Skip to content
Snippets Groups Projects
Verified Commit 314aa355 authored by Jelle van der Waa's avatar Jelle van der Waa :construction:
Browse files

Rate limit archlinux.org and fail2ban abusers

Add a default rate limit for 20 req/s for the uwsgi endpoint and
automatically ban users who reach this limit. The nginx-limit-req rule
does not ban users who reach the rss limit as these are not likely DoS
attempts.
parent 897923fd
No related branches found
No related tags found
No related merge requests found
Pipeline #9615 passed
......@@ -39,3 +39,6 @@ Add `fail2ban_jails` dict with `dovecot: true` to the host's `host_vars`.
The nginx_limit_req jail is not enabled on any server. This jail bans IPs based repeated errors on nginx error log. Default blocking is 1 hour(s). Adding to a host:
Add `fail2ban_jails` dict with `nginx_limit_req: true` to the host's `host_vars`.
The `rsslimit` zone is whitelisted from being banned with `ignoreregex`, as we
choose to not ban RSS abusers.
......@@ -10,6 +10,6 @@ fail2ban_jails:
sshd: true
postfix: false
dovecot: false
nginx_limit_req: false
nginx_limit_req: true
wireguard_address: 10.0.0.1
wireguard_public_key: 0Vx7jfWinpTPHKPxvmKtZlp3hcLebawz+vQM8EIEm1k=
# limit rss requests to 1 r/m
limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
# limit general requests to 20 r/s to block DoS attempts.
limit_req_zone $binary_remote_addr zone=archweblimit:10m rate=20r/s;
limit_req_status 429;
uwsgi_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=archwebcache:10m inactive=60m;
......@@ -193,5 +197,7 @@ server {
uwsgi_cache_revalidate on;
uwsgi_cache_key $cache_key;
add_header X-Cache-Status $upstream_cache_status;
limit_req zone=archweblimit burst=10 nodelay;
}
}
......@@ -10,4 +10,6 @@ action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*/error.log
findtime = 5min
bantime = 1hours
maxretry = 10
\ No newline at end of file
maxretry = 10
# Do not fail2ban archweb's rss limit.
ignoreregex = rsslimit
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment