mod_cband to the Rescue
Submitted by Scott Dowdle on Mon, 2007-01-01 09:08.
apache | reviews
status pageThe problem: A webserver with a lot of files that are to be public... and the public is downloading too much, too fast, too often... in what seems to be a malicious fashion... especially since everyone seems to be using multi-threaded download accelerators.
Solution: mod_cband
Read more for a better explanation of the problem and the steps needed to install mod_cband.
Client Side
What is a multi-threaded download accelerator? If you or someone you know is a Microsoft Windows user, perhaps you have heard of FlashGet. For Linux, there is aget. Just what do these programs do? Let's imagine that you want to download one or more .iso images of the latest version of your favorite Linux distribution. You've found a website that has the images you are looking for. With a multi-threaded download accelerator you can download faster by making multiple (often 10-20), simultaneous connections to the server with each connection being a chunk of the file being downloaded.
Server Side
Here's what it looks like from the webserver's perspective:
221.0.97.17 - - [24/Dec/2006:04:21:27 -0700] "GET /windows/eclipse-SDK-3.2.1-win32.zip HTTP/1.1" 206 91040039 "http://img.cs.montana.edu/windows/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
221.0.97.17 - - [24/Dec/2006:04:21:59 -0700] "GET /windows/eclipse-SDK-3.2.1-win32.zip HTTP/1.1" 206 90999383 "http://img.cs.montana.edu/windows/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
221.0.97.17 - - [24/Dec/2006:04:21:09 -0700] "GET /windows/eclipse-SDK-3.2.1-win32.zip HTTP/1.1" 206 3958262 "http://img.cs.montana.edu/windows/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
I've only shown three entries... but in reality, there are 10-20 simultaneous connections. Depending on how big the target file is and what size the client makes the chunks, there can be hundreds of log entries for a single downloaded file. If there are 10 hosts downloading, that translates to 100-200 connections with a separate httpd process servicing each of them. That is a lot of system resources and it is going to be a lot of bandwidth too.
Notice the 206 result code. If you see a lot of those in your log, you are getting hit by download accelerators. Here's what 206 means:
206 - Partial Content
A status code of 206 is a response to a request for part of a document. This is used by advanced caching tools, when a user agent requests only a small part of a page, and just that section is returned.
The machine I was having a problem with was really handling the load just fine. In fact, I didn't even notice anything out of the ordinary. I happen to run monit on the server in question. Not to go off on too much of a tangent, monit is a really handy application which can be configured to watch the desired server applications and take certain actions if certain thresholds are met. Every couple of days, I was getting emails from monit telling me that it had restarted apache because it had reached the configured max number of processes which I had set to 100.
All of those connections totaled up can be a significant chunk of bandwidth. That was the real problem... all of the bandwidth the machine was handing out continuously to the outside world. I setup the server to be an httpd based file server mostly for machines on the LAN so I could access all of the Linux .isos as well as run various distro repositories for doing software installs and updates. It was intended to save bandwidth since all of my lab machines would do everything over the LAN rather than having to download from the Internet. I also want to be able to access everything from off the LAN.
The Goal
Sure, I could password protect everything but I wanted it to be a public resource... but now the public was really abusing the machine. Surely there must be a way to set limits with apache to :
- Limit the number of simultaneous connections per client
- Limit the amount of bandwidth a client can consume
- Limit how much a client can download over a given period
- Limit the amount of bandwidth the server will commit to off LAN downloads
- Differentiate between clients on the LAN and those off such that limits do not apply (or a different set of limits apply)
The apache 1.x series had mod_throttle but it had since been abandoned and was not compatible with the apache 2.x series. After a little bit of searching, I learned about mod_cband. Here is a slightly modified description of mod_cband taken from mod_cband site:
mod_cbandis an Apache 2 module provided to solve the problem of limiting users' and virtualhosts' bandwidth usage. The current versions can set virtualhosts' and users' bandwidth quotas, maximal download speed (like inmod_bandwidth), requests-per-second speed and the maximal number of simultanous IP connections (like inmod_limitipconn)
mod_cbandis especially handy for use by hosting companies which would like to limit data transfer for their users, such as "10 Gb of traffic per month". There already wasmod_curbmodule, which can limit data transfers, but it doesn't work with virtualhosts and Apache 2.
What follows isn't intended to be a HOWTO, as it is not indepth enough, but it will serve as an introduction.
