Santa must’ve thought I was nice.
(Pro-tip: his server has a weak password.)
I read Yann Esposito’s blog post, How I protect my forgejo instance from AI Web Crawlers, and think that’s a great idea. My main concern with the crawlers is that they’re horribly written and behave poorly. My own Forgejo server was getting slammed with about 600,000 crawler requests per day. This little server is where I share tiny personal projects like my Advent of Code solutions. I wouldn’t expect any project there to get more than a handful of queries per day, but suddenly I was serving 10 requests per second. That’s not a lot compared to any popular website, but that’s a lot for this service, on this tiny VPS, on my shoestring budget.
Worse, the traffic patterns were flat-out abusive. All the content on this site comprises nearly static Git repositories. The scrapers try things like:
- For every Git commit, fetch the version of every file in the repository at that commit.
- See
git blamefor every file at every commit. - Attempt to download the archive of each repo at every commit.
- Run every possible pull request search filter combination.
- Run every possible issue search filter combination.
- Fetch each of those URLs at random from some residential IP in Brazil that had not ever accessed my server before.
My first huge success at cutting through the flurry of bad traffic was with deploying Anubis. You know those anime girl pictures you see before accessing lots of web pages now? Well, those are part of a highly effective bot blocker. There’s a reason you’re seeing more and more of them.
And this morning, I also adapted Yann’s idea for my server which runs behind Caddy instead of Nginx. I made a file named /etc/caddy/shibboleth like this (but with the cookie name suitably altered to a random local value):
@needs_cookie {
not {
header User-Agent *git/*
}
not {
header User-Agent *git-lfs/*
}
not {
header X-Runner-Uuid *
}
not {
header Cookie *Yogsototh_opens_the_door=1*
}
}
handle @needs_cookie {
header Content-Type text/html
respond 418 {
body `<script>document.cookie = "Yogsototh_opens_the_door=1; Path=/;"; window.location.reload();</script>`
}
}
Note the extra X-Runner-Uuid line that Yann did’t have. This allows my Forgejo Action Runners to connect without going through the cookie handshake.
Then I added a line to the configurations for services I wanted to protect, like:
myserver.example.com {
root * /path/to/files
...
import shibboleth
}
This way I can easily reuse the snippet for any of those services.
Thanks for the great idea, Yann!
It’s about time for the annual attempt to migrate from OmniFocus to Reminders, which will probably fail spectacularly, as usual, reminding me (heh) why I’m glued to OF in the first place.
This is practically doomed and yet the season seems to demand the token effort.
I’ve heard friends talking about trying Zyn nicotine pouches and I want to shake them. They were created by a brand of Philip Morris, who spent decades claiming that cigarettes aren’t bad for you.
“But Zyn isn’t bad for you! There are studies!” Mmm-hmm. Tell me more about these objective third-party studies. I wouldn’t believe a nicotine industry study claiming water is wet, and if you would, then shame on you. Have you learned nothing?
A popular public transit app’s year end recap labeled me “Lord Tool, the Bus Punk”.
Uh, alright, I guess?
The dentist’s office has full-blown novels in the waiting room, which bodes ill for expected waiting times.
2 weeks in and GitHub still hasn’t replied to my urgent support ticket for a security-related audit log request, except to close it twice and make me re-open it.
And we pay good money for this privilege.
We’re this close to me asking my CTO if I can pilot a Forgejo POC.
I released v1.4.4 of Frozen BBS. It adds a ping command, a configurable delay between long reply pages, and an indicator of boards that have unread messages. It also removes message and DM and user bio limits, which are unnecessary since the pager can cope with longer texts.
Hey you.
My coworker Secret Santa gets me.
