Separate perClientConnLimit for Cloudflare

#1
Hi,

When there is Cloudflare in front of LiteSpeed for a domain and the web page contains a lot of elements (images, CSS, JS), user IPs are often blocked when perClientConnLimit->hardLimit is set, even to high numbers like 100, and useIpInProxyHeader is set to 2. A browser usually makes at most 6 connections to the server, but Cloudflare can make 100+ connections at once from a single IP when the page has over 100 elements. It would be good to be able to set a different limit for IPs trusted to set the client IP in the header (Cloudflare by default).
 

serpent_driver

Well-Known Member
#2
Your feature request has no relevance for browsers because, as you yourself have noticed, the simultaneous download of resources in the browser is limited, although this limitation is not uniform. Firefox allows about twice as many concurrent requests as the Chrome browser. I think it is practically impossible for a browser with "natural" surfing behavior to get requests blocked because of too many simultaneous downloads. However, there are various browser plugins with which you can automatically download a large number of resources very quickly and at the same time. Only in such a case can I imagine requests being blocked.
 
#3
We have made tests with a clean browser, without plugins. When connecting directly, everything is fine; when the domain is behind Cloudflare, Cloudflare makes over 100 separate connections which are assigned to a single user IP (useIpInProxyHeader) and the user is blocked due to perClientConnLimit->hardLimit.
 
#5
Usually those are shops with a product list: ~20 .js, ~10 .css, ~77 images (icons, logos, products), fonts. Cloudflare just opens a separate connection for every resource and all of them are fetched within a second. The user IP is visible in the domain logs (useIpInProxyHeader) and "bot detected for vhost [N/A], reason: OverConnHardLimit, block" appears in error.log. That's with perClientConnLimit->hardLimit set to 100. Currently the only solution is to disable the per-client connection limit completely (or set it even higher) or to tell the user not to use Cloudflare.
 

serpent_driver

Well-Known Member
#6
The default settings of the Connection Hard Limit are very tolerant and are not usually exceeded by any browser with normal surfing behavior, even with 100 static resources on the first request of one URL. If you now complain that this limit is set too low, it can only mean that you have changed the default settings. Everything else is illogical! Nevertheless, there is no reason to change or expand the Connection Hard Limit function, since your individual settings must obviously be the reason for any problems.
 
#7
The default limit is OK. This request was about a separate limit for IPs that are set from headers sent by trusted IPs (OnlyuseIpInProxyHeader=2 in httpd_config.xml or "Use Client IP in Header: Trusted IP" in the web GUI). That's because people insist on using Cloudflare, and Cloudflare does not limit concurrent connections like browsers do, so there are 100+ concurrent connections at the same time on behalf of the client's IP address.

To check that, just use Cloudflare for a domain, generate HTML with a lot of images and visit the domain; the IP will be blocked with the "bot detected for vhost [N/A], reason: OverConnHardLimit, block" message. If there were a separate limit for connections from Cloudflare (trusted IPs), we could set it higher for Cloudflare and keep the default for direct connections.
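To make the counting problem described in this thread concrete, here is an added Python model (not LiteSpeed's code) of a per-client connection limiter. Like the "Use Client IP in Header: Trusted IP" mode, it keys connections on the X-Forwarded-For address only when the TCP peer is a trusted proxy, and it adds the separate, higher limit for proxied connections that the post above asks for. The class and function names, the trusted proxy range (203.0.113.0/24, a documentation range standing in for Cloudflare's published list), the client addresses and the resource counts are all constructed for the example.

```python
"""
Model of a per-client connection hard limit that honours X-Forwarded-For
only from trusted proxies, plus a separate limit for proxied connections.

Added example; not LiteSpeed code. All names and addresses are assumptions.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the trusted-proxy list (real Cloudflare ranges
# are published by Cloudflare; a documentation range is used here instead).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted_proxy(peer_ip: str) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip: str, xff: Optional[str]) -> Tuple[str, bool]:
    """Return (client_ip, proxied).

    Only a trusted peer may override the client IP via X-Forwarded-For.
    From any other peer the header is ignored, which is what stops an
    untrusted client from spoofing its way out of the limit.
    """
    if xff and is_trusted_proxy(peer_ip):
        # The leftmost XFF entry is the originating client.
        return xff.split(",")[0].strip(), True
    return peer_ip, False


@dataclass
class Policy:
    hard_limit: int                              # perClientConnLimit->hardLimit
    proxied_hard_limit: Optional[int] = None     # proposed: limit for trusted-proxy traffic


@dataclass
class ConnLimiter:
    policy: Policy
    active: Counter = field(default_factory=Counter)   # client IP -> open connections
    blocked: List[str] = field(default_factory=list)   # client IPs that hit the limit

    def limit_for(self, proxied: bool) -> int:
        if proxied and self.policy.proxied_hard_limit is not None:
            return self.policy.proxied_hard_limit
        return self.policy.hard_limit

    def open(self, peer_ip: str, xff: Optional[str] = None) -> bool:
        """Accept or reject a new connection; True means accepted."""
        client, proxied = effective_client_ip(peer_ip, xff)
        if self.active[client] + 1 > self.limit_for(proxied):
            self.blocked.append(client)          # "reason: OverConnHardLimit, block"
            return False
        self.active[client] += 1
        return True

    def close(self, peer_ip: str, xff: Optional[str] = None) -> None:
        client, _ = effective_client_ip(peer_ip, xff)
        if self.active[client] > 0:
            self.active[client] -= 1


def simulate_page_load(policy: Policy, peer_ip: str, xff: Optional[str],
                       resources: int) -> Tuple[int, int]:
    """Open one connection per resource at once (no reuse) and report
    (accepted, blocked). Cloudflare fetching 107 resources over 107 parallel
    connections is modelled as 107 calls to open() before any close()."""
    lim = ConnLimiter(policy)
    accepted = sum(lim.open(peer_ip, xff) for _ in range(resources))
    return accepted, len(lim.blocked)


if __name__ == "__main__":
    default = Policy(hard_limit=100)
    split = Policy(hard_limit=100, proxied_hard_limit=300)
    # Direct browser: 6 connections, well under the limit.
    print("direct browser, 6 conns:", simulate_page_load(default, "198.51.100.7", None, 6))
    # Trusted proxy fanning out 107 connections on behalf of one client.
    print("via trusted proxy, single limit:",
          simulate_page_load(default, "203.0.113.10", "198.51.100.7", 107))
    print("via trusted proxy, separate limit:",
          simulate_page_load(split, "203.0.113.10", "198.51.100.7", 107))
    # Untrusted peer sending XFF is still keyed on its own address.
    print("spoofed XFF from untrusted peer:",
          simulate_page_load(split, "192.0.2.5", "198.51.100.7", 107))
```

The last scenario is the caveat that makes a separate proxied limit safe to raise: because the header is only honoured from addresses in the trusted list, an untrusted client that sends its own X-Forwarded-For still counts against the default hardLimit under its real peer address, so the higher proxied limit cannot be reached by spoofing.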
 
#9
It's a shared hosting server; some people are using Cloudflare for their domains, so the connection looks like this:
Client browser -> Cloudflare -> Our LiteSpeed server
In that situation, the client IP is visible in the logs, not the one belonging to Cloudflare, thanks to the "Use Client IP in Header: Trusted IP" setting, which includes Cloudflare IPs by default. The problem is that while the client browser makes probably at most 6 concurrent connections to Cloudflare, Cloudflare makes as many as 100 of them to our LiteSpeed server, and all of them carry the client IP address in the HTTP headers, so LiteSpeed thinks that the client IP has just made 100 concurrent connections. Well, Cloudflare should not do that, but it's hard to convince them to behave properly. :)
 

serpent_driver

Well-Known Member
#10
Sorry, I have to capitulate. Your problem description is not only very confusing but also paradoxical, especially since the problem cannot really be narrowed down if you also use CF in addition to LSWS. However, I still don't see a problem with LSWS if the default settings for the connection hard limit have not been reduced so much that a block can occur. You should therefore contact LiteSpeed Support via a support ticket. In this forum you will not get the hoped-for help.
 