[mirror-admin] enabling keep-alives
Axel Thimm
Axel.Thimm at ATrpms.net
Thu Mar 27 00:01:53 EDT 2008
On Wed, Mar 26, 2008 at 09:12:08AM -0400, Brian Long wrote:
>
> On Tue, 2008-03-25 at 22:22 +0200, Axel Thimm wrote:
> > On Tue, Mar 25, 2008 at 07:39:48AM +0100, Günther Fischer wrote:
> > > On our side I see many partial GETs for one ISO from one IP. I think
> > > this are download accelerators.
> > > So we reach quickly the max number of httpd 768 (I have defined). With
> > > redirected the ISOs to ftp I see it around 200.
> > >
> > > So I look to stop too many connections from one IP.
> >
> > I use two tricks, one is to limit connections to ISO dirs by some
> > amount per IP:
> >
> > <IfModule mod_limitipconn.c>
> > MaxConnPerIP 6
> > </IfModule>
>
> Wouldn't this also hinder folks behind a NAT device? If I have a /24
> subnet behind a single NAT IP, only 6 of my hosts would be able to
> perform legitimate downloads before being limited as if they were a
> download accelerator. True?
Yes and no. The mod_limitipconn module supports detection on real
client addresses but only if apache is patched. The docs say:
Proxy client tracking
By default, all clients behind a proxy are treated as coming from the
proxy server's IP address. If you patch Apache with the included patch
and configure with --with-forward and rebuild, the real IP addresses
of clients behind proxies are correctly detected. You will need to
either compile statically or compile with -DRECORD_FORWARD.
If you don't patch the server, DO NOT compile with RECORD_FORWARD
defined. The module will still function, but it will not recognize
clients behind proxies.
--
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mail.ale.org/pipermail/mirror-admin/attachments/20080327/1c7062e6/attachment.bin
-------------- next part --------------
--
More information about the Mirror-admin
mailing list