Install and configure Apache2 QOS module in Debian Squeeze

Friday March 09, 2012

QOS stands for quality of service. mod_qos is an open source Apache2 module that can protect your server from various kinds of abusive access or attacks. A detailed list of what mod_qos can do to protect your server can be found on its website.

In this post, we will demonstrate how to configure Apache2 with mod_qos to limit the number of connections per IP address, disconnect slow clients that might be tying up the server, limit the number of active TCP connections to keep the server from running out of resources, and limit bandwidth and the number of connections to some locations.

We begin by downloading QOS from SourceForge. The latest version is 10.3. We will use this version for purposes of this demonstration.

Once downloaded, untar the file like this:

tar xvfz mod_qos-10.3.tar.gz

Then issue the following commands to build and install the module from source. From this point on, make sure that you have root access.

cd mod_qos-10.3/apache2
apxs2 -i -c mod_qos.c -lcrypto -lpcre

apxs2 will install mod_qos.so into /usr/lib/apache2/modules. If apxs2 is not found on your system, install it along with the other essential build tools (see below) and then reissue the apxs2 command. If the build step cannot find libcrypto or libpcre, install libssl-dev and libpcre3-dev as well.

apt-get update
apt-get install apache2-threaded-dev build-essential

Installation and configuration

Using your favorite editor, create qos.load and qos.conf in /etc/apache2/mods-available with the following contents.

/etc/apache2/mods-available/qos.load

# Edited 4/5/2013 
LoadModule qos_module  /usr/lib/apache2/modules/mod_qos.so

/etc/apache2/mods-available/qos.conf

<IfModule mod_qos.c>
     # Connection level
     #
     # Maximum number of active TCP connections is limited to 256
     # (limited by the available memory; adjust the setting to the
     # hardware in use). Debian also sets MaxClients in the MPM section
     # of apache2.conf, so keep the two values consistent.
     MaxClients              256
     #
     # Disables keep-alive when 70% of the TCP connections are occupied
     # (180 of 256)
     QS_SrvMaxConnClose      180
     #
     # Defines the minimum upload/download throughput a client must
     # generate, in bytes per second, before the connection is closed.
     # See the comments further down below.
     QS_SrvMinDataRate       150      1200
     #
     # Allow only 50 connections per IP address
     QS_SrvMaxConnPerIP      50
     #
     # Block clients that frequently violate some basic rules (don't allow
     # more than 20 violations within 5 minutes)
     QS_ClientEventBlockCount 20 300
     QS_SetEnvIfStatus        400               QS_Block
     QS_SetEnvIfStatus        401               QS_Block
     QS_SetEnvIfStatus        403               QS_Block
     QS_SetEnvIfStatus        404               QS_Block
     QS_SetEnvIfStatus        405               QS_Block
     QS_SetEnvIfStatus        406               QS_Block
     QS_SetEnvIfStatus        408               QS_Block
     QS_SetEnvIfStatus        411               QS_Block
     QS_SetEnvIfStatus        413               QS_Block
     QS_SetEnvIfStatus        414               QS_Block
     QS_SetEnvIfStatus        417               QS_Block
     QS_SetEnvIfStatus        500               QS_Block
     QS_SetEnvIfStatus        503               QS_Block
     QS_SetEnvIfStatus        505               QS_Block
     QS_SetEnvIfStatus        QS_SrvMinDataRate QS_Block
     QS_SetEnvIfStatus        NullConnection    QS_Block
     #
     # URL request level
     #
     # Limit concurrent requests to location /app/images to 100
     QS_LocRequestLimit       /app/images       100
     #
     # Limit the download bandwidth in /app/downloads to 640 KB/s
     QS_LocKBytesPerSecLimit  /app/downloads    640
</IfModule>

Save both files, enable the module and restart apache2.

a2enmod qos
/etc/init.d/apache2 restart

More on QS_SrvMinDataRate

QS_SrvMinDataRate <bytes per second> [<max bytes per second> [<connections>]] defines the minimum upload/download throughput a client must generate (the bytes sent/received by the client per second). This bandwidth is measured while receiving request data (request line, header fields, or body), sending response data (header fields, body) and during keep-alive. The client connection is closed if the client does not fulfill this required minimal data rate, and the IP address of the offending client is marked so that it is handled with low priority (see the QS_ClientPrefer directive).

The "max bytes per second" activates dynamic minimum throughput control: The required minimal throughput is increased in parallel to the number of concurrent clients sending/receiving data (starts increasing when reaching the "connections" threshold). The "max bytes per second" setting is reached when the number of sending/receiving clients is equal to the MaxClients setting.

The "connections" argument is used to specify the number of busy TCP connections a server must have to enable this feature (0 by default). It is used to disable the QS_SrvMinDataRate rule enforcement on idle servers.

Please be careful when setting values for QS_SrvMinDataRate; robots/spiders could potentially be blocked.
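To see how the values above interact, here is an added Python script (not part of the original post or of mod_qos itself) that parses the connection-level directives from the qos.conf shown earlier, checks them for settings that would make the limits ineffective, and models the dynamic QS_SrvMinDataRate threshold. The sample configuration is constructed from this post, and the linear ramp between the two data rates is an assumption drawn from the description above.

```python
# Constructed sample: the connection-level directives from the qos.conf above.
SAMPLE_CONF = """
MaxClients              256
QS_SrvMaxConnClose      180   # keep-alive off at ~70% of MaxClients
QS_SrvMinDataRate       150      1200
QS_SrvMaxConnPerIP      50
"""

def parse_qos_conf(text):
    """Return {directive: [args, ...]}, ignoring blank lines and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf

def required_min_rate(conf, busy_connections):
    """Bytes/s a client must sustain while `busy_connections` connections are
    busy, or None when the rule is off (idle server). Assumption: linear ramp
    from <bytes per second> at the <connections> threshold to <max bytes per
    second> at MaxClients ('increased in parallel to the number of clients')."""
    args = conf["QS_SrvMinDataRate"]
    min_rate = int(args[0])
    max_rate = int(args[1]) if len(args) > 1 else min_rate
    start = int(args[2]) if len(args) > 2 else 0
    max_clients = int(conf["MaxClients"][0])
    if busy_connections <= start:
        return None
    if busy_connections >= max_clients:
        return max_rate
    above = busy_connections - start
    return min_rate + (max_rate - min_rate) * above // (max_clients - start)

def keepalive_close_percent(conf):
    """Percentage of MaxClients in use when QS_SrvMaxConnClose disables keep-alive."""
    return 100 * int(conf["QS_SrvMaxConnClose"][0]) // int(conf["MaxClients"][0])

def check_conf(conf):
    """Warnings for values that would make the limits above ineffective."""
    max_clients = int(conf["MaxClients"][0])
    rate = conf["QS_SrvMinDataRate"]
    checks = [
        (int(conf["QS_SrvMaxConnClose"][0]) >= max_clients, "QS_SrvMaxConnClose >= MaxClients: never triggers"),
        (int(conf["QS_SrvMaxConnPerIP"][0]) >= max_clients, "QS_SrvMaxConnPerIP >= MaxClients: one IP can fill the server"),
        (len(rate) > 1 and int(rate[1]) < int(rate[0]), "QS_SrvMinDataRate: max bytes/s is below the minimum"),
    ]
    return [msg for failed, msg in checks if failed]
```

With the sample values, a client must sustain 675 bytes/s when half of the 256 slots are busy and 1200 bytes/s when the server is full, which is the point at which slow but legitimate crawlers start to be disconnected.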

Please visit the mod_qos website for many more options, including how to configure the Apache logs to include mod_qos statistics. Documentation is also included in the tarball.

That's it. Good luck.
