Verified Commit dbd68aa2 authored by Jelle van der Waa 🚧

Rate limit mediawiki API endpoint

Our API endpoint was being abused by a malicious user who sent about
20 req/s; as php-fpm uses a pool of workers, this easily overburdens
them and also gives the server a constant 100% CPU load.

Applying a rate limit successfully negates this issue.
parent 53520a8a
Pipeline #7276 passed with stage in 31 seconds
fastcgi_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=wiki:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# rate limit API endpoint
limit_req_zone $binary_remote_addr zone=api_zone:10m rate=5r/s;
limit_req_status 429;
upstream archwiki {
server unix://{{ archwiki_socket }};
}
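Review bot: `limit_req_zone $binary_remote_addr zone=api_zone:10m rate=5r/s;` keys the limit on the client address as nginx sees it, so it only isolates individual abusers when nginx terminates the client connection directly; if a reverse proxy or CDN ever sits in front, every request carries the proxy's address and all clients share one bucket, and the real client address would need to be restored first (ngx_http_realip_module's `set_real_ip_from` / `real_ip_header`). It would also help if the `# rate limit API endpoint` comment recorded why 5r/s was chosen (the commit message cites an abuser at roughly 20 req/s), so the figure can be revisited deliberately rather than guessed at later.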
......@@ -81,6 +85,17 @@ server {
add_header X-Cache $upstream_cache_status;
}
# mediawiki API endpoint
location ~ ^/api\.php {
limit_req zone=api_zone burst=10 delay=5;
try_files $uri =404;
access_log /var/log/nginx/{{ archwiki_domain }}/access.log main;
access_log /var/log/nginx/{{ archwiki_domain }}/access.log.json json_main;
fastcgi_pass archwiki;
fastcgi_index index.php;
include fastcgi.conf;
}
# normal PHP FastCGI handler
location ~ ^/[^/]+\.php$ {
try_files $uri =404;
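Review bot: the limit on `location ~ ^/api\.php {` only takes effect because this regex location is placed before the generic `location ~ ^/[^/]+\.php$ {` handler, since nginx uses the first matching regex location; a comment stating that ordering requirement would stop a later reordering from silently dropping the rate limit. Also, `limit_req zone=api_zone burst=10 delay=5;` relies on the `delay=` parameter, which exists only in nginx 1.15.7 and later, so the target host's nginx version should be confirmed; with these values the first 5 excess requests are served immediately, the next 5 are queued, and anything beyond that is answered with the configured 429.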