
Re: [SAGE] Limiting outbound connections with a reverse proxy?




Depending on the extent of the bugs this might or might not be useful - but you could use firewall rules to limit the number of connections allowed in (or out, depending on what would make more sense for you). Depending on your OS you will have different options available to you, but on FreeBSD with IPFW you'd look at doing something like this:

From man ipfw:
     To limit the number of connections a user can open you can use the
     following type of rules:

           ipfw add allow tcp from my-net/24 to any setup limit src-addr 10
           ipfw add allow tcp from any to me setup limit src-addr 4

     The former (assuming it runs on a gateway) will allow each host on a /24
     network to open at most 10 TCP connections.  The latter can be placed on
     a server to make sure that a single client does not use more than 4
     simultaneous connections.




Neil Neely
Senior Systems Engineer
FRII



On Jan 2, 2008, at 3:40 AM, Marco Marongiu wrote:

Hello there, and happy new year wherever you are!

We have a service that (just now) they say can't handle more than 10
connections per second. And they can't change it.

On the other side there is a service consumer that is multi-instantiated,
multi-threaded and batch-oriented. And when the batch starts it tries to
open far more than 10 connections per second.

Resource-limiting the service has made it loop and duplicate
requests (yes, it is a bug; we are looking into it with developers and
vendor support, but in the meanwhile we have a backlog that needs to
be worked on), making the problem bigger rather than solving it.

I know this kind of problem should be faced by development teams in
advance instead of letting it fall to the sysadmin level. But here we go.

I thought that a possible solution could be putting a reverse proxy
between the two, so that the proxy accepts and enqueues the requests and
forwards them to the service at no more than 10 per second.

I had a look at Pound (http://www.apsis.ch/pound/index_html), but it
seems it can't do any resource limit on the outbound traffic.

I'll keep researching that, but if in the meanwhile someone could
point us to a reverse proxy that can do that (or even a completely
different solution that I didn't consider), that would be great.

Ciao and thanks
--Marco
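Below is a small model of the queueing proxy Marco describes, added here as an illustration; it is not code from Pound, from ipfw, or from anyone in the thread. It accepts every request, keeps them in arrival order, and forwards at most 10 in any one-second window, using integer milliseconds on a simulated clock so the result is deterministic. The function names (`schedule`, `max_in_any_window`) and the sample traffic are constructed. A sliding window is used rather than a token bucket on purpose: a bucket of burst b refilling at r per second admits up to b + r requests in a single window, which would still exceed a backend that tolerates exactly 10 per second. The optional `max_wait_ms` bound is the caveat a defender would add given the consumer's retry/duplicate bug: an unbounded queue only moves the backlog into the proxy, so beyond a chosen wait the request is shed (a 503 in a real proxy) instead of queued.

```python
"""Sliding-window scheduler for a queueing reverse proxy (constructed example).

Models the proxy described in the thread: accept every request, queue it in
arrival order, and forward to the backend at no more than `limit` requests in
any `window_ms`-millisecond window. Times are integer milliseconds on a
simulated clock, so the schedule is deterministic. Nothing here is Pound's
or ipfw's code; the function names and sample traffic are assumptions.
"""
from collections import deque


def schedule(arrivals_ms, limit=10, window_ms=1000, max_wait_ms=None):
    """Return one dispatch time per arrival (None if the request is shed).

    arrivals_ms: non-decreasing arrival timestamps in ms.
    limit / window_ms: at most `limit` forwards in any `window_ms` window.
    max_wait_ms: if set, a request that would sit in the queue longer than
        this is rejected (e.g. answered with a 503) instead of growing the
        backlog indefinitely.
    """
    recent = deque(maxlen=limit)   # dispatch times of the last `limit` forwards
    last_dispatch = 0
    out = []
    for arrival in arrivals_ms:
        ready = max(arrival, last_dispatch)          # FIFO: never overtake
        if len(recent) == limit:
            # The limit-th most recent forward must be a full window behind us.
            ready = max(ready, recent[0] + window_ms)
        if max_wait_ms is not None and ready - arrival > max_wait_ms:
            out.append(None)                         # shed; slot stays free
            continue
        recent.append(ready)
        last_dispatch = ready
        out.append(ready)
    return out


def max_in_any_window(dispatch_ms, window_ms=1000):
    """Largest number of forwards in any half-open window [t, t + window_ms)."""
    times = sorted(t for t in dispatch_ms if t is not None)
    best = j = 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] < start + window_ms:
            j += 1
        best = max(best, j - i)
    return best


if __name__ == "__main__":
    # Constructed traffic: the batch consumer opens 40 connections at 20/s.
    burst = [50 * i for i in range(40)]
    plan = schedule(burst)
    print("peak per second without proxy:", max_in_any_window(burst))  # 20
    print("peak per second with proxy:   ", max_in_any_window(plan))   # 10
    print("last request forwarded at ms: ", plan[-1])                  # 3450
```

Running the module shows the trade-off directly: the 40-request burst that arrives in 2 seconds now takes about 3.5 seconds to drain, and the backend never sees more than 10 forwards in any one-second window. With `max_wait_ms` set, the same check still holds for the requests that are admitted, and the rejected ones surface as explicit errors rather than as an ever-growing queue.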