Limit IP downloads in Apache – Save Bandwidth Published: Nov 04, 2005
  • Rating

    5/5

Limit the amount of downloads at the same time from and IP address - what a great idea to save yourself some bandwidth costs. It seems that no one is using it, we tried it and love it using mod_limitipconn.c

Limit IP downloads in Apache – Save Bandwidth

Overview:
Blocking and preventing bandwidth abusers in Apache isn’t an easy task and no one seems to talk about it. We all just leave our websites open for someone to download as many things from the site, at the same time, as the server will allow. I’ve seen some people downloading up to 20 videos at the same time on one of my other sites. Growing tired of kids constantly abusing downloads I decided to see what options I had and came up with some great solutions.

If you have a site with large media such as videos, images or documents then you should read this and think about implementing it. It took me about 20 minutes to figure out, now that I’ve done the brute work it should take you 10 or so minutes.

Preventing Bandwidth Abuse

Instead of using the common talked about hotlinking method I wanted something at the server level which is more reliable. Hotlinking is basically a mod_rewrite .htaccess file that prevents other sites from putting images that are hosted on your server, on their site therefore using your bandwidth.

I wanted to limit the amount of downloads per IP from a visitor on my actual site, meaning someone could only download X number of things at once, instead of unlimited.

After some research I found an Apache module called: mod_limitipconn.c

About LimitIPConn
“This is the distribution page for the Apache module mod_limitipconn.c, which allows web server administrators to limit the number of simultaneous downloads permitted from a single IP address.”
Official site: http://dominia.org/djao/limitipconn.html

Sweet, ok well does this thing work with Cpanel…. Yes, yes it does =)

Test System For this Tutorial
Red Hat Enterprise 3
Cpanel 10.8
Apache 1.3, MySQL 4.1 , PHP 4.4


You can limit a specific number of downloads per IP in the Apache configuration file (httpd.conf) and have different rules for each directory if you want. So if you have a directory called /videos you can create a ruleset for that directory in particular limiting the concurrent downloads to 1 for example. Then you can create another rule for a directory like /archive which you can limit image downloads to 5, there are all kinds of things you can set and lots of rules available!

Understanding the limitipconn Rules
There are many different configurations you can use for this, I’ll go over a few ones I think would be more useful.


Example configuration:

---------------------------------------------------------------------------

ExtendedStatus On

# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so
AddModule mod_limitipconn.c

<IfModule mod_limitipconn.c>
    <Location /somewhere>
 MaxConnPerIP 3
 # exempting images from the connection limit is often a good
 # idea if your web page has lots of inline images, since these
 # pages often generate a flurry of concurrent image requests
 NoIPLimit image/*
    </Location>

    <Location /mp3>
 MaxConnPerIP 1
 # In this case, all MIME types other than audio/mpeg and video*
 # are exempt from the limit check
 OnlyIPLimit audio/mpeg video
    </Location>
</IfModule>

---------------------------------------------------------------------------


Installing mod_limitipconn.c
Installing this was quick and easy. Login to your server through shell as the root user.

# wget tar xzvf mod_limitipconn-0.04.tar.gz
# cd mod_limitipconn-0.04
# vi Makefile
Find
APXS = apxs
CHANGE TO:
APXS = /usr/local/apache/bin/apxs
Save

#make
#make install

This adds the module to httpd.conf and backs up the old configuration from httpd.conf.new

# vi /usr/local/apache/conf/httpd.conf
It should have added the following:

LoadModule limitipconn_module libexec/mod_limitipconn.so
and
AddModule mod_limitipconn.c

Now we need to setup the configuration for the site you want to add the limits to. Search the domain you want and go to the configuration for it in httpd.conf

You should be at the part like this:

<VirtualHost IP HERE>
ServerAlias www.domain.com domain.com

Add the following configuration that you want, this restricts 2 directories I have on my site to prevent users from downloading more than 1 video at a time, I have 2 separate rules.

