[PATCH] Adding mod_limitipconn

SmootherFrOgZ lxtnow at gmail.com
Wed Aug 19 21:36:50 UTC 2009


On Wed, Aug 19, 2009 at 11:10 PM, Mike McGrath<mmcgrath at redhat.com> wrote:
> This will allow us greater control against abusive clients.
> Starting on secondary1 for now which seems to be the biggest problem.
> ---
>  manifests/servergroups/secondary.pp            |    1 +
>  modules/mod_limitipconn/README                 |   10 ++++++++++
>  modules/mod_limitipconn/files/limitipconn.conf |   18 ++++++++++++++++++
>  modules/mod_limitipconn/manifests/init.pp      |   12 ++++++++++++
>  4 files changed, 41 insertions(+), 0 deletions(-)
>  create mode 100644 modules/mod_limitipconn/README
>  create mode 100644 modules/mod_limitipconn/files/limitipconn.conf
>  create mode 100644 modules/mod_limitipconn/manifests/init.pp
>
> diff --git a/manifests/servergroups/secondary.pp b/manifests/servergroups/secondary.pp
> index b53cff9..d5d96e5 100644
> --- a/manifests/servergroups/secondary.pp
> +++ b/manifests/servergroups/secondary.pp
> @@ -3,6 +3,7 @@ class secondaryMirror {
>     include mirrorsize-secondary
>
>     include httpd::proxy
> +    include mod_limitipconn::mod_limitipconn
>
>     httpd::certificate { "wildcard.fedoraproject.org": }
>
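
Review bot: The include lands in the secondaryMirror class itself, while the commit message says the rollout starts on secondary1 only. If more than one node includes this servergroup class, all of them get the connection limit at once. Either put the include on the secondary1 node definition for the trial, or reword the commit message to say the whole group is covered.
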
> diff --git a/modules/mod_limitipconn/README b/modules/mod_limitipconn/README
> new file mode 100644
> index 0000000..70a5550
> --- /dev/null
> +++ b/modules/mod_limitipconn/README
> @@ -0,0 +1,10 @@
> +=====================
> +mod_limitipconn
> +=====================
> +
> +-----------
> +Usage
> +-----------
> +
> +Apache module which allows web server administrators to limit the number of
> +simultaneous downloads permitted from a single IP address.
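
Review bot: The Usage section only restates what the Apache module does and never says how to use this Puppet module. It should name the class to include (mod_limitipconn::mod_limitipconn), the file it manages (/etc/httpd/conf.d/limitipconn.conf) and the limits it ships (MaxConnPerIP 3, OnlyIPLimit application/octet-stream), so the next admin knows where to change them.
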
> diff --git a/modules/mod_limitipconn/files/limitipconn.conf b/modules/mod_limitipconn/files/limitipconn.conf
> new file mode 100644
> index 0000000..fb33733
> --- /dev/null
> +++ b/modules/mod_limitipconn/files/limitipconn.conf
> @@ -0,0 +1,18 @@
> +# This module will not function unless mod_status is loaded and the
> +# "ExtendedStatus On" directive is set. So load only if mod_status is too.
> +<IfModule mod_status.c>
> +
> +    # This is always needed
> +    ExtendedStatus On
> +
> +    # mod_limitipconn configuration
> +    LoadModule limitipconn_module modules/mod_limitipconn.so
> +
> +    # A global default configuration doesn't make much sense. See the README
> +    # from the mod_limitipconn package for configuration examples.
> +
> +    MaxConnPerIP 3
> +    OnlyIPLimit application/octet-stream
> +
> +</IfModule>
> +
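
Review bot: The comment above MaxConnPerIP says a global default configuration doesn't make much sense, yet the two directives after it set exactly that at server scope. Either scope MaxConnPerIP 3 and OnlyIPLimit application/octet-stream to the download paths being abused (a <Location> or <Directory> block), or replace the comment with one explaining why a server-wide limit is intended here. The limit is counted per source address, so a comment recording how 3 was chosen would help whoever tunes it later. Separately, ExtendedStatus On is now set for the whole server; if a server-status handler is reachable on these hosts, confirm its access restrictions, since it will show per-request detail.
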
> diff --git a/modules/mod_limitipconn/manifests/init.pp b/modules/mod_limitipconn/manifests/init.pp
> new file mode 100644
> index 0000000..b643d9a
> --- /dev/null
> +++ b/modules/mod_limitipconn/manifests/init.pp
> @@ -0,0 +1,12 @@
> +
> +class mod_limitipconn::mod_limitipconn {
> +    package { mod_limitipconn:
> +        ensure => present
> +    }
> +
> +    file { '/etc/httpd/conf.d/limitipconn.conf':
> +        source => 'puppet:///mod_limitipconn/limitipconn.conf',
> +        require => Package['httpd'],
> +        notify => Service['httpd']
> +    }
> +}
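
Review bot: The file resource requires Package['httpd'] but not the mod_limitipconn package declared just above it, so nothing orders the config file after the module is installed. If the conf file lands first, the httpd notify fires with a LoadModule line pointing at a .so that is not on disk yet. Suggest require => [ Package['httpd'], Package['mod_limitipconn'] ], and quoting the package title ('mod_limitipconn') to match the quoted file title. The file resource also sets no owner, group or mode; stating them explicitly keeps the deployed permissions from depending on defaults.
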
> --
> 1.6.2.5
>

Note that you should also think about people behind proxies. 3 could
be really short.


-- 
Xavier.t Lamien
--
http://fedoraproject.org/wiki/XavierLamien
GPG-Key ID: F3903DEB
Fingerprint: 0F2A 7A17 0F1B 82EE FCBF 1F51 76B7 A28D F390 3DEB



