blocking a particular Web directory of a domain?
| news@celticbear.com 2006-09-20, 7:35 pm |
| We have a domain on our Apache 2.0.52 that is getting HUNDREDS of
requests for pages within a /blog/ directory a minute.
That directory is now gone, but the access_log is filling with 404
results for requests for contents of that missing directory.
I think it may be contributing to a SYN flood issue we're having.
I can't remove that domain from our virtualdir, but I want to be able
to stop requests for files in that dir before it gets as far as Apache
looking for it.
If that makes sense.
I can't see any way to make an IPTABLE rule that says deny port 80
requests for domain.com/blog/*, or anything like that. Is there a way
to get Apache to just altogether ignore those requests?
Thanks for any assistance!
-Liam
| |
| The Natural Philosopher 2006-09-21, 1:25 am |
| news@celticbear.com wrote:
> We have a domain on our Apache 2.0.52 that is getting HUNDREDS of
> requests for pages within a /blog/ directory a minute.
> That directory is now gone, but the access_log is filling with 404
> results for requests for contents of that missing directory.
> I think it may be contributing to a SYN flood issue we're having.
>
> I can't remove that domain from our virtualdir, but I want to be able
> to stop requests for files in that dir before it gets as far as Apache
> looking for it.
> If that makes sense.
>
> I can't see any way to make an IPTABLE rule that says deny port 80
> requests for domain.com/blog/*, or anything like that. Is there a way
> to get Apache to just altogether ignore those requests?
>
No, but you can alias or redirect it to something short and sweet with a
terse message in it.
There is no way that a request coming in has its CONTENT scanned at the
IP level: Some firewalls do content inspections, most do not.
> Thanks for any assistance!
> -Liam
>
| |
| Juha Laiho 2006-09-21, 1:21 pm |
| "news@celticbear.com" <news@celticbear.com> said:
>We have a domain on our Apache 2.0.52 that is getting HUNDREDS of
>requests for pages within a /blog/ directory a minute.
>That directory is now gone, but the access_log is filling with 404
>results for requests for contents of that missing directory.
>I think it may be contributing to a SYN flood issue we're having.
404s do not contribute to leftover SYNs. The SYN for the request that
generated the 404 will be ACKed before the request even arrives.
>I can't remove that domain from our virtualdir, but I want to be able
>to stop requests for files in that dir before it gets as far as Apache
>looking for it.
....
>Is there a way to get Apache to just altogether ignore those requests?
Not to ignore; Apache must respond in some way -- and anyway, to
determine whether the request is for /blog/ or not, Apache must
read it. However, it might be possible to direct Apache to not
log the request (with mod_rewrite, I think), which at least will
avoid cluttering the log.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
| |
| Steve Wolfe 2006-09-22, 1:28 am |
| > I can't see any way to make an IPTABLE rule that says deny port 80
> requests for domain.com/blog/*, or anything like that. Is there a way
> to get Apache to just altogether ignore those requests?
If you're willing to use the patch-o-matic interface, you can compile in a
string-matching module, and you can indeed block those packets. Here's an
article on what you're looking for:
http://www.securityfocus.com/infocus/1531
steve
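
The Apache-side options raised in the replies above (a short, terse response for /blog/ and keeping those requests out of the main access log), as an added configuration example that is not from any poster in the thread. It uses mod_alias and mod_setenvif instead of the mod_rewrite that Juha guessed at; the document root, the log file names and the variable name `blog_noise` are assumptions.

```apache
# Added example, not from the thread. Paths, log names and the
# environment variable name "blog_noise" are assumptions.
<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /var/www/domain.com

    # Terse answer for the removed directory: 410 Gone for /blog and
    # everything below it (mod_alias), with a one-word body in place of
    # the default error page.
    Redirect gone /blog
    ErrorDocument 410 "Gone"

    # Tag requests for the removed directory (mod_setenvif).
    SetEnvIf Request_URI "^/blog(/|$)" blog_noise

    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    # Main access log: every request except the tagged ones.
    CustomLog logs/access_log common env=!blog_noise

    # Tagged requests go to their own file, so the traffic stays
    # visible (source addresses, request rate) without cluttering
    # access_log. Remove this line to drop those entries entirely.
    CustomLog logs/blog_noise_log common env=blog_noise
</VirtualHost>
```

Apache still accepts the connection and reads each request, as the replies point out; this only shortens the response and moves the log entries.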