<IfModule mod_limitipconn.c>
    <Location /videos>
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
    </Location>

    <Location /forums/media/data>
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
    </Location>

</IfModule>


So my whole entry for the domain looks like this:

<VirtualHost IPHERE>
ServerAlias www.domain.com domain.com
ServerAdmin webmaster@domain.com
DocumentRoot /home/domain/public_html
BytesLog domlogs/domain.com-bytes_log
ServerName www.domain.com
<IfModule mod_php4.c>
php_admin_value open_basedir "/home/domain:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
<IfModule mod_limitipconn.c>
    <Location /videos>
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
    </Location>

    <Location /forums/media/data>
        MaxConnPerIP 1
        # In this case, all MIME types other than audio/mpeg and video*
        # are exempt from the limit check
        OnlyIPLimit audio/mpeg video
    </Location>

</IfModule>
User domain
Group domain
CustomLog domlogs/domain.com combined
ScriptAlias /cgi-bin/ /home/domain/public_html/cgi-bin/
</VirtualHost>


Save httpd.conf


Test Apache Configuration
# apachectl configtest start
Make sure it comes back ok without errors

# /scripts/restartsrv_httpd

Apache will restart. Try it out. Go to your limited directory and try to download 2 things (2 depends on your IP limit you set). You should get forwarded to a 503 Temporary Service page. We can customize that as well =)


Customizing the 503 Temporary Service Page
FTP to your webspace and edit your public_html/.htaccess file

Add the following to the top:
ErrorDocument 503 http://www.domain.com/bandwidth.php

Save the file and upload it.

Create a page called bandwidth.php or html, or whatever you want. Put a message saying you’re preventing bandwidth abuse and limiting downloads to 1 at a time.

Make sure everything is working well and go relax, you did a good job and managed to save your server a lot of bandwidth and yourself some cash!


About the Author:
Steven Leggett is the editor of the server resource and hosting tutorial site, www.webhostgear.com and specializes in system administration and web development.

 

  • Rating

    5/5

Related Articles

Comments (16)

