Klunky Blog

Apache mod_qos module

I was asked to implement rate limiting on Apache and my first thought was mod_sec. Mod_sec turned out to be too complicated with too much of an overhead. Something lighter and easier should be sought. mod_qos worked :)

After installing the modules - qos setenvif setenvifplus - add this into your conf.d/mod_qos.conf,

    SetEnvIfPlus Request_URI %string% QS_Limit
    QS_ClientEventLimitCount 5 10
    QS_ErrorResponseCode 509
    <Location />
    ResponseSetEnvIfPlus QS_ErrorNotes 067 RATELIMITED=1
    ResponseHeaderPlus set Retry-After 10 env=RATELIMITED
    </Location>

Checks if more than 5 requests witin 10 seconds with %string%, and sends back http code 509 and a message asking to retry 10 seconds later.

Play nice please with my web server.