Obs Delay Source

tcp no delay mod download

prplz.io › tcpnodelaymod. This will have little to no effect if the client doesn't have TCP NoDelay. As such, I highly recommend that 1.7.10 players install prplz's TcpNoDelayMod for Forge. TcpNoDelayMod. A forge mod for minecraft 1.7.2, 1.7.10 and 1.8 that sets TCP_NODELAY to true, instead of the regular false. This reduces ingame latency and. tcp no delay mod download

mod_qos

More information about mod_qos:

Build

mod_qos requires OpenSSL, PCRE, threading and shared memory support. mod_qos was originally developed and fully tested for Apache version 2.2 MPM worker binaries, but works with Apache version 2.4 as well. The module is optimized to be used in a reverse proxy server.

Notes:
You should choose the worker MPM if you intend to use any connection level control directive.
If you decide to use HTTP/2 , you should only use the request level control directives as mod_qos works for the hypertext transfer protocol version 1.0 and 1.1 (RFC1945/RFC2616) only.

You can compile the module using . Your httpd binary must support dynamically loaded objects (DSO). Verify this by checking the availability of mod_so: The command must list the mod_so.c module. The following command compiles the module and installs mod_qos into the server's modules directory.

cd mod_qos-11.66/apache2 apxs -i -c mod_qos.c -lcrypto -lpcre cd ../..

If the necessary header files of OpenSSL, PCRE, etc. cannot be found, add the option to the command to specify the directory where header files can be found and if any of the required libraries cannot be found (may happen if you use mod_qos without mod_ssl), add the option to specify the directory where libraries can be found.
Note: you may customize the code using the following preprocessor directives:

Name	Description	Default
QS_MOD_EXT_HOOKS	Enables the optional hooks defined in mod_qos.h	not set
QSLOG_CLID	Defines the environment variable which shall be used for the "user tracking id" (U) within the format string used by the directive.	mod_qos_user_id
QSLOG_EVENT	Defines the environment variable which shall be used for the "event" (Q) within the format string used by the directive.	Event
QSLOG_AVERAGE	Defines the environment variable which shall be used for the "average" (a) within the format string used by the directive.	QS_AllConn
QS_LOG_REPEAT	Counter used to define how many repetitive messages are summarized.	20
QS_REQ_RATE_TM	Default for the directive.	5
QS_EXTRA_MATCH_LIMIT	Match limit field used for PCRE data processing.	1500

The support tools may be built (at least on some Linux platforms) using the GNU autotools. Some of these utilities require third-party libraries such as apr, apr-util, PCRE, libpng, and OpenSSL.

cd mod_qos-11.66/tools ./configure make

Configuration

Configuration is mostly done on a per-server basis (except the generic request filter and a few other directives). Directives within a virtual host are merged with the settings in the global configuration.

The , , , , and all directives may be used outside of virtual host configurations only.

The directive may be used to put mod_qos into a permissive mode where rule violations are logged only but no actions are applied to requests or connections to enforce a rule. This may be used for test purposes.

Request Level Control

The module features directives to control server access on a per-URL level - basically the main function of mod_qos.
Only one rule (URL string or regular expression) of each type is evaluated per request where regular expression rules (*Match) have higher priority than the rules using a literal URL-string. A rule may be used in parallel to a and/or rule if they use the very same URL string or regular expression.

Defines the number of concurrent requests for the specified request pattern (path and query). The rule with the lowest number of allowed concurrent connections has the highest priority if multiple expressions match the request. By default, no limitations are active.
Defines the allowed number of requests per second to the URL (path and query) pattern. Requests are limited by adding a delay to each request (linear). The delay calculation is based on an average request rate measurement using a sampling rate of 10 seconds. By default, no limitation is active. This directive should be used in conjunction with only (you must use the very same regex pattern with the and directive) to avoid too many concurrent requests.
Defines the allowed download bandwidth to the location matching the defined URL (path and query) pattern. Responses are slowed down by adding a delay to each response (every 8kbytes). Bandwidth calculation is based on measuring the transferred data. By default, no limitation is active. This directive should be used in conjunction with only (you must use the very same regex pattern with the and directive) to avoid too many concurrent requests.
Defines the number of concurrent requests for the specified location (applied to the parsed path). By default, no limitations are active for locations. Has lower priority than directives.
Defines the default limitation for the maximum of concurrent requests per-location for those locations not defined by any directive. It could also be used to limit the number of concurrent requests to a virtual host.
Defines the allowed number of requests per second to a location, similar to the directive. The maximum number of requests is limited by adding a delay to each request (linear, each request gets the same delay). By default, no limitation is active. This directive should be used in conjunction with only (you must use the same location for both directives) to avoid too many concurrent requests.. Has lower priority than .
Throttles the download bandwidth to the defined kbytes per second. Works similar as the directive slowing down HTTP responses by adding a delay to each response. By default, no limitation is active. This directive should be used in conjunction with only (you must use the same location for both directives) to avoid too many concurrent requests.. Has lower priority than .

