Y Soft

6.21. Configure denial of service filtering for web UI

Introduction

SAFEQ Cloud server has a possibility to enable denial of service (DoS) filtering to prevent the system from being overloaded by excessive amounts of requests. DoS filter can be enabled for on-premise primary server by editing the configuration file: /opt/SAFEQ Cloud/conf/application.conf.

DoS filter configuration

Multiple DoS filters can be defined under app.dos-filters section in the application configuration file. By default there is one filter defined called default:

To activate the particular DoS filter it must be specified in the dos-filter parameter under web section:

Comment out the dos-filter = "" line (add the # sign) and uncomment the dos-filter = ${app.dos-filters.default} (remove the # sign).

Save the file and restart the server with systemctl restart hcp-server command.

DoS filter parameters

The following parameters control the behavior of the filter:

  • max-requests-per-sec – Maximum number of requests from a connection per second. Requests in excess of this are first delayed, then throttled. Default is 25.
  • delay-ms – Delay imposed on all requests over the rate limit, before they are considered at all: 100 (ms) = Default, -1 = Reject request, 0 = No delay
  • max-wait-ms – Length of time, in ms, to blocking wait for the throttle semaphore. Default is 50 ms.
  • throttled-requests – Number of requests over the rate limit able to be considered at once. Default is 5.
  • throttle-ms – Length of time, in ms, to async wait for semaphore. Default is 30000.
  • max-request-ms – Length of time, in ms, to allow the request to run. Default is 30000.
  • max-idle-tracker-ms – Length of time, in ms, to keep track of request rates for a connection, before deciding that the user has gone away, and discarding it. Default is 30000.
  • track-sessions – If true, usage rate is tracked by session if a session exists. Defaults to true.
  • remote-port – If true and session tracking is not used, then rate is tracked by IP and port (effectively connection). Defaults to false.
  • ip-whitelist – A comma-separated list of IP addresses that will not be rate limited.

Feedback

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment