Switch to using generic and git http ratelimiting

2024-11-08 09:23:59 +00:00 · 2024-11-08 09:23:59 +00:00 · b1fccc5838
commit b1fccc5838
parent 02c4cc6fbc
2 changed files with 8 additions and 3 deletions
--- a/config/haproxy/APKBUILD
+++ b/config/haproxy/APKBUILD
@ -3,7 +3,7 @@

 . ../APKBUILD-config.template

-pkgrel=3
+pkgrel=5
 depends="redxen-secret-letsencrypt-full redxen-data-haproxy-errorpages"
 checkdepends="haproxy"
 source="main.cfg"
@ -14,5 +14,5 @@ check() {
 }

 sha512sums="
-5bef0e00aa130980a16d3050c4b1d0de06b7e5f8651eecb03a8c67beeb53fff8cb3d71d057fa8a74c62b966f978db7e744f205b0e543da847e30ea3da809c239  main.cfg
+a105b4f1ddb9bc6dd0352a30f2e953093cf5ab412fe5888fa30cc8ab8d0d7e1bed59b8d2d6740f294156087cdce5b5b017b1b4d6eda6e28646bb591fc1d28d08  main.cfg
 "
--- a/config/haproxy/main.cfg
+++ b/config/haproxy/main.cfg
@ -80,7 +80,6 @@ frontend http

 	stick-table type ipv6 size 100k expire 1h store http_req_rate(1m)
 	http-request track-sc0 src
-	http-request deny deny_status 429 if { sc_http_req_rate(0) gt 120 }

 	http-response set-header X-Forwarded-Proto https
 	http-response set-header X-XSS-Protection 1;\ mode=block
@ -99,6 +98,12 @@ frontend http
 	acl packs     hdr_beg(host) -i packages.redxen
 	acl cal       hdr_beg(host) -i      cal.redxen

+	# Heavily rate-limit HTTP git
+	http-request deny deny_status 429 if git { sc_http_req_rate(0) gt 30 }
+
+	# Rate-limit anything too heavy
+	http-request deny deny_status 429 if { sc_http_req_rate(0) gt 900 }
+
 	redirect location https://en.uncyclopedia.co/wiki/South_Africa code 302 if fedi
 	redirect prefix /web code 302 if btdaemon root