Sample configuration:
# maximum number of active TCP connections is limited to 512 MaxClients 512 # limits concurrent requests to the locations: # - /app/a max. 200 concurrent requests # - /app/b and /app/c (together) max. 300 concurrent requests # - /images max. 100 concurrent requests QS_LocRequestLimit /app/a 200 QS_LocRequestLimitMatch ^(/app/b/|/app/c/).*$ 300 QS_LocRequestLimit /images 100 # limits download bandwidth to 5Mbit/sec (resp. 640kbytes/sec) # for downloads from /app/a: QS_LocKBytesPerSecLimit /app/a 640

Status Code and Error Page

The directives are used to control the response given to clients whose requests have been denied.

Defines an error page to be returned when a request is denied. The defined URL must be a (S)HTML document accessible by the client. You may enable server-side includes (SSI) in order to present detailed error messages based on the error codes provided by mod_qos.
Alternatively, a HTTP redirect (302) to a dedicated error page may be defined using an absolute URL defining schema, hostname, and path.
Defines the HTTP response code which is used when a request is denied. Requests denied at connection level usually get a HTTP 500 response code (ignoring the settings of the and directives).
Default (no custom error code or page defined) codes are:
400: if a request has no valid URL.
403: for requests denied by a , or directive.
413: when limiting the max. body data length by the directive.
500: for requests denied by any other directive.

Privileged Users

Additional directives are used to identify VIPs (very important persons) and to control the session life time and its cookie format. VIP users have privileged access and less QoS restrictions than ordinary users.

VIP information is stored and evaluated at different levels:

Session: VIP identification is stored using a HTTP session cookie. mod_qos starts a new session when detecting a HTTP response header (the header name is defined by the directive). Alternatively, a new session is started when detecting an authenticated user, see . The directives are used to set session attributes.
Request: The process environment may be evaluated by mod_qos rules. This variable is set automatically when receiving a valid mod_qos session cookie. The variable may also be set by configuration using a or directive. VIP status lasts for the particular request only.
Client IP address: VIP identification may be stored at the server side on a per-client IP address basis. The , , , and directives are used to define when an IP address should be marked as a VIP user.

Directives:

Defines an HTTP response header which marks a user as a VIP. mod_qos creates a session for this user by setting a cookie, e.g., after successful user authentication. Tests optionally its value against the provided regular expression. Specify the action 'drop' if you want mod_qos to remove this control header from the HTTP response.
Defines an HTTP response header which marks a client source IP address as a VIP. Tests optionally its value against the provided regular expression. Specify the action 'drop' if you want mod_qos to remove this control header from the HTTP response.
Creates a VIP session for users which have been authenticated by the Apache server, e.g., by the standard mod_auth* modules. It works similar to the directive.
Marks a source IP address as a VIP if the user has been authenticated by the Apache server, e.g. by the standard mod_auth* modules. It works similar to the directive.
Defines the session life time for a VIP. It is only used for session based (cookie) VIP identification (not for IP based). Default is 3600 seconds.
A cookie is used to identify requests coming from a user which has been identified as a VIP. This directive defines a custom cookie name for the mod_qos session cookie. Default is MODQOS.
Defines the cookie path. Default is "/".
Secret key used for cookie encryption. This key must be defined when using the same session cookie for multiple web servers (load balancing) or the sessions should survive a server restart. By default, a random key is used which changes every server restart.

The following table shows if a rules may be deactivated for VIPs:

QS_ClientEventBlockCount	no
QS_ClientEventLimitCount	no
QS_ClientEventPerSecLimit	no
QS_ClientEventRequestLimit	no
QS_ClientPrefer	yes
QS_ClientSerialize	no
QS_ClientGeoCountryPriv	no
QS_CondLocRequestLimitMatch	yes
QS_CondEventLimitCount	no
QS_CondClientEventLimitCount	no
QS_DenyQueryBody	no
QS_PermitUriBody	no
QS_DenyEvent	no
QS_DenyPath	no
QS_DenyQuery	no
QS_DenyRequestLine	no
QS_EventKBytesPerSecLimit	yes
QS_EventPerSecLimit	yes
QS_EventRequestLimit	no
QS_EventLimitCount	no
QS_InvalidUrlEncoding	no
QS_LimitRequestBody	no
QS_LocKBytesPerSecLimit(Match)	yes
QS_LocRequestLimit(Match)	yes
QS_LocRequestPerSecLimit(Match)	yes
QS_MileStone	no
QS_RedirectIf	no
QS_PermitUri	no
QS_RequestHeaderFilter	no
QS_ResponseHeaderFilter	no
QS_SrvMaxConn	yes
QS_SrvMaxConnClose	no
QS_SrvMaxConnPerIP	yes*
QS_SrvMinDataRate	yes*
QS_SrvSerialize	no

Notes:
Directives marked by "*" allow you to disable VIP support.
Event based or conditional rules may evaluate the QS_VipRequest and QS_IsVipRequest variables to decide if the rule should be applied.

Variables

Environment variables are used on a per request level and implement additional control mechanisms. Variables may be set using the standard Apache module mod_setenvif

or mod_setenvifplus

. See also the directives in order to combine multiple variables to form new variables interpreted by mod_qos rules.

These are the variables recognized by mod_qos:

Defines the error page overriding the setting made by the directive.
Disables some restrictions for this request (see privileged Users). Requires the definition of a VIP header using the directive (this activates VIP verification). However, such an event does not create a VIP session. The user has the VIP status only for a single request.
The variable is set by mod_qos when receiving a valid VIP session cookie.
Applies dynamic connection keep-alive settings overriding the Apache directive settings.
Applies dynamic connection keep-alive settings overriding the Apache directive settings.
Alters the I/O timeout (while reading the request body / writing the response) of the current request overriding the Apache directive settings.

