarded from
  



测试举例:

[root@node02 ~]# cat /etc/httpd/conf.d/limitipconn.conf
LoadModule limitipconn_module modules/mod_limitipconn.so
ExtendedStatus On

                       
##--/这个地方请使用相对路径,因为我测试时如果使用了绝对路径/var/www/html/便不生效了。

        MaxConnPerIP 2
        NoIPLimit image/*
   


   
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
   


配好好放了大文件到/var/www/html/目录下,用迅雷下载,只能2线程,此时你在去打开网页会提示服务不可用。Service Temporarily Unavailable

但是用浏览器来测试线程数限制的话,效果难以看出,因为你刷新一下页面,在服务器端看不到ESTABLISHED

===============================================

一、对于mod_limitipconn,其实该模块不仅提供客户端并发联接数的控制能力,从安全角度来说还可以起到对抗固定来源IP地址发起的 DOS攻击,包括来源固定的大量访问请求型攻击(大量GET或POST请求型的攻击),当同一来源IP地址的联接数超过限定的值后,会弹回对方的访问请 求,给对方一个“503服务临时无效”的响应。当Apache服务器受到大量的访问请求型攻击的时候,由于大量的Apache进程及PHP和MYSQL运 行消耗,会导致服务器资源迅速耗尽,网站打开缓慢或瘫痪。如果是此种类型的攻击,使用mod_limitipconn模块则可以有效地提升服务器的抗攻击 能力,因为大量的请求被弹回,节省了服务器运行PHP及MYSQL的性能消耗。当然只要请求进了80端口,不管是接受还是弹回请求,Aapche都有运行 成本,所以此方法只能是减轻而无法解决,毕竟应用层的处理效率是比较低的。

二、对于网站访问量比较大、使用了mod_limitipconn模块且限制同一客户端并发联接数低于3的情况下,如果用Apache默认的配置参 数,极 可能经常出现“服务临时无效”的提示。因为Apache默认是设置“KeepAlive on”,且“KeepAliveTimeout 180”,所以一旦建立联接,那么在3分钟内这个联接是不会被释放的。所以如果网站不同页面点击频率比较高或图片资源比较多的话,会经常出现服务临时无效 的提示。那么有两种方式去解决,一是加大并发联接数的量,比如设置为普通站点10个并发联接数,图片站点则20个。另一种方式就是如果你不想加大这个值的 话,可以设置KeepAlive为off,然后缩短Timeout时间,这样联接会很快被释放出来。具体情况根据需要去调整测试,以得到一个最适合自己站 点情况的值。

三、如果要同时限制并发联接数与带宽的话,就用bw_mod+mod_limitipconn,因为虽然bw_mod也可以控制并发联接数,但他是 针对某 个目录或整个网站的并发联接数,是用来控制服务器端的总联接数,比如设置MaxConnection all 1000,那么这个网站所能接受的最大并发联接数为1000,而并不是限制每一客户端的并发联接数,而mod_limitipconn则是针对同一来源 IP的客户端的并发联接数,所以这两者的联接数限制是有所区别的。
四、个人感觉用了bw_mod及mod_limitipconn模块后,网站访问速度有所下降,能凭直观地感觉出来,并且CPU的负载有所上升。特别是在 网站访问量比较大的情况下,这两个模块会消耗一定的主机性能,所以轻重权衡这个得大家自己根据情况来采用了。另外bw_mod里有个参数是用来设置控制精 度与频率的,默认是1000毫秒,如果你想提高带宽控制精度就改小这个数值,但会消耗更多的CPU资源,反之亦然,降低精度可提升性能。


阅读(1397) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~