* Limiting httpd traffic
From: Umut Arus @ 2008-01-05 0:25 UTC
To: netfilter
Hi,
We want to limit httpd outgoing traffic in a proxy server, so in
the scenario, one user should connect to one web site (one IP)
with a limited number of connections (for example max. 10).
I don't think that requirement does not meet with --connlimit-above
parameter. Am I wrong?
Is it possible to type a rule with ipfilter command?
Regards,
* Re: Limiting httpd traffic
From: G.W. Haywood @ 2008-01-05 11:32 UTC
To: netfilter
Hi there,
On Sat, 5 Jan 2008, Umut Arus wrote:
> We want to limit httpd outgoing traffic in a proxy server,
Do you mean "httpd outgoing traffic" or "HTTP outgoing traffic"?
> in the scenario, one user should connect to one web site (one IP)
> with a limited number of connections (for example max. 10).
You are thinking of it in the way the user of a Web browser thinks of
it. Read about how HTTP traffic works. After a single HTTP request
has been processed, the TCP connection may no longer exist - although
the user may still be reading a page from the Website to which he sent
the request.
You need to make your objective clearer before you propose a solution,
and give more information. For example, how many users will there be?
How much traffic will they generate, expressed both as connections and
as bytes per unit time? Will the limits be fixed or variable? Do you
not care about incoming traffic at all? Do the connection limits only
apply to simultaneous connections or to connections within some time?
> I don't think that requirement does not meet with --connlimit-above
> parameter. Am I wrong?
I'm not sure exactly what that sentence means, so I don't know if it's
wrong. :) But I do not think that you will be able to do what you want
to do in the way that you propose.
> Is it possible to type a rule with ipfilter command?
I do not know of an 'ipfilter' command. Perhaps you need to see
http://coombs.anu.edu.au/ipfilter/
which has no connection with iptables.
--
73,
Ged.
* Re: Limiting httpd traffic
From: Umut Arus @ 2008-01-05 11:50 UTC
To: netfilter
Hi,
I mean "http outgoing traffic". Rapidshare connections and download
manager software such as getright are exploiting our bandwidth. I want
to limit connections per web site and per source IP.
I hope I have explained it more clearly.
* Re: Limiting httpd traffic
From: G.W. Haywood @ 2008-01-05 11:57 UTC
To: netfilter
Hi there,
On Sat, 5 Jan 2008, Umut Arus wrote:
> >> We want to limit httpd outgoing traffic in a proxy server,
>
> I mean "http outgoing traffic". Rapidshare connections and download
> manager software such as getright are exploiting our bandwidth. I want
> to limit connections per web site and per source IP.
> I hope I have explained it more clearly.
Type
man iptables
look for 'hashlimit'
Is that what you want?
--
73,
Ged.
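
Added example, not part of the thread or of any poster's message: the connlimit and hashlimit matches named above, side by side, to show that one counts simultaneous connections per source while the other counts new connections over time per (source, destination) pair. It assumes client packets are routed through this box, so the FORWARD chain sees the client address as source; the chain, port, limits and the name http_pair are illustrative values.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: rules are printed.
# Run as root with APPLY=1 to load them.
# Assumption (not stated in the thread): client packets are routed through
# this box, so FORWARD sees the client as source and the web site as
# destination.
APPLY=${APPLY:-0}
CHAIN=${CHAIN:-FORWARD}
PORT=${PORT:-80}
MAX_CONN=${MAX_CONN:-10}      # simultaneous connections per client
RATE=${RATE:-10/minute}       # new connections per (client, site) pair
BURST=${BURST:-10}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

http_limit_rules() {
    # connlimit counts connections open *at the same time*, grouped by
    # source address (/32 = each client separately), not per destination.
    run iptables -A "$CHAIN" -p tcp --syn --dport "$PORT" \
        -m connlimit --connlimit-above "$MAX_CONN" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset

    # hashlimit counts *new* connections over time, one bucket per
    # (source IP, destination IP) pair; idle buckets expire after 60 s.
    run iptables -A "$CHAIN" -p tcp --syn --dport "$PORT" \
        -m hashlimit --hashlimit-name http_pair \
        --hashlimit-mode srcip,dstip \
        --hashlimit-above "$RATE" --hashlimit-burst "$BURST" \
        --hashlimit-htable-expire 60000 \
        -j DROP
}

http_limit_rules
```

On a host where an application proxy makes the outbound requests itself, those connections carry the proxy's own address as source, so the per-client part of either rule no longer distinguishes users.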
* Re: Limiting httpd traffic
From: Leonardo Rodrigues Magalhães @ 2008-01-05 13:19 UTC
To: netfilter ML
Squid can handle traffic limitation with its very flexible ACLs. Do
you run squid in your network? If yes, maybe you can get better
results doing this limitation in squid than in iptables.
Umut Arus wrote:
> Hi,
>
> I mean "http outgoing traffic". Rapidshare connections and download
> manager software such as getright are exploiting our bandwidth. I want
> to limit connections per web site and per source IP.
> I hope I have explained it more clearly.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
* Re: Limiting httpd traffic
From: Umut Arus @ 2008-01-05 13:35 UTC
To: netfilter ML
Thanks for the reply. But squid cannot handle this type of limitation and
wastes excessive CPU. We removed that configuration before.
Thanks,
* Re: Limiting httpd traffic
From: Leonardo Rodrigues Magalhães @ 2008-01-05 13:39 UTC
To: Umut Arus; +Cc: netfilter ML
I had a similar case once, where I was extremely interested in
squid delay_pool functionality but didn't want to waste CPU and I/O
because of squid.
I then installed squid with a NULL cache_dir, which means no cache
at all being done. On the very few days I got logging, just to check
everything was OK. Some days after, I disabled logging as well.
http_access ACLs were pretty simple so I don't think they would waste
too much CPU power.
Maybe by disabling cache and logging you can use squid to achieve your
bandwidth limitation with some GREAT and FLEXIBLE ACLs, which I don't
think you'll be able to achieve with other solutions ... and
because of the disabled features, maybe your CPU and I/O overhead wouldn't be
that big.
Umut Arus wrote:
> Thanks for the reply. But squid cannot handle this type of limitation and
> wastes excessive CPU. We removed that configuration before.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
gertrudes@solutti.com.br
My SPAMTRAP, do not email it