apache how to limit per user ip

Question

i have a password protected directory with hundreds of users in htpasswd file.

i want to allow download of files on these conditions:

1. check if username is valid (already done).
2. check if another connection with the same username exists. (the are modules to check connection from same ip exists but i have not found any based on username)
3. if 2 is correct check if both connections come from the same IP.

in other words how to limit each user to download from only 1 ip simultaneously?

i've seen hundreds of articles and questions about how to limit number of Connections based on IP. but none based on User. to clarify by a User i am referring to a valid-user in htpasswd file.

an example : lets say i have a htpasswd with the following users:

simon:$apr1$oL5flt.H$ayy6GOm0TblhH3lJXqf9o0
john:$apr1$JLGdTKlz$72ImnSlauIsCRV4lkrqE3/

and i've added require valid-user to htaccess.

• john connects to get file.zip from 192.168.2.8 with 1 connection. (allow)
• john makes another 31 connections to a total of 32 (or any number really) from 192.168.2.8.(allow)[because ip matches already active connections]
• john connects from 192.168.2.9 to get any file before closing previus connections .(deny)[because active connections have different ip]
• simon connects from 192.168.2.8 (same ip as active connections) , (allow)[no other connections from simon]
• john from 192.168.2.8 finishes downloading file.zip
• john from 192.168.2.9 wants to download a file (allow).

thanks in advance.

Answer 1

Use iptables? This below may not be perfect but I hope it points you in the right direction. If you have multiple virtual hosts, where you don't want this restriction, you may have to place it on a separate IP or play with the destination a bit.

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 1 -j REJECT --reject-with tcp-reset