DOSWhiteList in Helicon Ape mod_evasive
Once again I'm testing Helicon Ape's mod_evasive. I know it hasn't been tested in a while (mod_evasive_IIS_85-8-3681.html#p8871) and my earlier question on the DOSWhiteList directive wasn't answered (my <VirtualHost> question was answered, thanks for that).
The DOSWhiteList case:
The blogpost http://helicontech.blogspot.nl/2009/06/ ... n-ape.html mentions a directive called DOSWhiteList, to white list IP addresses. According to the documentation, it should accept wildcards: 127.0.0.*, and IPv6 addresses. Even though mod_evasive hasn't been tested in a while, is DOSWhiteList still supported in the latest version of Ape? I can't get it to work with wildcards in Helicon Ape version 3.1.0.233.
Works:
DOSWhiteList 127.0.0.1
Doesn't work:
DOSWhiteList 127.0.0.*
For anyone interested, the current mod_evasive configuration I'm testing with is:
Code:
<VirtualHost *:80>
<IfModule evasive_module>
DOSHashTableSize 4096
DOSPageCount 5
DOSSiteCount 65
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 120
DOSCloseSocket On
DOSWhiteList 127.0.0.1 10.11.111.* 10.11.12.*
DOSWhiteList 10.11.111.111 #because 10.11.111.* doesn't work
</IfModule>
</VirtualHost>
IPv6:
What notation should I use in IPv6 addresses for wildcards? To add 2001:10::/28, would 2001:10::* or 2001:10::.* suffice?
Re: DOSWhiteList in Helicon Ape mod_evasive
Hello.
Actually all modules and features of Helicon Ape are regularly tested using our automatic testing system. It tests all features of the product on a number of different operating systems, including a high load test, and it conducts approximately 2000 different integrity and functional tests each week on each of the supported OS. So it is not correct to say mod_evasive hasn't been tested in a while. It's just that we have not changed its code for a while, because current features work as designed and new features are not requested.
As for the DOSWhiteList directive, this might be an issue with the documentation. There can be only one IP address per directive. So your code must look like:
DOSWhiteList 127.0.0.1
DOSWhiteList 10.11.111.*
DOSWhiteList 10.11.12.*
As for IPv6 syntax please allow me to check with development.
Re: DOSWhiteList in Helicon Ape mod_evasive
Hello Yaroslav,
thank you for your reply.
Yaroslav wrote: Hello.
Actually all modules and features of Helicon Ape are regularly tested using our automatic testing system. It tests all features of the product on a number of different operating systems, including a high load test, and it conducts approximately 2000 different integrity and functional tests each week on each of the supported OS. So it is not correct to say mod_evasive hasn't been tested in a while. It's just that we have not changed its code for a while, because current features work as designed and new features are not requested.
Great. It was just what Anton said in mod_evasive_IIS_85-8-3681.html#p8871.
Yaroslav wrote: As for the DOSWhiteList directive, this might be an issue with the documentation. There can be only one IP address per directive. So your code must look like:
DOSWhiteList 127.0.0.1
DOSWhiteList 10.11.111.*
DOSWhiteList 10.11.12.*
Unfortunately, I still cannot get wildcards to work in a DOSWhiteList. My real, not munged configuration:
Code:
<IfModule evasive_module>
DOSHashTableSize 1024
DOSPageCount 5
DOSSiteCount 65
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 120
DOSCloseSocket Off
DOSWhiteList 127.0.0.1
DOSWhiteList 77.94.248.*
# DOSWhiteList 77.94.248.[munged]
DOSWhiteList 77.94.249.*
DOSWhiteList 77.94.250.*
DOSWhiteList 77.94.251.*
DOSWhiteList 77.94.252.*
DOSWhiteList ::1
DOSWhiteList 2a00:f60::.*
DOSWhiteList 2a00:f60::1:.*
DOSWhiteList 2a00:f60::2:.*
</IfModule>
I guessed the IPv6 syntax.
This doesn't whitelist my test machine running Apache benchmark (ab):
Code:
ab -v 10 -n 50 -c 10 http://my.example.net/wp-login.php
If I remove the # from # DOSWhiteList 77.94.248.[munged], the IP address is whitelisted... Looking at my HTTP logfiles, I'm sure the connection is made over IPv4 (there is no AAAA record for my.example.net test website).
Yaroslav wrote: As for IPv6 syntax please allow me to check with development.
Sure, of course.
Re: DOSWhiteList in Helicon Ape mod_evasive
Hello Yaroslav,
You promised to get back to me on the IPv6 whitelist syntax, did you find out how yet?
Anyway, I found mod_evasive is practically unusable in an enterprise hosting environment: clients are blocked when viewing large PDF documents because the browser (or PDF plugin) requests the file by Content-Range. This results in some 38 HTTP requests for a 4.1 MB large PDF file. I had mod_evasive set to 15 requests in one second (DOSPageCount 15, DOSPageInterval 1).
Regards,
Jan
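The blocking effect described in the last post, as an added example that is not part of the original thread and is not Helicon Ape's code: a simplified model of per-page counting with DOSPageCount 15 and DOSPageInterval 1, replayed over 38 range requests for one PDF. The counting rule, the IP addresses, the URI and the request timing are assumptions constructed for illustration.

```python
# Added illustration: simplified model of per-page request counting.
# The counting rule is an assumption, not Helicon Ape's actual implementation.
# Blocking periods (DOSBlockingPeriod) are not modelled; only the threshold is.

def replay(requests, page_count, page_interval, whitelist=frozenset()):
    """Replay (timestamp, ip, uri) tuples against a per-page limit.

    Returns (blocked, peak): the requests that exceed the limit, and the
    highest hit count each (ip, uri) pair reached within one interval.
    """
    window_start, hits, peak, blocked = {}, {}, {}, []
    for ts, ip, uri in sorted(requests):
        if ip in whitelist:          # exact-match whitelist entries only
            continue
        key = (ip, uri)
        # Start a new counting window once the interval has elapsed.
        if key not in hits or ts - window_start[key] >= page_interval:
            window_start[key], hits[key] = ts, 0
        hits[key] += 1
        peak[key] = max(peak.get(key, 0), hits[key])
        if hits[key] > page_count:
            blocked.append((ts, ip, uri))
    return blocked, peak

# Constructed sample: 38 range requests for one PDF inside one second,
# plus an ordinary client fetching a page three times.
PDF_CLIENT = "192.0.2.10"
PDF_URI = "/docs/report.pdf"
SAMPLE = [(i * 0.02, PDF_CLIENT, PDF_URI) for i in range(38)]
SAMPLE += [(i * 0.1, "192.0.2.20", "/index.html") for i in range(3)]

if __name__ == "__main__":
    blocked, peak = replay(SAMPLE, page_count=15, page_interval=1.0)
    print("requests over the limit:", len(blocked))
    print("peak hits per interval:", peak)
    # The peak for the PDF is the smallest DOSPageCount that lets it through.
    print("blocked with DOSPageCount=38:",
          len(replay(SAMPLE, page_count=38, page_interval=1.0)[0]))
```

Replaying real access-log entries through the same function before enabling the module shows which URLs legitimately exceed a candidate DOSPageCount.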