Connection rate limiting does not work for Captive Portal
|Affected version:||2.0.1||Affected Architecture:|
Using pfSense 2.0.1. Installation of pfSense as a CP at a big exhibition fair failed because the connection rate limiting function does not work. Just a few clients hammering the CP login page can consume all the available CPU time.
The "Maximum concurrent connections" option sets the "evasive.max-conns-per-ip" option in /var/etc/lighty-CaptivePortal.conf. This option is ignored by lighttpd since the module mod_evasive.so is missing from pfSense. Even if the lighttpd package is rebuild and that module is put in place, the /etc/inc/system.inc file needs to be modified to actually load the module in lighty-CaptivePortal.conf.
Last time I checked on 2.1 (6 June, 2012) the module was missing as well. I am also fond of doing the rate-limiting using ipfw (which is used by CP) to prevent lighttpd using a lot of CPU cycles for resetting connections.
#1 Updated by Josh Stompro 7 months ago
This feature bug is related to this ticket.
#2 Updated by Josh Stompro 7 months ago
I can confirm that mod_evasive doesn't seem to be included in 2.0.1.
Should there be a mod_evasive.so
/usr/local/lib/lighttpd/mod_auth.so /usr/local/lib/lighttpd/mod_proxy.so /usr/local/lib/lighttpd/mod_access.so /usr/local/lib/lighttpd/mod_accesslog.so /usr/local/lib/lighttpd/mod_fastcgi.so /usr/local/lib/lighttpd/mod_cgi.so /usr/local/lib/lighttpd/mod_indexfile.so /usr/local/lib/lighttpd/mod_dirlisting.so /usr/local/lib/lighttpd/mod_staticfile.so /usr/local/lib/lighttpd/mod_expire.so /usr/local/lib/lighttpd/mod_compress.so /usr/local/lib/lighttpd/mod_rewrite.so /usr/local/lib/lighttpd/mod_redirect.so
[2.0.1-RELEASE][email@example.com]/var/etc(16): lighttpd -V lighttpd/1.4.29 (ssl) - a light and fast webserver Build-Date: Sep 7 2011 11:07:29 Event Handlers: + select (generic) + poll (Unix) - rt-signals (Linux 2.4+) - epoll (Linux 2.6) - /dev/poll (Solaris) - eventports (Solaris) + kqueue (FreeBSD) - libev (generic) Network handler: + sendfile Features: + IPv6 support + zlib support + bzip2 support + crypt support + SSL Support + PCRE support - mySQL support - LDAP support - memcached support - FAM support - LUA support - xml support - SQLite support - GDBM support
## modules to load server.modules = ( "mod_access", "mod_accesslog", "mod_expire", "mod_compress", "mod_redirect", "mod_fastcgi", "mod_cgi","mod_rewrite"
This is causing me problems since the captive portal can run wild and use up all the memory on an Alix box.
#3 Updated by Ermal Luçi 4 months ago
- Status changed from New to Feedback
This should work better on 2.0.3 and later.
#4 Updated by Josh Stompro 19 days ago
I can confirm that on 2.0.3 it looks like mod_evasive is now there. Ermal, thank you for getting this fixed.
I'll try and confirm that it actually does limit the number of connections per IP, but memory use does look to be down at several sites that I have upgraded. On an Alix, The memory used to hover at 83% used, now it is sticking around 63% used.
[2.0.3-RELEASE][firstname.lastname@example.org]/usr/local/lib/lighttpd(8): ls -l /usr/local/lib/lighttpd/ total 263 -rwxr-xr-x 1 root wheel 7180 Apr 12 10:10 mod_access.so -rwxr-xr-x 1 root wheel 16996 Apr 12 10:10 mod_accesslog.so -rwxr-xr-x 1 root wheel 28761 Apr 12 10:10 mod_auth.so -rwxr-xr-x 1 root wheel 25055 Apr 12 10:10 mod_cgi.so -rwxr-xr-x 1 root wheel 19592 Apr 12 10:10 mod_compress.so -rwxr-xr-x 1 root wheel 20751 Apr 12 10:10 mod_dirlisting.so -rwxr-xr-x 1 root wheel 7059 Apr 12 10:10 mod_evasive.so -rwxr-xr-x 1 root wheel 10075 Apr 12 10:10 mod_expire.so -rwxr-xr-x 1 root wheel 55128 Apr 12 10:10 mod_fastcgi.so -rwxr-xr-x 1 root wheel 8310 Apr 12 10:10 mod_indexfile.so -rwxr-xr-x 1 root wheel 24110 Apr 12 10:10 mod_proxy.so -rwxr-xr-x 1 root wheel 9930 Apr 12 10:10 mod_redirect.so -rwxr-xr-x 1 root wheel 12712 Apr 12 10:10 mod_rewrite.so -rwxr-xr-x 1 root wheel 13672 Apr 12 10:10 mod_staticfile.so
## modules to load server.modules = ( "mod_access", "mod_accesslog", "mod_expire", "mod_compress", "mod_redirect" ,"mod_rewrite","mod_evasive","mod_fastcgi" )
evasive.max-conns-per-ip = 4