Bug #1579

1.4.18 + mod_evasive + ipv6

Added by Anonymous about 6 years ago. Updated over 5 years ago.

Status: Fixed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: mod_evasive
Target version: 1.5.0
Missing in 1.5.x:

Description

Hello,

it seems there is a problem with mod_evasive when using it together with IPv6. I am using a limit of 15 connections per IP. Once I enable IPv6 via "server.use-ipv6" (this is on Linux) I get insanely many 403 errors and a lot of "connection turned away" errors in my log. Note: This happens only after enabling IPv6.
I am running a very high traffic website with over 500req/s on average.
Reproducing this is probably not easy since you would need a lot of clients with different IP addresses.

I have tested this with 1.5.0 R1922 and it works fine there. I have been searching the ticket db but haven't been able to locate anything or any note if there was indeed something fixed.

Regards,
Jonas Frey

Fix-mod_evasive-IPv6-1579.patch - 2. try (2.28 KB) stbuehler, 2008-06-23 19:28


Related issues

Related to Bug #2061: mod_evasive + ipv6 does not work Invalid 2009-09-01

History

#1 Updated by Anonymous almost 6 years ago

Followup:

Contrary to my previous post: this is not fixed in 1.5.x. It happens there, too. It just takes more time to be visible but then it's the same.
After all mod_evasive is unusable together with IPv6. This module should be considered broken.

Regards,
Jonas Frey

#2 Updated by stbuehler almost 6 years ago

Please test the attached patch if possible, perhaps it gets in before 1.4.20

#3 Updated by Anonymous almost 6 years ago

I managed to run into the same problem when enabling mod evasive. My case should be fairly reproducible (seen in a week or so at least), so I can test the patch soon.

-- naked

#4 Updated by Anonymous almost 6 years ago

I tested this patch and the behaviour was similar to what it was before this patch - meaning that once a limit was passed, all new connections seemed to receive the 403 response, not just connections originating from the same IP address.

-- naked

#5 Updated by Anonymous almost 6 years ago

I was fearing that perhaps I made a mistake and didn't actually apply the patch or that the binary wouldn't have been updated, but that does not seem to be the case - the error message is:

2008-06-02 19:51:09: (mod_evasive.c.175) ::ffff:1.2.3.4 turned away. Too many connections.

And line 175 in mod_evasive.c is exactly the log_error_write line after applying the patch.

-- naked

#6 Updated by Anonymous almost 6 years ago

Accidentally set the need feedback tag, sorry. Also, taking a quick peek at the patch, it looks like the comparison is the wrong way around in the IPv6 case (== vs. =!) - however, I can't confirm this right now.

-- naked
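
The comparison direction questioned in comment #6, as an added illustration (not lighttpd's code and not the attached patch): `memcmp()` returns 0 on a match, so an inverted test on IPv6 addresses charges every other client's connections to a newcomer. All function names, the addresses and the 20-client scenario are constructed assumptions; the limit of 15 is the one quoted in the report.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* All names here are hypothetical; none are taken from lighttpd. */
typedef int (*peer_cmp)(const struct in6_addr *, const struct in6_addr *);

/* Correct: memcmp() returns 0 when the 16 address bytes match. */
static int same_peer(const struct in6_addr *a, const struct in6_addr *b) {
    return memcmp(a, b, sizeof(*a)) == 0;
}

/* Inverted test: reports a match whenever the addresses differ. */
static int same_peer_inverted(const struct in6_addr *a, const struct in6_addr *b) {
    return memcmp(a, b, sizeof(*a)) != 0;
}

/* Count open connections that the comparator attributes to `who`. */
static int conns_from(const struct in6_addr *open, int n,
                      const struct in6_addr *who, peer_cmp cmp) {
    int count = 0;
    for (int i = 0; i < n; i++)
        count += cmp(&open[i], who);
    return count;
}

/* Constructed scenario: 20 distinct v4-mapped clients hold one connection
 * each, then a client with no open connections arrives. */
static int demo_count(peer_cmp cmp) {
    struct in6_addr open[20], newcomer;
    char text[INET6_ADDRSTRLEN];
    for (int i = 0; i < 20; i++) {
        snprintf(text, sizeof(text), "::ffff:192.0.2.%d", i + 1);
        inet_pton(AF_INET6, text, &open[i]);
    }
    inet_pton(AF_INET6, "::ffff:192.0.2.200", &newcomer);
    return conns_from(open, 20, &newcomer, cmp);
}

int main(void) {
    const int limit = 15; /* per-IP limit quoted in the report */
    int ok = demo_count(same_peer), bad = demo_count(same_peer_inverted);
    printf("correct:  %d conns -> %s\n", ok, ok >= limit ? "403" : "accept");
    printf("inverted: %d conns -> %s\n", bad, bad >= limit ? "403" : "accept");
    return 0;
}
```

With the inverted test the newcomer is counted as holding all 20 connections, which matches the symptom reported in comment #4 where every new connection receives a 403 once the limit is passed.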

#7 Updated by Anonymous almost 6 years ago

I am running lighttpd since 06/24 with Fix-mod_evasive-IPv6-1579.patch
without any problem (the patch was applied as I was having the problem with mod_evasive when I enabled IPv6) on ftp.free.fr/ftp.proxad.net.

-- fantec

#8 Updated by stbuehler over 5 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed

Fixed in r2222 and r2224 for 1.4 and 1.5
