Project

General

Profile

Actions

Bug #2475

closed

Connection rate limiting does not work for Captive Portal

Added by George Spiliotis over 12 years ago. Updated over 11 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Captive Portal
Target version:
-
Start date:
06/07/2012
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0.1
Affected Architecture:

Description

Using pfSense 2.0.1. Installation of pfSense as a CP at a big exhibition fair failed because the connection rate limiting function does not work. Just a few clients hammering the CP login page can consume all the available CPU time.

The "Maximum concurrent connections" option sets the "evasive.max-conns-per-ip" option in /var/etc/lighty-CaptivePortal.conf. This option is ignored by lighttpd since the module mod_evasive.so is missing from pfSense. Even if the lighttpd package is rebuild and that module is put in place, the /etc/inc/system.inc file needs to be modified to actually load the module in lighty-CaptivePortal.conf.

Last time I checked on 2.1 (6 June, 2012) the module was missing as well. I am also fond of doing the rate-limiting using ipfw (which is used by CP) to prevent lighttpd using a lot of CPU cycles for resetting connections.

Actions #1

Updated by Josh Stompro about 12 years ago

This feature bug is related to this ticket.
http://redmine.pfsense.org/issues/2551

Actions #2

Updated by Josh Stompro about 12 years ago

I can confirm that mod_evasive doesn't seem to be included in 2.0.1.

Should there be a mod_evasive.so

/usr/local/lib/lighttpd/mod_auth.so
/usr/local/lib/lighttpd/mod_proxy.so
/usr/local/lib/lighttpd/mod_access.so
/usr/local/lib/lighttpd/mod_accesslog.so
/usr/local/lib/lighttpd/mod_fastcgi.so
/usr/local/lib/lighttpd/mod_cgi.so
/usr/local/lib/lighttpd/mod_indexfile.so
/usr/local/lib/lighttpd/mod_dirlisting.so
/usr/local/lib/lighttpd/mod_staticfile.so
/usr/local/lib/lighttpd/mod_expire.so
/usr/local/lib/lighttpd/mod_compress.so
/usr/local/lib/lighttpd/mod_rewrite.so
/usr/local/lib/lighttpd/mod_redirect.so

lighttpd -V

[2.0.1-RELEASE][root@dl-firewall.larl.org]/var/etc(16): lighttpd -V
lighttpd/1.4.29 (ssl) - a light and fast webserver
Build-Date: Sep  7 2011 11:07:29

Event Handlers:

        + select (generic)
        + poll (Unix)
        - rt-signals (Linux 2.4+)
        - epoll (Linux 2.6)
        - /dev/poll (Solaris)
        - eventports (Solaris)
        + kqueue (FreeBSD)
        - libev (generic)

Network handler:

        + sendfile

Features:

        + IPv6 support
        + zlib support
        + bzip2 support
        + crypt support
        + SSL Support
        + PCRE support
        - mySQL support
        - LDAP support
        - memcached support
        - FAM support
        - LUA support
        - xml support
        - SQLite support
        - GDBM support

From lighty-CaptivePortal.conf

## modules to load
server.modules              =   (

                                                                        "mod_access", "mod_accesslog", "mod_expire", "mod_compress", "mod_redirect",
                                                                        "mod_fastcgi", "mod_cgi","mod_rewrite" 

This is causing me problems since the captive portal can run wild and use up all the memory on an Alix box.

Actions #3

Updated by Ermal Luçi almost 12 years ago

  • Status changed from New to Feedback

This should work better on 2.0.3 and later.

Actions #4

Updated by Josh Stompro over 11 years ago

I can confirm that on 2.0.3 it looks like mod_evasive is now there. Ermal, thank you for getting this fixed.

I'll try and confirm that it actually does limit the number of connections per IP, but memory use does look to be down at several sites that I have upgraded. On an Alix, The memory used to hover at 83% used, now it is sticking around 63% used.

[2.0.3-RELEASE][admin@cr-firewall.larl.org]/usr/local/lib/lighttpd(8): ls -l /usr/local/lib/lighttpd/
total 263
-rwxr-xr-x  1 root  wheel   7180 Apr 12 10:10 mod_access.so
-rwxr-xr-x  1 root  wheel  16996 Apr 12 10:10 mod_accesslog.so
-rwxr-xr-x  1 root  wheel  28761 Apr 12 10:10 mod_auth.so
-rwxr-xr-x  1 root  wheel  25055 Apr 12 10:10 mod_cgi.so
-rwxr-xr-x  1 root  wheel  19592 Apr 12 10:10 mod_compress.so
-rwxr-xr-x  1 root  wheel  20751 Apr 12 10:10 mod_dirlisting.so
-rwxr-xr-x  1 root  wheel   7059 Apr 12 10:10 mod_evasive.so
-rwxr-xr-x  1 root  wheel  10075 Apr 12 10:10 mod_expire.so
-rwxr-xr-x  1 root  wheel  55128 Apr 12 10:10 mod_fastcgi.so
-rwxr-xr-x  1 root  wheel   8310 Apr 12 10:10 mod_indexfile.so
-rwxr-xr-x  1 root  wheel  24110 Apr 12 10:10 mod_proxy.so
-rwxr-xr-x  1 root  wheel   9930 Apr 12 10:10 mod_redirect.so
-rwxr-xr-x  1 root  wheel  12712 Apr 12 10:10 mod_rewrite.so
-rwxr-xr-x  1 root  wheel  13672 Apr 12 10:10 mod_staticfile.so
## modules to load
server.modules              =   ( "mod_access", "mod_accesslog", "mod_expire", "mod_compress", "mod_redirect" 
                        ,"mod_rewrite","mod_evasive","mod_fastcgi" 
                )


evasive.max-conns-per-ip = 4

Actions #5

Updated by Chris Buechler over 11 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF