From 4a46def68deec00519097da85429fc8a1a0bafc5 Mon Sep 17 00:00:00 2001
From: wj25czxj47bu6q <96372288+wj25czxj47bu6q@users.noreply.github.com>
Date: Sun, 9 Feb 2025 03:40:22 -0700
Subject: [PATCH] Implement NGINX ratelimiting

---
 etc/nginx/conf.d/matrix-client.conf     | 73 +++++++++++++++++++++++++
 etc/nginx/conf.d/matrix-federation.conf | 22 ++++
 etc/nginx/conf.d/synapse.conf           | 37 -------
 etc/nginx/nginx.conf                    | 29 ++++
 usr/share/nginx/html/ratelimited.json   |  1 +
 5 files changed, 125 insertions(+), 37 deletions(-)
 create mode 100644 etc/nginx/conf.d/matrix-client.conf
 create mode 100644 etc/nginx/conf.d/matrix-federation.conf
 delete mode 100644 etc/nginx/conf.d/synapse.conf
 create mode 100644 etc/nginx/nginx.conf
 create mode 100644 usr/share/nginx/html/ratelimited.json

diff --git a/etc/nginx/conf.d/matrix-client.conf b/etc/nginx/conf.d/matrix-client.conf
new file mode 100644
index 0000000..666bc1b
--- /dev/null
+++ b/etc/nginx/conf.d/matrix-client.conf
@@ -0,0 +1,73 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name matrix.arcticfoxes.net;
+
+    include /etc/nginx/ssl.conf;
+    include /etc/nginx/proxy.conf;
+    include /etc/nginx/headers.conf;
+
+    client_max_body_size 0;
+
+    # CORS
+    proxy_hide_header Access-Control-Allow-Origin;
+    add_header Access-Control-Allow-Origin "*" always;
+    proxy_hide_header Access-Control-Allow-Methods;
+    add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+    proxy_hide_header Access-Control-Allow-Headers;
+    add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization" always;
+    if ($request_method = OPTIONS) {
+        return 204;
+    }
+    access_log off;
+
+    # https://element-hq.github.io/synapse/v1.123/usage/configuration/config_documentation.html#listeners
+    location ~ ^/_matrix/(?:client|media|static)/ {
+        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
+        access_log /var/log/nginx/access_client.log main;
+
+        limit_req zone=accesstoken burst=50;
+        limit_req zone=accesstoken_write burst=5 nodelay;
+        limit_req zone=ip burst=250;
+        limit_req zone=ip_write burst=25 nodelay;
+        limit_req_status 429;
+        error_page 429 /ratelimited.json;
+        limit_req_log_level info;
+    }
+
+    location ^~ /_synapse/admin {
+        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
+        access_log /var/log/nginx/access_client.log main;
+    }
+
+    location = /health {
+        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
+        access_log /var/log/nginx/access_client.log main;
+    }
+
+    location / {
+        return 404;
+        access_log /var/log/nginx/access_client_invalid.log main;
+    }
+
+    location = /ratelimited.json {
+        internal;
+        root /usr/share/nginx/html;
+        access_log /var/log/nginx/access_client_ratelimited.log main;
+    }
+}
+
+map $request_method $limit_key_accesstoken_write {
+    GET "";
+    default $http_authorization;
+}
+limit_req_zone $http_authorization zone=accesstoken:100m rate=25r/s;
+limit_req_zone $limit_key_accesstoken_write zone=accesstoken_write:100m rate=3r/s;
+
+map $request_method $limit_key_ip_write {
+    GET "";
+    default $binary_remote_addr;
+}
+limit_req_zone $binary_remote_addr zone=ip:10m rate=125r/s;
+limit_req_zone $limit_key_ip_write zone=ip_write:10m rate=15r/s;
diff --git a/etc/nginx/conf.d/matrix-federation.conf b/etc/nginx/conf.d/matrix-federation.conf
new file mode 100644
index 0000000..e0e7f55
--- /dev/null
+++ b/etc/nginx/conf.d/matrix-federation.conf
@@ -0,0 +1,22 @@
+server {
+    listen 8448 ssl;
+    listen [::]:8448 ssl;
+
+    server_name matrix.arcticfoxes.net;
+
+    include /etc/nginx/ssl.conf;
+    include /etc/nginx/proxy.conf;
+
+    client_max_body_size 0;
+
+    # https://element-hq.github.io/synapse/v1.123/usage/configuration/config_documentation.html#listeners
+    location ~ ^/_matrix/(?:federation|media|key)/ {
+        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
+        access_log /var/log/nginx/access_federation.log main;
+    }
+
+    location / {
+        return 404;
+        access_log /var/log/nginx/access_federation_invalid.log main;
+    }
+}
diff --git a/etc/nginx/conf.d/synapse.conf b/etc/nginx/conf.d/synapse.conf
deleted file mode 100644
index 3298db4..0000000
--- a/etc/nginx/conf.d/synapse.conf
+++ /dev/null
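Review bot: The `accesstoken` and `accesstoken_write` zones are keyed on the raw `$http_authorization`, and nginx does not account requests whose key is empty, so the unauthenticated endpoints — `/login`, `/register`, password reset — are covered only by the `ip` zones at 125 r/s with burst 250 (15 r/s / 25 for writes), which is far too loose to slow credential stuffing from one address; Synapse's own `rc_login` limiter may already cover this, but a tighter per-IP zone on those paths (below, placed before the general client regex because regex locations match in file order) is cheap defence in depth. Synapse also still accepts the token as `?access_token=`, which skips the token zones entirely; `limit_req_zone $http_authorization$arg_access_token zone=accesstoken:100m rate=25r/s;` (and the same in the write map) closes that. Because the key is the raw header, an unauthenticated client can populate the 100m zone with arbitrary distinct values; nginx evicts the oldest state first and only errors if that still does not free room, so this is a memory-pressure rather than an outage concern, but worth a comment next to the zone. Finally, `/_synapse/admin` is exposed on the public 443 listener with no `limit_req` and no `allow`/`deny`, and the abuse-report forwarding to Mjölnir on 127.0.0.1:8081 from the deleted synapse.conf is not carried over, so `/rooms/{id}/report/{event}` now lands in Synapse itself — confirm both are intended.
```nginx
    # … unchanged: listen, server_name, includes, CORS, access_log off …

    # Must precede the general /_matrix/client regex: regex locations match in file order.
    location ~ ^/_matrix/client/(?:r0|v3)/(?:login|register)(?:/|$) {
        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
        access_log /var/log/nginx/access_client.log main;

        limit_req zone=ip_auth burst=5 nodelay;
        limit_req_status 429;
        error_page 429 /ratelimited.json;
        limit_req_log_level info;
    }

    # … unchanged: existing /_matrix/(client|media|static), admin, health, 404 and ratelimited.json locations …

# … unchanged: existing map and limit_req_zone directives …
# Unauthenticated auth endpoints: per-source-address only, since there is no token to key on.
limit_req_zone $binary_remote_addr zone=ip_auth:10m rate=1r/s;
```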
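Review bot: The 8448 listener applies no `limit_req` at all, yet its location regex also serves `/_matrix/media/` — the same Synapse `media` resource that the 443 server throttles — so a client that is rate-limited on 443 can send the identical media requests (uploads included, since `client_max_body_size 0` is set here too) to port 8448 instead. Either split media into its own location and apply the shared `ip` zone (every conf.d file is included into the same `http` context, so the zone declared in matrix-client.conf is usable here), or drop `media` from this listener if remote servers only use the authenticated `/_matrix/federation/v1/media/` endpoints — presumably not yet safe while older homeservers still fetch legacy `/_matrix/media/v3/download` over federation. An internal `/ratelimited.json` location is also needed in this server for `error_page 429` to resolve.
```nginx
    # … unchanged: listen, server_name, includes, client_max_body_size …

    location ~ ^/_matrix/media/ {
        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
        access_log /var/log/nginx/access_federation.log main;

        limit_req zone=ip burst=250;
        limit_req_status 429;
        error_page 429 /ratelimited.json;
    }

    location ~ ^/_matrix/(?:federation|key)/ {
        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
        access_log /var/log/nginx/access_federation.log main;
    }

    # … unchanged: catch-all 404 location …

    location = /ratelimited.json {
        internal;
        root /usr/share/nginx/html;
    }
```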
@@ -1,37 +0,0 @@
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-
-    # For the federation port
-    listen 8448 ssl;
-    listen [::]:8448 ssl;
-
-    server_name matrix.arcticfoxes.net;
-
-    include /etc/nginx/ssl.conf;
-    include /etc/nginx/proxy.conf;
-    include /etc/nginx/headers.conf;
-
-    client_max_body_size 0;
-
-    location ~ ^/_matrix/client/r0/rooms/([^/]*)/report/(.*)$ {
-        # Abuse reports should be sent to Mjölnir.
-
-        # Add CORS, otherwise a browser will refuse this request.
-        include /etc/nginx/headers.conf;
-        add_header 'Access-Control-Allow-Credentials' 'true' always;
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
-        add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since' always;
-        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
-        add_header 'Access-Control-Max-Age' 1728000; # cache preflight value for 20 days
-
-        # Alias the regexps, to ensure that they're not rewritten.
-        set $room_id $1;
-        set $event_id $2;
-        proxy_pass http://127.0.0.1:8081/api/1/report/$room_id/$event_id;
-    }
-
-    location / {
-        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
-    }
-}
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
new file mode 100644
index 0000000..a85d6f1
--- /dev/null
+++ b/etc/nginx/nginx.conf
@@ -0,0 +1,29 @@
+
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+    worker_connections 1024;
+}
+
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$time_iso8601: [$status] $request ("$http_user_agent" $remote_addr)';
+    access_log /var/log/nginx/access.log main;
+
+    sendfile on;
+    #tcp_nopush on;
+
+    keepalive_timeout 65;
+
+    #gzip on;
+
+    include /etc/nginx/conf.d/*.conf;
+}
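Review bot: The `main` log format writes `$request`, i.e. the full request line including the query string, and Synapse still honours the deprecated `?access_token=` form, so any client that uses it leaves a live bearer token in plaintext in `/var/log/nginx/access_client.log` (the per-location logs in matrix-client.conf all use this format); logging a redacted URI through a `map`, as below, is the usual fix. `server_tokens off;` is also missing from the `http` block, so the `Server` header and nginx's own error pages disclose the exact version. Both are additions, not changes to the lines the commit already writes.
```nginx
http {
    # … unchanged: mime.types, default_type …

    # Synapse still accepts ?access_token=; never let its value reach the access log.
    map $request_uri $request_uri_redacted {
        "~^(?<pre>.*[?&]access_token=)[^&]*(?<post>.*)$" "${pre}REDACTED${post}";
        default $request_uri;
    }

    log_format main '$time_iso8601: [$status] $request_method $request_uri_redacted $server_protocol ("$http_user_agent" $remote_addr)';
    server_tokens off;

    # … unchanged: access_log, sendfile, keepalive_timeout, include conf.d …
}
```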
diff --git a/usr/share/nginx/html/ratelimited.json b/usr/share/nginx/html/ratelimited.json
new file mode 100644
index 0000000..6e329e8
--- /dev/null
+++ b/usr/share/nginx/html/ratelimited.json
@@ -0,0 +1 @@
+{"errcode":"M_LIMIT_EXCEEDED","error":"You are being ratelimited"}