configuration challenge with ConnectionsPerIP

Fred
8 November 2016, 12:47
Hi Hugo,

I wonder if you could help me solve a big problem that I face at the moment.

I have a customer that has 6 e-commerce sites (a mix of WordPress and PHP sites) and they have 6 members of staff connected to the sites throughout the day, accessing all the sites, either to manage orders or simply to navigate the customer around the site.

I have 1 public IP, so I use Hiawatha as a reverse proxy to serve all my websites.
On the Reverse proxy, I have
ConnectionsPerIP = 25

Every other day I get a very unpleasant call from the client saying that they cannot access any of their sites.
The reverse proxy logs are showing:
80.252.xx.xxx|Mon 07 Nov 2016 15:54:12 +0000|Client banned because of too many simultaneous connections

As you know, a browser can use up to 6 connections for one website, so the math is as follows:
1 desktop accessing 6 websites * 6 browser connections = 36
Now, we have 6 members of staff: 36 * 6 = 216
If I set ConnectionsPerIP = 216, I leave myself wide open to DDoS attacks etc.
One solution would be to whitelist the client IP, but I'd rather not.
Is it possible to allow the specific IP to have the 216 connections, or allow the ConnectionsPerIP to be 216 at the backend server in the VirtualHost {}?

Any advice will be greatly appreciated.
Thank you

Hugo Leisink
9 November 2016, 16:59
At this moment, specifying a per-IP ConnectionsPerIP is not possible. I'm not going to implement such a thing, because then every option can be made per-IP. Too much work, no time, ugly configuration, so no-go.

My advice: set it as high as needed to make it work. That does not make you vulnerable to DDoS attacks, because you already are. Such attacks aim at filling up your bandwidth with garbage. That doesn't require a valid connection.

Don't be afraid of something that is not there. You are not being DDoS-ed and you are probably not a high-profile target. If you are under attack, you can look at options like ChallengeClient and BanOnFlooding.

Hiawatha has a lot of security options. The downside of that is that it can make people too paranoid. Don't be.
This topic has been closed.
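
An added example, not part of the original thread and not Hiawatha's own code: a small Python script that summarises the ban lines quoted in the first post per client IP, to check whether the bans come from one recurring address (such as an office behind a single public IP) before raising ConnectionsPerIP. Only the `ip|timestamp|message` layout and the ban message come from the post; the sample lines, addresses and the `min_days` threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

BAN_MSG = "Client banned because of too many simultaneous connections"
TS_FORMAT = "%a %d %b %Y %H:%M:%S %z"  # e.g. Mon 07 Nov 2016 15:54:12 +0000

# Constructed sample lines in the ip|timestamp|message layout quoted in the post.
# Addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.10|Mon 07 Nov 2016 15:54:12 +0000|Client banned because of too many simultaneous connections
198.51.100.7|Mon 07 Nov 2016 16:02:40 +0000|Client banned because of too many simultaneous connections
203.0.113.10|Wed 09 Nov 2016 10:11:03 +0000|Client banned because of too many simultaneous connections
203.0.113.10|Wed 09 Nov 2016 14:30:59 +0000|Client banned because of too many simultaneous connections
203.0.113.10|Fri 11 Nov 2016 09:05:21 +0000|Some other message
not a log line
"""

def summarize_bans(log_text):
    """Return {ip: {"bans": n, "days": [dates]}} for connection-limit bans."""
    stats = defaultdict(lambda: {"bans": 0, "days": set()})
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3 or parts[2].strip() != BAN_MSG:
            continue  # not a ban line in the expected layout
        try:
            when = datetime.strptime(parts[1].strip(), TS_FORMAT)
        except ValueError:
            continue  # skip lines with an unparsable timestamp
        entry = stats[parts[0].strip()]
        entry["bans"] += 1
        entry["days"].add(when.date())
    return {ip: {"bans": s["bans"], "days": sorted(s["days"])}
            for ip, s in stats.items()}

def recurring_clients(summary, min_days=2):
    """IPs banned on at least min_days distinct days (heuristic for a shared address)."""
    return sorted(ip for ip, s in summary.items() if len(s["days"]) >= min_days)

if __name__ == "__main__":
    summary = summarize_bans(SAMPLE_LOG)
    for ip, s in sorted(summary.items()):
        print(ip, s["bans"], [d.isoformat() for d in s["days"]])
    print("recurring:", recurring_clients(summary))
```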