From 6352e3db5228ff05e04dde3a39020e61e908a08d Mon Sep 17 00:00:00 2001
From: Jelle van der Waa <jelle@archlinux.org>
Date: Sun, 2 Jun 2024 13:07:34 +0200
Subject: [PATCH] archweb: rate limit /mirrors/status/json endpoint

This is by far our most popular endpoint and some folks hit us with one
request per 5 seconds which leads to 6GB of daily traffic. Rate limit
them the same as broken RSS readers.
---
 roles/archweb/templates/nginx.d.conf.j2 | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/roles/archweb/templates/nginx.d.conf.j2 b/roles/archweb/templates/nginx.d.conf.j2
index 76bd944cd..a3b6993a7 100644
--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
@@ -1,6 +1,9 @@
 # limit rss requests to 1 r/m
 limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
 
+# limit mirrors/status/json requests to 1 r/m
+limit_req_zone $binary_remote_addr zone=mirrorstatuslimit:8m rate=1r/m;
+
 # limit general requests to 10 r/s to block DoS attempts.
 limit_req_zone $binary_remote_addr zone=archweblimit:10m rate=10r/s;
 
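Review bot: The `mirrorstatuslimit` zone added here is keyed on `$binary_remote_addr`, so the 1 r/m budget applies per exact source address: every client behind a shared NAT or proxy draws from one bucket, and an IPv6 client is counted per full address rather than per prefix. Neither is necessarily wrong for this endpoint, but the comment should say so, e.g. `# limit mirrors/status/json to 1 r/m per client address (NAT'd clients share a bucket; burst is set in the location)`. The comment as written also reads as a hard 1 r/m, while the `burst=10 nodelay` in the second hunk lets a client send 11 requests back to back before the limit applies.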
@@ -191,6 +194,19 @@ server {
         limit_req zone=rsslimit burst=10 nodelay;
     }
 
+    # Rate limit mirror status json endpoint
+    location /mirrors/status/json {
+        include uwsgi_params;
+        uwsgi_pass archweb;
+
+        uwsgi_cache archwebcache;
+        uwsgi_cache_revalidate on;
+        uwsgi_cache_key $cache_key;
+        add_header X-Cache-Status $upstream_cache_status;
+
+        limit_req zone=mirrorstatuslimit burst=10 nodelay;
+    }
+
     # Temporary redirects
     location /people/trusted-user-fellows/ {
         return 301 /people/package-maintainer-fellows/;
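Review bot: Requests rejected by `limit_req zone=mirrorstatuslimit` in the new location are answered with nginx's default 503 unless `limit_req_status` is set somewhere outside this hunk; for an endpoint polled by scripts, `limit_req_status 429;` tells the client it is being throttled rather than that the server is failing. Separately, `add_header X-Cache-Status ...` at location level stops inheritance of any `add_header` lines from the enclosing `server`/`http` level, so if security headers such as HSTS are set there (not visible here) they will be missing on this location unless repeated. The `server` block starts and continues outside the hunk, so both points should be checked against the full template.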
-- 
GitLab