Implement NGINX ratelimiting

etc/nginx/conf.d/matrix-client.conf

@@ -0,0 +1,73 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name matrix.arcticfoxes.net;
+
+    include /etc/nginx/ssl.conf;
+    include /etc/nginx/proxy.conf;
+    include /etc/nginx/headers.conf;
+
+    client_max_body_size 0;
+
+    # CORS
+    proxy_hide_header Access-Control-Allow-Origin;
+    add_header        Access-Control-Allow-Origin "*" always;
+    proxy_hide_header Access-Control-Allow-Methods;
+    add_header        Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
+    proxy_hide_header Access-Control-Allow-Headers;
+    add_header        Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization" always;
+    if ($request_method = OPTIONS) {
+        return 204;
+    }
+    access_log off;
+
+    # https://element-hq.github.io/synapse/v1.123/usage/configuration/config_documentation.html#listeners
+    location ~ ^/_matrix/(?:client|media|static)/ {
+        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
+        access_log /var/log/nginx/access_client.log main;
+
+        limit_req zone=accesstoken burst=50;
+        limit_req zone=accesstoken_write burst=5 nodelay;
+        limit_req zone=ip burst=250;
+        limit_req zone=ip_write burst=25 nodelay;
+        limit_req_status 429;
+        error_page 429 /ratelimited.json;
+        limit_req_log_level info;
+    }
+
+    location ^~ /_synapse/admin {
+        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
+        access_log /var/log/nginx/access_client.log main;
+    }
+
+    location = /health {
+        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
+        access_log /var/log/nginx/access_client.log main;
+    }
+
+    location / {
+        return 404;
+        access_log /var/log/nginx/access_client_invalid.log main;
+    }
+
+    location = /ratelimited.json {
+        internal;
+        root /usr/share/nginx/html;
+        access_log /var/log/nginx/access_client_ratelimited.log main;
+    }
+}
+
+map $request_method $limit_key_accesstoken_write {
+    GET "";
+    default $http_authorization;
+}
+limit_req_zone $http_authorization zone=accesstoken:100m rate=25r/s;
+limit_req_zone $limit_key_accesstoken_write zone=accesstoken_write:100m rate=3r/s;
+
+map $request_method $limit_key_ip_write {
+    GET "";
+    default $binary_remote_addr;
+}
+limit_req_zone $binary_remote_addr zone=ip:10m rate=125r/s;
+limit_req_zone $limit_key_ip_write zone=ip_write:10m rate=15r/s;

etc/nginx/conf.d/matrix-federation.conf

@@ -0,0 +1,22 @@
+server {
+    listen 8448 ssl;
+    listen [::]:8448 ssl;
+
+    server_name matrix.arcticfoxes.net;
+
+    include /etc/nginx/ssl.conf;
+    include /etc/nginx/proxy.conf;
+
+    client_max_body_size 0;
+
+    # https://element-hq.github.io/synapse/v1.123/usage/configuration/config_documentation.html#listeners
+    location ~ ^/_matrix/(?:federation|media|key)/ {
+        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
+        access_log /var/log/nginx/access_federation.log main;
+    }
+
+    location / {
+        return 404;
+        access_log /var/log/nginx/access_federation_invalid.log main;
+    }
+}

etc/nginx/conf.d/synapse.conf

@@ -1,37 +0,0 @@
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-
-    # For the federation port
-    listen 8448 ssl;
-    listen [::]:8448 ssl;
-
-    server_name matrix.arcticfoxes.net;
-
-    include /etc/nginx/ssl.conf;
-    include /etc/nginx/proxy.conf;
-    include /etc/nginx/headers.conf;
-
-    client_max_body_size 0;
-
-    location ~ ^/_matrix/client/r0/rooms/([^/]*)/report/(.*)$ {
-      # Abuse reports should be sent to Mjölnir.
-
-      # Add CORS, otherwise a browser will refuse this request.
-      include /etc/nginx/headers.conf;
-      add_header 'Access-Control-Allow-Credentials' 'true' always;
-      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
-      add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since' always;
-      add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
-      add_header 'Access-Control-Max-Age' 1728000; # cache preflight value for 20 days
-
-      # Alias the regexps, to ensure that they're not rewritten.
-      set $room_id $1;
-      set $event_id $2;
-      proxy_pass http://127.0.0.1:8081/api/1/report/$room_id/$event_id;
-    }
-
-    location / {
-        proxy_pass http://unix:/var/lib/matrix-synapse/matrix-synapse.sock:;
-    }
-}

etc/nginx/nginx.conf

@@ -0,0 +1,29 @@
+
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format main '$time_iso8601: [$status] $request ("$http_user_agent" $remote_addr)';
+    access_log /var/log/nginx/access.log main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}

usr/share/nginx/html/ratelimited.json

@@ -0,0 +1 @@
+{"errcode":"M_LIMIT_EXCEEDED","error":"You are being ratelimited"}