Variable used to set the IP differentiated services code points (DiffServ / RFC 2474). This allows you to classify the network traffic when sending the response data to the client. "value" represents the 6-bit DSCP field as a decimal number (0 to 63).
Commonly used values:

DSCP	Class	DSCP	Class
0	none	8	Class selector 1
10	Assured forwarding 11	12	Assured forwarding 12
14	Assured forwarding 13	16	Class selector 2
18	Assured forwarding 21	20	Assured forwarding 22
22	Assured forwarding 23	24	Class selector 3
26	Assured forwarding 31	28	Assured forwarding 32
30	Assured forwarding 33	32	Class selector 4
34	Assured forwarding 41	36	Assured forwarding 42
38	Assured forwarding 43	40	Class selector 5
44	Voice admit	46	Expedited forwarding
48	Class selector 6	56	Class selector 7

Defines a number of milliseconds to delay the request processing.
The variable processed by the directive.
Variable processed by the directive.
The optional value defines the penalty points to increase the counter (default is 1).
(Default) variable processed by the directive.
The optional value defines the penalty points to increase the counter (default is 1).
The counter of the variable processed by the directive is reset if you set the same variable suffixed by , e.g. .
The counter of the variable processed by the , , , , and directives is decremented by the value set in the same variable suffixed by , e.g. decrements the value of the variable of the corresponding rule by 1. The variable is evaluated at the end of the request processing.
Variable processed by the directive.
Variable processed by the directive.
Variable processed by the , , and directives.
Variable processed by the directive.

Variables set by mod_qos which may be processed by conditional or event based rules, e.g., :

Number of concurrent connections for this server/virtual host. Value is set when using either the , , , or directive.
Note: value is calulcated when the client establishes the connection and remains the same for all HTTP requests performed on this connection.
Number of all concurrent connections for this Apache instance. Value is set when using either the , , , or directive.
Note: value is calulcated when the client establishes the connection and remains the same for all HTTP requests performed on this connection.
Number of IP connections open from the current IP address. Variable is available when using the directive.
Note: value is calulcated when the client establishes the connection and remains the same for all HTTP requests performed on this connection.
The variable is set for connections by clients which have been marked to be processed with low priority, see . The variable's value is determined when the client opens a new connection and its value represents the status flag of the tracked client attributes (hexadecimal). VIP status is ignored and the variable is always set even the IP has been marked as being VIP.
Variable is set when detecting a VIP request (either by cookie, IP address status, valid user, etc.). May be used by various event based directives.
The counter values of the variables used by the and directive are stored within the variable whose name is suffixed by , e.g. when limiting events.
The error code (number only) of a mod_qos log message that has occurred during a request.
ISO 3166 country code of client IPv4 address. Only available if the geographical database file has been loaded.
Note: You may use the directive to override the client's IP address based on the value within the defined HTTP request header (e.g., X-Forwarded-For) instead of taking the IP address of the client which has opened the TCP connection.

Sample of variable usage:
# privileged access for curl clients: BrowserMatch "curl" QS_VipRequest=yes # allows privileged access to a single resource: SetEnvIf Request_URI /app/start.html QS_VipRequest=yes # allows privileged access from a specified source address # or source address range: SetEnvIf Remote_Addr 172.18.3.32 QS_VipRequest=yes SetEnvIf Remote_Addr 192.168.10. QS_VipRequest=yes # set keep-alive timeout for MSIE version 5.x browser to 65 seconds: BrowserMatch "(MSIE 5\.)" QS_KeepAliveTimeout=65 # dynamic error page URL (per host error page): SetEnvIf Host ^([a-zA-Z0-9_\.\-]+) QS_ErrorPage=/error-docs/$1.html # external redirect to a sever hosting the error page: SetEnvIf Request_URI /app QS_ErrorPage=http://your.server.name/error.html

Conditional Rules

Conditional rules are only enforced if the variable matches the specified pattern.

Rule works similar to but it is only enforced for requests whose variable matches the specified condition (regular expression). Every request matching the defined pattern is counted, but the defined limitation is only enforced for those requests matching the specified condition.
Only one rule is evaluated per request.
Same as but requests are only blocked if the value of the variable matches the defined pattern (regex).
Defines the maximum number of the specified environment variable allowed within the defined time. Directive works similar as but requests are only blocked if the value of the variable matches the defined pattern (regex). Directive is allowed in global server context only.

Sample of conditional rules:
# set the conditional variable to spider if detecting a # "slurp" or "googlebot" search engine: BrowserMatch "slurp" QS_Cond=spider BrowserMatch "googlebot" QS_Cond=spider # limits the number of concurrent requests to two applications # (/app/b and /app/c) to 300 but does not allow access by a "spider" # if the number of concurrent requests exceeds the limit of 10: QS_LocRequestLimitMatch "^(/app/b/|/app/c/).*$" 300 QS_CondLocRequestLimitMatch "^(/app/b/|/app/c/).*$" 10 spider

Events

mod_qos may control the frequency of "events". An event may be any request attribute which can be represented by an environment variable. Such variables may be set by mod_setenvif

, mod_setenvifplus

, or by other Apache modules. Please consider the order of command execution to ensure that the necessary variables are set.

