Allow in `<If>` and `<LocationMatch>` context
Many thanks for forking and continuing developing this most useful module!
Currently, mod_evasive can’t be used inside `<If>` or `<LocationMatch>`. A situation where we often want the capability of mod_evasive, however, is on dynamic pages which can’t be cached.
It’d be really nice if this module can work with such path-based conditional logic.
I think my desire is the same:
I have one site which can load 100s of images per page. They are static, and I don't mind those. My wish is for mod_evasive to just affect the cgi generation.
So, I don't know if a DosWhitelistMIME image/* would be easy to add, but if not, LocationMatch would do the job!
Our workaround for now is to issue a JS challenge through Cloudflare for requests not coming from known bots and not having a referer header. Price: small non-interactive delay for human visitors.
I got around the problem by moving all the images to a different virtual host, and modifying the html appropriately - you can have separate mod_evasive settings for virtual hosts.
No offence, but I hate the JS challenge stuff, even more so as the particular site I'm referring to is intentionally a no-JS-required site!
> moving all the images to a different virtual host, and modifying the html appropriately
That's clever!
Veering off the topic a bit, I'd also love to hear what you would use for email obfuscation, sans JS.
Thanks! As for email obfuscation, I don't do it. I just rely on my email servers (which I also run) to filter spam.
It's not ideal, but it works for me. One thing I'll never do is "blackhole" an email - if my system thinks it's spam, it will be rejected at source. If it can't do that, it will be delivered. Nothing worse than legitimate mail getting lost without either sender or receiver knowing.
I use spamhaus blocklists, and block some dodgy domains manually. If things get bad, I deliver non-whitelisted email to a different email box, I can then periodically go through that and if there is legitimate mail, move it to the main mailbox, which then also whitelists the address.
Wouldn't things be easier if all people were nice? :-)
P.S. I'm not against JS itself, but I consider that if possible, it is an enhancer, not a requirement.
Again, this isn't a criticism of people who do use it - I understand the frustration driving people to its use for both email protection, DoS protection, and other stuff, I just prefer to avoid it myself if possible.
> I got around the problem by moving all the images to a different virtual host, and modifying the html appropriately - you can have separate mod_evasive settings for virtual hosts.
Can I ask how you've done this? I effectively need to whitelist a specific vhost (Matomo triggers mod_evasive almost immediately!) to reduce the false positives.
@websnail Apologies for the delay - I missed the notification for your comment.
I just overrode the setting in the virtualhost to set a stupidly high threshold.
So, in the main httpd.conf, I have:
```apache
<IfModule evasive20_module>
# DOSHashTableSize 3097
#
# DOSPageCount 2
# DOSPageInterval 1
# DOSSiteCount 50
# DOSSiteInterval 1
#
# DOSBlockingPeriod 10
DOSHashTableSize 3097
DOSPageCount 5
DOSPageInterval 5
DOSSiteCount 100
DOSSiteInterval 10
DOSBlockingPeriod 60
DOSLogDir /var/log/www/mod_evasive
</IfModule>
```
Then in the virtual host I want to whitelist:
```apache
# Disable mod_evasive for our avatars:
<IfModule evasive20_module>
DOSHashTableSize 3097
DOSPageCount 5
DOSPageInterval 5
DOSSiteCount 10000
DOSSiteInterval 10
DOSBlockingPeriod 60
</IfModule>
```
I left DOSPageCount low because clients have no business reloading the same URL, but I assume you could set that really high also if you wanted.
I assume (I can't remember now) that I didn't need to repeat the value of items I wasn't actually changing, but I felt it looked clearer including them all.
I'm sure there's a cleaner way of doing it, but this works for me!
Let me know if you need further help.
Cheers, Jamie
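
The effect of the per-virtual-host override in the comment above, as a small simulation (an added example, not code from this thread or from mod_evasive). It assumes a simplified fixed-window counter model; `EvasiveModel`, the client address and both request traces are constructed for illustration, while the threshold values are the ones posted above.

```python
class EvasiveModel:
    """Simplified model (assumption): per-client fixed-window page and site counters."""

    def __init__(self, page_count, page_interval, site_count, site_interval, blocking_period):
        self.limits = {"page": (page_count, page_interval), "site": (site_count, site_interval)}
        self.blocking_period = blocking_period
        self.windows = {}        # counter key -> [window_start, hits]
        self.blocked_until = {}  # client ip -> time the block expires

    def _over_limit(self, kind, key, now):
        limit, interval = self.limits[kind]
        win = self.windows.get(key)
        if win is None or now - win[0] >= interval:
            win = self.windows[key] = [now, 0]  # start a fresh counting window
        win[1] += 1
        return win[1] > limit

    def request(self, ip, uri, now):
        if self.blocked_until.get(ip, 0) > now:
            return 403  # client is still inside its blocking period
        over_page = self._over_limit("page", (ip, uri), now)  # same URL, same client
        over_site = self._over_limit("site", (ip, None), now)  # any URL, same client
        if over_page or over_site:
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        return 200


def count_denied(settings, trace):
    """Replay (ip, uri, time) tuples through a fresh model; return the number of 403s."""
    model = EvasiveModel(**settings)
    return sum(model.request(ip, uri, t) == 403 for ip, uri, t in trace)


# Thresholds from the thread: main httpd.conf, and the virtual-host override.
MAIN = dict(page_count=5, page_interval=5, site_count=100, site_interval=10, blocking_period=60)
VHOST = dict(MAIN, site_count=10000)

CLIENT = "203.0.113.7"  # constructed documentation address
# Constructed trace: one page view that pulls in 150 distinct images within ~3 seconds.
IMAGE_PAGE = [(CLIENT, "/gallery", 0.0)] + [
    (CLIENT, f"/img/{i}.png", 0.1 + i * 0.02) for i in range(150)
]
# Constructed trace: the same dynamic URL requested 8 times within 4 seconds.
RELOADS = [(CLIENT, "/cgi-bin/report", i * 0.5) for i in range(8)]

if __name__ == "__main__":
    for name, cfg in (("main", MAIN), ("vhost", VHOST)):
        print(name, count_denied(cfg, IMAGE_PAGE), count_denied(cfg, RELOADS))
```

In this model the image-heavy page view loses 51 of its 151 requests under the main settings and none under the override, while repeated hits on one URL are still denied in both because `DOSPageCount` was left at 5.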