Bug #2475: Connection rate limiting does not work for Captive Portal - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.07 Plus - All Closed Issues
24.07 Plus - All Open Issues
24.07 Plus - Feedback Issues
24.07 Plus - Needs Attention/Work
24.07 Plus - New/Confirmed/In Progress Issues
24.07 Plus - Pull Request Review
24.07 Plus - Waiting on Merge
24.07 Target - All Closed Issues
24.07 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #2475

closed

Connection rate limiting does not work for Captive Portal

Added by George Spiliotis almost 12 years ago. Updated almost 11 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Captive Portal

Target version:

Start date:

06/07/2012

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.0.1

Affected Architecture:

Description

Using pfSense 2.0.1. Installation of pfSense as a CP at a big exhibition fair failed because the connection rate limiting function does not work. Just a few clients hammering the CP login page can consume all the available CPU time.

The "Maximum concurrent connections" option sets the "evasive.max-conns-per-ip" option in /var/etc/lighty-CaptivePortal.conf. This option is ignored by lighttpd since the module mod_evasive.so is missing from pfSense. Even if the lighttpd package is rebuild and that module is put in place, the /etc/inc/system.inc file needs to be modified to actually load the module in lighty-CaptivePortal.conf.

Last time I checked on 2.1 (6 June, 2012) the module was missing as well. I am also fond of doing the rate-limiting using ipfw (which is used by CP) to prevent lighttpd using a lot of CPU cycles for resetting connections.

History
Notes
Property changes

Actions

Copy link

Updated by Josh Stompro over 11 years ago

This feature bug is related to this ticket.
http://redmine.pfsense.org/issues/2551

Actions

Copy link

Updated by Josh Stompro over 11 years ago

I can confirm that mod_evasive doesn't seem to be included in 2.0.1.

Should there be a mod_evasive.so

/usr/local/lib/lighttpd/mod_auth.so
/usr/local/lib/lighttpd/mod_proxy.so
/usr/local/lib/lighttpd/mod_access.so
/usr/local/lib/lighttpd/mod_accesslog.so
/usr/local/lib/lighttpd/mod_fastcgi.so
/usr/local/lib/lighttpd/mod_cgi.so
/usr/local/lib/lighttpd/mod_indexfile.so
/usr/local/lib/lighttpd/mod_dirlisting.so
/usr/local/lib/lighttpd/mod_staticfile.so
/usr/local/lib/lighttpd/mod_expire.so
/usr/local/lib/lighttpd/mod_compress.so
/usr/local/lib/lighttpd/mod_rewrite.so
/usr/local/lib/lighttpd/mod_redirect.so

lighttpd -V

[2.0.1-RELEASE][root@dl-firewall.larl.org]/var/etc(16): lighttpd -V
lighttpd/1.4.29 (ssl) - a light and fast webserver
Build-Date: Sep  7 2011 11:07:29

Event Handlers:

        + select (generic)
        + poll (Unix)
        - rt-signals (Linux 2.4+)
        - epoll (Linux 2.6)
        - /dev/poll (Solaris)
        - eventports (Solaris)
        + kqueue (FreeBSD)
        - libev (generic)

Network handler:

        + sendfile

Features:

        + IPv6 support
        + zlib support
        + bzip2 support
        + crypt support
        + SSL Support
        + PCRE support
        - mySQL support
        - LDAP support
        - memcached support
        - FAM support
        - LUA support
        - xml support
        - SQLite support
        - GDBM support

From lighty-CaptivePortal.conf

## modules to load
server.modules              =   (

                                                                        "mod_access", "mod_accesslog", "mod_expire", "mod_compress", "mod_redirect",
                                                                        "mod_fastcgi", "mod_cgi","mod_rewrite"

This is causing me problems since the captive portal can run wild and use up all the memory on an Alix box.

Actions

Copy link

Updated by Ermal Luçi about 11 years ago

Status changed from New to Feedback

This should work better on 2.0.3 and later.

Actions

Copy link

Updated by Josh Stompro almost 11 years ago

I can confirm that on 2.0.3 it looks like mod_evasive is now there. Ermal, thank you for getting this fixed.

I'll try and confirm that it actually does limit the number of connections per IP, but memory use does look to be down at several sites that I have upgraded. On an Alix, The memory used to hover at 83% used, now it is sticking around 63% used.

[2.0.3-RELEASE][admin@cr-firewall.larl.org]/usr/local/lib/lighttpd(8): ls -l /usr/local/lib/lighttpd/
total 263
-rwxr-xr-x  1 root  wheel   7180 Apr 12 10:10 mod_access.so
-rwxr-xr-x  1 root  wheel  16996 Apr 12 10:10 mod_accesslog.so
-rwxr-xr-x  1 root  wheel  28761 Apr 12 10:10 mod_auth.so
-rwxr-xr-x  1 root  wheel  25055 Apr 12 10:10 mod_cgi.so
-rwxr-xr-x  1 root  wheel  19592 Apr 12 10:10 mod_compress.so
-rwxr-xr-x  1 root  wheel  20751 Apr 12 10:10 mod_dirlisting.so
-rwxr-xr-x  1 root  wheel   7059 Apr 12 10:10 mod_evasive.so
-rwxr-xr-x  1 root  wheel  10075 Apr 12 10:10 mod_expire.so
-rwxr-xr-x  1 root  wheel  55128 Apr 12 10:10 mod_fastcgi.so
-rwxr-xr-x  1 root  wheel   8310 Apr 12 10:10 mod_indexfile.so
-rwxr-xr-x  1 root  wheel  24110 Apr 12 10:10 mod_proxy.so
-rwxr-xr-x  1 root  wheel   9930 Apr 12 10:10 mod_redirect.so
-rwxr-xr-x  1 root  wheel  12712 Apr 12 10:10 mod_rewrite.so
-rwxr-xr-x  1 root  wheel  13672 Apr 12 10:10 mod_staticfile.so

## modules to load
server.modules              =   ( "mod_access", "mod_accesslog", "mod_expire", "mod_compress", "mod_redirect" 
                        ,"mod_rewrite","mod_evasive","mod_fastcgi" 
                )


evasive.max-conns-per-ip = 4

Actions

Copy link

Updated by Chris Buechler almost 11 years ago

Status changed from Feedback to Resolved

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #2475

Connection rate limiting does not work for Captive Portal

Updated by Josh Stompro over 11 years ago

Updated by Josh Stompro over 11 years ago

Updated by Ermal Luçi about 11 years ago

Updated by Josh Stompro almost 11 years ago

Updated by Chris Buechler almost 11 years ago