3 Reasons not to use Apache mod rewrite

After reading this discussion on Slashdot regarding an anti-virus agent pretending to be Internet Explorer and flooding sites with requests I waited to see a response come from an Apache fan on using mod_rewrite to detect and stop the flood of useless traffic coming from these robots. It was sure to come, particularly after the first post in the discussion pointed out how to use an iRule to detect and "nuke from orbit" these nasty little requests. I was not disappointed.

It's not the case that the solution won't work. It will, and it's certainly a viable solution. At least if you're only running 2 or 3 web servers. And you don't care about the need to interrupt service to implement the solution. And you aren't worried about potentially introducing errors into the server configuration. And you're aren't running IIS or some other web server.

There are a few very good reasons not to use Apache mod_rewrite for this kind of situation.

  1. It's less efficient.
    mod_rewrite requires that the server respond to the useless request, which means it's chewing up valuable resources on the server and the network that could be used to handle legitimate requests. Using mod_rewrite gains very little when you're attempting to stop useless traffic and requests from overloading your network or web servers because the traffic has to reach the servers and the web servers have to respond.

    Not only is it less efficient in terms of computing resources, but it's less efficient for administrators to develop, test, and deploy the solution on every server. That takes time, time that could certainly be spent doing other administrative tasks.

    By implementing the same "detect and nuke" functionality on the load-balancer (application delivery controller) you (a) prevent the traffic from flooding your network, (b) conserve resources on the server that can be used to serve legitimate requests, and (c) can implement the solution much faster as it only needs to be implemented once rather than once per server.
  2. It only works in homogeneous environments.
    If you're running all Apache web servers, great. But very few environments are standardized on a single web server platform.

    By implementing the same "detect and nuke" functionality on the load-balancer (application delivery controller) you can prevent the consumption of resources on all web server platforms at the same time without needing to implement 2,3, or more different solutions on the web servers.
  3. It requires an interruption to services.  
    In order to deploy a mod_rewrite solution the Apache configuration file must be modified and Apache restarted. That means all connected clients will have their service interrupted, and if there's an error or some other problem with the configuration it will result in down time. Either administrators need to quiesce (bleed) the connections off before restarting, or they need to simply hit the reset button without concern for connected clients. Depending on the services running on the affected server, that can be bad news for business.

    By implementing the same "detect and nuke" functionality on the load-balancer (application delivery controller) you won't need to restart the web servers nor interrupt service. Because the load-balancer is managing the connections and handling the inspection of requests, the servers don't need to be restarted and connection management can be handled by the application delivery controller.

So basically, if you're running a small, homogenous server farm and don't care about downtime/interruptions to service then using Apache mod_rewrite to solve this - or a similar - problem then go ahead and use mod_rewrite. But if you're in charge of a lot more servers, and it's a heterogeneous environment, and you can't interrupt service then you should be seriously considering implementing this kind of functionality in your application delivery controller instead.

Once again, just because you can, doesn't mean you should.

 

Published Jul 07, 2008
Version 1.0
  • @Nojan

     

     

    It is a workaround, but it doesn't resolve the inefficiency with requiring the web server to respond to useless requests. Of all the reasons to let a proxy/ADC inspect requests offloading tedious work like rejecting illegitimate/meaningless requests is likely the best one. When a server is slowing down and consuming resources the answer to this problem and others like it should be to stop the requests _before_ they reach the web server, at the edge.

     

  • @Harold

     

    Awesome suggestion. Would you care to share the appropriate config? That would be most helpful.

     

     

    @dfguy

     

    As Eowyn told the Witch King, "I am no man." But thanks for sharing your opinion.

     

     

    Lori
  • Mike,

     

     

    Graceful is the implementation of quiescence (bleed off) for Apache, hence the reason I mentioned the need to "wait" for connections to be taken down before restarting. That won't break the connections, but the eventual restart still interrupts service, as it were, depending on how long it takes the server to come back up online. It's unlikely to cause downtime, because it's generally very quick, but the potential to interrupt service with downtime due to a misconfiguration or error in the rewrite rule is there.

     

     

    Lori
  • Heh. Go for it! If you optimize it we can post it here as a better solution. ;-)

     

     

    Lori
  • Yeah, I saw that too. I was initially drawn as a user of AVG. Was I wrong to want to optimize his iRule? :^)