Forum has been very slow 2 days now...

[smatovic]

[..]
There is an 'sid' in the query string (session ID?), which suggests the requests come from someone who is logged on. But for each request from the same IP all sid are different.
[..]

Thanks for taking a look.

When you open the page for the first time or reject cookies then you get an sid in your url, sid for session id, after further browsing or log in it will be stored as sid in a cookie so it odes not appeasr in the url anymore.

--
Srdja

[smatovic]

Beside the apache log file one should take a look into the Munin monitoring tool (I gave the URL to the founders) to figure what the server bottleneck is. Munin monitors CPU load, RAM, disk, network, all four could cause the slowdowns we experience.

--
Srdja

[smatovic]

It seems the times of poor forum performance coinside with a huge number of GET requests (some 4/sec) from the IP gange 47.246.164.*. I now made an attempt to block those IPs by adding to the apache2.conf file:

Code: Select all

<RequireAll>
    Require all granted
    Require not ip 47.246.64.0/24
</RequireAll>

I am not sure whether this will have any effect without restarting the Apache server (which I am not sure how to do), or whether indeed it will work as intended, and whether this will then solve the problem.

Smart arse alert

One should not block manually single IP addresses or ranges (this is what ChessUSA did) but harden the Linux firewall against these. If one IP or IP range causes too many requests you can limit IP requests by configuring the firewall accordingly. I wrote back then a lil documentation in a text file on this and stored it on the the server plus emailed it to you founders.

--
Srdja

[hgm]

I now also posted a similar file (at normal ) for the busiest minute in an hour where trafic was low (13:00 - 14:00). I assume this reflects normal use.

[hgm]

[..]
There is an 'sid' in the query string (session ID?), which suggests the requests come from someone who is logged on. But for each request from the same IP all sid are different.
[..]

Thanks for taking a look.

When you open the page for the first time or reject cookies then you get an sid in your url, sid for session id, after further browsing or log in it will be stored as sid in a cookie so it odes not appeasr in the url anymore.

--
Srdja

I don't get it. If you request a page first time, you cannot have gotten anything yet. At best you get something in the data that you get in reply. But how would that end up in the url of a next request for the same page? Does the browser save it as a cookie, and then appends it to the next request to the site?

[smatovic]

[..]
There is an 'sid' in the query string (session ID?), which suggests the requests come from someone who is logged on. But for each request from the same IP all sid are different.
[..]

Thanks for taking a look.

When you open the page for the first time or reject cookies then you get an sid in your url, sid for session id, after further browsing or log in it will be stored as sid in a cookie so it odes not appeasr in the url anymore.

--
Srdja

I don't get it. If you request a page first time, you cannot have gotten anything yet. At best you get something in the data that you get in reply. But how would that end up in the url of a next request for the same page? Does the browser save it as a cookie, and then appends it to the next request to the site?

I am not into the details how phpBB code implements it, but this is what I can verify with my browser:

1. You request https://talkchess.com
2. In all web site links there is a sid in the url, the session id, e.g.:

viewforum.php?f=2&sid=ad23fbca1efef0640e1d1159bb169e48

3.a) If your client accepts cookies, and you click on any of those links, then the sid is stored in a cookie in your browser which is transmitted with every http header and there will be no sid anymore in the url
3.b) If your client rejects cookies, then the sid will be present in all following links in the url.

That being said, I do not know, how crawlers handle session ids in urls and cookies.

***edit***
You can google about session highjacking, therefore it is not recommended to share urls with parameters, but usually the session is bound to an IP address server wise, which helps.

--
Srdja