next.forgejo.org: block depending on user agent

2024-11-25 04:01:12 +00:00 · 2024-10-22 12:59:33 +02:00 · 2024-10-22 12:59:33 +02:00 · 92f39f169d
parent f5861bf000
commit 92f39f169d
2 changed files with 33 additions and 1 deletions
--- a/k8s-forgejo.md
+++ b/k8s-forgejo.md
@ -20,4 +20,4 @@

 ## Pod

- `../k3s-host/subst.sh forgejo-values.yml | helm upgrade forgejo-$name -f - -f $name-values.yml -f $name-secrets.yml oci://code.forgejo.org/forgejo-helm/forgejo --atomic --wait --install`
+- `../k3s-host/subst.sh forgejo-values.yml | helm upgrade forgejo-$name -f - -f $name-values.yml -f crawler-block-values.yml -f $name-secrets.yml oci://code.forgejo.org/forgejo-helm/forgejo --atomic --wait --install`
--- a/k8s-forgejo/crawler-block-values.yml
+++ b/k8s-forgejo/crawler-block-values.yml
@ -0,0 +1,32 @@
+extraDeploy:
+  - apiVersion: traefik.io/v1alpha1
+    # https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-crd/#kind-ingressroute
+    kind: IngressRoute
+    metadata:
+      name: forgejo-crawler
+      annotations:
+        kubernetes.io/ingress.class: traefik
+    spec:
+      entryPoints:
+        - web
+        - websecure
+      routes:
+        # https://doc.traefik.io/traefik/v3.1/routing/routers/#rule
+        - match: Host(`next.forgejo.org`) && HeaderRegexp(`user-agent`, `DataForSeoBot`)
+          kind: Rule
+          priority: 1000
+          services:
+            - name: noop@internal
+              kind: TraefikService
+          middlewares:
+            - name: forgejo-crawler-blocker
+      tls:
+        secretName: tls-forgejo-next-ingress-http
+  - apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: forgejo-crawler-blocker
+    spec:
+      ipAllowList:
+        sourceRange:
+          - 127.0.0.1/32