Limits
The number of connections and requests is limited to ensure that a single user or bot cannot overload the whole server.
Request Limits
An IP address is limited to 200 requests per second (LimitDefault). If this limit is exceeded, the server responds with 429 Too Many Requests.
You can see this in ~/log/apache-access.log:
203.0.113.50 - - [11/Sep/2023:13:51:39 +0200] "GET /index.html HTTP/1.0" 429 6886 "-" "Chrome/116"
Or with more information in ~/log/apache-error.log:
[Mon Sep 11 13:51:39.724275 2023] [qos:error] [pid 768719:tid 140549650642624] [client 203.0.113.50:36420] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=LimitDefault, max=200, current=420, age=1, c=203.0.113.50, id=ZP7_S6KBFvv2nPSBdtiWNAAAAII
Adjust limits
We use mod_qos to limit the number of requests.
mod_qos is controlled by adding variables to requests or removing them from requests.
Each variable represents a specific limit.
This has the advantage that you can easily control the limits with mod_setenvif in your .htaccess file.
The limits cannot be freely defined, as this must be done in the global server context. However, the following predefined limits are available, which you can use.
Requests per second:
LimitDefault: 200 req/s (this variable is added to every request by default)
Limit100per1: 100 req/s
Limit200per1: 200 req/s
Limit400per1: 400 req/s
Limit800per1: 800 req/s
Limit1600per1: 1600 req/s
Requests per minute:
Limit100per60: 100 req/m
Limit200per60: 200 req/m
Limit400per60: 400 req/m
Limit800per60: 800 req/m
Limit1600per60: 1600 req/m
Tip
Best practice is to increase limits in a targeted manner. Instead of deactivating or increasing limits in general, you can increase the limits for static content as a first step.
Tip
Please note that you must first remove the default limit for the desired request before you can set a new one. Otherwise, both limits apply. You can do this in one or more steps.
Set a new limit for all requests:
# remove default limit and set a new limit
# apply to all requests
SetEnvIf Request_URI ^/ !LimitDefault Limit800per1
Set a new limit for a user agent:
# remove default limit and set a new limit
# apply to a specific user agent
BrowserMatch curl !LimitDefault Limit800per1
Set a new limit for static files:
# remove default limit and set a new limit
# apply to urls ending with .jpg, .png or .css
SetEnvIf Request_URI \.jpg$ !LimitDefault Limit800per1
SetEnvIf Request_URI \.png$ !LimitDefault Limit800per1
SetEnvIf Request_URI \.css$ !LimitDefault Limit800per1
Remove the default limit and do not set a new one:
# remove default limit
SetEnvIf Request_URI ^/ !LimitDefault
Connection Limits
An IP address is limited to 300 simultaneous TCP connections.
If this limit is exceeded, the server closes further connections.
Modern protocols transmit multiple requests over a few TCP connections.
For this reason, 200 connections per IP address should be sufficient for most cases.
When this limit is exceeded, you can see it as a devop user (see Generic Admin User) in /var/log/apache2/default-error.log:
[Tue Sep 12 08:04:34.197476 2023] [qos:error] [pid 15569:tid 139679819019968] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=300, concurrent connections=340, c=203.0.113.50
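An added example, not part of the original documentation: a small Python script that tallies mod_qos denials per client and rule from the two error-log formats shown on this page (mod_qos(067) request limits and mod_qos(031) connection limits), so you can see which limit a client actually hits before raising it. The sample lines are constructed from the entries above (the second IP address, the extra IDs and the counts are made up), and the function name summarize is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two mod_qos formats shown on this page.
SAMPLE_LOG = """\
[Mon Sep 11 13:51:39.724275 2023] [qos:error] [pid 768719:tid 140549650642624] [client 203.0.113.50:36420] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=LimitDefault, max=200, current=420, age=1, c=203.0.113.50, id=ZP7_S6KBFvv2nPSBdtiWNAAAAII
[Mon Sep 11 13:51:40.101112 2023] [qos:error] [pid 768719:tid 140549650642624] [client 203.0.113.50:36422] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=LimitDefault, max=200, current=515, age=1, c=203.0.113.50, id=constructed-id-2
[Mon Sep 11 13:52:01.000001 2023] [qos:error] [pid 768720:tid 140549650642625] [client 198.51.100.7:50000] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=Limit100per60, max=100, current=101, age=12, c=198.51.100.7, id=constructed-id-3
[Tue Sep 12 08:04:34.197476 2023] [qos:error] [pid 15569:tid 139679819019968] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=300, concurrent connections=340, c=203.0.113.50
[Tue Sep 12 08:04:35.000000 2023] [core:error] [pid 15569:tid 139679819019968] unrelated message
"""

# Request limit denials: the rule is identified by the event variable name.
REQ_RE = re.compile(
    r"mod_qos\(067\): access denied, QS_ClientEventLimitCount rule: "
    r"event=(?P<event>\w+), max=(?P<max>\d+), current=(?P<cur>\d+),.*?\bc=(?P<ip>[^,\s]+)")
# Connection limit denials: one server-wide rule per client IP.
CONN_RE = re.compile(
    r"mod_qos\(031\): access denied, QS_SrvMaxConnPerIP rule: "
    r"max=(?P<max>\d+), concurrent connections=(?P<cur>\d+), c=(?P<ip>[^,\s]+)")


def summarize(lines):
    """Return {(client_ip, rule): {"denials", "limit", "peak"}} for mod_qos denials."""
    stats = defaultdict(lambda: {"denials": 0, "limit": 0, "peak": 0})
    for line in lines:
        m = REQ_RE.search(line)
        rule = m.group("event") if m else None
        if m is None:
            m = CONN_RE.search(line)
            rule = "QS_SrvMaxConnPerIP" if m else None
        if m is None:
            continue  # not a mod_qos denial in either format
        entry = stats[(m.group("ip"), rule)]
        entry["denials"] += 1
        entry["limit"] = int(m.group("max"))
        entry["peak"] = max(entry["peak"], int(m.group("cur")))
    return dict(stats)


if __name__ == "__main__":
    for (ip, rule), s in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip:15} {rule:20} denials={s['denials']} limit={s['limit']} peak={s['peak']}")
```

To run it against a real log, pass the lines of ~/log/apache-error.log to summarize instead of the sample.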
On the client side, the limit is displayed differently depending on the client/browser.
Google Chrome: ERR_CONNECTION_RESET
Mozilla Firefox: NS_ERROR_NET_RESET
Curl: Connection reset by peer
Adjust limits
You can increase the connection limit within the Custom JSON Server Level Configuration.
{
  "apache2::qs_srvmaxconnperip": 300
}