Wondering how to set up a rate limit for IP addresses in your DigitalOcean account? We can help you.
Here at Bobcares, we often receive requests from our customers to set up rate limiting on their DigitalOcean account, that is, to block IP addresses that send too many requests.
Today let’s see how our support engineers set this up for our customers as a part of our Server Management Services.
Steps to set up rate limit for IP addresses in Digitalocean
Generally, there is no direct option to rate limit IPs in the DigitalOcean control panel. However, we can do it using the built-in functionality of NGINX or using mod_ratelimit on Apache.
Nginx
The ngx_http_limit_req_module allows us to limit the request processing rate per defined key. In particular, it allows us to limit the processing rate of requests coming from a single IP address.
The limiting is done using the “leaky bucket” method. We can set it up with the following steps:
Open nginx.conf using the following command:
vi /etc/nginx/nginx.conf
Then define a shared memory zone where the request states are stored. This must go inside the http {} container:
http {
    [...]
    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    [...]
}
Then we must put this in a location ~ \.php$ {} container:
[...]
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    limit_req zone=one burst=5;
}
[...]
Here, limit_req zone=one burst=5; ties this location to the shared memory zone we defined before, so the rate limit is 1r/s with a burst of 5.
It means that if we exceed the rate limit, the following requests are delayed. And if more requests are waiting in the queue than the burst parameter allows, the extra ones are rejected with a 503 error.
If we do not want the burst requests to be delayed, we can use the nodelay option as given below; requests within the burst are then served immediately, and only those beyond it get the 503:
[...]
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    limit_req zone=one burst=5 nodelay;
}
[...]
Finally, we have to reload Nginx using the following command:
/etc/init.d/nginx reload
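To see what rate=1r/s combined with burst=5, burst=5 nodelay, and no burst actually do to a run of requests from one IP, here is an added Python model of the limit_req leaky-bucket decision. It is example code written for this article, not nginx's own code; it mirrors nginx's bookkeeping in thousandths of a request but is a simplified model, and the request timings are constructed.

```python
"""Model of nginx limit_req: excess is tracked in 1/1000 of a request, as nginx does."""
from typing import List, Optional, Tuple


class LimitReqKey:
    """State for one key in a limit_req_zone (here: one client IP)."""

    def __init__(self, rate_rps: float, burst: int = 0, nodelay: bool = False):
        self.rate = int(rate_rps * 1000)    # requests per second, scaled by 1000
        self.burst = burst * 1000           # burst=, in the same units
        self.nodelay = nodelay
        self.excess = 0                     # requests above the rate, scaled
        self.last_ms: Optional[int] = None  # time of the last accounted request

    def check(self, now_ms: int) -> Tuple[str, int]:
        """Decide the fate of a request arriving at now_ms.
        Returns ("pass" | "delay" | "503", delay_ms)."""
        if self.last_ms is None:            # first request: zone entry created, excess 0
            self.last_ms = now_ms
            return ("pass", 0)
        leaked = self.rate * (now_ms - self.last_ms) // 1000  # bucket drains at rate
        excess = max(0, self.excess - leaked + 1000)           # plus this request
        if excess > self.burst:
            return ("503", 0)               # over the burst: rejected, state unchanged
        self.excess, self.last_ms = excess, now_ms
        if self.nodelay or excess == 0:
            return ("pass", 0)
        return ("delay", excess * 1000 // self.rate)  # queued until the bucket allows it


def run(arrivals_ms: List[int], rate_rps: float, burst: int = 0,
        nodelay: bool = False) -> List[Tuple[str, int]]:
    """Feed one IP's request arrival times (in ms) through the limiter."""
    key = LimitReqKey(rate_rps, burst, nodelay)
    return [key.check(t) for t in arrivals_ms]


# Constructed input: 8 requests 100 ms apart, then one more at 1 s.
ARRIVALS = [0, 100, 200, 300, 400, 500, 600, 700, 1000]

if __name__ == "__main__":
    print("burst=5        ", run(ARRIVALS, 1, burst=5))
    print("burst=5 nodelay", run(ARRIVALS, 1, burst=5, nodelay=True))
    print("no burst       ", run(ARRIVALS, 1))
```

With burst=5 the first request passes, the next five are queued with growing delays, the two after that are rejected, and without any burst every request inside the same second after the first one is rejected.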
Apache
The mod_evasive module is an Apache module that helps our server keep running even when it is under attack.
Installing mod_evasive
Debian / Ubuntu
To install the mod_evasive module on Debian / Ubuntu, we can use the following:
sudo apt install libapache2-mod-evasive
CentOS / RedHat
To install the mod_evasive module on RedHat / CentOS:
First, add the EPEL repository:
sudo yum install epel-release
Then, enter the following command to install mod_evasive:
sudo yum install mod_evasive
Configuring mod_evasive
We need to make the following changes in the configuration file as the first step for preventing DDoS attacks:
1. Open the configuration file in a text editor:
Debian / Ubuntu:
sudo nano /etc/apache2/mods-enabled/evasive.conf
RedHat / CentOS:
sudo nano /etc/httpd/conf.d/mod_evasive.conf
2. Then we need to find the following entry:
#DOSEmailNotify you@yourdomain.com
and remove the # sign. Use an email address that we check regularly so that we can keep an eye on the alerts.
3. We have to remove the comment tag from the following entries as well. As a result, the file will look like the following:
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify mail@yourdomain.com
DOSLogDir "/var/log/apache2/"
4. After that we have to save the file and exit.
Finally, we need to reload the Apache service using the following:
Debian / Ubuntu:
sudo systemctl reload apache2
RedHat / CentOS:
sudo systemctl restart httpd.service
Parameters and Settings of mod_evasive
There are many mod_evasive parameters; some of them are as follows:
DOSSystemCommand: Specifies a system command to run when an IP address is added to the blacklist. We can use this to launch a command that adds the IP address to a firewall or IP filter.
DOSHashTableSize: Allocates space for the lookup operations. Increasing the size improves speed at the cost of memory.
DOSPageCount: The number of requests for the same page by the same IP address that triggers blacklisting.
DOSSiteCount: The total number of requests for the same site by the same IP address. By default, this is set to 50. We can increase it up to 100 to reduce false positives.
DOSPageInterval: The number of seconds over which DOSPageCount is counted. By default, this is set to 1 second. That means that if we don’t change it, requesting 2 pages in 1 second will temporarily blacklist an IP address.
DOSSiteInterval: Similar to DOSPageInterval, this option specifies the number of seconds over which DOSSiteCount is counted. By default, this is set to 1 second.
DOSBlockingPeriod: The amount of time (in seconds) an IP address stays on the blacklist.
DOSLogDir: By default, this is set to write logs to /var/log/mod_evasive.
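As an added example of wiring DOSSystemCommand to a firewall (written for this article, not shipped with mod_evasive): mod_evasive substitutes the blacklisted address for %s, so the hook has to treat that argument as untrusted input and validate it before doing anything with it. The script path, the trusted range and the use of iptables are assumptions, and since the hook runs as the Apache user, a sudoers rule restricted to this script is assumed as well.

```python
#!/usr/bin/env python3
"""DOSSystemCommand hook: validate the address mod_evasive hands over before
blocking it. Assumed configuration line in evasive.conf:
    DOSSystemCommand "sudo /usr/local/bin/evasive_block.py %s"
"""
import ipaddress
import logging
import subprocess
import sys
from typing import List, Optional

# Constructed example: a trusted range that must never be firewalled even if it
# gets blacklisted (monitoring hosts, our own load balancer). Mirrors DOSWhitelist.
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]


def block_command(raw_ip: str) -> Optional[List[str]]:
    """Return the argv that blocks raw_ip, or None if it must be skipped.
    Parsing with ipaddress and passing an argv list (never a shell string) means
    the value substituted for %s can never be interpreted as shell syntax."""
    try:
        ip = ipaddress.ip_address(raw_ip.strip())
    except ValueError:
        return None                                 # not an IP literal: refuse
    if ip.is_loopback or ip.is_link_local or any(ip in n for n in TRUSTED):
        return None                                 # never lock ourselves out
    tool = "iptables" if ip.version == 4 else "ip6tables"
    return [tool, "-I", "INPUT", "-s", str(ip), "-j", "DROP"]


def main(argv: List[str]) -> int:
    logging.basicConfig(level=logging.INFO, format="evasive_block: %(message)s")
    if len(argv) != 2:
        logging.error("usage: evasive_block.py <ip>")
        return 2
    cmd = block_command(argv[1])
    if cmd is None:
        logging.warning("skipped %r", argv[1])
        return 0
    # The firewall rule does not expire with DOSBlockingPeriod; clean it up separately.
    subprocess.run(cmd, check=False)
    logging.info("blocked %s via %s", argv[1], cmd[0])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```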
Create Directory for Logs
We can create a new directory to store these Apache logs. While doing this we must make sure to change the owner to the Apache user, and then update the location in the configuration file.
We can do this using the following commands:
sudo mkdir /var/log/apache/mod_evasive
sudo chown -R apache:apache /var/log/apache/mod_evasive
Then open the configuration file again:
sudo nano /etc/apache2/mods-enabled/evasive.conf
and set the log directory to the new path:
DOSLogDir "/var/log/apache/mod_evasive"
Whitelisting IP addresses: This option isn’t included in the evasive.conf file by default.
However, we can open the file again and add the following line:
DOSWhitelist XXX.XXX.XXX.XXX
DOSWhitelist XXX.XXX.XXX.*
This is typically used with a trusted client that exchanges a lot of data with the website. Also, this tool is good at detecting bots and scripts.
After making the changes we must save the file and exit.
Finally, we need to reload the Apache service.
Conclusion
In short, we saw how our Support Engineers set up rate limit for IP Addresses in DigitalOcean for our customers.