Defines the number of concurrent events. Directive works similar to , but counts the requests having the same environment variable (and optionally matching its value, too) rather than those that have the same URL pattern.
Note: The counter's value is stored in the environment variable QS_EventRequestLimit_<env-variable>_Counter.
Defines how often requests may have the defined environment variable (literal string) set. It measures the occurrences of the defined environment variable on a request per seconds level and tries to limit this occurrence to the defined number. It works similar as , but counts only the requests with the specified variable (or without it if the variable name is prefixed by a "!"). If a request matches multiple events, the rule with the lowest bandwidth is applied. Events are limited by adding a delay to each request causing an event.
Throttles the download bandwidth of all requests having the defined variable set to the defined kbytes per second. Responses are slowed by adding a delay to each response (every 8kbytes). The delay calculation is based on an average request rate measurement. By default, no limitation is active. This directive should be used in conjunction with only (you must use the same variable name for both directives) to avoid too many concurrent requests.
Defines the maximum number of events allowed within the defined time. Requests causing the event are denied when reaching this limitation for the specified time (blocked at request level).
Notes:
The current counter value is propagated to the process environment within the variable .
See also if you want to enforce a rule under certain conditions only.
The event counter can be decremented by setting the environment .

Mulpiple built-in directives may be used to set or detect events (additional event variable processing could be configured using mod_setenvif

or mod_setenvifplus

Sets (or unsets) the environment "variable=value" (literal string) if variable1 (literal string) AND variable2 (literal string) are set in the request environment variable list (not case sensitive). This is used to combine multiple variables to a new event type.
This directive may be used on a per-server or location basis.
Sets the environment variable if the environment variable1's value matches the defined regular expression. .. within the value and are replaced by parenthesized subexpressions of the regular expression.
This directive may be used on a per-server or location basis.
Sets the defined variable with the value where the value string may contain other environment variables surrounded by "${" and "}". The variable is only set if all defined variables within the value have been resolved.
Directive works quite similar to the directive of the Apache module mod_setenvif , but the specified regex is applied against the query string portion of the request line. The directive recognizes the occurrences of $1..$9 within value and replaces them by the sub-expressions of the defined regex pattern.
This directive may be used on a per-server or location basis.
Sets the defined environment variable if the specified env-variables[1|2] are numerical or alphabetically (case insensitive) equal (), not equal () greater (), or less ().
This directive may be used on a per-location basis only.
Directive parsing the request payload using the Apache module mod_parp . It matches the request URL query and the HTTP request message body data as well (, , and ) and sets the defined process variable (quite similar to the directive). The directive recognizes the occurrences of $1..$9 within value and replaces them by the sub-expressions of the defined regex pattern. This directive activates mod_parp for every request to the virtual host. You may deactivate mod_parp for selected requests using the or directive: unset the variable "parp" to do so. Important: request message body processing requires that the server loads the whole request into its memory (at least twice the length of the message). You should limit the allowed size of the HTTP request message body using the directive when using !
Directive parsing the request body using the Apache module mod_parp . Specify the content types to process using the mod_parp directive and ensure that mod_parp is enabled using the or directive. You should limit the allowed size of HTTP requests message body using the directive when using mod_parp. The directive recognizes the occurrence of $1 within the variable value and replaces it by the sub-expressions of the defined regex pattern. The regular expressions is case insensitive.
Sets the defined variable in the request environment if the HTTP response status code matches the defined code. Default value is the status code, but you might override this by any other value. Directive may be used on a per-server or per-location basis.
A possible use case for this directive is the prevention of repetitive occurrence of unwanted response status codes in conjunction with the or directive.
When using the special variable , its value is set to "1" by default. There are also four "special codes" available to set the event:
- may be used to set events in order to limit the allowed number of rule violations.
- may be used to increment the event when closing connections due to the reach of the limitation configured by the directive.
- detects connections which are closed even no HTTP request has been received.
  Note: The event may happen silently (no log message) expect when using "debug". The parameter may be used to defend against SSL DoS attacks. Please pay attention to the fact that unused speculative TCP pre-connections of browsers may unintentionally cause this event as well.
- may be used to mark clients aborting the TCP connection before reading the whole HTTP response.
  Note: Connections may also be aborted by mod_qos if client reads the response too slow.
Adds the defined environment variable (e.g., ) if the response body contains the defined literal string. Used on a per- location level. Only one directive may be defined per-location (one search string per response). Prefixing the variably by a "!" lets the variable being removed (unset). You may set the environment variable if you want mod_qos to skip (not parsing) a request's response body.
Sets the environmet variable (env-variable2) if the regular expression (regex) matches against the value of the environment variable (env-variable). Occurrences of $1..$9 within the value are replaced by parenthesized subexpressions of the regular expression.
Sets the defined HTTP request header with the value of the specified environment variable if the variable is available.
The header is unset (removed from the request) if the header name is prefixed by a "!".
Sets the defined HTTP response header to the request environment variables. Deletes the specified header if the action 'drop' has been specified.
Sets the defined HTTP response header to the request environment variables if the specified regular expression (pcre, not case sensitive) matches the header value.
The request header of this name is removed.
The response header of this name is removed.
Redirects the client to the configured url if the regular expression (case insensitive) matches the value of the the environment variable. Occurrences of $1..$9 within the url are replaced by parenthesized subexpressions of the regular expression. The default status code used by this directive is 302 but you may prefix the url parameter by 307: or 301: to change it to a "307 Temporary Redirect" or "301 Moved Permanently" response. Directive may be used on a per-server or per-location basis.