  • Gravatar - David K
    David K 20:31, December 19, 2005
    Thaks for this walkthru--I've implemented it on my Apache 2.0 runing on Win2K server and it works perfectly.<br />
    The only issue I saw was that .rm files weren't recognized as video, so I removed the <br />
    OnlyIPLimit audio/mpeg video<br />
    line in <Location /...><br />
    Thaks again!
  • Gravatar - Mih
    Mih 21:02, December 26, 2005
    I have also implemented on RHE3 Cpanel it but on my folder i have downloads stuff like .rar exe zip or pdf files. <br />
    <br />
    I would like to know what i write instead this syntax:<br />
    <br />
    OnlyIPLimit audio/mpeg video<br />
    <br />
    Thanks for your co operation and your efforts are appreciable.
  • Gravatar - MrPC
    MrPC 05:41, January 4, 2006
    I get this when type "make". Can some1 help me out?<br />
    ===================<br />
    root@home [~/mod_limitipconn-0.22]# make<br />
    /usr/local/apache/bin/apxs -c mod_limitipconn.c<br />
    gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm -DMOD_SSL=208125 -DUSE_HSREGEX -DEAPI -fpic -DSHARED_MODULE -I/usr/local/apache/include -c mod_limitipconn.c<br />
    mod_limitipconn.c:34:20: ap_mpm.h: No such file or directory<br />
    mod_limitipconn.c:35:25: apr_strings.h: No such file or directory<br />
    mod_limitipconn.c:41: error: syntax error before "limitipconn_module"<br />
    mod_limitipconn.c:41: warning: data definition has no type or storage class<br />
    mod_limitipconn.c:47: error: syntax error before "apr_array_header_t"<br />
    mod_limitipconn.c:47: warning: no semicolon at end of struct or union<br />
    mod_limitipconn.c:49: warning: data definition has no type or storage class<br />
    mod_limitipconn.c:51: error: syntax error before '}' token<br />
    mod_limitipconn.c:51: warning: data definition has no type or storage class<br />
    mod_limitipconn.c:53: error: syntax error before '*' token<br />
    mod_limitipconn.c: In function `limitipconn_create_dir_config':<br />
    mod_limitipconn.c:55: error: `cfg' undeclared (first use in this function)<br />
    mod_limitipconn.c:55: error: (Each undeclared identifier is reported only once<br />
    mod_limitipconn.c:55: error: for each function it appears in.)<br />
    mod_limitipconn.c:55: error: syntax error before ')' token<br />
    mod_limitipconn.c:60: error: `p' undeclared (first use in this function)<br />
    mod_limitipconn.c: In function `limitipconn_handler':<br />
    mod_limitipconn.c:69: error: `cfg' undeclared (first use in this function)<br />
    mod_limitipconn.c:69: error: syntax error before ')' token<br />
    mod_limitipconn.c:70: error: request for member `module_index' in something not a structure or union<br />
    mod_limitipconn.c:89: error: `worker_score' undeclared (first use in this function)<br />
    mod_limitipconn.c:89: error: `ws_record' undeclared (first use in this function)<br />
    mod_limitipconn.c:100: error: too many arguments to function `ap_sub_req_lookup_uri'<br />
    mod_limitipconn.c:174: error: `SERVER_IDLE_KILL' undeclared (first use in this function)<br />
    mod_limitipconn.c:176: error: `SERVER_CLOSING' undeclared (first use in this function)<br />
    mod_limitipconn.c:184: warning: passing arg 5 of `ap_log_rerror' from incompatible pointer type<br />
    mod_limitipconn.c: In function `limit_config_cmd':<br />
    mod_limitipconn.c:198: error: `cfg' undeclared (first use in this function)<br />
    mod_limitipconn.c:198: error: syntax error before ')' token<br />
    mod_limitipconn.c: In function `no_limit_config_cmd':<br />
    mod_limitipconn.c:216: error: `cfg' undeclared (first use in this function)<br />
    mod_limitipconn.c:216: error: syntax error before ')' token<br />
    mod_limitipconn.c:218: warning: assignment makes pointer from integer without a cast<br />
    mod_limitipconn.c: In function `excl_limit_config_cmd':<br />
    mod_limitipconn.c:226: error: `cfg' undeclared (first use in this function)<br />
    mod_limitipconn.c:226: error: syntax error before ')' token<br />
    mod_limitipconn.c:228: warning: assignment makes pointer from integer without a cast<br />
    mod_limitipconn.c: At top level:<br />
    mod_limitipconn.c:235: error: initializer element is not constant<br />
    mod_limitipconn.c:235: error: (near initialization for `limitipconn_cmds[0].name')<br />
    mod_limitipconn.c:237: error: initializer element is not constant<br />
    mod_limitipconn.c:237: error: (near initialization for `limitipconn_cmds[0].func')<br />
    mod_limitipconn.c:239: error: initializer element is not constant<br />
    mod_limitipconn.c:239: error: (near initialization for `limitipconn_cmds[0].cmd_data')<br />
    mod_limitipconn.c:240: warning: braces around scalar initializer<br />
    mod_limitipconn.c:240: warning: (near initialization for `limitipconn_cmds[0].req_override')<br />
    mod_limitipconn.c:240: warning: initialization makes integer from pointer without a cast<br />
    mod_limitipconn.c:241: error: initializer element is not constant<br />
    mod_limitipconn.c:241: error: (near initialization for `limitipconn_cmds[0]')<br />
