From fa328e2f85ce7eecb39f86f5b9e4e282bdb387f1 Mon Sep 17 00:00:00 2001
From: Jelle van der Waa <jelle@archlinux.org>
Date: Mon, 1 Mar 2021 23:07:08 +0100
Subject: [PATCH] Rate limit our archweb RSS feeds

Because some users misconfigure their conky to query for RSS updates every
second, add proper rate limiting to all RSS endpoints in nginx.
---
 roles/archweb/templates/nginx.d.conf.j2 | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/roles/archweb/templates/nginx.d.conf.j2 b/roles/archweb/templates/nginx.d.conf.j2
index 3bcc75567..bb35c435d 100644
--- a/roles/archweb/templates/nginx.d.conf.j2
+++ b/roles/archweb/templates/nginx.d.conf.j2
@@ -1,3 +1,7 @@
+# limit rss requests to 1 r/m
+limit_req_zone $binary_remote_addr zone=rsslimit:8m rate=1r/m;
+limit_req_status 429;
+
 upstream archweb {
     server unix:///run/uwsgi/archweb.sock;
 }
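Review bot: `limit_req_status 429;` sits at the top level of this file, the same level as the `upstream` block and therefore the `http` context. There it changes the rejection status for every `limit_req` on the host that does not override it, not only the RSS zone. If that is not intended, move the line into the feeds location next to `limit_req zone=rsslimit ...`. The zone is keyed on `$binary_remote_addr`, so clients behind one shared NAT address draw from a single 1 r/m budget. A short comment above the zone noting this, and that `burst=10` is the only headroom, would help whoever later triages 429 reports.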
@@ -169,6 +173,14 @@ server {
         alias {{ archweb_retro_dir }};
     }
 
+    # Rate limit all RSS feeds
+    location ~ (^/feeds/|\.xml$) {
+        include uwsgi_params;
+        uwsgi_pass archweb;
+
+        limit_req zone=rsslimit burst=10 nodelay;
+    }
+
     location / {
         access_log   /var/log/nginx/{{ archweb_domain }}/access.log main;
         include uwsgi_params;
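Review bot: The new regex location handles feed requests instead of `location /`, but it does not repeat the `access_log /var/log/nginx/{{ archweb_domain }}/access.log main;` line that `location /` sets. Unless the enclosing server block (not visible here) sets the same log, feed traffic, including the clients being throttled, will stop appearing in the per-domain access log. Adding that `access_log` line to the new block keeps abusive pollers visible. The body of `location /` continues past the hunk, so any other directives it carries may need mirroring as well. Separately, `\.xml$` matches every path ending in `.xml`, not only feeds, so it is worth confirming that no other XML endpoints, fetched legitimately in quick succession, fall under the 1 r/m limit.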
-- 
GitLab