Hi,

Or you can do this in HAProxy:
http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

HAProxy and Varnish work pretty well together ;)
HAProxy will even protect you against slowloris and some other types of attacks.

cheers

On Fri, Mar 9, 2012 at 6:09 PM, Damon Snyder <[email protected]> wrote:
> Another way of doing this is nginx in front of varnish. See the limit_*
> directives in nginx http://wiki.nginx.org/HttpLimitZoneModule#limit_zone. It
> depends on your application, but typically, if you have an abusive
> client(s), you end up serving a lot of the requests from varnish so your
> apache processes never see the bulk of the requests. Additionally, your
> apache threads are a more finite resource, so you want to keep them from all
> being occupied by the flood of requests if you can.
>
> Hope this helps,
> Damon
>
>
> On Fri, Mar 9, 2012 at 1:35 AM, Gianni Carabelli <[email protected]> wrote:
>>
>> Hi all.
>> I've got a few servers with varnish + apache on loopback.
>> Modsecurity mitigates the problem only on the apache side, but fails with
>> apache + varnish.
>> I'm using mod_rpaf to get the right ip address, but probably something
>> goes wrong.
>>
>> I would like to take another approach and try to block the attack
>> completely in varnish.
>> In apache, some directives say: "if there are enough connections from this
>> ip in READ/WRITE state, reject incoming connections from that ip"
>> Is there a way to do so in varnish?
>>
>> Thanks
>>
>> JohnnyRun
>>
>> _______________________________________________
>> varnish-misc mailing list
>> [email protected]
>> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
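
The per-client limits that Damon's reply points to, sketched as an nginx front end for Varnish. This is an added example, not configuration posted in the thread: it uses `limit_conn_zone`/`limit_conn`, which replaced the `limit_zone` directive in nginx 1.1.8, and the Varnish address, the zone names and all numeric limits are assumptions to be tuned per site.

```nginx
# Added example: nginx as the edge, Varnish behind it on loopback.
# Zone names, limits and the Varnish address are assumptions.
http {
    # One shared-memory slot per client address (10 MB each zone).
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=20r/s;

    # Drop clients that send headers or bodies too slowly, so they
    # cannot hold connections open in the read state indefinitely.
    client_header_timeout 10s;
    client_body_timeout   10s;

    upstream varnish {
        server 127.0.0.1:6081;   # assumed Varnish listen address
    }

    server {
        listen 80;

        # Reject (503 by default) once one address holds more than
        # 20 concurrent connections or exceeds the request rate.
        limit_conn perip_conn 20;
        limit_req  zone=perip_req burst=40 nodelay;

        location / {
            # nginx is the first hop, so overwrite any client-supplied
            # X-Forwarded-For instead of appending to it; Varnish and
            # Apache then see the address nginx actually accepted.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $host;
            proxy_pass http://varnish;
        }
    }
}
```

Because the limits are enforced before the request reaches Varnish, rejected connections never consume a Varnish or Apache worker. Clients behind a shared NAT count as one address, so set the thresholds with that in mind.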
