archwiki: simple challenge for CN

host_vars/wiki.archlinux.org/misc

@@ -2,3 +2,5 @@ filesystem: btrfs
 memcached_socket: "/run/memcached/archwiki.sock"
 wireguard_address: 10.0.0.22
 wireguard_public_key: bZeNWMLtyNDaFR7jjWr06nNZt/vV/OKNleV7XZZs+lc=
+nginx_extra_modules:
+  - geoip2

roles/archwiki/templates/nginx.d.conf.j2

@@ -13,6 +13,20 @@ upstream archwiki {
     server unix://{{ archwiki_socket }};
 }
 
+map $cookie_challenge $authenticated {
+    default 1;
+    41ce6c6 0;
+}
+
+geoip2 /var/lib/GeoIP/GeoLite2-Country.mmdb {
+    $geoip2_data_country_iso_code country iso_code;
+}
+
+map $geoip2_data_country_iso_code $challenge {
+    default 0;
+    CN      $authenticated;
+}
+
 server {
     listen       80;
     listen       [::]:80;
@@ -47,6 +61,11 @@ server {
     root {{ archwiki_dir }}/public;
     index index.php;
 
+    location = /challenge {
+        add_header Set-Cookie "challenge=41ce6c6; SameSite=Strict";
+        return 303 $scheme://$server_name/$arg_return;
+    }
+
     # Block search bot that apparently never heared the term rate limiting
     if ($http_user_agent ~ "Bytespider$" ) {
         return 403;
@@ -103,6 +122,10 @@ server {
 
     # normal PHP FastCGI handler
     location ~ ^/[^/]+\.php$ {
+        if ($challenge) {
+            return 303 $scheme://$server_name/challenge?return=$request_uri;
+        }
+
         try_files $uri =404;
         access_log   /var/log/nginx/{{ archwiki_domain }}/access.log main;
         access_log   /var/log/nginx/{{ archwiki_domain }}/access.log.json json_main;