Sample of event rules:
# marks clients coming from the internal network: SetEnvIf Remote_Addr ^192\.168\. QS_Intra # marks clients neither coming from the internal network # nor are VIP clients as low priority clients: QS_SetEnvIf !QS_VipRequest !QS_Intra QS_LowPrio=1 # limits the request rate for low priority (neither VIP nor internal) # clients (and no more than 400 concurrent requests for them): QS_EventPerSecLimit QS_LowPrio 100 QS_EventRequestLimit QS_LowPrio 400 # detects the variable "file" within the query portion of the URL: QS_SetEnvIfQuery file=([a-zA-Z]*) QS_LowPrio=$1 # combine variables and propagate them to the application via HTTP header: SetEnvIf Content-Length ([0-9]*) QS_Length=$1 QS_SetEnv QS_Type "length=${QS_Length}; file=${QS_LowPrio}" QS_SetReqHeader X-File QS_Type # limit the max. body size since mod_parp loads the whole message into # the memory servers's: QS_LimitRequestBody 131072 # body pattern detection, example limits the maximum number of concurrent # requests posting "id=1234" to ten: QS_SetEnvIfParp id=([0-9]*) PARP_PATTERN=$1 QS_EventRequestLimit PARP_PATTERN=1234 10 # but ignore requests to the location /main/ (any sub-locations): SetEnvIf Request_URI /main/.* !parp

Request Level, Generic Filter

These filters are defined on a per- location

level and are used to restrict access to resources in general, independent of server resource availability. New rules are added by defining a rule id prefixed by a '+'. Rules are merged to sub-locations. If a rule should not be active for a sub-location, the very same rule must be defined, but instead, the rule id must be prefixed with a '-'. The filter rules are implemented as Perl-compatible regular expressions (pcre) and are applied to the decoded URL components (un-escaped characters, e.g., %20 is a space). The generic request filter ignores the VIP status of a client.
Note: Compile mod_qos with the preprocessor definition to enable the decoding hooks defined in if you intend to implement additional decodings by other Apache modules.

Generic request line (method, path, query, and protocol) filter used to deny access for requests matching the defined expression (pcre, case insensitive). The action taken for matching rules is either 'log' (access is granted but the rule match is logged) or 'deny' (access is denied).
Generic abs_path (see RFC 2616 section 3.2.2) filter used to deny access for requests matching the defined expression (pcre, case insensitive). The action taken for matching rules is either 'log' (access is granted but the rule match is logged) or 'deny' (access is denied).
Generic query (see RFC 2616 section 3.2.2) filter used to deny access for requests matching the defined expression (pcre, case insensitive). The action taken for matching rules is either 'log' (access is granted but the rule match is logged) or 'deny' (access is denied).
Enforces correct URL decoding in conjunction with the , , and directives. Default is "off" which means that an incorrect encoding does stop request processing.
Enables additional string decoding functions which are applied before matching and directives. Default is URL decoding (%xx, \\xHH, '+').
Available additional decodings:
- : unicode decoding for MS IIS (%uXXXX and \uXXXX) encoded characters.
Rule matching requests having the defined process environment variable set (or NOT set if prefixed by a '!'). The action taken for matching rules is either 'log' (access is granted but the rule match is logged) or 'deny' (access is denied).
Generic URL (path and query) filter implementing a request pattern whitelist. Only requests matching at least one pattern are allowed. If a pattern has been defined and the request does not match any rule, the request is denied. All rules must define the same action. pcre is case sensitive. You may use the utility to generate rules based on access log files.
Disables inheritance of and directives (pattern definitions) to a location.
Filters request headers using validation rules provided by mod_qos. Suspicious headers (not matching the pattern or those which are too long) are normally dropped (removed from the request). Abnormal headers cause request blocking. Only the defined headers are allowed (whitelist). Custom rules (additional headers or different pattern/size definitions) may be added using the directive.
This directive has three different operation modes: 'on' (activated), 'off' (disabled), and 'size' (activated). The operation mode enabled by 'size' does not check the header values against the patterns but limits the maximum length of request header values only (similar to the Apache directive but with an individual rule for each header field). This directive may be used on a per-server or per-location level.
Notes:
Header validation is also useful to avoid bypassing of / (if configured on a per-location level) directive settings as request headers have higher priority than environment variables for those directives and therefore a header sent a by client can override an environment variable having the same name.
You might also configure blacklist rules (delete unwanted headers) using the or directive.
Used to add custom request header filter rules, e.g., to override the internal rules (different pcre or size) or to add additional headers which should be allowed. Definitions are made globally (outside VirtualHost). The list of all loaded rules is shown at server startup when using "debug". pcre is case sensitive. The size parameter defines the maximum length of a header value. The action 'drop' removes a header not matching the pcre, the action 'deny' rejects a request including such a header not matching the pcre.
Filters response headers using validation rules provided by mod_qos. Suspicious headers (not matching the pattern or those which are too long) are removed from the response. Only the defined headers are allowed. Filter is activated ('on' or 'silent') or deactivated ('off').
Used to add custom response header filter rules, e.g., to override the internal rules (different pcre or size) or to add additional headers which should be allowed. Definitions are made globally (outside VirtualHost). A list of all loaded rules is shown at server startup when using "debug". pcre is case sensitive. The size parameter defines the maximum length of a header value.

