
I looked at mod_bandwidth and mod_cban but they don't seem to satisfy my requirements.

I am running a proxy server with apache 2.2 (mod_proxy, proxy_http, proxy_connect).

I want to limit the "upload speed of the client".

This is at the same time server download bandwidth, which should not be limited.

I want it per connection or even better per IP.

To make it understandable: The use case is that I don't want bad people uploading bad data to bad places using my proxy server to "mask" themselves. Of course I have logs and everything but I want to save the trouble and make it unattractive in the first place.

For better understanding here is a picture of my setup:

(image of the proxy setup not preserved)

Of course the red arrow could also point to the upper left arrow.

I am currently thinking about starting apache two times on the same server on different ports and using ProxyRemote to send the request to the other proxy. So on the second proxy I can exclude localhost from the throttling. However I would still need a solution to limit incoming but not outgoing bandwidth. I could realise that with IPtables.

But honestly? There must be a better way. There just has to.

The Shurrican

2 Answers


iptables in combination with tc should be able to do this if OP is on Linux. iptables has a module called connbytes that can match on the number of bytes that have passed the stream so far. Use this to "mark" packets in streams that have sent too many bytes. For example, you may have one rule that marks all packets in streams between 1 MByte and 10 MBytes with mark "1" and another one that marks all packets in streams longer than 10 MBytes with mark "2".

Then you set up traffic shaping classes for default (== below 1 Mbyte), for mark "1" and mark "2".

The advantage of this solution is that you need not penalize users unless they collectively consume too much bandwidth. The disadvantage is that these are somewhat complex tools that take some reading to wrap your head around.

iptables and tc are included in most distros. You may also want to look at tcng, which makes it radically simpler to formulate tc rule sets.

Bittrance
  • I still see how this solves the problem of telling downstream that comes from users apart from downstream that is an origin fetch by the proxy server? – The Shurrican Jul 18 '11 at 11:32
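The following is an added worked example of the connbytes-plus-tc approach this answer describes; it is not code from the answer or from any of the projects mentioned. It assumes the proxy's upstream interface is `eth1` (`WAN_IF`), tiers at 1 MiB and 10 MiB, and arbitrary rates; all of those are placeholders to adjust. It marks in the mangle OUTPUT chain on the proxy's own connections towards the origin and shapes that egress with HTB, which back-pressures the client's upload through TCP flow control. It also goes one step beyond the answer to address the comment above: the tiering chain is only entered for connections whose original (proxy to origin) direction has a large average packet size, so the ACK stream of a big download, whose original-direction bytes are many small packets, is never marked and never throttled. The script prints the commands by default and only executes them with `DRY_RUN=0` as root.

```shell
#!/bin/sh
# Added example: tier client uploads with iptables connbytes marks and HTB
# classes keyed on those marks. Interface name, thresholds and rates are
# assumptions for illustration, not values from the thread.
WAN_IF="${WAN_IF:-eth1}"
TIER1_FROM=1048576          # 1 MiB already sent by the proxy towards the origin
TIER2_FROM=10485760         # 10 MiB
MIN_AVG_PKT=500             # request bodies average large packets; pure ACK streams do not
LINE_RATE="${LINE_RATE:-100mbit}"
TIER1_RATE="${TIER1_RATE:-512kbit}"
TIER2_RATE="${TIER2_RATE:-64kbit}"

# iptables rules: only connections whose original (proxy -> origin) direction
# carries large packets on average enter the tiering chain. Inside the chain,
# the bytes already sent in that direction select mark 1 or mark 2.
mark_rules() {
    printf '%s\n' \
      "iptables -t mangle -N UPLOAD_TIER" \
      "iptables -t mangle -A OUTPUT -o $WAN_IF -p tcp -m connbytes --connbytes $MIN_AVG_PKT: --connbytes-dir original --connbytes-mode avgpkt -j UPLOAD_TIER" \
      "iptables -t mangle -A UPLOAD_TIER -m connbytes --connbytes $TIER1_FROM:$((TIER2_FROM - 1)) --connbytes-dir original --connbytes-mode bytes -j MARK --set-mark 1" \
      "iptables -t mangle -A UPLOAD_TIER -m connbytes --connbytes $TIER2_FROM: --connbytes-dir original --connbytes-mode bytes -j MARK --set-mark 2"
}

# tc rules: HTB on the upstream interface, an unthrottled default class and one
# capped class per mark; the fw filters route packets by their mark.
tc_rules() {
    printf '%s\n' \
      "tc qdisc add dev $WAN_IF root handle 1: htb default 10" \
      "tc class add dev $WAN_IF parent 1: classid 1:10 htb rate $LINE_RATE" \
      "tc class add dev $WAN_IF parent 1: classid 1:11 htb rate $TIER1_RATE ceil $TIER1_RATE" \
      "tc class add dev $WAN_IF parent 1: classid 1:12 htb rate $TIER2_RATE ceil $TIER2_RATE" \
      "tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle 1 fw flowid 1:11" \
      "tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle 2 fw flowid 1:12"
}

# Number of commands the two generators produce (sanity check before applying).
rule_count() {
    { mark_rules; tc_rules; } | wc -l | tr -d ' '
}

# Print every command; execute them only when DRY_RUN=0 (requires root).
apply_rules() {
    { mark_rules; tc_rules; } | while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ "${DRY_RUN:-1}" = "0" ]; then
            eval "$cmd"
        fi
    done
}

apply_rules
```

Run it once without arguments to review the generated rules, then `DRY_RUN=0 sh tier-uploads.sh` to apply them. Because shaping happens where the request body leaves the proxy, the reply direction (the origin's response streaming back to the client) is never placed in a throttled class, which is the asymmetry the question asks for.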

Your question seems interesting :). Your request seems actually possible with apache + squid + squid delay pools + squid external acl (to filter requests based on headers).

http://wiki.squid-cache.org/Features/DelayPools

http://www.squid-cache.org/Doc/config/external_acl_type/

The external acl type is the key which you can use to filter requests based on the header (POST) to apply the speed limitation.

SparX
  • Sounds interesting. I am currently thinking of something probably easier involving squid. I am currently thinking of running one proxy that ProxyRemotes to another proxy on the same machine, but the other one listens on 127.0.0.2 instead of 127.0.0.1. Then I can implement a downstream limit on that second proxy for 127.0.0.1. I just have to manage making a downstream limit while not limiting upstream, but that should be possible. – The Shurrican Jul 19 '11 at 17:56