[Page 1, 2 Next]

Topic: Available mod_qos :: updated

[1]

Topic: Available mod_qos :: updated

[Steffen]

03 June 2023 update to v11.74, see below

mod_qos is a quality of service (QoS) module for the Apache HTTP server implementing control mechanisms that can provide different priority to different requests.

For years only on *nix. And now our HTTPD developer Rainer Jung has made code changes to support Windows, many Thanks!

The module is able to protect your server from various kinds of malicious access or attacks. It has tons of options, including for DoS attacks, limit the number of requests to a URL, limit the number of concurrent connections etc.

Download : https://www.apachelounge.com/download/


Documentation http://mod-qos.sourceforge.net/ and https://en.wikipedia.org/wiki/Mod_qos


Discussion with Rainer can you find at https://www.apachelounge.com/viewtopic.php?t=8854
there is also a smoke test example.

Config :

Enable /mod_unique_id.so

LoadModule qos_module modules/mod_qos.so

<Location /qos>
SetHandler qos-viewer
</Location>

http://localhost/qos gives you an overview.


Enjoy

Note:
Maybe better for people needing to do load limiting it is a much better solution than starting with mod_security just for that purpose. And the other alternatives, like mod_evasive and mod_bw are rather limited.

[puertoblack2003]

testing now.So far no issue :thumbsup:

[puertoblack2003]

so lookin at this in my log

[rjung]

The core:error line is independent of mod_qos and would occur even without mod_qos loaded. So apache itself rightfully denies that request as a bad request. The %2e is percent encoding for ".", so someone tries to make a path traversal attack including many /../ but decodes them hoping this will circumvent for access rules. mod_qos has a check, whether Apache could successfully decode the URL (it could not in this case) and logs its own warning in addition to Apache. The overall web server behavior does not change in this case.

You can try with and without mod_qos e.g. using a http client, that does not itself decode the percent encoded URL but instead sends it as is to the server. e.g.:

curl -v -k "https://myserver/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts"

Thanks for testing and using the module!

Best regards,

Rainer

[Steffen]

Did some testing:

When I set:

[rjung]

Hi Steffen,
the two directives QS_RequestHeaderFilter and QS_ResponseHeaderFilter are decorated dirrferently in the source code of the module. Wheres as request one can be used inside and outside of <Directory> and <Location>, the response one must be used inside of <Directory> or <Location>. So that one can't be used directly top level in the global server config or a virtual host config. Not sure why this is the case, but at least that part of the code explains the "not allowed here". I could ask the author whether it is intentional, but as a workaround you could use <Location />. Not saying it is actually a good general setting to activate the response header filter.

The warning when activating strict request header validation are probably expected. One would have to add more allowed headers with QS_RequestHeaderFilterRule. But I think using this module for too much of request checking one slowly gets into the realm of mod_security. IMHO the strenghts of mod_qos are by enforcing definable metric limits as max concurrency, request and event rates. This limits can be defined very flexible and use to prevent from overload situations and also to react on application specific things like brute force login attacks.

Thanks and regards,

Rainer

[puertoblack2003]

should we continue here in this thread results of testing?

steffen pointed out a sample config , which iI'm currently using.

[rjung]

A comment on the log lines you observe:

[Wed Mar 16 23:42:46.086183 2022] [qos:error] [pid 37828:tid 16388] mod_qos(034): access denied, QS_SrvMinDataRate rule (in:0): min=153, this connection=0, c=118.193.34.168

This means, that client connections, that did not send enough data, were forcibly closed by the module.

The config

QS_SrvMinDataRate 150 1200

requires a minimum data rate of 150 Bytes/second but increases that minimum requirement depending on your current concurrency up until 1200 bytes/second when the server is busy. The "min=153" in the log line tells us, that there the module increased the required minimum from the 150 configures bytes/secod slightly to 153 bytes/second. connection=0 tells us, that these connections did not send anything at all. The checks happen every 5 seconds by default, but this granularity can be changed eg. to 10 or 20 seconds.

It seems to be working fine, but every now and then there is a connection hitting your server where the client does not immediately send a request or stalls during sending it. As your configuration denies such behavior, the module now kills those connections.

Best regards,

Rainer

[puertoblack2003]

[dmye]

If using mod_qos_user_id suggest Cancel

[dmye]

QS_UserTrackingCookieName Resulting in multiple consecutive slash ('/')

[Steffen]

Version 11.72 available only for VS17

[DnvrSysEngr]

After installing and configuring mod_qos, I am not getting this in my error log when launching apache:

loaded MPM is 'WinNT' but mod_qos should be used with MPM 'Worker' or 'Event' only.

What should be done to resolve this?

[admin]

You can ignore it for windows.

[Steffen]

Updated to version 11.73. Only VS17

Most noticeable change it that it is now build with PCRE2.

[puertoblack2003]

latest 11.74 https://sourceforge.net/projects/mod-qos/files/

[Steffen]

Thanks !

Updated.

Changes 11.74

- Fixed: Potential counter overflow for early event detection
(increment before block) or log only mode.

[Stray78]

Any idea when 11.75 will be compiled? Thank you!

[Steffen]

Change is minor, only :

- QS_ClientIpFromHeader supports other modules (e.g. mod_remoteip) setting a client address to the request record when using the special header name #USERAGENT_IP.

I put it on the to-do list, expect coming weeks.

[Stray78]

Thank you!