vmod throttle xmlrpc protection does not work as expected
georgi.int at gmail.com
georgi.int at gmail.com
Fri Apr 15 09:33:00 CEST 2016
I am using the following implementation to limit the attack to
wp-login.php and xmlrpc.php, but when I test with apache benchmark (or
there is an attack) from 1000 concurrent requests with the following
configuration only 5 requests are failed from 1000 :
if ((req.url ~ "(wp-login.php|xmlrpc.php)")) {
if(throttle.is_allowed("host:" + req.http.host, "10req/s") > 0s) {
error 429 "Calm down";
shield.conn_reset();
}
}
Is this a normal behavior and why so little number of requests is
blocked? Is there an info that describe how these requests are handled
and solution of this problem? If I set the throttle to 1 requests it
works but this is super stupid and I can't understand why on 10
requests/s limit the throttle does nothing. If I can't solve this issue
I should change the varnish with something other so I will be really
thankfull if you help with this.
More information about the varnish-misc
mailing list