    mod_limitipconn.c:244: error: syntax error before '*' token<br />
    mod_limitipconn.c: In function `limitipconn_init':<br />
    mod_limitipconn.c:246: error: `s' undeclared (first use in this function)<br />
    mod_limitipconn.c:248: error: `AP_MPMQ_HARD_LIMIT_THREADS' undeclared (first use in this function)<br />
    mod_limitipconn.c:249: error: `AP_MPMQ_HARD_LIMIT_DAEMONS' undeclared (first use in this function)<br />
    mod_limitipconn.c: At top level:<br />
    mod_limitipconn.c:253: error: syntax error before '*' token<br />
    mod_limitipconn.c: In function `register_hooks':<br />
    mod_limitipconn.c:255: error: `APR_HOOK_MIDDLE' undeclared (first use in this function)<br />
    mod_limitipconn.c: At top level:<br />
    mod_limitipconn.c:259: error: syntax error before "limitipconn_module"<br />
    mod_limitipconn.c:260: error: `STANDARD20_MODULE_STUFF' undeclared here (not in a function)<br />
    mod_limitipconn.c:260: error: initializer element is not constant<br />
    mod_limitipconn.c:260: error: (near initialization for `limitipconn_module')<br />
    mod_limitipconn.c:261: warning: excess elements in scalar initializer<br />
    mod_limitipconn.c:261: warning: (near initialization for `limitipconn_module')<br />
    mod_limitipconn.c:262: warning: excess elements in scalar initializer<br />
    mod_limitipconn.c:262: warning: (near initialization for `limitipconn_module')<br />
    mod_limitipconn.c:263: warning: excess elements in scalar initializer<br />
    mod_limitipconn.c:263: warning: (near initialization for `limitipconn_module')<br />
    mod_limitipconn.c:264: warning: excess elements in scalar initializer<br />
    mod_limitipconn.c:264: warning: (near initialization for `limitipconn_module')<br />
    mod_limitipconn.c:265: warning: excess elements in scalar initializer<br />
    mod_limitipconn.c:265: warning: (near initialization for `limitipconn_module')<br />
    mod_limitipconn.c:267: warning: excess elements in scalar initializer<br />
    mod_limitipconn.c:267: warning: (near initialization for `limitipconn_module')<br />
    mod_limitipconn.c:267: warning: data definition has no type or storage class<br />
    apxs:Break: Command failed with rc=1<br />
    make: *** [mod_limitipconn.so] Error 1<br />
  • Gravatar - Nick
    Nick 16:23, January 31, 2006
    Thank you very much man. I have some DOS attacks in my server those days, and this is really helpfull :)
  • Gravatar - Frosty
    Frosty 09:55, February 23, 2006
    Very helpful there too :-)<br />
    Many thanks.
  • Gravatar - konnor
    konnor 15:16, April 17, 2006
    Wow! Man, really really thank you for this stuff! It works perfectly! (After I set up the ExtendedStatus directive ;))<br />
    Last night I had a bloody DOS attack on my web server - I hope this stuff protect my server in the future. Thanks again!
  • Gravatar -  A server admin
    A server admin 13:34, July 28, 2006
    How do you make this if you have direct physical access to the webserver. And do not need to login to the server. Specifically on a Windows apache server.??
  • Gravatar - kon
    kon 12:10, March 18, 2007
    I am guessing this is only for a full Server root access and not for someone who is on shared hosting...?
  • Gravatar - fabiOne
    fabiOne 12:04, May 4, 2007
    Good, good, good. You have complete a perfect job for many people.<br />
    Many thanks.
  • Gravatar - RTG (Asia) Network
    RTG (Asia) Network 15:51, August 21, 2007
    The link no longer works.<br />
  • Gravatar - NobodyHasGottaBodyLikeMe
    NobodyHasGottaBodyLikeMe 23:18, June 16, 2008
    One thing I found: You may get a lot of false positives if you have KeepAlive enabled in Apache, since by default it keeps each connection open for 15 seconds. So if the user hits several pages in succession while using a lame browser, they may get a 503 error when they aren't doing anything objectionable.<br />
  • Gravatar - lovelu
    lovelu 20:20, October 30, 2008
    its work for mp3 file. but it does not working for pdf file. what to do?
  • Gravatar - Farzin Sadeghi
    Farzin Sadeghi 08:39, January 2, 2010
    Thanks man. you saved my life !! :D <br />
    it works like a charm. :D<br />
    <br />
    -------------<br />
    to lovelu<br />
    if u want to limit other file types<br />
    u should add the extension to your active mime.conf and then add the disable extension with a "space" , like this :<br />
    OnlyIPLimit audio/mpeg video aplication/pdf extension1 extension2 ... and so on.<br />
    or every thing esle u defined in mime.conf :D
  • Gravatar - Farzin
    Farzin 16:50, January 17, 2010
    hi , thanks for great post.<br />
    <br />
    is it possible to limit connections per file ? for example limiting ip to 2 , but also letting them download 5 files at the same time.<br />
    that counts 10 connections.<br />
    but it is devided between 5 files automatically. <br />
    can it be possible ?
  • Gravatar - John
    John 20:07, October 13, 2010
    Hello,

    How to uninstall this ?

    Thanks in advance

Add Your Thoughts

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2014 WebHostGear.com