-
I recently faced dealing with some badbots and scrapers,  it was in a LAMP stack with varnish at the edge.  I decided to deal with it in varnish, as I always try handle as many tasks at the edge as I can, and leave apache to serve php.

 So, I thought about the problem a bit, and decided to use a token bucket, nothing unusual about that. (I had to modify the source to allow passing values instead of defaulting to 1 token).  However I went a bit further and decided that different pages are 'worth' more than others, i.e. they are more sensitive.  For example, accessing the homepage vs accessing account pages.  This required a patch of the throttle mod to allow you to pass the 'cost' of a page, so more than 1 token is removed from the bucket.  For now it just logs, but I intend to send a user that is exceeding the request rate to a different backend server that will give them fake data to devalue their scraping.

 you could detect user agent strings or other patterns and use as a multiplier , so bad user agent will multiply the tokens to be removed by say 5.  you could do the same with cookies too.

 sample config below

 vcl 4.0;
import var;
import vsthrottle;
import std;
# Default backend definition. Set this to point to your content server.
backend default {
    .host = "127.0.0.1";
    .port = "8080";
}

 sub vcl_recv {

         # set weights on pages using regex patterns

var.set_int("sensitivity", 1);
       
        if (req.url ~ "^/browse/?") {
                var.set_int("sensitivity", 10);
        } elsif (req.url ~ "^/stats/?") {
                var.set_int("sensitivity", 20);
        } elsif (req.url ~ "^/account/?") {
                var.set_int("sensitivity", 30);
        }

         # now, lets see if they have enough credit in their token bucket to ask for this page
        # token bucket is set to 150 tokens, and is measured for 10 seconds

         if (vsthrottle.is_denied(client.identity, var.get_int("sensitivity") , 150, 10s)) {

           # Client has exceeded credit limit, lets do things like;
# set req.backend = fakedataserver;
# maybe set a http header into the get request to add to apache logs ?
std.syslog(180, "RECV: " + req.http.host + req.url+ client.identity);
return (synth(429, "Too Many Requests"));
        }

 }

 sub vcl_backend_response {
}

 sub vcl_deliver {
}

Comments

Post a Comment

Popular posts from this blog

Baileys liquor Chocolate Chip and Cream desert

-
Simple and very very very yummy. Prepare today for tomorrow 1-2 pks (14 biscuits approx but depends on size) of really good quality double chocolate chip cookies 100ml Baileys Cream Liqueur 250ml Cream, whipped Chocolate Shavings, Drops to decorate, or Cadburys Flake broken up, or sprinkle of cocoa Use a 9" spring form tin otherwise its tricky to remove the finished cake Pour the Bailey into a bowl One by one, dip or soak (depending on how strong you want it) the biscuits into the Baileys Once each on is soaked place in the tin until you have a layer Cover and spread evenly the freshly whipped cream Repeat the dipping processing and make another layer on top of the cream Cover and spread with cream again Sprinkle with the chocolate shavings or drops or flake etc to decorate Leave in the fridge overnight to allow the biscuits to absorb the cream mixture Remove from fridge just before serving and enjoy !!! (Increase quantities of Baileys and biscuits as required) Serve as is without
Read more

nginx decode base64 url for use with imgproxy

-
 i've been testing imgproxy, to handle our image serving needs, and it looks good. our existing servers are php based, and we sign and encode our urls for images.  To test out imgproxy , I wanted to simply drop it in as a replacement for our servers by sending a % of traffic.  There are many ways to do this, varnish was one, with custom code, but nginx is our go-to web server, so I had to find a way to have nginx sit in front of imgproxy and rewrite the decoded url. I settled on using njs, the cut down version of javascript that plugs into nginx as a loadable module.  Then use proxy_pass to pass the uri to javascript that will return the imgproxy compatable url, and proxy to it. a sample url would be http://foo.bar/images/c2lnbmF0dXJlZm9vaHR0cDovL3MzLWV1LXdlc3QtMS5hbWF6b25hd3MuY29tL215YnVja2V0b2ZwaG90b3MvcGhvdG9fb2ZfYV9jYXQ1fHx8MTIwMHgxMjAwfHx8fHx8fHw==.jpeg it has a sig, a bucket url, and parameters like image size. Getting nginx setup nginx.conf load_module modules/ngx_http_js
Read more

using t1n1wall, opnsense or pfsense on Google Compute Engine GCE

-
I have been doing some work in GCP recently, both appengine , and GCE.  We wanted to make sure all our instances were on private ips and only the LBs had internet ips. This gave us the problem of how to allow our instances reach the internet for updates or for api calls outside. In AWS you had a NAT gateway, but in GCP this doesn't exist. So I set about looking at the easiest way to do NAT from a private IP subnet to a Public address.  I am very familiar with m0n0wall and t1n1wall and a tiny bit with pfsense and less with opnsense. The tl;dr is that all these distributions ship an image which within the distribution there is a disk image.  Taking this internal image, renaming it and re-compressing it is all you need to do to get it working in GCE. you can configure it via the serial port using these instructions  There are guides out there around doing things with Linux and stuff, but you can skip that step. I took the latest version of t1n1wall 2.11 , got the simple a
Read more