
I have a couple of Apache 2 machines behind an HAPROXY setup. I tried to set up mod_evasive on those Apache machines while also using mod_rpaf to get the real X-FORWARDED client IP.

For some reason, mod_evasive grabs and blocks some IPs (testing with ApacheBench), but some can go on and open more connections and basically DOS my servers.

Any idea what can exclude one IP from the other in mod_evasive, considering the fact that it's behind a proxy and that the real client IPs are visible in the Apache logs?

mod_evasive's definitions are the defaults when the DOSWhitelist is set to our subnet mask (192.168.. for example).

The rpaf module has the RPAFproxy_ips definition with our HAPROXY IP. Any ideas?

Elad Meidar
Well, it turns out that ApacheBench didn't send enough requests for mod_evasive to suspect and block it. It works fine and as expected. – Elad Meidar Feb 09 '11 at 16:31

2 Answers


The problem you've run into is likely part of the design of mod_evasive: its stats used for blocking are saved in each child process. So, if you are using the Prefork MPM and have MaxClients set to 50, then connections to each of these 50 clients will be tracked independently.

Further, there is the MaxRequestsPerChild setting. Once this is reached, the child will be killed, and the stats along with it. So, in some cases, mod_evasive is simply not effective.

I'm sorry I don't have a better alternative to recommend at this point. I'm searching myself. ( I have not yet confirmed if it works any better with other MPMs, either. )

References:

Mark Stosberg
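To make the per-child argument above concrete, here is a small simulation I added (not code from either answer or from mod_evasive itself). It assumes a simplified mod_evasive: each prefork child keeps its own (ip, uri) counter, refuses a request once that counter exceeds DOSPageCount within DOSPageInterval seconds, and loses its table when the child is recycled at MaxRequestsPerChild; requests are spread round-robin over MaxClients children.

```python
# Simplified model of mod_evasive's per-child tracking under the prefork MPM.
# Assumptions (mine, not the page's): every child keeps its own (ip, uri)
# counter, a request is refused once that counter exceeds DOSPageCount within
# DOSPageInterval seconds, and requests are spread round-robin over MaxClients
# children. DOSSiteCount and DOSBlockingPeriod are left out for brevity.

class Child:
    """One prefork child with its own mod_evasive hash table."""

    def __init__(self, page_count, page_interval, max_requests_per_child):
        self.page_count = page_count
        self.page_interval = page_interval
        self.max_requests = max_requests_per_child  # 0 means never recycled
        self.served = 0
        self.table = {}  # (ip, uri) -> [count, first_seen]

    def handle(self, ip, uri, now):
        """Return True if this child would refuse the request (HTTP 403)."""
        if self.max_requests and self.served >= self.max_requests:
            self.served, self.table = 0, {}  # child recycled, stats lost
        self.served += 1
        entry = self.table.setdefault((ip, uri), [0, now])
        if now - entry[1] > self.page_interval:  # interval expired, restart
            entry[:] = [0, now]
        entry[0] += 1
        return entry[0] > self.page_count


def simulate(requests, max_clients, page_count=2, page_interval=1,
             max_requests_per_child=0):
    """Feed (ip, uri, time) tuples round-robin to max_clients children and
    return how many requests would have been refused."""
    children = [Child(page_count, page_interval, max_requests_per_child)
                for _ in range(max_clients)]
    refused = 0
    for i, (ip, uri, t) in enumerate(requests):
        if children[i % max_clients].handle(ip, uri, t):
            refused += 1
    return refused


# Constructed sample: one client requests the same page 40 times in 0.4 s.
BURST = [("203.0.113.7", "/", 0.01 * i) for i in range(40)]

if __name__ == "__main__":
    print("1 child:", simulate(BURST, 1), "refused")
    print("50 children:", simulate(BURST, 50), "refused")
    print("1 child, MaxRequestsPerChild 2:",
          simulate(BURST, 1, max_requests_per_child=2), "refused")
```

With a single child the burst is refused after the second request, with 50 children the same burst is never refused at all, and a low MaxRequestsPerChild wipes the counters before they can trip; the effective threshold is roughly MaxClients times DOSPageCount per interval.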

You can use mod_evasive_x to use the X-Forwarded-For header value as the client IP address, and the last stable version of mod_rpaf, where you can set a network subnet mask for the RPAF_ProxyIPs values. For my instances in AWS behind a load balancer (ELB) it works properly.