Merge branch 'aurweb-rate-limit' into 'master'

Rate limit aurweb as archweb See merge request archlinux/infrastructure!732

Merge branch 'aurweb-rate-limit' into 'master'
385cbd1d · Leonidas Spyropoulos · c8a32ef1 · 9cae0479 · 385cbd1d · 385cbd1d
Verified Commit 385cbd1d authored 1 year ago by Leonidas Spyropoulos
--- a/host_vars/aur.archlinux.org/misc
+++ b/host_vars/aur.archlinux.org/misc
 filesystem: btrfs
+fail2ban_jails:
+  sshd: true
+  postfix: false
+  dovecot: false
+  nginx_limit_req: true
 memcached_socket: "/run/memcached/aurweb.sock"
 sshd_enable_includes: true
 wireguard_address: 10.0.0.2

--- a/roles/aurweb/templates/nginx.d.conf.j2
+++ b/roles/aurweb/templates/nginx.d.conf.j2
@@ -9,6 +9,10 @@ upstream smartgit {
 # limit Git requests to block Git DoS attempts.
 # # grep aurwebgitlimit /var/log/nginx/aur.archlinux.org/error.log | awk '{ print $14 }' | sort | uniq | sort
 limit_req_zone $binary_remote_addr zone=aurwebgitlimit:10m rate=30r/m;
+
+# limit general requests to 20 r/s to block DoS attempts.
+limit_req_zone $binary_remote_addr zone=aurweblimit:10m rate=20r/s;
+
 limit_req_status 429;

 server {
@@ -131,5 +135,7 @@ server {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;
+
+        limit_req zone=aurweblimit burst=10 nodelay;
    }
 }