Connection Limit - how to handle proxy servers

[IanD]

Hi,

My ISP (one the biggest in the UK) has started routing traffic to my website through a transparent proxy server.

This is fine except LiteSpeed is blocking the requests due to the connection limit.

I'm seeing:

[*.*.*.*] is over per client soft connection limit: 15 for 17 seconds, close connection!

Many times in the log files. I presume this is happening for many other requests from other proxy servers too.

I know I could just 'up' the connection limit, but then I wouldn't have the DDoS protection.. so I want the connection limit for an individual client but as you can see, this is causing a problem for proxy servers.

Any advice please!

Many thanks,

Ian

 

[mistwang]

http://www.litespeedtech.com/docs/webserver/config/security/#accessControl_allow
add that IP with trailing "T".

 

[IanD]

Thanks - yes I've done that for this IP address and it works.

I'm looking for more a general solution though.. I only knew about this IP being blocked because it's MY isp!

I'm thinking there is no reason loads of transparent proxy servers are being blocked for the same reason - that I'm just not aware of.

I can see many IPs being blocked throughout the day but I've always just presumed they were automated scripts / DDoS or something. But my proxy entries look exactly the same, so now I'm not sure.

Is there any solution? Except disable the connection throttling..

What happens if I use 'Use Client IP in Header' enabled?

Would LiteSpeed then use the real client IP address and not the proxy IP address?

 

[mistwang]

What happens if I use 'Use Client IP in Header' enabled?

Would LiteSpeed then use the real client IP address and not the proxy IP address?

Yes, if the proxy send "x-forworded-for" request header.

 

[IanD]

Thanks - unfortunately after looking at this, I can't enable the 'Use Client IP in Header' option because then someone could fake their IP address.

Due to the nature of my site, I can't allow the possibility of this.

So.. back to my original question.

Which I'm starting to think there is no solution for. But what does everyone else do? This must affect everyone who uses Connection Limits, I'm not the only site who has users connecting through transparent proxies!

I could increase the Connection Limit to something which would allow 100's of concurrent users to connect via the same proxy - but that's as good as turning it off..