Installing mod_cband
Download the LATEST source for mod_cband. At the time of writing, it was 0.9.7.5.
wget http://cband.linux.pl/download/mod-cband-0.9.7.5.tgz
Before you try to compile mod_cband, make sure httpd-devel is installed. I'm working with CentOS machines (some even inside of an OpenVZ VPS) and I didn't have httpd-devel installed... nor did I have a compiler... so I just did the following:
yum install httpd-devel
yum did its job by figuring out all of the dependecies, downloading everything and installing it. In my particular instance, it translated into about 12 packages totalling approximately 15MB which took about 1-2 minutes.
Extract mod-cband-0.9.7.5.tgz wherever you want (I like /usr/src). cd into the directory where the source is and do the following:
./configure
make
make install
The whole process only took about a minute. The make install part even modified the /etc/httpd/conf/httpd.conf such that apache would load mod_cband. Before I restart apache though, I'll make a few more changes to its config.
After mod_cband was installed, I removed httpd-devel and all of the dependencies that were installed with it... as I don't like to have a compiler on a webserver... as that can be used by hackers to compile their own kits if they find a way to exploit apache or some bad PHP code. The contents of /var/log/yum.log comes in handy for reversing things. :)
Configuring mod_cband
mod_cband does everything from a Virtual Host perspective... so if your apache isn't running any virtual hosts at all, you'll need to configure at least one... which would act a the default site. Most of the configuration for mod_cband is done within the <VirtualHost></VirtualHost> container but there are some settings that are global and outside of the virtualhost stuff. Insert the following somewhere in your config:
CBandScoreFlushPeriod 1
CBandRandomPulse On
Here's what my virtual host container for the server in question looks like:
<VirtualHost 10.0.0.25>
ServerName www.example.com
ServerAdmin root@localhost
DocumentRoot /var/www/html
CBandScoreboard /var/www/scoreboard
CBandClassRemoteSpeed lan_class 1024kb/s 50 100
CBandRemoteSpeed 25kb/s 3 3
<Location /cband-status>
SetHandler cband-status
</Location>
</VirtualHost>
Please note that I make reference to lan_class which is a global definition so it is contained outside of the virtual host container and looks like this:
<CBandClass lan_class>
CBandClassDst 10.0/16
</CBandClass>
You can define as many classes as you like if you have the desire. After a class is defined, you may refer to it in a virtual host container.
I'm not going to bother to explain what each mod_cband configuration directive means. That is what the documentation is for... and it does a much better job than I could. To summarize, lan_class is a mask for all of the IP addresses for all of the machines on our LAN. The CBandClassRemoteSpeed and CBandRemoteSpeed specify limits for the max bandwidth, number of requests per second, and number of connections.
Remember, whenever you change the apache config, restart httpd for the change to take affect. The <Location> section specifics a URL that can be used to get to the mod_cband status page which you can browse to to see all kinds of status and running totals.
Here's what it looks like:
You should be able to get a glimpse of some of the stuff you can do with mod_cband as well as imagine what monitoring features it gives you with the status page.
Conclusion
mod_cband did everything I wanted it to do, was easy to install and configure and just works. So far as features go, I've only scratched the surface with my needs... as it offers a ton of other features that are well suited to hosting companies who want to put limits on the bandwidth their virtual hosts use. If you have the need or desire, give it a try and let us know how your experience went.
| Attachment | Size |
|---|---|
| mod-cband-0.9.7.5.tgz | 69.06 KB |
» Scott Dowdle's blog | login to post comments
Using mod_cband and mod_cache
Submitted by Vincenzo D'Amore (not verified) on Wed, 2010-06-09 04:32.
I have mod_cache used in conjunction with mod_cband. But when we enable mod_cache mod_cband are overridden. Any idea in order to define the order of execution (I suppose first mod_cache and after mod_cband)?
Thanks
» login to post comments
application of mod_cband per <location>?
Submitted by szal (not verified) on Tue, 2010-03-02 17:11.
i'd be interested in having those code changes by David Crosby, could we chat? there is/are several issues that seem to arise with mod_cband 0.9.7.5 as it is.
anyway, i was wondering if mod_cband can be used per a location or files context? (http://httpd.apache.org/docs/2.2/mod/core.html#location)
for example:
location /acertainrelativefile.ext|acertainfolderlocation ::cband directives here for throttle, connections etc.:: /location
or maybe (http://httpd.apache.org/docs/2.2/mod/core.html#files)
files acertainfile.ext ::cband directives here for throttle, connections etc.:: /files
the point is i only want to apply connection limits to certain areas of the site so connections aren't counted for access elsewhere...possible?
» login to post comments
mod_cband site back again
Submitted by Scott Dowdle on Wed, 2010-03-03 21:02.
