vmod throttle xmlrpc protection does not work as expected
georgi.int at gmail.com
Fri Apr 15 11:24:48 CEST 2016
Btw, the following configuration, with ip and client.ip instead, does not
work either:
if ((req.url ~ "(wp-login.php|xmlrpc.php)")) {
    if(throttle.is_allowed("ip:" + client.ip, "10req/s") > 0s) {
        error 429 "Calm down";
        shield.conn_reset();
    }
}
On 04/15/2016 10:33 AM, georgi.int at gmail.com wrote:
> I am using the following implementation to limit attacks on
> wp-login.php and xmlrpc.php, but when I test with apache benchmark (or
> there is an attack) with 1000 concurrent requests and the following
> configuration, only 5 requests out of 1000 fail:
>
> if ((req.url ~ "(wp-login.php|xmlrpc.php)")) {
>     if(throttle.is_allowed("host:" + req.http.host, "10req/s") > 0s) {
>         error 429 "Calm down";
>         shield.conn_reset();
>     }
> }
>
> Is this normal behavior, and why are so few requests
> blocked? Is there any info that describes how these requests are handled
> and a solution to this problem? If I set the throttle to 1 request it
> works, but this is super stupid and I can't understand why with a 10
> requests/s limit the throttle does nothing. If I can't solve this
> issue I will have to replace Varnish with something else, so I will be
> really thankful if you can help with this.