Verified Commit 314aa355 authored by Jelle van der Waa's avatar Jelle van der Waa 🚧
Browse files

Rate limit and fail2ban abusers

Add a default rate limit for 20 req/s for the uwsgi endpoint and
automatically ban users who reach this limit. The nginx-limit-req rule
does not ban users who reach the rss limit as these are not likely DoS
parent 897923fd
Pipeline #9615 passed with stage
in 1 minute and 2 seconds
......@@ -39,3 +39,6 @@ Add `fail2ban_jails` dict with `dovecot: true` to the host's `host_vars`.
The nginx_limit_req jail is not enabled on any server. This jail bans IPs based repeated errors on nginx error log. Default blocking is 1 hour(s). Adding to a host:
Add `fail2ban_jails` dict with `nginx_limit_req: true` to the host's `host_vars`.
The `rsslimit` zone is whitelisted from being banned with `ignoreregex`, as we
choose to not ban RSS abusers.
......@@ -10,6 +10,6 @@ fail2ban_jails:
sshd: true
postfix: false
dovecot: false
nginx_limit_req: false
nginx_limit_req: true
wireguard_public_key: 0Vx7jfWinpTPHKPxvmKtZlp3hcLebawz+vQM8EIEm1k=
# limit rss requests to 1 r/m
limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
# limit general requests to 20 r/s to block DoS attempts.
limit_req_zone $binary_remote_addr zone=archweblimit:10m rate=20r/s;
limit_req_status 429;
uwsgi_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=archwebcache:10m inactive=60m;
......@@ -193,5 +197,7 @@ server {
uwsgi_cache_revalidate on;
uwsgi_cache_key $cache_key;
add_header X-Cache-Status $upstream_cache_status;
limit_req zone=archweblimit burst=10 nodelay;
......@@ -10,4 +10,6 @@ action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/*/error.log
findtime = 5min
bantime = 1hours
maxretry = 10
\ No newline at end of file
maxretry = 10
# Do not fail2ban archweb's rss limit.
ignoreregex = rsslimit
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment