-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Brian,
On 1/12/13 6:56 PM, Brian Braun wrote: > I can NOT do it at the IPTables level, because the real IP address > is in the "x_forwarded_for" header and IPTables deals with TCP/IP, > not with HTTP. Or at least, even if there is a way to create a > rule, it will not run in an efficient way. What makes you think that using a bizarre iptables configuration to check X-Forwarded-For headers would be slower in iptables than, say, httpd or nginx? Are you using SSL between the lb and Tomcat? If so, then iptables almost definitely won't work (or will be a total pain, as you say). > I will NOT be able to do it a the load balancer level, because > Amazon doesn't allow us the stop some IPs there, not to mention a > way to stop a DoS. You can do it, but it's a total PITA because you have to reverse all your inbound rules. They don't currently offer blacklisting, it seems :( > I have been doing some reasearch, and it seems that I have two > good options: Installing Apache HTTPD server or NGINX, before > Tomcat. I know a lot about Tomcat, but almost nothing about Apache > HTTPD and nothing about NGINX. Which one would you recommend me? Don't overlook squid, which was built for HTTP proxying. On 1/13/13 8:22 AM, André Warnier wrote:> Brian Braun wrote: > Based on these elements, I would recommend having a look at > mod_evasive in Apache httpd. I would also recommend looking at mod_qos, which is a separate package not included with httpd. > Note that all 3 connection methods above already include options > for load-balancing the Tomcat back-ends, if you would see any > advantage in suppressing the "Amazon web service Elastic Load > balancer" layer. NB: I've been evaluating ELB versus httpd-based lb and it turns out that an ELB costs a bit more than a "tiny" EC2 instance that could probably handle everything you need for an httpd-based lb. On the other hand, ELB gives you an lb that you don't have to configure and keep up-to-date, other than maintaining the back-end server list and keeping the SSL certificate(s) up-to-date (if you need that kind of thing). > To restate the obvious : No matter at which level you do the > rate-limiting or DOS-protection, it is going to cost some overhead > somewhere. Generally-speaking however, if the point is to limit > and discard at the request level, it is better to do it as early > as possible. +1 I'm actually quite surprised that Amazon doesn't offer blacklisting as part of the ELB setup. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with undefined - http://www.enigmail.net/ iEYEAREIAAYFAlD0QR4ACgkQ9CaO5/Lv0PA6KACfVuVRZvAiBj366z/zp88B6bsX yFwAmgKgESUzgKIAgow09KgTY8hDai2P =/3Ns -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
