Hi,
This is my infrastructure, from the point of view of what my users/attackers are facing:

- Amazon Web Services Elastic Load Balancer
- 2 or more Ubuntu Linux VPSs behind the load balancer
- IPTables running inside Ubuntu
- JVM 1.6.0_35-b10
- Tomcat 7.0.33
- My app, running inside Tomcat

I want to stop it if one person starts making an excessive amount of requests to my app, maybe because he needs to make all those requests but didn't know there is a service limit in the RESTful service I'm providing, maybe because he doesn't care about the service limits, or maybe because he wants to attack me with a DoS.

I can do it at the app level using a servlet filter, and I'm already filtering them by IPs there, but that is not the best solution because the HTTP requests will go all the way to my app, causing a lot of work for the previous layers (from the OS to the app).

I can also do it at the Tomcat level using valves, even at the engine level, but the same concern applies here: too much previous effort. Besides that, I cannot update the offending IPs registered in the valve in a programmatic way (as I can do using servlet filters and a MySQL database containing the offending IPs).

I can NOT do it at the IPTables level, because the real IP address is in the "x_forwarded_for" header and IPTables deals with TCP/IP, not with HTTP. Or at least, even if there is a way to create a rule, it will not run in an efficient way.

I will NOT be able to do it at the load balancer level, because Amazon doesn't allow us to stop some IPs there, not to mention a way to stop a DoS.

I have been doing some research, and it seems that I have two good options: installing Apache HTTPD server or NGINX before Tomcat. I know a lot about Tomcat, but almost nothing about Apache HTTPD and nothing about NGINX. Which one would you recommend to me?

This is what I'm looking for:

- To be able to evaluate the x_forwarded_for header to recognize the real IP address (because there will be a load balancer in front)
- To be able to limit the rate of requests based on the IP making them, letting it enter my site at a slower rate, or if that is not possible, to reject the excessive requests.
- To place this new layer (HTTPD or NGINX) between the load balancer and Tomcat, so Tomcat will still run the app. My app has been written in Java and I love Java/Tomcat, so this will definitely existing.
- Speed, low resource consumption (mainly CPU and RAM), stability, reliability.
- Easy to learn, install and maintain.

Which one would you recommend, Apache or NGINX? I guess it would be better to use Apache because of all the documentation and information out there, and it would not harm me to finally learn about Apache. But I read somewhere that NGINX is especially fast and light in doing this (stopping DoS). However, I read that it is easier to connect HTTPD and Tomcat, while it is not that easy with NGINX/Tomcat.

Or is there a better solution to stop users making an excessive amount of requests, using just Tomcat? Is there a filter somewhere that could help me, or a valve I haven't heard of?

Tia,
Brian
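As an added illustration of the NGINX option (this is example configuration written for this thread, not something from Brian's setup or from any reply): it takes the client address from X-Forwarded-For only when the request comes from the load balancer's network, keys the request-rate limit on that address, and proxies everything else to Tomcat. The trusted CIDR, the zone name, the Tomcat port and the rate values are placeholders to adjust.

```nginx
http {
    # Only believe X-Forwarded-For when the TCP peer is the load balancer;
    # otherwise a direct client could spoof the header and evade the limit.
    # 10.0.0.0/8 is a placeholder for the ELB/VPC range, not a known AWS value.
    set_real_ip_from 10.0.0.0/8;
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;   # walk the chain right-to-left past trusted hops

    # Shared-memory bucket keyed by the (now rewritten) client address.
    # 10m holds roughly 160k distinct addresses; rate is the steady state.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
    # Rejected requests get 429 instead of the default 503 (needs nginx 1.3.15+).
    limit_req_status 429;

    upstream tomcat {
        server 127.0.0.1:8080;   # placeholder: Tomcat HTTP connector on the same VPS
    }

    server {
        listen 80;

        location / {
            # burst=20 queues up to 20 excess requests and drains them at 10r/s,
            # i.e. the client is slowed down rather than dropped. Append
            # "nodelay" to reject the excess immediately instead of delaying it.
            limit_req zone=perip burst=20;

            proxy_pass http://tomcat;
            proxy_set_header Host            $host;
            # Forward the full chain so the app-level filter still sees it.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP       $remote_addr;
        }
    }
}
```

Because the limit is evaluated in NGINX before any byte reaches Tomcat, the JVM never sees the rejected or delayed requests, which is the cost Brian wants to avoid at the filter and valve layers.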