Sample configuration:
QS_ErrorPage /error-docs/qs_error.html # add a custom request header rule: QS_RequestHeaderFilterRule UA-CPU drop "^[a-zA-Z0-9]+$" 20 # enable header validation: QS_RequestHeaderFilter on <Location /> # don't allow access to the path /app/admin.jsp: QS_DenyPath +admin deny "^/app/admin.jsp$" # allow printable characters only within the request line: QS_DenyRequestLine +printable deny ".*[\x00-\x19].*" </Location>

Body data filtering requires mod_parp which processes the request's message body of the following HTTP request content types: , , and . The content type may be processed by the built-in JSON parser of mod_qos. The body data is transformed into a request query and may be filtered using the and directives.

Enables request body data filtering for the directive.
Enables request body data filtering for the directive.
Limits the allowed size of an HTTP request message body. This directive may be placed anywhere in the configuration. Alternatively, the limitation may be set as an environment variable using mod_setenvif (overriding the directive settings).

Set the variable if the request body data has to be deflated (compressed data) using mod_deflate

Sample configuration:
# configure the audit log writing the request body data to a file # (use this log to generate whitelist rules using qsfilter2 # when QS_PermitUriBody has been enabled) # format: # %h: # The remote host (used to filter by IP address). # %>s: # The HTTP response status code. # %{qos-loc}n # The matching Location to generate the rules for. # %{qos-path}n%{qos-query}n # The request data required by qsfilter2 to generate rules. CustomLog logs/qsaudit_log "%h %>s %{qos-loc}n %{qos-path}n%{qos-query}n" # enable json parser PARP_BodyData application/json QS_RequestHeaderFilter on # limit the max. body size since mod_parp loads the whole message into the # servers's memory: SetEnvIfNoCase Content-Type application/x-www-form-urlencoded QS_LimitRequestBody=131072 SetEnvIfNoCase Content-Type multipart/form-data QS_LimitRequestBody=131072 SetEnvIfNoCase Content-Type multipart/mixed QS_LimitRequestBody=131072 SetEnvIfNoCase Content-Type application/json QS_LimitRequestBody=65536 # enable mod_deflate input filter for compressed request body data: SetEnvIfNoCase Content-Encoding (gzip|compress|deflate) QS_DeflateReqBody <Location /app> # don't allow a certain string pattern within the request query or # the request message body data: QS_DenyQueryBody on QS_DenyQuery +s01 deny "(EXEC|SELECT|INSERT|UPDATE|DELETE)" </Location>

You may enable request body filtering for arbitrary content types:

Sample configuration:
# sample (using the raw body parser of mod_parp) which denies XML documents # containing the pattern "<code>delete</code>": PARP_BodyData text/xml SetEnvIfNoCase Content-Type text/xml.* parp SetEnvIfNoCase Content-Type application/xml QS_LimitRequestBody=65536 QS_SetEnvIfBody <code>delete</code> DENYACTION <Location /app/web> QS_DenyEvent +BADCODE deny DENYACTION </Location>

Milestones

You may define a number of resources (request line patterns) as milestones. A client must access these resources in the correct order as they are defined within the server configuration. A client is not allowed to skip these milestones (but may access any other resource not covered by a milestone in between requests to milestones).

Defines request line patterns a client must access in the defined order as they are defined in the configuration file. The optional 'thinktime' parameter defines the minimal elapse time (in seconds) between two milestones. Milestones are defined on a per-server basis, outside location . Access to milestones is tracked by a dedicated session cookie (QSSCD).
Defines the time in seconds within which a client must reach the next milestone. Default are 3600 seconds.

Sample configuration:
# four milestones: # 1) client must start with /app/index.html # 2) and then read some images (e.g. media used within the first page) # 3) before posting data to /app/register # 4) afterwards, the user may download zip files QS_MileStone deny "^GET /app/index.html" QS_MileStone deny "^GET /app/images/.*" QS_MileStone deny "^POST /app/register*" QS_MileStone deny "^GET /app/.*\.zip HTTP/..."

Connection Level Control

The module features the following directives to control server access on a per-server (TCP connection) level. These directives must only be used in the global server context and for port based virtual hosts. Virtual hosts neither defining , , nor are using the base server's settings and counters. And do not use these three directives for name based virtual hosts!

