How to limit HTTP request rate (by User-Agent) via Plesk?

kb: how-to Plesk Obsidian for Linux

Question

  • How to limit the rate of requests for a certain file coming from the same IP?
  • How to limit the rate of requests for a certain file coming from various IPs in a predefined time-frame?

Answer

This functionality is not yet implemented in Plesk. Please consider submitting a feature request on the features.plesk.com portal.

Workarounds:

Via Nginx

Implementing the limit via the limit_req_zone nginx directive requires ngx_http_limit_req_module, which the nginx shipped with Plesk is not compiled with. This can be verified from the nginx -V output: the module is part of a default nginx build, so its absence shows up as --without-http_limit_req_module among the listed configure arguments.

Installation of additional Nginx modules is not supported in Plesk. However, there is a thread on the Plesk forum with a discussion and suggestions on how to install additional modules:

PLESK_WARN: Apply the solution from this thread at your own will and risk.

Via ModSecurity directives:

  1. Create the Apache 2 configuration directory (if it does not exist yet) and download the example ModSecurity configuration into it:

    • Ubuntu/Debian:

    # mkdir -p /etc/apache2/conf.d/ && cd /etc/apache2/conf.d/ && wget https://www.atomicorp.com/examples/01_modsecurity.conf

    • On RHEL-like (RHEL/CentOS/AlmaLinux/Rocky Linux/CloudLinux):

    # mkdir -p /etc/httpd/conf.d/ && cd /etc/httpd/conf.d/ && wget https://www.atomicorp.com/examples/01_modsecurity.conf

  2. Create a custom directory for the rule:

    • Ubuntu/Debian:

    # mkdir -p /etc/apache2/modsecurity.custom.d/

    • On RHEL-like (RHEL/CentOS/AlmaLinux/Rocky Linux/CloudLinux):

    # mkdir -p /etc/httpd/modsecurity.custom.d/

  3. Using vi (or another editor), create the file /etc/apache2/modsecurity.custom.d/99_zzz_custom.conf (Ubuntu/Debian) or /etc/httpd/modsecurity.custom.d/99_zzz_custom.conf (RHEL-like).

  4. Insert the following content into it (adjust it to your needs):

    # Limit client hits by User-Agent: every request whose User-Agent contains
    # "facebookexternalhit" (@pm is case-insensitive) bumps one shared counter
    # that expires 3 seconds after the last hit
    SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit" \
        "id:400009,phase:2,nolog,pass,setvar:global.ratelimit_facebookexternalhit=+1,expirevar:global.ratelimit_facebookexternalhit=3"
    # From the second hit inside the window the counter is above 1: deny with 429.
    # The chained rule limits the block to that User-Agent, so other clients are
    # not affected by the shared counter
    SecRule GLOBAL:RATELIMIT_FACEBOOKEXTERNALHIT "@gt 1" \
        "chain,id:4000010,phase:2,pause:300,deny,status:429,setenv:RATELIMITED,log,msg:'RATELIMITED BOT'"
        SecRule REQUEST_HEADERS:User-Agent "@pm facebookexternalhit"
    # Tell the blocked client when to retry (same 3 seconds as the expirevar above)
    Header always set Retry-After "3" env=RATELIMITED
    ErrorDocument 429 "Too Many Requests"

PLESK_INFO: The rule above is an example and must be customized to your needs: the User-Agent string, the counter threshold and the expiry window (the expirevar value and the Retry-After header should match) all depend on which crawler or bot is hitting the site, and identifying that requires IT security knowledge. The ModSecurity Reference Manual (v2.x) documents the directive and action syntax used here.

  5. Check that the rule syntax is correct:

    • On Ubuntu/Debian:

    # apache2ctl -t

    • On RHEL-like (RHEL/CentOS/AlmaLinux/Rocky Linux/CloudLinux):

    # apachectl -t

    A Syntax OK message should be printed. If it is not, fix or remove the file before restarting.

  6. Apply the changes by restarting the Apache 2 service:

    • On Ubuntu/Debian:

    # systemctl restart apache2

    • On RHEL-like (RHEL/CentOS/AlmaLinux/Rocky Linux/CloudLinux):

    # systemctl restart httpd
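The steps above, as an added shell script that is not part of the Plesk article or Plesk's own tooling. It renders the same kind of ModSecurity v2 rule with the bot string, window and allowance as parameters (so the window written into expirevar and into Retry-After cannot drift apart), adds a per-IP variant for the "same IP" question using a persistent ip collection, and installs the file into the custom directory before the syntax check. Assumptions: the Plesk directory layout from the steps above, a contiguous block of free rule ids starting at the given base (default 400009; the page's own deny rule uses 4000010), and, for the per-IP variant, a SecDataDir pointing at a writable directory. The pause action from the page is deliberately left out, as explained in the comments.

```shell
#!/bin/sh
# Added example (not Plesk's own tooling): generates and installs a ModSecurity v2
# rate-limit rule of the kind shown above. Assumptions: Plesk directory layout,
# rule ids $base..$base+2 are free (default base 400009), and SecDataDir is set
# to a writable directory when the "ip" scope is used.
set -eu

# Print "<conf dir> <service name>" for this host's Apache layout.
apache_layout() {
    if [ -d /etc/httpd ]; then echo "/etc/httpd httpd"; else echo "/etc/apache2 apache2"; fi
}

# Reduce a User-Agent substring to a safe variable suffix ([a-z0-9_] only),
# e.g. "Bot/2.0" -> bot_2_0.
var_suffix() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9_' '_'
}

# Print the rule file on stdout.
#   $1 substring of the User-Agent to match (@pm is case-insensitive)
#   $2 window in seconds   $3 hits allowed per window
#   $4 scope: "global" (one shared counter, as on the page) or "ip" (one per client)
#   $5 first rule id (assumed free; the next two ids are used as well)
render_rule() {
    bot=$1; window=$2; allowed=$3; scope=${4:-global}; base=${5:-400009}
    var="ratelimit_$(var_suffix "$bot")"
    case $scope in
        global|ip) col=$scope ;;
        *) echo "scope must be global or ip, got: $scope" >&2; return 1 ;;
    esac
    COL=$(printf '%s' "$col" | tr 'a-z' 'A-Z')
    VAR=$(printf '%s' "$var" | tr 'a-z' 'A-Z')
    echo "# Limit hits from User-Agents containing \"$bot\": $allowed per ${window}s ($scope scope)"
    if [ "$scope" = ip ]; then
        # The per-client collection must be opened before ip.* variables can be set.
        echo "SecAction \"id:$((base + 2)),phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}\""
    fi
    cat <<EOF
# Count the hit. expirevar refreshes the TTL on every hit, so a bot that keeps
# hammering stays over the limit until it backs off for ${window}s.
SecRule REQUEST_HEADERS:User-Agent "@pm $bot" \\
    "id:$base,phase:2,nolog,pass,setvar:$col.$var=+1,expirevar:$col.$var=$window"
# Deny above the allowance. No pause: holding a worker for 300 ms per bot
# request makes a flood cheaper for the attacker, not more expensive.
SecRule $COL:$VAR "@gt $allowed" \\
    "chain,id:$((base + 1)),phase:2,deny,status:429,setenv:RATELIMITED,log,msg:'Rate limited $bot'"
    SecRule REQUEST_HEADERS:User-Agent "@pm $bot"
Header always set Retry-After "$window" env=RATELIMITED
ErrorDocument 429 "Too Many Requests"
EOF
}

# Write the rendered rule into <conf dir>/modsecurity.custom.d/99_zzz_custom.conf.
install_rule() {
    dir=$1; shift
    content=$(render_rule "$@") || return 1
    mkdir -p "$dir/modsecurity.custom.d"
    printf '%s\n' "$content" > "$dir/modsecurity.custom.d/99_zzz_custom.conf"
}

# Syntax-check first; with set -e a failing check aborts before the restart.
apply_rule() {
    case $1 in httpd) apachectl -t ;; *) apache2ctl -t ;; esac
    systemctl restart "$1"
}

# On a Plesk host, as root:
#   set -- $(apache_layout)
#   install_rule "$1" facebookexternalhit 3 1 global && apply_rule "$2"
```

With the global scope the output is functionally the page's rule (minus pause), so it answers the second question: all clients sharing that User-Agent draw on one counter. With the ip scope each client address gets its own counter, which answers the first question; ModSecurity then needs SecDataDir to persist the ip collection between requests, otherwise the counter is lost after every request and nothing is ever blocked.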
