Limits

The number of connections and requests is limited to ensure that a single user or bot cannot overload the whole server.

Request Limits

  • An IP address is limited to 200 requests per second

  • If this limit is exceeded, the server responds with 429 Too Many Requests

You can see this in ~/log/apache-access.log:

203.0.113.50 - - [11/Sep/2023:13:51:39 +0200] "GET /index.html HTTP/1.0" 429 6886 "-" "Chrome/116"

Or with more information in ~/log/apache-error.log:

[Mon Sep 11 13:51:39.724275 2023] [qos:error] [pid 768719:tid 140549650642624] [client 203.0.113.50:36420] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=LimitDefault, max=200, current=420, age=1, c=203.0.113.50, id=ZP7_S6KBFvv2nPSBdtiWNAAAAII

Adjust limits

We use mod_qos to limit the number of requests. mod_qos is controlled by adding variables to requests or removing them. Each variable represents a specific limit. This has the advantage that you can easily control the limits with mod_setenvif in your .htaccess file.

The following variables and limits are available.

Requests per second:

  • LimitDefault: 200 req/s (this variable is added to every request by default)

  • Limit100per1: 100 req/s

  • Limit200per1: 200 req/s

  • Limit400per1: 400 req/s

  • Limit800per1: 800 req/s

  • Limit1600per1: 1600 req/s

Requests per minute:

  • Limit100per60: 100 req/m

  • Limit200per60: 200 req/m

  • Limit400per60: 400 req/m

  • Limit800per60: 800 req/m

  • Limit1600per60: 1600 req/m

Tip

The best practice is to increase limits in a targeted manner. Instead of deactivating or increasing limits in general, you can increase the limits for static content as a first step.

Tip

Please note that you must first remove the default limit for the desired request before you can set a new one. Otherwise, both limits apply. You can do this in one or more steps.

Set a new limit for all requests:

# remove default limit and set a new limit
# apply to all requests
SetEnvIf Request_URI ^/ !LimitDefault Limit800per1

Set a new limit for a user agent:

# remove default limit and set a new limit
# apply to a specific user agent
BrowserMatch curl !LimitDefault Limit800per1

Set a new limit for static files:

# remove default limit and set a new limit
# apply to urls ending with .jpg, .png or .css
SetEnvIf Request_URI \.jpg$ !LimitDefault Limit800per1
SetEnvIf Request_URI \.png$ !LimitDefault Limit800per1
SetEnvIf Request_URI \.css$ !LimitDefault Limit800per1

Connection Limits

  • An IP address is limited to 300 simultaneous TCP connections

  • If this limit is exceeded, the server closes further connections

Modern protocols transmit multiple requests over a few TCP connections. For this reason, 200 connections per IP address should be sufficient for most cases. When this limit is exceeded, you can see it as a devop user (see Generic Admin User) in /var/log/apache2/default-error.log.

[Tue Sep 12 08:04:34.197476 2023] [qos:error] [pid 15569:tid 139679819019968] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=300, concurrent connections=340, c=203.0.113.50
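To decide which limit to raise in a targeted manner, the two mod_qos denial formats shown on this page (the 067 request-limit line and the 031 connection-limit line) can be summarised per client and limit. The following is an added example, not part of the hosting platform's tooling; the function names and the "connections" label are this example's own choices.

```python
import re
from collections import defaultdict

# The two mod_qos denial messages shown on this page:
#   mod_qos(067) QS_ClientEventLimitCount: event=, max=, current=
#   mod_qos(031) QS_SrvMaxConnPerIP:       max=, concurrent connections=
DENIAL = re.compile(r"mod_qos\((\d{3})\): access denied, (QS_\w+) rule: (.*)$")
FIELD = re.compile(r"([A-Za-z][\w ]*?)=([^,\s]+)")

def parse_denial(line):
    """Return a dict for one mod_qos denial line, or None for any other line."""
    m = DENIAL.search(line)
    if not m:
        return None
    code, rule, rest = m.groups()
    fields = {k.strip(): v for k, v in FIELD.findall(rest)}
    observed = fields.get("current") or fields.get("concurrent connections")
    if "c" not in fields or "max" not in fields or observed is None:
        return None  # unknown message layout: skip rather than guess
    try:
        limit_max, seen = int(fields["max"]), int(observed)
    except ValueError:
        return None
    # "connections" is this example's label for the per-IP connection limit.
    return {"code": code, "rule": rule, "client": fields["c"],
            "limit": fields.get("event", "connections"),
            "max": limit_max, "observed": seen}

def summarize(lines):
    """Group denials by (client, limit name): denial count, limit, peak value."""
    out = defaultdict(lambda: {"denials": 0, "max": 0, "peak": 0})
    for line in lines:
        d = parse_denial(line)
        if d:
            s = out[(d["client"], d["limit"])]
            s["denials"] += 1
            s["max"] = d["max"]
            s["peak"] = max(s["peak"], d["observed"])
    return dict(out)

# Sample input: the two error-log lines from this page plus one constructed line.
SAMPLE = [
    '[Mon Sep 11 13:51:39.724275 2023] [qos:error] [pid 768719:tid 140549650642624] [client 203.0.113.50:36420] mod_qos(067): access denied, QS_ClientEventLimitCount rule: event=LimitDefault, max=200, current=420, age=1, c=203.0.113.50, id=ZP7_S6KBFvv2nPSBdtiWNAAAAII',
    '[Tue Sep 12 08:04:34.197476 2023] [qos:error] [pid 15569:tid 139679819019968] mod_qos(031): access denied, QS_SrvMaxConnPerIP rule: max=300, concurrent connections=340, c=203.0.113.50',
    '[Tue Sep 12 08:05:00.000000 2023] [core:notice] [pid 1] constructed unrelated line',
]

if __name__ == "__main__":
    for (client, limit), s in sorted(summarize(SAMPLE).items()):
        print(f"{client} {limit}: {s['denials']} denials, max={s['max']}, peak={s['peak']}")
```

A client that repeatedly peaks far above a limit on every kind of request is a candidate for blocking rather than for a higher limit, while denials concentrated on static files point to the targeted SetEnvIf rules shown above.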

On the client side, the limit is displayed differently depending on the client/browser.

  • Google Chrome: ERR_CONNECTION_RESET

  • Mozilla Firefox: NS_ERROR_NET_RESET

  • Curl: Connection reset by peer

Adjust limits

You can increase the connection limit within the Custom JSON Server Level Configuration.

{
   "apache2::qs_srvmaxconnperip": 300
}