diff --git a/docs/fail2ban.md b/docs/fail2ban.md
index fa6fcb338a33cb1ebe51863be2c9162d80022d99..cc96bc2d034a0e424429ddd8562e8ec5e19c5596 100644
--- a/docs/fail2ban.md
+++ b/docs/fail2ban.md
@@ -39,3 +39,6 @@ Add `fail2ban_jails` dict with `dovecot: true` to the host's `host_vars`.
 The nginx_limit_req jail is not enabled on any server. This jail bans IPs based repeated errors on nginx error log. Default blocking is 1 hour(s). Adding to a host:
 
 Add `fail2ban_jails` dict with `nginx_limit_req: true` to the host's `host_vars`.
+
+The `rsslimit` zone is whitelisted from being banned with `ignoreregex`, as we
+choose to not ban RSS abusers.
diff --git a/host_vars/archlinux.org/misc b/host_vars/archlinux.org/misc
index ced9db72580c4826005a60a04f176f86063309dd..6c832727cae5294a6058ebf80a196812edbca05e 100644
--- a/host_vars/archlinux.org/misc
+++ b/host_vars/archlinux.org/misc
@@ -10,6 +10,6 @@ fail2ban_jails:
   sshd: true
   postfix: false
   dovecot: false
-  nginx_limit_req: false
+  nginx_limit_req: true
 wireguard_address: 10.0.0.1
 wireguard_public_key: 0Vx7jfWinpTPHKPxvmKtZlp3hcLebawz+vQM8EIEm1k=
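Review bot: Setting `nginx_limit_req: true` for archlinux.org leaves docs/fail2ban.md out of step, because this commit keeps the sentence "The nginx_limit_req jail is not enabled on any server" as unchanged context. That sentence should name the host, for example `The nginx_limit_req jail is enabled on archlinux.org only.` The jail template reads `/var/log/nginx/*/error.log`, so once enabled it presumably acts on limit_req rejections from every vhost logging under that directory, not only archweb. It is worth confirming that this scope is intended.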
diff --git a/roles/archweb/templates/nginx.d.conf.j2 b/roles/archweb/templates/nginx.d.conf.j2
index 74201a624fbfa3c6c837b329d5c578bb756ca84f..c1ac77b62177e1e07c7df78228478360a0d674cd 100644
--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
@@ -1,5 +1,9 @@
 # limit rss requests to 1 r/m
 limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
+
+# limit general requests to 20 r/s to block DoS attempts.
+limit_req_zone $binary_remote_addr zone=archweblimit:10m rate=20r/s;
+
 limit_req_status 429;
 
 uwsgi_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=archwebcache:10m inactive=60m;
@@ -193,5 +197,7 @@ server {
         uwsgi_cache_revalidate on;
         uwsgi_cache_key $cache_key;
         add_header X-Cache-Status $upstream_cache_status;
+
+        limit_req zone=archweblimit burst=10 nodelay;
     }
 }
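Review bot: The added `limit_req zone=archweblimit burst=10 nodelay;` carries no comment saying that its rejections now feed the fail2ban jail this commit enables. With `maxretry = 10` and `findtime = 5min` in the jail template, ten rejected requests from one address within five minutes turn into a one-hour firewall ban. That can catch several legitimate users who share one address behind NAT or a proxy. I would add a comment above the directive such as `# Rejections are logged to error.log and count toward the nginx-limit-req fail2ban jail (10 in 5min -> 1h ban).` The enclosing location block opens outside the hunk, so which paths the limit covers cannot be checked from here.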
diff --git a/roles/fail2ban/templates/nginx-limit-req.jail.j2 b/roles/fail2ban/templates/nginx-limit-req.jail.j2
index 63a6ad37df971b4aa6bd0cf28f42fb5dfd0082a6..0189fc2a31e31c082883527c8ecc7874973d2ae1 100644
--- a/roles/fail2ban/templates/nginx-limit-req.jail.j2
+++ b/roles/fail2ban/templates/nginx-limit-req.jail.j2
@@ -10,4 +10,6 @@ action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
 logpath = /var/log/nginx/*/error.log
 findtime = 5min
 bantime = 1hours
-maxretry = 10
\ No newline at end of file
+maxretry = 10
+# Do not fail2ban archweb's rss limit.
+ignoreregex = rsslimit
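Review bot: `ignoreregex = rsslimit` is unanchored, so it exempts any error-log line containing that string, not only lines where the limiting zone is rsslimit. nginx's limit_req message also records client-supplied fields such as the request line and referrer, so rejections from other zones, including the new archweblimit, can fall under the exemption. Tying the pattern to the zone field keeps the exemption to the RSS limiter: `ignoreregex = by zone "rsslimit"`. The comment could then read `# Do not ban on archweb's rsslimit zone; match the zone field only, not the whole line.`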