Hi dev@trafficserver.apache.org,

ATS has a feature to restrict the number of per-client connections ATS will receive: proxy.config.net.per_client.max_connections_in

The intention of the configuration is to mitigate certain DOS situations via malicious or otherwise misbehaving clients which consume an inordinate amount of resources by spinning up a lot of connections. It is possible, though, that certain clients can be expected to initiate a lot of connections to a box. For instance, certain networking configurations may result in ATS peers within a data center initiating many connections to each other. In such situations, it would be good to "allow list" a set of IP addresses for whom the per_client.max_connections_in will not be applied.

I've created a PR that demonstrates such a feature: https://github.com/apache/trafficserver/pull/12198

It adds *proxy.config.http.per_client.connection.allow_list.filename* as a configuration that points to a YAML file that contains a sequence of IP address ranges for whom per_client.max_connections_in will not be enforced. It is implemented with the libswoc net library used in other components in ATS, which supports the following formats:

    10.0.2.123             Ignore a single IP address.
    10.0.3.1-10.0.3.254    Ignore a range of IP addresses.
    10.0.4.0/24            Ignore a range of IP addresses specified by CIDR notation.

Here is an example YAML file ignoring some address ranges:

    allow_list:
      - 10.0.2.123
      - 172.16.0.0/20
      - 192.168.1.0/24

Please let me know if you have suggestions or concerns about this configuration.

Thanks,
Brian Neradt

-- 
"Come to Me, all who are weary and heavy-laden, and I will give you rest. Take My yoke upon you and learn from Me, for I am gentle and humble in heart, and you will find rest for your souls. For My yoke is easy and My burden is light." ~ Matthew 11:28-30
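To make the matching semantics of the three entry formats concrete, here is an added Python sketch that is not code from the PR and does not use libswoc: it parses the allow_list sequence with the standard ipaddress module and models how an allow-listed peer bypasses the per-client cap while every other client is counted. The YAML subset parser, the PerClientLimiter class and the sample list are constructed for illustration only.

```python
import ipaddress
# Constructed sample in the shape of the post's YAML (not the PR's own file).
ALLOW_LIST_YAML = """\
allow_list:
  - 10.0.2.123
  - 10.0.3.1-10.0.3.254
  - 172.16.0.0/20
"""
def parse_allow_list(text):
    """Parse the 'allow_list:' sequence into (first, last) address bounds; entries
    are a single address, an inclusive 'a-b' range, or a CIDR block (YAML subset)."""
    ranges, in_seq = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "allow_list:":
            in_seq = True
            continue
        if not in_seq or not line.startswith("- "):
            raise ValueError(f"unexpected line: {raw!r}")
        entry = line[2:].strip()
        if "-" in entry:  # 10.0.3.1-10.0.3.254
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {entry}")
        else:  # single address (treated as /32 or /128) or CIDR
            net = ipaddress.ip_network(entry, strict=False)
            lo, hi = net[0], net[-1]
        ranges.append((lo, hi))
    return ranges

def is_allow_listed(ranges, client_ip):
    """True if client_ip lies inside any configured range of the same IP version."""
    ip = ipaddress.ip_address(client_ip)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges)

class PerClientLimiter:
    """Hypothetical model of per_client.max_connections_in with the allow list exempting peers."""
    def __init__(self, max_connections_in, ranges):
        self.limit, self.ranges, self.active = max_connections_in, ranges, {}
    def admit(self, client_ip):
        """Return True if a new inbound connection from client_ip is accepted."""
        if is_allow_listed(self.ranges, client_ip):
            return True  # exempt from the cap, and not counted
        n = self.active.get(client_ip, 0)
        if n >= self.limit:
            return False  # at the per-client cap: reject
        self.active[client_ip] = n + 1
        return True
```

Note that an exempted entry is never counted at all, so a broad CIDR in the list removes the DOS protection for every address in it; keep entries as narrow as the peer topology allows.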