Rate limit mediawiki API endpoint

Our API endpoint was being abused by a malicious user which send about 20 req/s, as php-fpm uses a pool of workers this easily over burdens them and also gives the server a constant 100% CPU load. Applying a rate limit succesfully negates this issue.

Rate limit mediawiki API endpoint
dbd68aa2 · Jelle van der Waa · 53520a8a · dbd68aa2
Verified Commit dbd68aa2 authored 3 years ago by Jelle van der Waa
--- a/roles/archwiki/templates/nginx.d.conf.j2
+++ b/roles/archwiki/templates/nginx.d.conf.j2
 fastcgi_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=wiki:100m inactive=60m;
 fastcgi_cache_key "$scheme$request_method$host$request_uri";

+# rate limit API endpoint
+limit_req_zone $binary_remote_addr zone=api_zone:10m rate=5r/s;
+limit_req_status 429;
+
 upstream archwiki {
    server unix://{{ archwiki_socket }};
 }
@@ -81,6 +85,17 @@ server {
        add_header X-Cache $upstream_cache_status;
    }

+    # mediawiki API endpoint
+    location ~ ^/api\.php {
+        limit_req zone=api_zone burst=10 delay=5;
+        try_files $uri =404;
+        access_log   /var/log/nginx/{{ archwiki_domain }}/access.log main;
+        access_log   /var/log/nginx/{{ archwiki_domain }}/access.log.json json_main;
+        fastcgi_pass   archwiki;
+        fastcgi_index  index.php;
+        include        fastcgi.conf;
+    }
+
    # normal PHP FastCGI handler
    location ~ ^/[^/]+\.php$ {
        try_files $uri =404;