On Wed, Feb 15, 2012 at 10:58 PM, Juan Marín Otero <juan.marin.otero@anonymised.com> wrote:
Hi all,
I’d like to discuss an enhancement that I’ve been working on for the control flow module that would allow it to:
- Establish global limits for the number of concurrent requests from a single IP address. A single IP address may only take up to n number of requests in parallel.
- Specify limits for the number of requests that a particular IP address can take, same as above but specific to a particular IP.
- IP blacklist, which would reject requests coming from specific IP addresses.
Not sure if completely necessary, but I’ve rounded up some more details into a GSIP here:
http://geoserver.org/display/GEOS/GSIP+72+-+Control+Flow+Module+Enhancements
Feedback and comments really welcome.
Hi Juan,
thanks a lot for the detailed GSIP, it’s well laid out and provides a good explanation
of what has been done.
I’m overall quite happy about the improvements, there are just a few minor points that
may need amending.
The reason why the original module did not have ip address control is due to routers and
proxies.
When you have a big organization, with hundreds or thousands of people behind a single
public ip address, it gets difficult to use just the ip: you might be handling a user with
a single ip that’s flooding you, or seeing the effect of 30 people working in parallel
against GeoServer. While you want to stop/limit the first, applying limits to the second
might well make the application unusable for that particular organization.
Also you might have reverse proxies local to the server that act as front ends to the
server, if you just get the ip address you’ll get the one of the local proxy.
To address the above there is the x-forwarded-for header that reverse proxies
normally set to inform software that a proxy is in the middle:
http://en.wikipedia.org/wiki/X-Forwarded-For
If you look into the “monitoring” module you’ll see how the header is used.
Another detail in the GSIP that might need reworking is this syntax:
ip.address=,<ip_addr>
Is it just me, or will the above not allow controlling more than one specific ip
address? The property files are, in the end, serialized maps.
I guess the following one might do instead:
ip.<ip_addr>=count
(and you scan the whole property file contents to look for those).
One final note is that this is the first GSIP that is being proposed by a non
core developer. As far as I know you don’t have commit access either, right?
If this is your first contribution you should also open a ticket in jira
and attach the full patch for review.
Anyways, the work looks good.
Normally we allow commit access directly for new community modules, since
you are modifying an extension I guess we can give you commit access anyways
but you’ll have to ask for reviews before making commits to any core/extension
module.
Thanks again for the contribution and for approaching the community in such
a clear way, looking forward to seeing the GSIP applied.
Cheers
Andrea
--
Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 962313
mob: +39 339 8844549
http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf
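
As an added example (not part of the thread and not GeoServer code), this shows the `ip.<ip_addr>=count` layout suggested above being scanned out of a property file and applied per client, with the client address taken from X-Forwarded-For. The class name, the trusted-proxy set and the rule of honouring the header only when the direct peer is one of those proxies are assumptions of this example.

```java
import java.io.StringReader;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Semaphore;
/** Added illustration; class, field and proxy names are hypothetical, not GeoServer code. */
public class IpFlowLimits {
    private final int defaultLimit;                              // global per-IP limit
    private final Map<String, Integer> perIp = new HashMap<>();  // from ip.<ip_addr>=count
    private final Set<String> trustedProxies;                    // assumed: local reverse proxies
    private final Map<String, Semaphore> slots = new ConcurrentHashMap<>();

    IpFlowLimits(Properties p, int defaultLimit, Set<String> trustedProxies) {
        this.defaultLimit = defaultLimit;
        this.trustedProxies = trustedProxies;
        // Scan the whole property file for keys of the form ip.<ip_addr>
        for (String key : p.stringPropertyNames())
            if (key.startsWith("ip."))
                perIp.put(key.substring(3), Integer.parseInt(p.getProperty(key).trim()));
    }

    /** Use X-Forwarded-For only when the direct peer is a trusted proxy; clients can forge it. */
    String clientIp(String remoteAddr, String xForwardedFor) {
        if (xForwardedFor == null || !trustedProxies.contains(remoteAddr)) return remoteAddr;
        String[] hops = xForwardedFor.split(",");
        // Walk right to left: the rightmost hop that is not one of our proxies is the client
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !trustedProxies.contains(hop)) return hop;
        }
        return remoteAddr;
    }

    /** Returns false when the IP already holds its limit of parallel requests. */
    boolean tryEnter(String ip) {
        return slots.computeIfAbsent(ip,
            k -> new Semaphore(perIp.getOrDefault(k, defaultLimit))).tryAcquire();
    }

    /** Call only after a successful tryEnter for the same IP. */
    void exit(String ip) { slots.get(ip).release(); }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader("ip.203.0.113.7=1\n"));        // constructed sample config
        IpFlowLimits f = new IpFlowLimits(p, 2, Set.of("127.0.0.1"));
        String ip = f.clientIp("127.0.0.1", "203.0.113.7");    // request relayed by local proxy
        System.out.println(ip + " " + f.tryEnter(ip) + " " + f.tryEnter(ip));
        System.out.println(f.clientIp("192.0.2.50", "203.0.113.7")); // header from untrusted peer
    }
}
```

`java.util.Properties` treats an unescaped `:` in a key as the key/value separator, so IPv6 addresses used in `ip.<ip_addr>` keys would need their colons escaped.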