Bug #1579
closed
1.4.18 + mod_evasive + ipv6
Description
Hello,
it seems there is a problem with mod_evasive when used together with IPv6. I am using a limit of 15 connections per IP. Once I enable IPv6 via "server.use-ipv6" (this is on Linux) I get insanely many 403 errors and a lot of "connection turned away" errors in my log. Note: This happens only after enabling IPv6.
I am running a very high traffic website with over 500req/s on average.
Reproducing this is probably not easy since you would need a lot of clients with different IP addresses.
I have tested this with 1.5.0 R1922 and it works fine there. I have been searching the ticket db but haven't been able to locate anything or any note if there was indeed something fixed.
Regards,
Jonas Frey
Updated by Anonymous over 16 years ago
Followup:
Contrary to my previous post: this is not fixed in 1.5.x. It happens there, too. It just takes more time to be visible but then it's the same.
After all mod_evasive is unusable together with IPv6. This module should be considered broken.
Regards,
Jonas Frey
Updated by stbuehler over 16 years ago
Please test the attached patch if possible, perhaps it gets in before 1.4.20
Updated by Anonymous over 16 years ago
I managed to run into the same problem when enabling mod evasive. My case should be fairly reproducible (seen in a week or so at least), so I can test the patch soon.
-- naked
Updated by Anonymous over 16 years ago
I tested this patch and the behaviour was similar to what it was before this patch - meaning that once a limit was passed, all new connections seemed to receive the 403 response, not just connections originating from the same IP address.
-- naked
Updated by Anonymous over 16 years ago
I was fearing that perhaps I made a mistake and didn't actually apply the patch or that the binary wouldn't have been updated, but that does not seem to be the case - the error message is:
2008-06-02 19:51:09: (mod_evasive.c.175) ::ffff:1.2.3.4 turned away. Too many connections.
And line 175 in mod_evasive.c is exactly the log_error_write line after applying the patch.
-- naked
Updated by Anonymous over 16 years ago
Accidentally set the need feedback tag, sorry. Also, taking a quick peek at the patch, it looks like the comparison is the wrong way around in the IPv6 case (== vs. !=) - however, I can't confirm this right now.
-- naked
Updated by Anonymous over 16 years ago
I am running lighttpd since 06/24 with Fix-mod_evasive-IPv6-1579.patch
without any problem (the patch was applied as I was having the problem with mod_evasive when I enabled IPv6) on ftp.free.fr/ftp.proxad.net.
-- fantec
Updated by stbuehler over 16 years ago
- Status changed from New to Fixed
- Resolution set to fixed
Fixed in r2222 and r2224 for 1.4 and 1.5
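An added example, not lighttpd's code and not the patch from this ticket: one way the symptom reported above (every client counted against the same per-IP limit once IPv6 is enabled) can arise when peer addresses live in a sockaddr union and the comparison only reads the IPv4 field. The union layout and all names (`peer_addr`, `same_peer_naive`, `same_peer`, `count_peer`, `make_v6`) are assumptions for illustration, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical address union, able to hold a peer of either family. */
typedef union {
    struct sockaddr     plain;
    struct sockaddr_in  ipv4;
    struct sockaddr_in6 ipv6;
} peer_addr;

/* Family-unaware comparison: always reads the IPv4 field. For an AF_INET6
 * entry those bytes are sin6_flowinfo, not the peer address. */
int same_peer_naive(const peer_addr *a, const peer_addr *b) {
    return a->ipv4.sin_addr.s_addr == b->ipv4.sin_addr.s_addr;
}

/* Family-aware comparison: compare the field that actually holds the address. */
int same_peer(const peer_addr *a, const peer_addr *b) {
    if (a->plain.sa_family != b->plain.sa_family) return 0;
    switch (a->plain.sa_family) {
    case AF_INET:
        return a->ipv4.sin_addr.s_addr == b->ipv4.sin_addr.s_addr;
    case AF_INET6:
        return 0 == memcmp(&a->ipv6.sin6_addr, &b->ipv6.sin6_addr,
                           sizeof(struct in6_addr));
    default:
        return 0;
    }
}

/* Count open connections that the given comparison attributes to `who`. */
size_t count_peer(const peer_addr *conns, size_t n, const peer_addr *who,
                  int (*eq)(const peer_addr *, const peer_addr *)) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += eq(&conns[i], who) ? 1 : 0;
    return hits;
}

/* Constructed sample input: an AF_INET6 peer built from text. */
peer_addr make_v6(const char *text) {
    peer_addr p;
    memset(&p, 0, sizeof(p));          /* flowinfo and scope id are zero */
    p.ipv6.sin6_family = AF_INET6;
    inet_pton(AF_INET6, text, &p.ipv6.sin6_addr);
    return p;
}
```

With three distinct IPv6 peers, the family-unaware comparison attributes all three connections to one client, while the family-aware one counts only the matching address.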