This will allow us greater control against abusive clients. Starting on secondary1 for now, which seems to be the biggest problem.
---
 manifests/servergroups/secondary.pp            |    1 +
 modules/mod_limitipconn/README                 |   10 ++++++++++
 modules/mod_limitipconn/files/limitipconn.conf |   18 ++++++++++++++++++
 modules/mod_limitipconn/manifests/init.pp      |   12 ++++++++++++
 4 files changed, 41 insertions(+), 0 deletions(-)
 create mode 100644 modules/mod_limitipconn/README
 create mode 100644 modules/mod_limitipconn/files/limitipconn.conf
 create mode 100644 modules/mod_limitipconn/manifests/init.pp
diff --git a/manifests/servergroups/secondary.pp b/manifests/servergroups/secondary.pp index b53cff9..d5d96e5 100644 --- a/manifests/servergroups/secondary.pp +++ b/manifests/servergroups/secondary.pp @@ -3,6 +3,7 @@ class secondaryMirror { include mirrorsize-secondary
include httpd::proxy + include mod_limitipconn::mod_limitipconn
httpd::certificate { "wildcard.fedoraproject.org": }
diff --git a/modules/mod_limitipconn/README b/modules/mod_limitipconn/README new file mode 100644 index 0000000..70a5550 --- /dev/null +++ b/modules/mod_limitipconn/README @@ -0,0 +1,10 @@ +===================== +mod_limitipconn +===================== + +----------- +Usage +----------- + +Apache module which allows web server administrators to limit the number of +simultaneous downloads permitted from a single IP address. diff --git a/modules/mod_limitipconn/files/limitipconn.conf b/modules/mod_limitipconn/files/limitipconn.conf new file mode 100644 index 0000000..fb33733 --- /dev/null +++ b/modules/mod_limitipconn/files/limitipconn.conf @@ -0,0 +1,18 @@ +# This module will not function unless mod_status is loaded and the +# "ExtendedStatus On" directive is set. So load only if mod_status is too. +<IfModule mod_status.c> + + # This is always needed + ExtendedStatus On + + # mod_limitipconn configuration + LoadModule limitipconn_module modules/mod_limitipconn.so + + # A global default configuration doesn't make much sense. See the README + # from the mod_limitipconn package for configuration examples. + + MaxConnPerIP 3 + OnlyIPLimit application/octet-stream + +</IfModule> + diff --git a/modules/mod_limitipconn/manifests/init.pp b/modules/mod_limitipconn/manifests/init.pp new file mode 100644 index 0000000..b643d9a --- /dev/null +++ b/modules/mod_limitipconn/manifests/init.pp @@ -0,0 +1,12 @@ + +class mod_limitipconn::mod_limitipconn { + package { mod_limitipconn: + ensure => present + } + + file { '/etc/httpd/conf.d/limitipconn.conf': + source => 'puppet:///mod_limitipconn/limitipconn.conf', + require => Package['httpd'], + notify => Service['httpd'] + } +}
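Review bot: The README's Usage section only describes what the Apache module does and says nothing about using the Puppet module. Suggest adding the line a node or server group needs (`include mod_limitipconn::mod_limitipconn`) and a pointer to files/limitipconn.conf as the place where the limit is set.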
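Review bot: In limitipconn.conf, `MaxConnPerIP 3` and `OnlyIPLimit application/octet-stream` sit at the top level of the `<IfModule mod_status.c>` block, directly under the comment saying a global default configuration doesn't make much sense. Consider wrapping the two directives in a `<Location>` or `<Directory>` for the download paths the limit is meant for, or dropping the comment if the global setting is intended. Because `LoadModule` is inside the same `<IfModule>`, a host without mod_status gets no limit and no error; a comment noting that, or a check in the manifest, would make the failure visible.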
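Review bot: In init.pp the `file` resource has `require => Package['httpd']` but nothing ties it to the `mod_limitipconn` package declared just above it, so the conf file with its `LoadModule` line can be put in place and httpd notified before `modules/mod_limitipconn.so` is installed. Suggest `require => [ Package['httpd'], Package['mod_limitipconn'] ]`. The file resource also sets no owner, group or mode, and the package title `mod_limitipconn` is an unquoted bareword while the file title is quoted; quoting it would be consistent.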
On Wed, Aug 19, 2009 at 11:10 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
This will allow us greater control against abusive clients. Starting on secondary1 for now, which seems to be the biggest problem.
manifests/servergroups/secondary.pp | 1 + modules/mod_limitipconn/README | 10 ++++++++++ modules/mod_limitipconn/files/limitipconn.conf | 18 ++++++++++++++++++ modules/mod_limitipconn/manifests/init.pp | 12 ++++++++++++ 4 files changed, 41 insertions(+), 0 deletions(-) create mode 100644 modules/mod_limitipconn/README create mode 100644 modules/mod_limitipconn/files/limitipconn.conf create mode 100644 modules/mod_limitipconn/manifests/init.pp
diff --git a/manifests/servergroups/secondary.pp b/manifests/servergroups/secondary.pp index b53cff9..d5d96e5 100644 --- a/manifests/servergroups/secondary.pp +++ b/manifests/servergroups/secondary.pp @@ -3,6 +3,7 @@ class secondaryMirror { include mirrorsize-secondary
include httpd::proxy
- include mod_limitipconn::mod_limitipconn
httpd::certificate { "wildcard.fedoraproject.org": }
diff --git a/modules/mod_limitipconn/README b/modules/mod_limitipconn/README new file mode 100644 index 0000000..70a5550 --- /dev/null +++ b/modules/mod_limitipconn/README @@ -0,0 +1,10 @@ +===================== +mod_limitipconn +=====================
+----------- +Usage +-----------
+Apache module which allows web server administrators to limit the number of +simultaneous downloads permitted from a single IP address. diff --git a/modules/mod_limitipconn/files/limitipconn.conf b/modules/mod_limitipconn/files/limitipconn.conf new file mode 100644 index 0000000..fb33733 --- /dev/null +++ b/modules/mod_limitipconn/files/limitipconn.conf @@ -0,0 +1,18 @@ +# This module will not function unless mod_status is loaded and the +# "ExtendedStatus On" directive is set. So load only if mod_status is too. +<IfModule mod_status.c>
- # This is always needed
- ExtendedStatus On
- # mod_limitipconn configuration
- LoadModule limitipconn_module modules/mod_limitipconn.so
- # A global default configuration doesn't make much sense. See the README
- # from the mod_limitipconn package for configuration examples.
- MaxConnPerIP 3
- OnlyIPLimit application/octet-stream
+</IfModule>
diff --git a/modules/mod_limitipconn/manifests/init.pp b/modules/mod_limitipconn/manifests/init.pp new file mode 100644 index 0000000..b643d9a --- /dev/null +++ b/modules/mod_limitipconn/manifests/init.pp @@ -0,0 +1,12 @@
+class mod_limitipconn::mod_limitipconn {
- package { mod_limitipconn:
- ensure => present
- }
- file { '/etc/httpd/conf.d/limitipconn.conf':
- source => 'puppet:///mod_limitipconn/limitipconn.conf',
- require => Package['httpd'],
- notify => Service['httpd']
- }
+}
1.6.2.5
Note that you should also think about people behind proxies. 3 could be really short.
On Wed, 19 Aug 2009, SmootherFrOgZ wrote:
On Wed, Aug 19, 2009 at 11:10 PM, Mike McGrath <mmcgrath@redhat.com> wrote:
This will allow us greater control against abusive clients. Starting on secondary1 for now, which seems to be the biggest problem.
manifests/servergroups/secondary.pp | 1 + modules/mod_limitipconn/README | 10 ++++++++++ modules/mod_limitipconn/files/limitipconn.conf | 18 ++++++++++++++++++ modules/mod_limitipconn/manifests/init.pp | 12 ++++++++++++ 4 files changed, 41 insertions(+), 0 deletions(-) create mode 100644 modules/mod_limitipconn/README create mode 100644 modules/mod_limitipconn/files/limitipconn.conf create mode 100644 modules/mod_limitipconn/manifests/init.pp
diff --git a/manifests/servergroups/secondary.pp b/manifests/servergroups/secondary.pp index b53cff9..d5d96e5 100644 --- a/manifests/servergroups/secondary.pp +++ b/manifests/servergroups/secondary.pp @@ -3,6 +3,7 @@ class secondaryMirror { include mirrorsize-secondary
include httpd::proxy
- include mod_limitipconn::mod_limitipconn
httpd::certificate { "wildcard.fedoraproject.org": }
diff --git a/modules/mod_limitipconn/README b/modules/mod_limitipconn/README new file mode 100644 index 0000000..70a5550 --- /dev/null +++ b/modules/mod_limitipconn/README @@ -0,0 +1,10 @@ +===================== +mod_limitipconn +=====================
+----------- +Usage +-----------
+Apache module which allows web server administrators to limit the number of +simultaneous downloads permitted from a single IP address. diff --git a/modules/mod_limitipconn/files/limitipconn.conf b/modules/mod_limitipconn/files/limitipconn.conf new file mode 100644 index 0000000..fb33733 --- /dev/null +++ b/modules/mod_limitipconn/files/limitipconn.conf @@ -0,0 +1,18 @@ +# This module will not function unless mod_status is loaded and the +# "ExtendedStatus On" directive is set. So load only if mod_status is too. +<IfModule mod_status.c>
- # This is always needed
- ExtendedStatus On
- # mod_limitipconn configuration
- LoadModule limitipconn_module modules/mod_limitipconn.so
- # A global default configuration doesn't make much sense. See the README
- # from the mod_limitipconn package for configuration examples.
- MaxConnPerIP 3
- OnlyIPLimit application/octet-stream
+</IfModule>
diff --git a/modules/mod_limitipconn/manifests/init.pp b/modules/mod_limitipconn/manifests/init.pp new file mode 100644 index 0000000..b643d9a --- /dev/null +++ b/modules/mod_limitipconn/manifests/init.pp @@ -0,0 +1,12 @@
+class mod_limitipconn::mod_limitipconn {
- package { mod_limitipconn:
- ensure => present
- }
- file { '/etc/httpd/conf.d/limitipconn.conf':
- source => 'puppet:///mod_limitipconn/limitipconn.conf',
- require => Package['httpd'],
- notify => Service['httpd']
- }
+}
1.6.2.5
Note that you should also think about people behind proxies. 3 could be really short.
I thought about that, I just pulled 3 out of the air to keep things cool while we're testing other network issues there, I have no idea what would be a recommended number there so I'm open to ideas.
-Mike
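The trade-off raised in this exchange, as an added example that is not part of the original thread or of the Fedora infrastructure code: replaying request start times and durations per client IP to see how many requests a given `MaxConnPerIP` value would refuse. The records are constructed (documentation IP ranges) and assumed to be already filtered to the content type the limit applies to; real input would come from an access log that records request duration.

```python
from collections import defaultdict

# Constructed sample, not real traffic: (client_ip, start_s, duration_s).
SAMPLE = (
    [("192.0.2.10", t, 60) for t in (0, 10, 20, 30)]     # shared proxy/NAT address
    + [("192.0.2.10", 100, 30)]
    + [("198.51.100.7", t, 300) for t in range(8)]       # one client, 8 parallel fetches
    + [("203.0.113.5", 0, 20), ("203.0.113.5", 50, 20)]  # ordinary single client
)

def peak_concurrency(records):
    """Highest number of overlapping requests seen per IP."""
    events = defaultdict(list)
    for ip, start, dur in records:
        events[ip] += [(start, 1), (start + dur, -1)]
    peaks = {}
    for ip, evs in events.items():
        cur = peak = 0
        for _, delta in sorted(evs):  # at equal times, ends (-1) sort before starts
            cur += delta
            peak = max(peak, cur)
        peaks[ip] = peak
    return peaks

def refused_at(records, limit):
    """Requests per IP that would arrive while `limit` are already in flight."""
    active = defaultdict(list)   # ip -> end times of accepted requests
    refused = defaultdict(int)
    for ip, start, dur in sorted(records, key=lambda r: r[1]):
        active[ip] = [end for end in active[ip] if end > start]
        if len(active[ip]) >= limit:
            refused[ip] += 1     # a refused request holds no slot
        else:
            active[ip].append(start + dur)
    return dict(refused)

if __name__ == "__main__":
    print("peak per IP:", peak_concurrency(SAMPLE))
    for limit in (3, 4, 8):
        print(f"limit {limit}: refused {refused_at(SAMPLE, limit)}")
```

On this sample a limit of 3 turns away one request from the shared address, while a limit of 4 refuses none from it and still caps the parallel downloader.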
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list