mod_evasive enabled globally, disabled per VirtualHost?
Hi. I'm trying to accomplish the following scenario in my httpd.conf: to enable mod_evasive globally (for all sites) on a webserver, but the module has to be disabled on a per-website (VirtualHost) basis if necessary. I couldn't find any reference on how to accomplish this in the documentation or through Google. Is this setup possible? Something along the lines of:
<VirtualHost example.com http://www.example.com>
# disable mod_evasive
</VirtualHost>
<VirtualHost *>
LoadModule evasive_module modules/mod_evasive.so
</VirtualHost>
Otherwise I'd have to enable mod_evasive globally, and disable Helicon Ape completely as a module per website (web.config, <modules><remove name="Helicon.Ape"/>) and I wouldn't want that.
It would be even better if the module could be disabled in a website's .htaccess file (SetEnv if mod_evasive is loaded and then UnSetEnv that var?)
Re: mod_evasive enabled globally, disabled per VirtualHost?
Hello,
You can't put the LoadModule directive inside VirtualHost. It should be enabled globally.
Then you put nothing in the VirtualHost you want to exclude and use the mod_evasive rules for the rest of the hosts (*):
LoadModule evasive_module modules/mod_evasive.so
<VirtualHost example.com http://www.example.com>
# nothing
</VirtualHost>
<VirtualHost *>
#Turn on
#optional directive (default value equals to 1024)
DOSHashTableSize 1024
#obligatory directives (if even one of them is not set, malfunctioning is possible)
DOSPageCount 10
DOSSiteCount 150
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</VirtualHost>
Please try and report the results.
Also, it would be good to know what exactly you are trying to achieve using mod_evasive. We might be able to provide a better solution.
Re: mod_evasive enabled globally, disabled per VirtualHost?
Hi Anton, thank you for your reply.
I'm trying to implement basic anti HTTP DDoS/brute-force security measures, either with Helicon Ape's mod_evasive or IIS Dynamic IP Restrictions.
Unfortunately, your suggestion doesn't work. I now have in my httpd.conf (and executed an iisreset after saving the httpd.conf):
[all loaded modules here]
LoadModule evasive_module modules/mod_evasive.so
<VirtualHost example.com example.com>
# nothing
</VirtualHost>
<VirtualHost *>
LoadModule evasive_module modules/mod_evasive.so
#optional directive (default value equals to 1024)
DOSHashTableSize 1024
#obligatory directives (if even one of them is not set, malfunctioning is possible)
DOSPageCount 10
DOSSiteCount 150
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 120
</VirtualHost>
And my client is still blocked on example.com after 10 requests (I use the 'ab' utility):
$ GET -uUsSed example.com
GET example.com
User-Agent: lwp-request/2.07
GET example.com --> 200 OK
[!snip!]
# ab -n 30 -c 11 http://www.example.com:80/
This is ApacheBench, Version 2.0.40-dev <$Revision: 1.146 $> apache-2.0
Server Software: Microsoft-IIS/8.0
Server Hostname: http://www.example.com
Server Port: 80
Complete requests: 30
Failed requests: 8
(Connect: 0, Length: 8, Exceptions: 0)
Write errors: 0
Non-2xx responses: 22
and directly after that:
Complete requests: 30
Failed requests: 0
Write errors: 0
Non-2xx responses: 30
$ GET -uUsSed example.com
GET example.com
User-Agent: lwp-request/2.07
GET example.com --> 403 Forbidden
(I had to break some URLs here and there: "Your message contains too many URLs. The maximum number of URLs allowed is 5.")
Regards,
Jan
Re: mod_evasive enabled globally, disabled per VirtualHost?
Apparently, the port number is mandatory in a <VirtualHost> directive? It works now with the following config:
LoadModule evasive_module modules/mod_evasive.so
<VirtualHost example.com:80>
# Nothing
</VirtualHost>
<VirtualHost *:80>
<IfModule evasive_module>
# Optional directive (default value equals to 1024)
DOSHashTableSize 2048
# Obligatory directives (if even one of them is not set, malfunctioning is possible)
DOSPageCount 10
DOSSiteCount 150
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 120
#DOSCloseSocket Off
</IfModule>
</VirtualHost>
Without the :80 it doesn't work.
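A way to confirm the result reported above, as an added example that is not part of the original thread: it reads two ApacheBench summaries, one for the exempted host and one for a host covered by `<VirtualHost *:80>`, and reports whether the exemption behaves as intended. The sample summaries are constructed, and `other.example` is a hypothetical hostname.

```python
import re

# Constructed ab summaries, modelled on the output quoted in the thread.
# "other.example" is a hypothetical site served by the <VirtualHost *:80> block.
EXEMPT_RUN = """Server Hostname:        example.com
Complete requests:      30
Failed requests:        0
"""
PROTECTED_RUN = """Server Hostname:        other.example
Complete requests:      30
Failed requests:        8
   (Connect: 0, Length: 8, Exceptions: 0)
Non-2xx responses:      22
"""
REPEAT_RUN = PROTECTED_RUN.replace("22", "30")  # rerun while still blocked

def count(text, label, default=None):
    m = re.search(rf"^{re.escape(label)}:\s+(\d+)", text, re.M)
    if m:
        return int(m.group(1))
    if default is None:
        raise ValueError(f"'{label}' not found in ab output")
    return default

def classify(text):
    complete = count(text, "Complete requests")
    # ab prints the "Non-2xx responses" line only when the count is non-zero.
    non_2xx = count(text, "Non-2xx responses", default=0)
    if complete == 0:
        raise ValueError("no completed requests, the run proves nothing")
    if non_2xx == 0:
        return "exempt"
    return "throttled" if non_2xx < complete else "all-rejected"

def verify(exempt_run, protected_run):
    """Return a list of problems; empty means the exemption works as intended."""
    problems = []
    if classify(exempt_run) != "exempt":
        problems.append("exempt vhost returned non-2xx: mod_evasive still applies")
    state = classify(protected_run)
    if state == "exempt":
        problems.append("protected vhost never rejected: DOS* section not applied")
    elif state == "all-rejected":
        problems.append("protected vhost rejected every request: client already "
                        "blocked or URL is non-2xx, rerun after DOSBlockingPeriod")
    return problems

if __name__ == "__main__":
    print(verify(EXEMPT_RUN, PROTECTED_RUN) or "config behaves as intended")
```

"Non-2xx responses" counts redirects and errors as well as 403s, so run the check against a URL that normally returns 200.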
Re: mod_evasive enabled globally, disabled per VirtualHost?
Hello,
It seems like a bug with <VirtualHost *>
Thanks for pointing at it.
Re: mod_evasive enabled globally, disabled per VirtualHost?
Anton wrote:
Hello,
It seems like a bug with <VirtualHost *>
Thanks for pointing at it.
Ah great, thanks.