[140704] in North American Network Operators' Group


Re: blocking unwanted traffic from hitting gateway

daemon@ATHENA.MIT.EDU (Wil Schultz)
Wed May 18 09:44:07 2011

From: Wil Schultz <wschultz@bsdboy.com>
In-Reply-To: <BANLkTikPQkcFNuajh3csxXyOkxNeHa_A3A@mail.gmail.com>
Date: Wed, 18 May 2011 06:43:55 -0700
To: scubacuda@gmail.com
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On May 18, 2011, at 5:42 AM, Rogelio wrote:

> I've got about 1000 people hammering a Linux gateway with http
> requests, but only about 150 of them are authenticated users for the
> ISP.
>
> Once someone authenticates, then I want their traffic to pass through
> okay.  But if they're not an authenticated user, I would like to
> ideally block those http requests (e.g. Google updater, AV scanners,
> etc) from ever tying up my web server.
>
> Is there some sort of box I could put in front (e.g. OpenBSD pf in
> transparency mode) or maybe some sort of filter on the webserver?
> This solution would need to be tied into the authentication services
> so authenticated users hit the gateway.
>
> --
> Also on LinkedIn?  Feel free to connect if you too are an open
> networker: scubacuda@gmail.com
>

I use Apache mod_rewrite in front of some stuff; there are a couple of
examples where I look for a cookie and make sure it's set to some value
before they can do something interesting.
If the cookie doesn't exist, or if it's not set to the desired value, it
goes somewhere else that's easily cacheable.

Here's an example: the cookie name is "loggedin" and the value is
"true". If that doesn't match up it proxies over to login.jsp.

RewriteCond  %{HTTP_COOKIE}  !loggedin=true
RewriteRule  ^/(.*)          http://%{HTTP:Host}/login.jsp [P,L]

Good luck.

-wil
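
An added example, not part of the message above and not Apache's or the poster's code: the RewriteCond is an unanchored regex match on the whole Cookie header and trusts a value the client supplies, so this sketch shows a stricter gate in which the login service issues an HMAC-signed, expiring "loggedin" value and the front end verifies it. The cookie format (user|timestamp|mac), the key, the lifetime and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import re
import time

# Assumed for illustration: a key shared by the login service and the front end.
SECRET_KEY = b"constructed-demo-key"
MAX_AGE = 3600  # assumed policy: seconds a login stays valid

# Pattern from the RewriteCond in the message: unanchored, matches anywhere.
LOOSE = re.compile(r"loggedin=true")
# Matches only a whole cookie pair whose name is exactly "loggedin".
STRICT = re.compile(r"(?:^|;\s*)loggedin=([^;]*)")


def _mac(user, ts):
    msg = f"{user}|{ts}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue(user, now=None):
    """Login service side: build the cookie value user|timestamp|mac."""
    ts = str(int(time.time() if now is None else now))
    return f"{user}|{ts}|{_mac(user, ts)}"


def is_authenticated(cookie_header, now=None):
    """Front-end side: True only for an untampered, unexpired loggedin cookie."""
    m = STRICT.search(cookie_header or "")
    if not m:
        return False
    parts = m.group(1).split("|")
    if len(parts) != 3:
        return False
    user, ts, mac = parts
    # Constant-time comparison; the timestamp is parsed only once the MAC holds.
    if not hmac.compare_digest(mac.encode(), _mac(user, ts).encode()):
        return False
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= MAX_AGE


if __name__ == "__main__":
    now = 1_700_000_000  # constructed sample time
    good = f"lang=en; loggedin={issue('alice', now)}"
    for header in (good, "loggedin=true", "wasloggedin=true"):  # constructed headers
        print(header[:40], bool(LOOSE.search(header)), is_authenticated(header, now))
```

A check like this would sit in the application or a small authorization service in front of it; mod_rewrite on its own can only test that the cookie text matches a pattern.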

