From b1ecff74e3295d3d7a04d51df08abf74d54c99fc Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Apr 10 2024 20:57:05 +0000
Subject: Block Wiki index.php queries without language header

Recently lots of malicious traffic hitting index.php on the various language wikis is observed, originating from quickly changing IP networks and utilizing random user agents. Upon analysis of a pattern to block, modern web browsers were found to always incorporate a "Accept-Language" header, whilst bots/scripts do not. A filter is implemented on the relevant requests, returning 406 if no "Accept-Language" header is present. This does inhibit tools such as curl and wget as well, however use of such towards index.php is not common, and if needed, the header can easily be added by legitimate users.
Signed-off-by: Georg Pfuetzenreuter
---
diff --git a/pillar/cluster/atlas/init.sls b/pillar/cluster/atlas/init.sls
index 697f26a..4cba976 100644
--- a/pillar/cluster/atlas/init.sls
+++ b/pillar/cluster/atlas/init.sls
@@ -61,6 +61,8 @@ haproxy:
 httprequests:
 - deny:
 - deny_status 429 if annoying_clients
+ - return:
+ - status 406 if odd_clients host_mediawiki path_indexphp
 http-misc:
 bind:
diff --git a/pillar/cluster/atlas/services.sls b/pillar/cluster/atlas/services.sls
index b046e24..2a52d10 100644
--- a/pillar/cluster/atlas/services.sls
+++ b/pillar/cluster/atlas/services.sls
@@ -210,6 +210,9 @@ haproxy:
 acls: # daffy1 # daffy2
 - src_login src 2a07:de40:b280:86::11 2a07:de40:b280:86::12
 - annoying_clients req.hdr_ip(X-Forwarded-For) -f /etc/haproxy/blacklists/networks -n
+ - odd_clients req.hdr_cnt(Accept-Language) 0
+
+ - path_indexphp path_beg /index.php
 - host_dale hdr(host) events.opensuse.org
 - host_dale hdr(host) events-test.opensuse.org
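Review bot: `host_mediawiki` in `status 406 if odd_clients host_mediawiki path_indexphp` is not defined anywhere in this patch, unlike `odd_clients` and `path_indexphp`, which the services.sls hunk adds. HAProxy refuses to load a configuration that references an unknown ACL, so it is worth confirming the name already exists for this frontend. The rule also carries no comment, so a reader of the pillar cannot tell that it is a bot heuristic which any client passes by sending the header; above `- return:` I would add something like `# noise filter, not access control: wiki index.php requests must carry Accept-Language`. The `httprequests` list starts outside the hunk.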
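Review bot: `path_indexphp path_beg /index.php` is a case-sensitive prefix match on the path as received, so it also matches any path that merely begins with `/index.php` and does not cover other spellings of the script path that the backend may still resolve. If only the script and its path-info form are meant, `path_indexphp path /index.php` together with `path_indexphp path_beg /index.php/` is tighter; whether `-i` or URI normalisation is needed depends on how the MediaWiki backend maps URLs, which is not visible here. `odd_clients` would also read better with a comment such as `# odd_clients: request carries no Accept-Language header (bot heuristic)`, since the name alone does not say what is being tested. The `acls` list continues outside the hunk.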