Hi Constantine,

1- I had almost decided to program a filter. However, I have found this solution:
http://stackoverflow.com/questions/3679465/find-number-of-active-sessions-created-from-a-given-client-ip/3679783#3679783
What do you think about it? I haven't tried it yet, but as far as I can tell it looks good. It would help me to know how many sessions exist for a certain IP. Knowing that, I could deny more sessions for that IP (even though the procedure to deny is not included in this code).

2- You don't need to authenticate to access the demo page, so in theory it should not need a session. However, I'm handling that page in the same way all the other pages -that require authentication- are being handled. I mean, all of them create a session if a session doesn't exist yet. Maybe I could improve that so the demo page would not create a session if it's the first page that the bot goes to, but what if in the future a bot goes to any other page at a high rate? The site would crash anyway. So I prefer to find a solution against too many sessions per IP, regardless of which pages have been visited.

3- Thanks a lot for reminding me about the manager tag. I had almost forgotten about it. However, the attribute "maxActiveSessions" limits the total of sessions among all the visitors, not specifically the total of sessions FOR A CERTAIN IP, or does it?

Thanks!

On Sun, Sep 30, 2012 at 3:24 AM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:

> 2012/9/30 Brian Braun <brianbr...@gmail.com>:
> > Hi,
> >
> > I'm using Tomcat 7.0.22 (+Ubuntu Linux + MySQL).
> >
> > I'm providing a geolocation service. My users invoke a URL in my server
> > (something like http://services.acme.com/locate?ip=......) providing the IP
> > address, and it responds with the geolocation info. This service must admit
> > a very high rate of queries, and it is doing it successfully now. This URL
> > doesn't create sessions in order to save resources, and because sessions
> > are not required after all. Each call is treated individually, no need to
> > link them in sessions. In other words, this is a RESTful service.
> >
> > Besides the service URL, I have a website in the form
> > http://www.acme.com ("www." instead of "services."). This website has a
> > demo page where visitors can type an IP address and see the response
> > (values, format, and an explanation of that). This website DOES create
> > sessions, because it is necessary given that the user logs in, uses his
> > account, manages his license codes, etc.
> >
> > The problem is that some people are requesting the demo URL at a very high
> > rate, instead of requesting the special service URL that has been designed
> > to provide the service returning a response in XML. When they request this
> > demo page at a very high rate, a ton of sessions are being created and
> > Tomcat ultimately collapses. Basically, the RAM is exhausted, Tomcat gets
> > slower and slower, and dies at the end. In other words, this is something
> > similar to a DOS attack (Denial Of Service).
> > I need to solve this. I need a way to limit the number of sessions that are
> > being created for the same IP, and in the same host under Tomcat, so if
> > these people start doing this, the app will stop them.
> > It is very important to be able to apply a solution just to the "www"
> > website, not to the other "services." subdomain, so the solution must not
> > be global to the Tomcat engine.
> >
> > What would you recommend as a strategy?
> > Is there some kind of valve that I can use in the server.xml file to solve
> > this?
> > Should I create a filter that does this? Is a filter the best place to
> > implement a solution?
> > Is there a way to inspect the API and get the list of current sessions? Or
> > do I need to build my own list at the application scope, most likely using
> > the events when a session is created or destroyed to update this list?
> > Is there a solution already built? Or do I have to program one from
> > scratch?
> >
> > Note: I want to solve it at the host or context level. Not at the Tomcat
> > engine level, or at the Linux level (IPTables/firewall), or adding Apache
> > HTTPD server before Tomcat.
> >
>
> 1. You can write a Filter.
>
> 2. Your requests to your demo page are authenticated? If yes, maybe
> you can track abuse from there (and ban abusers). If not, do you need
> a session for those pages?
>
> 3. <Manager maxActiveSessions="..." />
> https://tomcat.apache.org/tomcat-7.0-doc/config/manager.html
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
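The per-IP cap the thread is converging on (a Filter that refuses to create a new session once an address already holds a configured number of live ones, plus an HttpSessionListener that frees the slot when Tomcat expires the session), written here as an added example rather than code from either poster or from the linked answer. The class name, the session attribute names and the limit of 20 are assumptions; it targets Servlet 3.0 as shipped with Tomcat 7 and stays compatible with Java 6.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

// Example only, not code from the thread: cap live sessions per client IP inside one web
// application, so it binds to the "www" context rather than the whole Tomcat engine.
@WebFilter("/*")
@WebListener
public class PerIpSessionLimiter implements Filter, HttpSessionListener {
    static final int MAX_SESSIONS_PER_IP = 20;   // assumed limit, tune for your site
    static final String IP_ATTR = "limiter.ip", COUNTER_ATTR = "limiter.counter";
    // Shared by the filter instance and the listener instance Tomcat creates from this class.
    static final ConcurrentMap<String, AtomicInteger> COUNTS = new ConcurrentHashMap<String, AtomicInteger>();
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (request.getSession(false) != null) {   // already has a session: nothing to account for
            chain.doFilter(req, res);
            return;
        }
        String ip = request.getRemoteAddr();       // behind a proxy, put RemoteIpValve in front
        AtomicInteger count = COUNTS.get(ip);
        if (count == null) {                       // Java 6 friendly put-if-absent
            AtomicInteger fresh = new AtomicInteger();
            count = COUNTS.putIfAbsent(ip, fresh);
            if (count == null) count = fresh;
        }
        // Claim the slot before creating the session and give it back if over the cap, so a
        // burst of parallel first requests from one IP cannot all pass the check together.
        if (count.incrementAndGet() > MAX_SESSIONS_PER_IP) {
            count.decrementAndGet();
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
            return;
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(IP_ATTR, ip);         // lets sessionDestroyed release exactly this slot
        session.setAttribute(COUNTER_ATTR, count);
        chain.doFilter(req, res);
    }
    public void sessionDestroyed(HttpSessionEvent se) {   // fires on expiry or invalidate()
        AtomicInteger count = (AtomicInteger) se.getSession().getAttribute(COUNTER_ATTR);
        // Drop the map entry only while it still holds this very counter, never a newer one.
        if (count != null && count.decrementAndGet() <= 0) COUNTS.remove(se.getSession().getAttribute(IP_ATTR), count);
    }
    public void sessionCreated(HttpSessionEvent se) { }
    public void init(FilterConfig fc) { } public void destroy() { }
}
```

Because filters and listeners belong to a single web application, deploying this class in the www webapp leaves the "services." context untouched, and it gives the per-address limit that the Manager's maxActiveSessions (a per-context total across all clients) does not.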