Defines the maximum allowed number of concurrent TCP connections for this server (virtual host).
Defines the maximum number of connections for this server (virtual host) supporting HTTP keep-alive. If the number of concurrent connections exceeds this threshold, the TCP connections gets closed after each request. You may specify the number of connections as a percentage of if adding the suffix '%' to the specified value.
Note: It's also possible to control the Keep-Alive settings dynamically using the and environment variables.
Defines the maximum number of connections per source IP address for this server (virtual host). The "connections" argument defines the number of busy connections of the server (all virtual hosts) to enable this limitation, default is 0 (which means that the limitation is always enabled, even the server is idle).
Defines an IP address or address range to be excluded from connection level control restrictions (trusted proxy servers). An address range must end with a "." or ":".
Tells the directive to ignore (if set to "on") the VIP status of clients. Default is "off", which means that gets disabled for VIPs.
Defines the minimum upload/download throughput a client must generate (the bytes sent/received by the client per seconds). This bandwidth is measured while receiving request data (in: request line, header fields, or body), sending response data (out: header fields, body) and during keep-alive (enforce keep-alive). The client connection is closed if the client does not fulfill this required minimal data rate and the IP address of the causing client is marked in order to be handled with low priority (see the directive). The "max bytes per second" activates dynamic minimum throughput control: The required minimal throughput is increased in parallel to the number of concurrent clients sending/receiving data (starts increasing when reaching the "connections" threshold) as a percentage of the "max bytes per second" which maximum is reached when the number of sending/receiving clients is equal to the setting. The "connections" argument is used to specify the number of busy TCP connections a server must have to enable this feature (used to disable the rule enforcement on idle servers).
This directives must only be used in the global server context.
Same as but enforcing a minimal upload (reading request) throughput only.
Disables the or enforcement for a virtual host.
Disables the or enforcement for a connection when the defined process environment variable is set. The '+' prefix is used to add a variable to the configuration while the '-' prefix is used to remove a variable. Directive may be used on a per-server or a per-location basis.
Defines the sampling rate used to measure the data throughput. Default is 5 seconds or the value you have used for while compiling the module. Increase this value if you want to compensate bandwidth variations.
This directives must only be used in the global server context.
Note: It might also be increased to avoid too many error messages generated by a rule for clients opening unused TCP pre-connections which might happen if Apache's directive is set to higher value than this sample rate.
Tells the directive to ignore (if set to "on") the VIP status of clients. Default is "off", which means that gets disabled for VIPs.
Ensures that not more than one request having the variable set is processed at the same time by serializing them (process one request after each other). Default is "off".
Note: Maximum wait time for a request is defined by the optional timeout parameter (in seconds). The default is 300 seconds.
Throttling the download bandwidth: mod_qos does not support bandwidth limitation on a per connection basis but you might use the filter provided by the Apache module mod_ratelimit to implement a bandwidth rate limitation for connections.

Client Level Control

Client level control rules are applied per client (IP source address). These directives must only be used in the global server context.

Defines the number of individual clients managed by mod_qos. Default is 50'000 concurrent IP addresses. Each client requires about 150 bytes memory on a 64bit system (depending on how many events you have configured). Client IP source address store survives graceful server restart. The maximum value is 10'000'000.
Defines the allowed number of concurrent requests coming from the same client source IP address having the variable set.
Note: You may use the directive to override the client's IP address based on the value within the defined HTTP request header (e.g., X-Forwarded-For) instead of taking the IP address of the client which has opened the TCP connection.
Defines how often a client may cause a per second. Such events are requests having the variable set, e.g., defined by using the directive. The rule is enforced by adding a delay to requests causing the event (similar to the directive).
Defines the maximum number of events allowed within the defined time (default is 600 seconds). Client IP is blocked when reaching this counter for the specified time (blocked at connection level: user might not always get a user friendly error response).
Notes:
You may use to exclude an IP address from being processed by this limitation (e.g. for trusted clients connecting via a proxy server). An address range must end with a "." or ":".
The counter can be decremented by setting the environment variable .
Defines the maximum number of requests having the defined environment variables ( by default) set allowed within the defined time (default is 600 seconds). Requests from client IP's reaching this limitation are denied for the specified time (blocked at request level).
Notes:
The value of the variable defines the penalty points by which the counters are increased. Default (empty or non-numeric value) is 1 (increment per request).
You may use the directive to determine the client's IP address based on the defined HTTP request header (e.g., X-Forwarded-For) instead of taking the IP address of the client which has opened the TCP connection. The header must only contain a single IP address.
You might also use a pseudo IP address by creating a hash from the header's value if you prefix the header name by a '#', e.g. to use the HTTP basic auth header. as the pseudo IP address. The special name creates a pseudo IP from the SSL client certificate's subject and issuer DN.
The current value of this counter is stored within the variable suffixed by , e.g. for further processing by other rules.
The remaining time (in seconds) is stored within the variabled suffixed by , e.g. to be used within SSI error pages.
The counter can be reset by setting the environment variable which name is suffixed by , e.g. .
The counter can be decremented by setting the environment variable which name is suffixed by , e.g. .
Adding/removing events (configuration changes) require a server restart (graceful restart is not supported).
Only the default rule () is accessibly by the status viewer (you may use the console to view other variables alternatively).
See also if you want to enforce a rule under certain conditions only.
Serializes requests having the variable set if they are coming from the same IP address.
Notes:
You may use the directive to override the client's IP address based on the value within the defined HTTP request header (e.g., X-Forwarded-For) instead of taking the IP address of the client which has opened the TCP connection.
Maximum wait time for a request is 5 minutes.
Accepts only VIP and high priority clients when the server has less than 80% (or the defined percentage) of free TCP connections. The server continues dropping more and more clients (also those with few penalty points) the higher the number of connections grows.
Use the or directive in order to identify VIP clients.
The distinction between high and low priority clients is made based on penalty points which are calculated based of these attributes:
- Data transfer behavior (clients sending data slowly / their transfer rate) (0x01).
- Accessing "unusual" content types (see and ) (0x00 unknown / 0x02 normal / 0x04 unusual).
- Causing events blocking / limiting them (0x08 block / 0x10 limit).
- If their connections get closed due to timeouts (0x20).
HTTP requests causing a client to get marked as "low priority" have the "r;" event within the mod_qos_ev variable set. You may use the status viewer to determine which client addresses are identified as low priority clients. Feature is disabled if directive is not set.
A low priority flag is cleared after 24h hours. Clients identified by are excluded from connection restrictions. Filter is applied on connection level blocking clients even before the server starts reading the HTTP request data.
Defines the allowed variation from a "normal" client (average) behavior when enabling the directive. Default is 20%.
Defines the distribution of HTTP response content types a client normally receives when accessing the server. Can only be used in conjunction with the directive. defines the allowed deviation from these values. mod_qos normally learns the average behavior automatically by default (you can see the learned values within the status viewer or by enabling the log messages) but you may specify a static configuration using this directive in order to avoid influences by a high number of abnormal clients. Default is automatic self-learning.
Defines the path to the geographical database file. The file is a Comma Separated Value (CSV) format file (example). Each line contains the following fields:
- Double quoted beginning of the address range, e.g. "1052272128" for 62.184.102.0
- Double quoted ending of the address range, e.g. "1052272543" for 62.184.103.159.
- Double quoted ISO 3166 country code, e.g. "FR" for France.
The variable contains the country code for the client's IP address.
Note: You may use the directive to override the client's IP address based on the value within the defined HTTP request header (e.g., X-Forwarded-For) instead of taking the IP address of the client which has opened the TCP connection to evaluate this variable.
Defines a comma separated list of country codes for origin client IPv4 address which are allowed to access the server even if the number of busy TCP connections reaches the defined number of connections.
Uses the geographical database loaded by .

