Limits

The number of connections and requests is limited to ensure that a single user or bot cannot overload the whole server.

Request Limits

  • An IP address is limited to 200 requests per second (LimitDefault)

  • If this limit is exceeded, the server responds with 429 Too Many Requests

You can see this in ~/log/apache-access.log:

203.0.113.50 - - [11/Sep/2023:13:51:39 +0200] "GET /index.html HTTP/1.0" 429 6886 "-" "Chrome/116"

Or with more information in ~/log/apache-error.log:

[Mon Sep 11 13:51:39.724275 2023] [qos:error] [pid 768719:tid 140549650642624] [client 203.0.113.50:36420] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=LimitDefault, max=200, current=420, age=1, c=203.0.113.50, id=ZP7_S6KBFvv2nPSBdtiWNAAAAII

Adjust limits

We use mod_qos to limit the number of requests. mod_qos is controlled by adding variables to requests or removing them. Each variable represents a specific limit. This has the advantage that you can easily control the limits with mod_setenvif in your .htaccess file.

Limits cannot be freely defined, because they must be declared in the global server context. However, the following predefined limits are available for you to use.

Requests per second:

  • LimitDefault: 200 req/s (this variable is added to every request by default)

  • Limit100per1: 100 req/s

  • Limit200per1: 200 req/s

  • Limit400per1: 400 req/s

  • Limit800per1: 800 req/s

  • Limit1600per1: 1600 req/s

Requests per minute:

  • Limit100per60: 100 req/m

  • Limit200per60: 200 req/m

  • Limit400per60: 400 req/m

  • Limit800per60: 800 req/m

  • Limit1600per60: 1600 req/m

Tip

The best practice is to increase limits in a targeted manner. Instead of deactivating or increasing limits in general, increase the limits for static content as a first step.

Tip

Please note that you must first remove the default limit for the desired request before you can set a new one. Otherwise, both limits apply. You can do this in one or more steps.

Set a new limit for all requests:

# remove default limit and set a new limit
# apply to all requests
SetEnvIf Request_URI ^/ !LimitDefault Limit800per1

Set a new limit for a user agent:

# remove default limit and set a new limit
# apply to a specific user agent
BrowserMatch curl !LimitDefault Limit800per1

Set a new limit for static files:

# remove default limit and set a new limit
# apply to urls ending with .jpg, .png or .css
SetEnvIf Request_URI \.jpg$ !LimitDefault Limit800per1
SetEnvIf Request_URI \.png$ !LimitDefault Limit800per1
SetEnvIf Request_URI \.css$ !LimitDefault Limit800per1

Remove the default limit and do not set a new one:

# remove default limit
SetEnvIf Request_URI ^/ !LimitDefault

Connection Limits

  • An IP address is limited to 300 simultaneous TCP connections

  • If this limit is exceeded, the server closes further connections

Modern protocols transmit multiple requests over a few TCP connections. For this reason, 200 connections per IP address should be sufficient for most cases. When this limit is exceeded, you can see it as a devop user (see Generic Admin User) in /var/log/apache2/default-error.log.

[Tue Sep 12 08:04:34.197476 2023] [qos:error] [pid 15569:tid 139679819019968] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=300, concurrent connections=340, c=203.0.113.50

On the client side, the limit is displayed differently depending on the client/browser.

  • Google Chrome: ERR_CONNECTION_RESET

  • Mozilla Firefox: NS_ERROR_NET_RESET

  • Curl: Connection reset by peer
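Before adjusting a limit, it helps to see which clients hit which limit and by how much. The following Python script is an added example, not part of the original documentation: it aggregates the two mod_qos denial formats quoted on this page (request limits and the connection limit) per client and limit. The function names and the constructed sample lines are assumptions.

```python
import re
from collections import defaultdict

# Lines 1 and 4 are the log lines quoted on this page; the others are constructed.
SAMPLE_LOG = """\
[Mon Sep 11 13:51:39.724275 2023] [qos:error] [pid 768719:tid 140549650642624] [client 203.0.113.50:36420] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=LimitDefault, max=200, current=420, age=1, c=203.0.113.50, id=ZP7_S6KBFvv2nPSBdtiWNAAAAII
[Mon Sep 11 13:51:40.101000 2023] [qos:error] [pid 768719:tid 140549650642624] [client 203.0.113.50:36422] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=LimitDefault, max=200, current=260, age=1, c=203.0.113.50, id=CONSTRUCTED0001
[Mon Sep 11 13:52:05.000000 2023] [qos:error] [pid 768719:tid 140549650642624] [client 198.51.100.7:40100] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=Limit100per60, max=100, current=130, age=12, c=198.51.100.7, id=CONSTRUCTED0002
[Tue Sep 12 08:04:34.197476 2023] [qos:error] [pid 15569:tid 139679819019968] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=300, concurrent connections=340, c=203.0.113.50
[Tue Sep 12 08:05:00.000000 2023] [example:info] [pid 15569:tid 139679819019968] constructed unrelated line, ignored by the parser
"""

# Matches both denial formats shown on this page (mod_qos(067) and mod_qos(031)).
DENIED = re.compile(r"mod_qos\(\d+\): access denied, (?P<rule>QS_\w+) rule: (?P<fields>.*)$")


def summarize(lines):
    """Return {(client_ip, limit): {"denied", "max", "peak"}} for mod_qos denials."""
    stats = defaultdict(lambda: {"denied": 0, "max": 0, "peak": 0})
    for line in lines:
        m = DENIED.search(line.strip())
        if not m:
            continue  # not a mod_qos denial
        fields = dict(f.split("=", 1) for f in m["fields"].split(", ") if "=" in f)
        # Request limits log "current", the connection limit logs "concurrent connections".
        current = fields.get("current") or fields.get("concurrent connections")
        if "c" not in fields or "max" not in fields or current is None:
            continue  # a denial format other than the two shown on this page
        # Request limits are named by their variable (event=...), the connection limit by its rule.
        limit = fields.get("event", m["rule"])
        entry = stats[(fields["c"], limit)]
        entry["denied"] += 1
        entry["max"] = int(fields["max"])
        entry["peak"] = max(entry["peak"], int(current))
    return dict(stats)


def report(stats):
    """One line per client and limit, worst overshoot (peak relative to max) first."""
    rows = sorted(stats.items(), key=lambda kv: -kv[1]["peak"] / max(kv[1]["max"], 1))
    return [f"{ip} {limit}: {s['denied']} denied, peak {s['peak']} of max {s['max']}"
            for (ip, limit), s in rows]


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG.splitlines()))))
```

To run it against real data, pass the lines of ~/log/apache-error.log (request limits) or /var/log/apache2/default-error.log (connection limit) to summarize() instead of the sample.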

Adjust limits

You can increase the connection limit within the Custom JSON Server Level Configuration.

{
   "apache2::qs_srvmaxconnperip": 300
}