blocking unwanted traffic from hitting gateway

Wil Schultz wschultz at bsdboy.com
Wed May 18 08:43:55 CDT 2011


On May 18, 2011, at 5:42 AM, Rogelio wrote:

> I've got about 1000 people hammering a Linux gateway with http
> requests, but only about 150 of them are authenticated users for the
> ISP.
> 
> Once someone authenticates, then I want their traffic to pass through
> okay.  But if they're not an authenticated user, I would like to
> ideally block those http requests (e.g. Google updater, AV scanners,
> etc) from ever tying up my web server.
> 
> Is there some sort of box I could put in front (e.g. OpenBSD pf in
> transparency mode) or maybe some sort of filter on the webserver?
> This solution would need to be tied into the authentication services
> so authenticated users hit the gateway.
> 
> -- 
> Also on LinkedIn?  Feel free to connect if you too are an open
> networker: scubacuda at gmail.com
> 

I use apache mod_rewrite in front of some stuff, there are a couple of examples where I look for a cookie and make sure it's set to some value before they can do something interesting. 
If the cookie doesn't exist, or if it's not set to the desired value, it goes somewhere else that's easily cacheable.

Here's an example, the cookie name is "loggedin" and the value is "true". If that doesn't match up it proxies over to login.jsp.

RewriteCond	%{HTTP_COOKIE} 	!loggedin=true
RewriteRule	^/(.*)			http://%{HTTP:Host}/login.jsp [P,L]

Good luck.

-wil



More information about the NANOG mailing list