archweb: rate limit /mirrors/status/json endpoint

This is by far our most popular endpoint and some folks hit us with one request per 5 seconds which leads to 6GB of daily traffic. Rate limit them the same as broken RSS readers.

archweb: rate limit /mirrors/status/json endpoint
6352e3db · Jelle van der Waa · e581c85f · 6352e3db
Verified Commit 6352e3db authored 9 months ago by Jelle van der Waa
--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
 # limit rss requests to 1 r/m
 limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;

+# limit mirrors/status/json requests to 1 r/m
+limit_req_zone $binary_remote_addr zone=mirrorstatuslimit:8m rate=1r/m;
+
 # limit general requests to 10 r/s to block DoS attempts.
 limit_req_zone $binary_remote_addr zone=archweblimit:10m rate=10r/s;

@@ -191,6 +194,19 @@ server {
        limit_req zone=rsslimit burst=10 nodelay;
    }

+    # Rate limit mirror status json endpoint
+    location /mirrors/status/json {
+        include uwsgi_params;
+        uwsgi_pass archweb;
+
+        uwsgi_cache archwebcache;
+        uwsgi_cache_revalidate on;
+        uwsgi_cache_key $cache_key;
+        add_header X-Cache-Status $upstream_cache_status;
+
+        limit_req zone=mirrorstatuslimit burst=10 nodelay;
+    }
+
    # Temporary redirects
    location /people/trusted-user-fellows/ {
        return 301 /people/package-maintainer-fellows/;