2012/9/30 Brian Braun <brianbr...@gmail.com>:
> Hi,
>
> I'm using Tomcat 7.0.22 (+Ubuntu Linux + MySQL).
>
> I'm providing a geolocation service. My users invoke a URL in my server
> (something like http://services.acme.com/locate?ip=......) providing the IP
> address, and it responds with the geolocation info. This service must admit
> a very high rate of queries, and it is doing it successfully now. This URL
> doesn't create sessions in order to save resources, and because sessions
> are not required after all. Each call is treated individually, no need to
> link them in sessions. In other words, this is a RESTful service.
>
> Besides the service URL, I have a website in the form
> http://www.acme.com ("www." instead of "services."). This website has a
> demo page where visitors can type an IP address and see the response
> (values, format, and an explanation of that). This website DOES create
> sessions, because it is necessary given that the user logs in, uses his
> account, manages his license codes, etc.
>
> The problem is that some people are requesting the demo URL at a very high
> rate, instead of requesting the special service URL that has been designed
> to provide the service returning a response in XML. When they request this
> demo page at a very high rate, a ton of sessions are being created and
> Tomcat ultimately collapses. Basically, the RAM is exhausted, Tomcat gets
> slower and slower, and dies at the end. In other words, this is something
> similar to a DoS attack (Denial of Service).
>
> I need to solve this. I need a way to limit the number of sessions that are
> being created for the same IP, and in the same host under Tomcat, so if
> these people start doing this, the app will stop them.
>
> It is very important to be able to apply a solution just to the "www"
> website, not to the other "services." subdomain, so the solution must not
> be global to the Tomcat engine.
>
> What would you recommend as a strategy?
> Is there some kind of valve that I can use in the server.xml file to solve
> this?
> Should I create a filter that does this? Is a filter the best place to
> implement a solution?
> Is there a way to inspect the API and get the list of current sessions? Or
> do I need to build my own list at the application scope, most likely using
> the events when a session is created or destroyed to update this list?
> Is there a solution already built? Or do I have to program one from scratch?
>
> Note: I want to solve it at the host or context level. Not at the Tomcat
> engine level, or at the Linux level (IPTables/firewall), or adding Apache
> HTTPD server before Tomcat.
>
1. You can write a Filter.

2. Your requests to your demo page are authenticated? If yes, maybe you can
track abuse from there (and ban abusers). If not, do you need a session for
those pages?

3. <Manager maxActiveSessions="..." />
https://tomcat.apache.org/tomcat-7.0-doc/config/manager.html

Best regards,
Konstantin Kolinko
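Putting points 1 and 3 of the reply together, here is an added example of what such a Filter can look like; it is illustrative code, not something from the thread or from Tomcat itself. It caps live sessions per client address inside one web application (deployed in the "www" context, so the stateless "services" host is untouched) and pairs it with the per-context `<Manager maxActiveSessions>` ceiling as a hard backstop. The class name, the per-IP limit of 20, the 429 status and the `Retry-After` value are assumptions chosen for the example; it targets the Servlet 3.0 API that Tomcat 7 provides, registering itself through annotations (a `<filter>`/`<listener>` pair in web.xml works identically).

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Hypothetical example (not Tomcat code): limits how many live sessions one
 * client address may hold in THIS web application. Drop it into the "www"
 * webapp only; the "services" context never sees it.
 *
 * Pair it with a hard per-context ceiling in META-INF/context.xml of the same
 * webapp, so even a distributed flood cannot exhaust the heap:
 *   <Context>
 *     <Manager maxActiveSessions="5000"/>   <!-- assumed value -->
 *   </Context>
 */
@WebFilter(urlPatterns = "/*")
@WebListener
public class SessionPerIpFilter implements Filter, HttpSessionListener {

    /** Assumed limit of concurrent sessions a single address may own. */
    static final int MAX_SESSIONS_PER_IP = 20;

    /** Live session count per client address. */
    static final Map<String, AtomicInteger> LIVE = new ConcurrentHashMap<String, AtomicInteger>();
    /** Session id -> address that created it, so we can decrement on expiry. */
    static final Map<String, String> OWNER = new ConcurrentHashMap<String, String>();

    private static AtomicInteger counter(String ip) {
        AtomicInteger n = LIVE.get(ip);
        if (n == null) {
            AtomicInteger fresh = new AtomicInteger();
            n = LIVE.putIfAbsent(ip, fresh);
            if (n == null) n = fresh;
        }
        return n;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A request that already carries a valid session cannot create another one.
        if (request.getSession(false) != null) {
            chain.doFilter(req, res);
            return;
        }

        // getRemoteAddr() is the TCP peer. Behind a reverse proxy configure Tomcat's
        // RemoteIpValve first, otherwise every visitor shares the proxy's address.
        String ip = request.getRemoteAddr();
        AtomicInteger live = counter(ip);

        // Reserve the slot BEFORE running the page, so a burst of parallel first
        // requests from one address cannot all pass the check and then all create
        // sessions.
        if (live.incrementAndGet() > MAX_SESSIONS_PER_IP) {
            live.decrementAndGet();
            response.setHeader("Retry-After", "60");
            response.sendError(429, "Too many sessions from this address");
            return;
        }
        boolean created = false;
        try {
            chain.doFilter(req, res);
            HttpSession s = request.getSession(false);
            if (s != null && s.isNew()) {
                OWNER.put(s.getId(), ip);
                created = true;
            }
        } finally {
            if (!created) live.decrementAndGet();   // page did not create a session
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent e) {
        // Bookkeeping happens in doFilter: the listener has no access to the request.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent e) {
        String ip = OWNER.remove(e.getSession().getId());
        if (ip == null) return;
        AtomicInteger live = LIVE.get(ip);
        // Drop the counter when it reaches zero so the map does not grow with every
        // address ever seen. A racing request may briefly keep an orphaned counter,
        // which can only undercount for that one request, never block a legitimate one.
        if (live != null && live.decrementAndGet() <= 0) LIVE.remove(ip, live);
    }

    @Override public void init(FilterConfig c) { }
    @Override public void destroy() { }
}
```

The filter only answers the "too many sessions per address" question; the `maxActiveSessions` setting is what actually guarantees the heap survives, because it is enforced by the Manager regardless of which code path created the session. Both are context-scoped, which is exactly the constraint in the question: nothing touches server.xml, the Engine, or the other host.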