Rate limit archlinux.org and fail2ban abusers

Add a default rate limit for 20 req/s for the uwsgi endpoint and
automatically ban users who reach this limit. The nginx-limit-req rule
does not ban users who reach the rss limit as these are not likely DoS
attempts.

docs/fail2ban.md

@@ -39,3 +39,6 @@ Add `fail2ban_jails` dict with `dovecot: true` to the host's `host_vars`.
 The nginx_limit_req jail is not enabled on any server. This jail bans IPs based repeated errors on nginx error log. Default blocking is 1 hour(s). Adding to a host:
 
 Add `fail2ban_jails` dict with `nginx_limit_req: true` to the host's `host_vars`.
+
+The `rsslimit` zone is whitelisted from being banned with `ignoreregex`, as we
+choose to not ban RSS abusers.

host_vars/archlinux.org/misc

@@ -10,6 +10,6 @@ fail2ban_jails:
   sshd: true
   postfix: false
   dovecot: false
-  nginx_limit_req: false
+  nginx_limit_req: true
 wireguard_address: 10.0.0.1
 wireguard_public_key: 0Vx7jfWinpTPHKPxvmKtZlp3hcLebawz+vQM8EIEm1k=

roles/archweb/templates/nginx.d.conf.j2

 # limit rss requests to 1 r/m
 limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
+
+# limit general requests to 20 r/s to block DoS attempts.
+limit_req_zone $binary_remote_addr zone=archweblimit:10m rate=20r/s;
+
 limit_req_status 429;
 
 uwsgi_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=archwebcache:10m inactive=60m;
@@ -193,5 +197,7 @@ server {
         uwsgi_cache_revalidate on;
         uwsgi_cache_key $cache_key;
         add_header X-Cache-Status $upstream_cache_status;
+
+        limit_req zone=archweblimit burst=10 nodelay;
     }
 }

roles/fail2ban/templates/nginx-limit-req.jail.j2

@@ -10,4 +10,6 @@ action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
 logpath = /var/log/nginx/*/error.log
 findtime = 5min
 bantime = 1hours
-maxretry = 10
\ No newline at end of file
+maxretry = 10
+# Do not fail2ban archweb's rss limit.
+ignoreregex = rsslimit