Sample configuration:
# allows not more than 20 events/penalty points per 10 minutes: QS_ClientEventBlockCount 20 # don't allow a client to access /app/start.html more than # 20 times within 10 minutes: SetEnvIf Request_URI /app/start.html QS_Block=1 # don't allow more than 4 "403" status code responses # (forbidden) for a client within 10 minutes: QS_SetEnvIfStatus 403 QS_Block=5

Log Messages

Error Log

mod_qos writes messages to Apache's error log when detecting a rule violation. Each error message is prefixed by an id: . These error codes (number only) are also written to the error notes (Apache's note as well as the variable) in order to be processed within error pages using server-side includes (SSI).

mod_qos(00x): initialisation event mod_qos(01x): request level control event mod_qos(08x): request level control event mod_qos(02x): vip session event mod_qos(03x): connection level event mod_qos(04x): generic filter event mod_qos(14x): generic filter event mod_qos(05x): bandwidth limitation event mod_qos(06x): client control event mod_qos(16x): client control event mod_qos(07x): console errors mod_qos(08x): initialisation/resource errors mod_qos(10x): geo errors

Access Log

mod_qos adds event variables to the request record which may be added to access log messages.

Status event message of mod_qos. It's a single letter which is used to signalize an event: "D"=denied, "S"=pass due to an available VIP session, "V"=create VIP session (cookie), "v"=marks an IP as VIP, "K"=connection closed (no keep-alive), "T"=dynamic keep-alive, "r"=IP is marked as a slow/bad client, "L"=means a request slowdown, "u"=request without a user tracking cookie, and "s" is used for serialized requests. The letter "A" for connection abort is set if the status code detection has been configured.
The number of concurrent requests to a location matching the , , , , , , , or directive.
This event shows the number of concurrent connections to this server. Only available if the directive is used.
The user id which is available when enabling user tracking.
User tracking is based on a unique identifier generated by mod_unique_id . This unique identifier is stored as a cookie. The user tracking feature is enabled by setting the directive.
Options of the directive are:
- The argument defining the name of the user tracking cookie.
- The specifies a local error document which is shown if a user does not accept the cookie (enforcement).
  You may disable this enforcement for certain clients by setting the environment variable at server level (outside Location), e.g., to allow crawlers not supporting cookies to access your site.
  This option can be used to ensure whether a client/browser accepts cookies at all which might be a requirement of your application.
- defines optionally the domain attribute for the Set-Cookie header.
- The flag indicates that a short lived (per session) cookie shall be created which won't be stored by the browser permanently.
Notes:
ignores the directive.
The cookie is secured by the and you should set this directive to have a constant key.
When using the additional option , the client (browser) has to interpret Javascript used within the cookie check page to fetch the cookie and to execute the redirect back to the initially requested page (adding Javascript to the cookie challenge).
The following SSI variables can be used:
: Query string to call (ajax) the cookie page again to obtain the cookie.
: Name of the cookie.
: Initial page to redirect to.
This is a unique request id generated by mod_unique_id. mod_qos uses this id to mark messages written to the error log. So it might be useful to log the environment variable as well, in order to correlate errors to access log messages.
Connecton correlation id used to mark all messages belonging to the same TCP connection.

Источник: http://mod-qos.sourceforge.net/

Tcp no delay mod download