The site for mod_cband came back a little over a year ago so I recommend you contact the developers to ask your question. I'm not sure. I know it works on a host/domain basis but am not sure about location.
» login to post comments
Unable to download mod_cband...
Submitted by Jason (not verified) on Wed, 2008-08-27 06:38.
I know it's not your app, but I tried to download it using the URL you provided (and tried to go to http://cband.linux.pl to see if there was a newer version) and it seems that cband.linux.pl is down completely. I found an older copy on sourceforge (0.9.6.1). I found another website (wareseeker.com) that claimed to offer 0.9.7.5 for download, and they just redirected to cband.linux.pl. I was wondering if you'd be willing to host the file on your site or if you could send it to me and I could host it off one of my accounts where you could link to it for people reading this article.
» login to post comments
mod_cband site down?
Submitted by Scott Dowdle on Wed, 2008-08-27 07:37.
Jason,
Thanks for bringing that to my attention. Before we start making decisions about alternative hosting sites, let's see if we can get in touch with the mod_cband author. The domain the cband host was part of is still around, and seems quite active (linux.pl) so let's try to find out what happened.
Any idea how long the site has been down? Perhaps he had a hard drive failure or something.
In the mean time, I have the source code and I have attached it to the main article.
» login to post comments
mod_cbcand installation
Submitted by odalton (not verified) on Thu, 2008-08-07 09:12.
is there any easy to follow install mod c band using the apt-get package manager - its such a pain having to do everything through the cmd.
Im making a web portal that streams video and i want to sniff how much bandwidth the user has before i give them a stream.
Is this possible.. does c_mod work on apache 2
» login to post comments
mod_cband in distro repos?
Submitted by Scott Dowdle on Sat, 2008-08-09 09:44.
Umm, no... to the best of my knowledge you have to compile mod_cband from source... and yes it works with Apache 2.
» login to post comments
Bandwidth control
Submitted by shijin (not verified) on Wed, 2008-08-06 01:11.
Hello,
I am developing a we application and , i have to manage the bandwidth of each download attempt by using PHP code.
For each download request , i have to check the user type and get available bandwidth from the database and process the downloading..
I was using lighttpd sever for achieve the same.Since My server is now not supporting lightpd , i have use Apache.
Can i able to use mod_cband to manage the bandwidth pragmatically , or any other option in Apache , so that i can control the bandwidth using my PHP code
Thanks
» login to post comments
mod_cband for PHP applications
Submitted by Scott Dowdle on Wed, 2008-08-06 07:16.
I believe mod_cband is written in C... and while code/design reuse might be possible if you adapt it to PHP, mod_cband doesn't really have the ability to scale up and down bandwidth limits dynamically... or at least I don't recall it having that ability. It is mostly used for static limits and works quite well. Check out the mod_cband website and the documentation that is available for a better understanding of how it works and what its capabilities are.
Good luck with your project.
» login to post comments
Problems with mod_cband
Submitted by Nino (not verified) on Thu, 2007-05-10 11:30.
I'm having problems with mod_cband. When i use some web stress tool like hammerhead enormous number of connections are open on my web server ie. 5000. Not all of them are established, but 500 of them are. In cband setup i have set CBandRemoteSpeed 1024kb/s 5 10, and on cband status page i can only see 2-5 connection for the IP from which requests have been sent. This practicaly kills my web server, so i suppose cband doesn't work as it should. Anyone can help? Thx.
Nino
P.S. I'm using Apache 2.2.3
» login to post comments
Troubleshooting
Submitted by Scott Dowdle on Thu, 2007-05-10 12:56.
I'm not sure what to tell you other than to contact the mod_cband developer(s) and see what they have to say. I haven't done any benchmarking nor stress testing.
» login to post comments
modifying mod_cband
Submitted by David Crosby (not verified) on Tue, 2008-12-30 09:21.
I have been modifying mod_cband source to use it for a slightly different purpose, but I haven't stress tested it, I have added the feature to dynamically allocate a bandwidth to an IP address, as I wanted to limit the quantity of data downloaded based on an unknown IP address. The problem I had was that the virtual host configuration groups IP addresses and subnets together and it comes out of the same bandwidth limit, so one IP address could use up the bandwidth for everyone else, unless you have different classes, but as you may not know all the IP addresses it can be tricky to do that. So I have dynamically given each IP address a bandwidth limit based on the configuration for the given class.
I would be interested in knowing about other details of faults so I could fix them. I have based my updates on version 0.9.7.5
» login to post comments
global limit for 500 virtualhost
Is there anyway to do global configuration to limit all accounts (not one by one)