How can I implement rate limiting with Apache? (requests per second)

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must keep the same license, cite the original address and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/131681/
Date: 2020-09-13 16:45:54  Source: igfitidea

Tags: apache, apache2, ddos

Asked by bd808

What techniques and/or modules are available to implement robust rate limiting (requests|bytes/ip/unit time) in apache?

Accepted answer by Vinko Vrsalovic

The best

  • mod_evasive (focused more on reducing DoS exposure)
  • mod_cband (best featured for 'normal' bandwidth control)

and the rest

Answered by Diego F. Durán

As stated in this blogpost it seems possible to use mod_security to implement a rate limit per second.

The configuration is something like this:

SecRuleEngine On

<LocationMatch "^/somepath">
  # Load (or create) the per-client collection, keyed on the client address
  SecAction initcol:ip=%{REMOTE_ADDR},pass,nolog
  # After the response (phase 5): decrement the counter by 1 every 1 second
  SecAction "phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog"
  # Counter above 60: pause 300 ms, deny with status 509, flag the request, and skip the increment below
  SecRule IP:SOMEPATHCOUNTER "@gt 60" "phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog"
  # Otherwise count this request against the client
  SecAction "phase:2,pass,setvar:ip.somepathcounter=+1,nolog"
  # Only sent to clients that were limited (RATELIMITED set above)
  Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>

# 509 is a non-standard status code; this sets the body returned with it
ErrorDocument 509 "Rate Limit Exceeded"
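
The rule chain above is easier to reason about as a leaky-bucket counter: every allowed request adds one, the counter drains one unit per second, and a client is refused while the counter is above 60. That means "@gt 60" with "1/1" decay is not "60 requests per second" but a burst allowance of about 60 requests followed by a sustained allowance of one request per second. The following Python model is added here to illustrate those semantics; it is not part of the answer or of ModSecurity. The traffic it runs is constructed, and the decay is modelled as continuous (elapsed time times rate), which is an approximation of deprecatevar's stepwise decrement.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DecayingCounterLimiter:
    """Per-client counter mirroring the mod_security rule chain above:
      setvar:ip.somepathcounter=+1        -> +1 per allowed request
      deprecatevar:ip.somepathcounter=1/1 -> minus 1 every 1 second
      @gt 60 + skip:1                     -> deny, and do not count the request
    Assumption: decay is continuous (elapsed * rate) rather than stepwise.
    """
    threshold: float = 60.0        # "@gt 60"
    decay_per_second: float = 1.0  # "1/1": one unit per one second
    _state: Dict[str, Tuple[float, float]] = field(default_factory=dict)  # ip -> (counter, last_seen)

    def _decayed(self, ip: str, now: float) -> float:
        """Counter value for `ip` at time `now` after applying the decay since it was last seen."""
        counter, last_seen = self._state.get(ip, (0.0, now))
        elapsed = max(0.0, now - last_seen)
        return max(0.0, counter - elapsed * self.decay_per_second)

    def check(self, ip: str, now: float) -> bool:
        """Return True if the request at time `now` (seconds) is allowed."""
        counter = self._decayed(ip, now)
        if counter > self.threshold:
            # denied: keep the decayed value, do not count this request (skip:1)
            self._state[ip] = (counter, now)
            return False
        self._state[ip] = (counter + 1.0, now)
        return True

    def retry_after(self, ip: str, now: float) -> float:
        """Seconds until this client's counter is back at or below the threshold
        (the rule above sends a fixed Retry-After of 10 instead)."""
        excess = self._decayed(ip, now) - self.threshold
        return max(0.0, excess / self.decay_per_second)


def simulate(requests: List[Tuple[float, str]], threshold: float = 60.0,
             decay: float = 1.0) -> List[bool]:
    """Run a list of (seconds, client_ip) through a fresh limiter, in time order."""
    limiter = DecayingCounterLimiter(threshold, decay)
    return [limiter.check(ip, t) for t, ip in sorted(requests, key=lambda r: r[0])]


def burst_demo() -> Tuple[int, int]:
    """Constructed traffic: 100 requests from one address in the same instant.
    Returns (allowed, denied): the 62nd request is the first one refused."""
    results = simulate([(0.0, "203.0.113.5")] * 100)
    return results.count(True), results.count(False)


def sustained_demo() -> List[bool]:
    """Constructed traffic: one client sending 2 requests/second for 200 seconds.
    Each request adds 1 while only 0.5 drains between requests, so the counter
    climbs by a net 0.5 per request; after ~120 requests the client is throttled
    and every other request is denied, i.e. the sustained allowance is the decay
    rate (1 request/second), while 60 is only the burst capacity."""
    requests = [(i * 0.5, "198.51.100.7") for i in range(401)]
    return simulate(requests)


if __name__ == "__main__":
    print("burst of 100 at once: allowed/denied =", burst_demo())
    s = sustained_demo()
    first = s.index(False)
    print(f"2 req/s stream: first denial at request #{first + 1} (t={first * 0.5}s); "
          f"afterwards {s[first:].count(True)} of {len(s) - first} requests allowed")
```

The same model can be used to tune the two numbers in the rule: the threshold sets how large a burst a client may send before being throttled, and the deprecatevar rate sets the long-run requests per second a client is allowed once throttled.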

Answered by Panama Hyman

There are numerous ways, including web application firewalls, but the easiest thing to implement is using an Apache mod.

One such mod I like to recommend is mod_qos. It's a free module that is very effective against certain DoS, brute-force and Slowloris type attacks. This will ease up your server load quite a bit.

It is very powerful.

The current release of the mod_qos module implements control mechanisms to manage:

  • The maximum number of concurrent requests to a location/resource (URL) or virtual host.
  • Limitation of the bandwidth such as the maximum allowed number of requests per second to an URL or the maximum/minimum of downloaded kbytes per second.
  • Limits the number of request events per second (special request conditions).
  • Limits the number of request events within a defined period of time.
  • It can also detect very important persons (VIP) which may access the web server without or with fewer restrictions.
  • Generic request line and header filter to deny unauthorized operations.
  • Request body data limitation and filtering (requires mod_parp).
  • Limits the number of request events for individual clients (IP).
  • Limitations on the TCP connection level, e.g., the maximum number of allowed connections from a single IP source address or dynamic keep-alive control.
  • Prefers known IP addresses when server runs out of free TCP connections.

This is a sample config of what you can use it for. There are hundreds of possible configurations to suit your needs. Visit the site for more info on controls.

Sample configuration:

# minimum request rate (bytes/sec at request reading):
QS_SrvRequestRate                                 120

# limits the connections for this virtual host:
QS_SrvMaxConn                                     800

# allows keep-alive support till the server reaches 600 connections:
QS_SrvMaxConnClose                                600

# allows max 50 connections from a single ip address:
QS_SrvMaxConnPerIP                                 50

# disables connection restrictions for certain clients:
QS_SrvMaxConnExcludeIP                    172.18.3.32
QS_SrvMaxConnExcludeIP                    192.168.10.

http://opensource.adnovum.ch/mod_qos/

Answered by wuzer

Sadly, mod_evasive won't work as expected when used in non-prefork configurations (recent apache setups are mainly MPM)

Answered by Janus Troelsen

In Apache 2.4, there's a new stock module called mod_ratelimit. For emulating modem speeds, you can use mod_dialup. Though I don't see why you just couldn't use mod_ratelimit for everything.

Answered by mrT

One more option - mod_qos

Not simple to configure - but powerful.

http://opensource.adnovum.ch/mod_qos/

Answered by NerdOfLinux

Depends on why you want to rate limit.

If it's to protect against overloading the server, it actually makes sense to put NGINX in front of it, and configure rate limiting there. It makes sense because NGINX uses much less resources, something like a few MB per ten thousand connections. So, if the server is flooded, NGINX will do the rate limiting (using an insignificant amount of resources) and only pass the allowed traffic to Apache.

If all you're after is simplicity, then use something like mod_evasive.

As usual, if it's to protect against DDoS or DoS attacks, use a service like Cloudflare which also has rate limiting.