How to throttle HTTP requests on a Linux machine?

7

1

EDIT: here is the summary: I need to reduce max connections, preferably system-wide on Ubuntu 11.04, but at least within Google Chrome. I do not need or want to throttle bandwidth; Verizon seems to only care about the number of connections, so that is all I want to change. Also, I don't want to use Firefox unless I have to; I have three other machines all using Chrome and synced, and I just prefer it over Firefox.

I use tethering for my home internet connection via my Verizon cell phone, without paying for it. This works just fine for streaming Netflix via my Nintendo Wii and pretty much every other conceivable use I've had for it. Except, during heavy usage with multiple tabs open on my laptop, the network connection on my phone will just turn off, then on again, then off, but it never fully connects.

I think, based on this and other questions, that this is caused by Verizon getting too many HTTP requests from my phone. Is there some software, script, setting or otherwise that would allow me to throttle my requests to, say, 5 or 10 or whatever it turns out is 1 less than Verizon is looking for, so that my cell's network connection is not lost?

I would far prefer a slowdown rather than a complete shutoff of my internet connection. I am almost certain it is from the quantity of requests and not related to data, because, as I mentioned, Netflix will run all day without a hitch, and that uses more data than anything else I would be doing. If I had a router I am pretty sure there are settings I could easily change to only allow so many requests at a time... but in this case, my phone is my router, so no settings. I'm using Ubuntu 11.04 on my netbook with an HTC Incredible on Verizon (not that the phone details are relevant).

I have been trying to figure this out for quite some time; currently the only fix is to ensure that all requests are stopped, and then sometimes it works again, other times I have to manually turn my 3G service off and then back on. Thank you so much for any assistance!

dylan murphy

Posted 2011-06-08T16:46:22.097

Reputation: 171

If there is no Chrome solution then I will probably just get a firewall/proxy client-side that lets me limit the connections; if someone could suggest the best one, then they can have the bounty :) – dylan murphy – 2011-06-16T16:30:39.180

Answers

6

I successfully use an SSH tunnel to circumvent arbitrary connection limits when tethering. The idea is as follows:

ssh -D 1234 server

starts the tunnel; then you configure Firefox or other software to use the SOCKS5 proxy at localhost, port 1234. Follow the instructions on this page to instruct Firefox to also use the proxy for DNS.

The result is that the router will only see one encrypted connection to your proxy.

If you are using Ubuntu, then you can configure the proxy settings for Ubuntu, not for Chrome or Firefox. Then, all programs including Chrome and Firefox should use that proxy by default.

Open gnome-network-properties, and set the proxy to host localhost, port 1234.

Peltier

Posted 2011-06-08T16:46:22.097

Reputation: 4 834

This sounds promising; I wonder if it would work with Chrome, their site only talks about Firefox also. But that's cool that you use it for tethering also; if this works and no one posts anything better, you will get the bounty – dylan murphy – 2011-06-17T12:47:14.500

I'm pretty sure it would work with Chrome as well, SOCKS5 is a pretty common technology. – Peltier – 2011-06-17T13:08:06.787

That's exciting, I will look into that when I get off work. – dylan murphy – 2011-06-17T13:14:11.237

Could you help me make this work? The instructions on that link are for Firefox; I really want to use Chrome. I downloaded Privoxy as per this but I really don't know what I'm doing.

– dylan murphy – 2011-06-20T16:23:17.790

Sorry, I don't use chrome. – Peltier – 2011-06-20T18:26:29.153
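The tunnel described above, carried through to Chrome, as an added example that is not part of Peltier's answer. It starts the SSH SOCKS listener, waits until the port actually accepts connections, and launches Chrome with the flag that also sends DNS lookups through the proxy (Chrome otherwise resolves names locally, and that traffic would bypass the tunnel). The SSH host alias server, the local port 1234 and the google-chrome binary name are assumptions; the resolver flag value is Chromium's documented one for SOCKS setups.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer. Starts the SSH SOCKS
# tunnel and launches Chrome through it. Assumed placeholders: the SSH host
# alias "server", the local port 1234 and the binary name google-chrome.
set -eu

SOCKS_PORT="${SOCKS_PORT:-1234}"
SSH_HOST="${SSH_HOST:-server}"

# Tell Chrome to fail every local DNS lookup except for the proxy address, so
# hostnames travel inside the tunnel and are resolved by the SSH server.
# (Documented Chromium flag value for SOCKS setups.)
HOST_RESOLVER_RULES='MAP * ~NOTFOUND , EXCLUDE 127.0.0.1'

socks_proxy_url() {
    printf 'socks5://127.0.0.1:%s' "$1"
}

# Succeed once host:port accepts TCP connections, polling for up to $3 seconds.
# Uses bash's /dev/tcp, so no extra tools are needed on the netbook.
wait_for_listen() {
    local host="$1" port="$2" timeout="$3" i=0
    while [ "$i" -lt "$timeout" ]; do
        if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# -N: no remote command; -f: background after authentication;
# ExitOnForwardFailure: do not stay up silently if the port could not be bound.
start_tunnel() {
    ssh -N -f -o ExitOnForwardFailure=yes -D "127.0.0.1:$SOCKS_PORT" "$SSH_HOST"
    wait_for_listen 127.0.0.1 "$SOCKS_PORT" 10 || {
        echo "no SOCKS listener on port $SOCKS_PORT" >&2
        return 1
    }
}

launch_chrome() {
    google-chrome \
        "--proxy-server=$(socks_proxy_url "$SOCKS_PORT")" \
        "--host-resolver-rules=$HOST_RESOLVER_RULES" &
}

if [ "${1:-}" = "--run" ]; then
    start_tunnel
    launch_chrome
fi
```

Run it as `./socks-chrome.sh --run`. Afterwards `ss -tn` (or `netstat -tn`) should show the SSH session as the only established connection to a non-loopback address; everything Chrome does rides inside it, which is why the phone only sees one connection.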

3

If you're using Firefox, search for "max-connections" settings in about:config.

Anything more complex than that likely requires traffic control / packet filtering / firewall -- for example, you can use Shorewall to do connection rate limiting: http://www.shorewall.net/ConnectionRate.html

Michael Chang

Posted 2011-06-08T16:46:22.097

Reputation: 31

Hrm, I prefer Chrome, but if there is no other way I could use Firefox – dylan murphy – 2011-06-16T16:14:33.940

2

You can add a rule to the netfilter/iptables firewall to do this for you. Netfilter consults the nat table concerning new connections (and the filter table per packet). You can rate-limit new connections using a single iptables command.

# within the limit: accept new web connections (the limit match cannot be negated with "!")
sudo iptables --table filter --append OUTPUT --protocol tcp -m multiport --destination-ports 80,443 \
    -m conntrack --ctstate NEW -m limit --limit 10/second --limit-burst 5 --jump ACCEPT
# over the limit: drop the remaining new connection attempts
sudo iptables --table filter --append OUTPUT --protocol tcp -m multiport --destination-ports 80,443 \
    -m conntrack --ctstate NEW --jump DROP

This command must be run as root. It matches all new (--table nat), TCP (--protocol tcp) connection attempts to ports 80 (HTTP) and 443 (HTTPS) (--destination-ports 80,443) which are above (!) the limit of 5 connection attempts per second (--limit 10/second), with an allowance of 5 extra connections (--limit-burst 5). It then instructs netfilter to completely ignore these packets (--jump DROP).

NB, you'll need to run this command every time you reboot your computer, which can be accomplished via a variety of mechanisms. You can throw this into a shell script, make it executable, and call it via a pre-up line in /etc/network/interfaces, if you use this file to configure your network and if you use a Debian variant.

A quick, easy hack would be to add this line to one of the important-looking start-up scripts under /etc/init.d/.

jpaugh

Posted 2011-06-08T16:46:22.097

Reputation: 1 212

This gives an error Bad argument 'tcp' for me on Ubuntu. – Stan James – 2015-08-11T16:27:51.723

Hrm, this is promising. I'm using Ubuntu 11.04 but am not very well versed with scripts; adding it to init.d does sound like it would be an easy solution to this problem. So I would just need to basically copy what you wrote in the answer into that file? – dylan murphy – 2011-06-21T12:17:57.440

This answer has two problems I can see: 1) It doesn't actually solve the problem at hand--it provides rate limiting, but not connection limiting. iptables does support connection limiting with --connlimit and cousins, however... 2) -j DROP or -j REJECT will not make for a friendly web experience, as web pages will time out (with DROP) or immediately show as broken/connection refused with REJECT. – Flimzy – 2011-06-23T08:12:20.497

Well, Peltier's answer is better, because it limits the connections to exactly one, without dropping anything, but this actually does rate-limit connections: the nat table is only used for new connections, and is often used to set up Network Address Translation (NAT). – jpaugh – 2011-06-24T22:46:46.513
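A boot-safe version of the rule above, as an added example that is not part of jpaugh's answer. It keeps the rate-limit rules in their own chain (the name WEB_RATE is an assumption) so the script can be re-run at every boot without piling up duplicate rules, uses the filter table's OUTPUT chain with a conntrack NEW match so that only connection attempts are counted, and accepts IPT=echo IPT_SAVE=true for a dry run that prints the rules instead of loading them. The rate of 10/second and burst of 5 are the answer's own numbers.

```shell
#!/bin/sh
# Added example, not the original answer's command. Rate-limits new outbound
# web connections in a dedicated chain so the script is safe to re-run.
# Assumptions: chain name WEB_RATE; IPT/IPT_SAVE overridable for a dry run.
set -eu

IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
CHAIN="WEB_RATE"

# Flush the chain if it already exists, otherwise create it.
reset_chain() {
    if "$IPT" -t filter -L "$CHAIN" -n >/dev/null 2>&1; then
        "$IPT" -t filter -F "$CHAIN"
    else
        "$IPT" -t filter -N "$CHAIN"
    fi
}

# Send new (SYN) connections to 80/443 from this host through the chain; the
# grep over iptables-save keeps a second run from adding a second jump.
hook_output() {
    "$IPT_SAVE" -t filter | grep -q -- "-j $CHAIN" ||
        "$IPT" -t filter -I OUTPUT -p tcp -m multiport --dports 80,443 \
            -m conntrack --ctstate NEW -j "$CHAIN"
}

apply_web_rate_limit() {
    rate="$1" burst="$2"
    reset_chain
    # Inside the token bucket: let the SYN out.
    "$IPT" -t filter -A "$CHAIN" -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    # Bucket empty: drop the SYN. The kernel retransmits it a few seconds
    # later, so the page stalls instead of the phone dropping off the network.
    "$IPT" -t filter -A "$CHAIN" -j DROP
    hook_output
}

if [ "${1:-}" = "--apply" ]; then
    apply_web_rate_limit "${RATE:-10/second}" "${BURST:-5}"
fi
```

Save it as, say, /usr/local/sbin/web-rate-limit, make it executable, and add `pre-up /usr/local/sbin/web-rate-limit --apply` to the interface stanza in /etc/network/interfaces (or run it by hand with sudo after each boot). `sudo iptables -t filter -L WEB_RATE -v -n` then shows two counters; the one on the DROP rule tells you how often the cap was actually hit, which is the quickest way to tune RATE and BURST against what the carrier tolerates.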

1

Per the Chromium thread "Issue 12066: Match Firefox's per-host connection limit of 15", the Chrome team believes 6 connections to a server is the correct upper bound.

Changing the number of connections above or below 6 will require building Chrome from source, or switching to Firefox.

Here are the default values in Firefox (3.5), which can be changed in about:config:

network.http.max-connections 30
network.http.max-connections-per-server 15
network.http.max-persistent-connections-per-proxy 8
network.http.max-persistent-connections-per-server 6
network.http.pipelining false
network.http.pipelining.maxrequests 4
network.http.proxy.pipelining false

Documentation per each of the above settings can be found in the MozillaZine Knowledge Base.

harrymc

Posted 2011-06-08T16:46:22.097

Reputation: 306 093

Yeah, @Michael already mentioned the Firefox bit; do you think near-future or beta versions might have the option to control that, since there have been others asking for it? – dylan murphy – 2011-06-17T12:44:28.153

I cannot answer for the Chrome team. In Firefox there are several variables to consider, per your needs. – harrymc – 2011-06-17T13:01:23.107
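A way to set those prefs without clicking through about:config, as an added example that is not part of harrymc's answer. It finds the default profile from profiles.ini and writes the three connection prefs into that profile's user.js, which Firefox applies on every start; any existing lines for the same prefs are replaced rather than duplicated. The values 8 and 4 and the ~/.mozilla/firefox/profiles.ini location are assumptions, and Firefox should be closed when the file is written.

```shell
#!/bin/sh
# Added example, not code from the original answer. Lowers Firefox's
# connection limits by writing user.js for the default profile.
# Assumptions: values 8/4 are illustrative; profiles.ini is in the usual place.
set -eu

# Print the directory of the profile flagged Default=1 in profiles.ini.
# Relative paths (IsRelative=1) are resolved against the ini's own directory.
firefox_profile_dir() {
    ini="$1"
    base=$(dirname "$ini")
    awk -v base="$base" '
        /^\[/ {
            if (def && path) { print (rel+0 ? base "/" path : path); def=0; exit }
            path=""; rel=1; def=0
        }
        /^Path=/       { path=substr($0, 6) }
        /^IsRelative=/ { rel=substr($0, 12) }
        /^Default=1$/  { def=1 }
        END { if (def && path) print (rel+0 ? base "/" path : path) }
    ' "$ini"
}

# Write (or replace) the connection prefs in the profile's user.js, keeping
# every other line the user already had in there.
write_connection_prefs() {
    profile="$1" max_total="$2" max_per_server="$3"
    userjs="$profile/user.js"
    tmp="$userjs.tmp"
    if [ -f "$userjs" ]; then
        grep -v -e 'network.http.max-connections"' \
                -e 'network.http.max-connections-per-server"' \
                -e 'network.http.max-persistent-connections-per-server"' \
                "$userjs" > "$tmp" || true
    else
        : > "$tmp"
    fi
    cat >> "$tmp" <<EOF
user_pref("network.http.max-connections", $max_total);
user_pref("network.http.max-connections-per-server", $max_per_server);
user_pref("network.http.max-persistent-connections-per-server", $max_per_server);
EOF
    mv "$tmp" "$userjs"
}

if [ "${1:-}" = "--apply" ]; then
    write_connection_prefs "$(firefox_profile_dir "$HOME/.mozilla/firefox/profiles.ini")" 8 4
fi
```

After `./firefox-connlimit.sh --apply` and a Firefox restart, about:config shows the three prefs as user-set; because user.js is re-read at each start, changes made in about:config to those prefs are overwritten again, so edit the script (or delete the lines from user.js) to tune them.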

1

For a low-level, command-line tool, try tc (traffic control). This tool is built to work with the networking stack of most new kernels, so it should be available on most systems by default, no install necessary.

For HTTP and tc: http://www.cyberciti.biz/faq/linux-traffic-shaping-using-tc-to-control-http-traffic/

man tc

http://wiki.openvz.org/Traffic_shaping_with_tc
http://www.topwebhosts.org/tools/traffic-control.php

Also worth reading http://www.faqs.org/docs/Linux-HOWTO/Bandwidth-Limiting-HOWTO.html

nelaaro

Posted 2011-06-08T16:46:22.097

Reputation: 9 321

Unfortunately, as I mention in bold in the question, I do not want to throttle bandwidth; that isn't the problem. Verizon does not seem to care how quickly you download, they only seem to care about the number of connections being made. – dylan murphy – 2011-06-22T12:59:40.350

0

Trickle is a utility that will do this for you.

Click here for more info

Trickle packages are available for most Linux distributions and BSD.

Here's a link to info for Trickle on the latest version of Ubuntu, with download links

It's probably available through either the Ubuntu Software Center or Synaptic Package Manager also.

Here's a link for Fedora

bwall

Posted 2011-06-08T16:46:22.097

Reputation: 1 354

Awesome, I'm downloading now. I saw someone suggest that elsewhere for bandwidth throttling, but that's not what I want; if it can just throttle requests then it's perfect – dylan murphy – 2011-06-08T17:23:18.030

Unfortunately, as far as I can tell, I was right: all it does is bandwidth throttling, and as I tried to make clear, that is very much not the problem. – dylan murphy – 2011-06-08T17:32:59.423

for really cool tool – nelaaro – 2011-06-21T12:39:52.503

This tool clearly does not meet the requirements of the question, as it limits bandwidth, not connections. – Flimzy – 2011-06-23T08:19:14.767

0

I suspect the best way to do this system-wide is to use an HTTP proxy. You could then optionally configure it as a transparent proxy to force all connections to use it, but it's easier (and has fewer limitations) to just configure your web browsers manually.

The main reason to do this with a proxy, rather than with iptables, is so that it doesn't anger your web browser. By using -j DROP, as suggested in another answer, you're essentially discarding the TCP connection entirely, which means your browser will probably sit there waiting for a response until it times out, then will finally show you a half-loaded page, with broken windows, missing CSS, etc.

By using a proxy instead, the pending requests aren't dropped; they're just queued until there's room to continue.

Probably the simplest, lightest-weight configuration (that I've found so far) would be to install Tinyproxy and set the MaxClients value to the maximum number of outbound connections you want.

If you want to use Squid, perhaps because you just like overkill, or maybe you like its caching or other fancy whiz-bang features, the only outbound connection limit I see is on a per-peer basis. But this can still work. Set up two proxies, one as Squid, one as something else (perhaps Tinyproxy, hehe), and configure Tinyproxy as Squid's only peer with the max-conn setting set to your maximum number of connections. Then tell Squid to forward all requests through that peer by setting the never_direct option.

Flimzy

Posted 2011-06-08T16:46:22.097

Reputation: 4 168

I wish you had submitted this before the bounty expired. This sounds like the closest to what I wanted to accomplish; I'm going to try this when I get off work. – dylan murphy – 2011-06-23T13:04:30.400

OK, so I have Tinyproxy, and I changed the config file to a low MaxClients value. How do I know it is working? I tried tinyproxy -d at the terminal, thinking maybe it would show me that it was doing something. In any case, I will need to run this every time I reboot, right? – dylan murphy – 2011-06-23T18:13:36.483

I think I submitted it about 5 mins before the bounty expired, but no biggie... if it helps you, that's the main thing :) To test it, I would set MaxClients to 1, then try loading several pages at once... it should be pretty apparent that it's only actually loading one file at a time, if it's working. You could also run iptraf on your network interface; it has a mode that can show you all active TCP connections at the moment. You should only see a limited number of connections to port 80. – Flimzy – 2011-06-23T20:52:21.950
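The Tinyproxy setup plus a scripted version of the check above, as an added example that is not part of Flimzy's answer. The first function emits the config directives that matter for capping connections (merge them into the distribution's tinyproxy.conf rather than replacing it; port 8888 and MaxClients 3 are assumptions); the second counts established connections to ports 80 and 443 from ss -tn output, ignoring the loopback hop to the proxy itself, which is the same thing the answer suggests watching in iptraf. The ss column layout (state first, peer address fifth) is assumed.

```shell
#!/bin/sh
# Added example, not code from the original answer. Writes the Tinyproxy
# settings that matter for capping connections and checks, from the outside,
# that the cap holds. Assumptions: port 8888, MaxClients 3, ss(8) output layout.
set -eu

# Config directives for a loopback-only proxy serving N clients at once. Each
# client connection is handled by one Tinyproxy child with one upstream
# connection, so N also caps the concurrent outbound web connections.
tinyproxy_conf() {
    cat <<EOF
Port 8888
Listen 127.0.0.1
Allow 127.0.0.1
Timeout 600
MaxClients $1
EOF
}

# Count established connections to ports 80/443 in "ss -tn" output on stdin.
# Skips the header, the loopback hop to the proxy itself, and attempts still
# in SYN-SENT.
established_web_connections() {
    awk '$1 == "ESTAB" && $5 ~ /:(80|443)$/ && $5 !~ /^127\./ { n++ }
         END { print n + 0 }'
}

# Live check: exit non-zero if more than $1 web connections are up right now.
check_cap() {
    n=$(ss -tn | established_web_connections)
    [ "$n" -le "$1" ]
}

if [ "${1:-}" = "--check" ]; then
    check_cap "${2:-3}"
fi
```

Point Chrome at the proxy with `--proxy-server=http://127.0.0.1:8888` (or via gnome-network-properties, as in the SSH answer), open a dozen tabs, and run `./tinyproxy-cap.sh --check 3` in a loop; it exits non-zero the moment more than MaxClients web connections are established. The Ubuntu tinyproxy package installs an init script, so once it is enabled the proxy comes up on its own after a reboot and does not need to be started by hand.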