Protecting HTTPd via PF

[APseudoUtopia]

Hey,

I've been playing around with my pf/altq rules lately. I have a question about the max-src-conn and max-src-conn-rate for a HTTP server (apache2, if it matters ).

There's the related code:

pass in on $ext_if inet proto tcp from any to $ip3 port 80 user root flags S/SA synproxy state queue http (max-src-conn 100, max-src-conn-rate 50/5) # HTTP Traffic

Basically, I'd like to figure out what a realistic value is for max-src-conn and max-src-conn-rate for a http server. I was considering doing "max-src-conn 30, max-src-conn-rate 15/5".

Also, can anyone clarify on how apache threads/connections work? I'm using the prefork MPM. When one user browses one page, apache opens one process/thread for that user, and that single process/thread serves all the html and images and such? (As long as it meets the requirements of MaxKeepAliveRequests and KeepAliveTimeout, of course). So that one process/thread would count as one connection (For all requests for html, images, etc), right? So it would count as 1 max-src-conn?

So, for example, if I wanted to limit any user to only browsing ONE page at a time on my website and be able to load all html, image files, etc, on that one page (I'd never do this, but as an example..), I'd set max-src-conn to 1?

If you're confused, I apologize...haha.

Thanks for any/all replies.

 

[chrcol]

currently I got synproxy on my apache rule but never got round to configuring the rate limiting, I guess first consider if using keepalive on the apache or not as keepalive disabled means more connections to load images etc. for web pages.

30 connections per source ip address on http seems too generous, the default for internet explorer is only 4 and most tweak guides tell people to set it to 10, opera default is 8 connections and 20 total, if someone used a local proxy on opera it would utilise 20 connections. So I would set 20 maximum on the max-src-conn and even that is generous.

This works on raw connections, so if we assume keepalive is off and someone loads a webpage using IE that has 4 images, I expect there would be 5 connections with the first 4 at once and the 5th when the first is closed.

I would probably set it to 8. The rate setting in your example is 30 per 5 seconds?

 

[Mel_Flynn]

Keep alive reuses the same connection, however - nothing prevents a browser or spider, or spider posing as browser, to use 20 connections (even using KeepAlive) to reap pages. I think the default for most browsers is 2 connections per viewport or 2 connections per server, I'm not sure which it is.

In firefox the setting can be viewed in about:config. Look for network.http.

 

[vivek]

Your best bet is set and test. If there is any problem increase or decrease value.

 

[gilinko]

Be sure to test your settings with a MSIE browser, as it can open as much as 100 connections simultaneously to a webserver, and then just use about 4 of them but keep the other 96 idling...

So if it works with a MSIE browser, you can guarantee that it works with 99.9% of other browsers out there. Had that headache myself with my webserver, and in the end I skipped the max-conn settings for the http protocol.

 

[robbak]

Be aware of proxies. If you have a dynamic page, many people behind a proxy could trigger any arbitrarily large number of simultaneous connections to your server.
However, you may consider that that valid situation is unlikely enough to ignore, but just be aware of it.

 

[dwaynie]

Hey!

Been a while What did you guys end up doing?

Tried

max-src-conn 100, max-src-conn-rate 15/5

yesterday, ended up banning any mobile device that tried to visit my website.

max-src-conn 100, max-src-conn-rate 15/5

works fine for visits with regular PCs though.