Merge branch 'archwiki-simple-bot-protection' into 'master'

archwiki: Add simple challenge for Chinese IP addresses

See merge request !851

host_vars/wiki.archlinux.org/misc

@@ -2,3 +2,5 @@ filesystem: btrfs
 memcached_socket: "/run/memcached/archwiki.sock"
 wireguard_address: 10.0.0.22
 wireguard_public_key: bZeNWMLtyNDaFR7jjWr06nNZt/vV/OKNleV7XZZs+lc=
+nginx_extra_modules:
+  - name: geoip2

roles/archwiki/defaults/main.yml

 archwiki_dir: '/srv/http/archwiki'
 archwiki_domain: 'wiki.archlinux.org'
 archwiki_nginx_conf: '/etc/nginx/nginx.d/archwiki.conf'
+archwiki_nginx_challenge_value: '41ce6c6'
 archwiki_user: 'archwiki'
 archwiki_repository: 'https://gitlab.archlinux.org/archlinux/archwiki.git'
 archwiki_version: '1.42.1-2'

roles/archwiki/templates/nginx.d.conf.j2

@@ -13,6 +13,32 @@ upstream archwiki {
     server unix://{{ archwiki_socket }};
 }
 
+# Challenge the client if the cookie "challenge" is not set to
+# the value of "archwiki_nginx_challenge_value".
+map $cookie_challenge $challenge_required2 {
+    default 1;
+    {{ archwiki_nginx_challenge_value }} 0;
+}
+
+# Challenge the client if it is requesting an "action view" and
+# $challenge_required2 is true.
+map $request_uri $challenge_required {
+    default         0;
+    ~^/index\.php\? $challenge_required2;
+}
+
+geoip2 /var/lib/GeoIP/GeoLite2-Country.mmdb {
+    auto_reload 60m;
+    $geoip2_data_country_iso_code country iso_code;
+}
+
+# Challenge the client if it is from China and $challenge_required is
+# true. This is enough to "throw off" some bots/crawlers from China.
+map $geoip2_data_country_iso_code $challenge {
+    default 0;
+    CN      $challenge_required;
+}
+
 server {
     listen       80;
     listen       [::]:80;
@@ -103,6 +129,11 @@ server {
 
     # normal PHP FastCGI handler
     location ~ ^/[^/]+\.php$ {
+        if ($challenge) {
+            add_header Set-Cookie "challenge={{ archwiki_nginx_challenge_value }}; SameSite=Strict";
+            return 303 $scheme://$server_name/$request_uri;
+        }
+
         try_files $uri =404;
         access_log   /var/log/nginx/{{ archwiki_domain }}/access.log main;
         access_log   /var/log/nginx/{{ archwiki_domain }}/access.log.json json_main;

roles/nginx/defaults/main.yml

 letsencrypt_validation_dir: "/var/lib/letsencrypt"
 nginx_firewall_zone:
+nginx_extra_modules: []

roles/nginx/meta/main.yml

+dependencies:
+  - role: geoipupdate
+    when: "'geoip2' in (nginx_extra_modules | map(attribute='name') )"

roles/nginx/tasks/main.yml

 - name: Install nginx
   pacman: name=nginx,nginx-mod-brotli state=present
 
+- name: Install extra nginx modules
+  pacman: name={{ nginx_extra_modules | map(attribute='name') | map('regex_replace', '^', 'nginx-mod-') }} state=present
+
 - name: Install nginx.service snippet
   copy: src=nginx.service.d dest=/etc/systemd/system owner=root group=root mode=0644
 

roles/nginx/templates/nginx.conf.j2

@@ -2,6 +2,13 @@ worker_processes  auto;
 
 load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
+{% for module in nginx_extra_modules %}
+{% if module.so_name is not defined %}
+load_module /usr/lib/nginx/modules/ngx_http_{{ module.name }}_module.so;
+{% else %}
+load_module /usr/lib/nginx/modules/{{ module.so_name | replace('-', '_') }};
+{% endif %}
+{% endfor %}
 include toplevel-snippets/*.conf;
 
 events {