Diffstat (limited to 'utils/templates')
-rw-r--r--utils/templates/etc/filtron/rules.json119
-rw-r--r--utils/templates/lib/systemd/system/filtron.service29
2 files changed, 148 insertions, 0 deletions
diff --git a/utils/templates/etc/filtron/rules.json b/utils/templates/etc/filtron/rules.json
new file mode 100644
index 000000000..634f5f2d6
--- /dev/null
+++ b/utils/templates/etc/filtron/rules.json
@@ -0,0 +1,119 @@
+[{
+ "name":"suspiciously frequent queries",
+ "filters":[
+ "Param:q",
+ "Path=^(/|/search)$"
+ ],
+ "interval":120,
+ "limit":9,
+ "actions":[
+ {"name":"log"}
+ ]
+ },
+ {
+ "name":"search request",
+ "filters":[
+ "Param:q",
+ "Path=^(/|/search)$"
+ ],
+ "interval":120,
+ "limit":19,
+ "actions":[
+ {
+ "name":"block",
+ "params":{
+ "message":"common rate limit exceeded"
+ }
+ }
+ ],
+ "subrules":[
+ {
+ "name":"roboagent limit",
+ "interval":60,
+ "limit":3,
+ "filters":[
+ "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby)"
+ ],
+ "actions":[
+ {"name":"log"},
+ {
+ "name":"block",
+ "params":{
+ "message":"rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name":"botlimit",
+ "interval":60,
+ "limit":0,
+ "stop":true,
+ "filters":[
+ "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)"
+ ],
+ "actions":[
+ {"name":"log"},
+ {
+ "name":"block",
+ "params":{
+ "message":"rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name":"IP limit",
+ "interval":60,
+ "limit":13,
+ "stop":true,
+ "aggregations":[
+ "Header:X-Forwarded-For"
+ ],
+ "actions":[
+ {"name":"log"},
+ {
+ "name":"block",
+ "params":{
+ "message":"rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name":"rss/json limit",
+ "interval":60,
+ "limit":13,
+ "stop":true,
+ "filters":[
+ "Param:format=(csv|json|rss)"
+ ],
+ "actions":[
+ {"name":"log"},
+ {
+ "name":"block",
+ "params":{
+ "message":"rate limit exceeded"
+ }
+ }
+ ]
+ },
+ {
+ "name":"useragent limit",
+ "interval":60,
+ "limit":13,
+ "aggregations":[
+ "Header:User-Agent"
+ ],
+ "actions":[
+ {"name":"log"},
+ {
+ "name":"block",
+ "params":{
+ "message":"rate limit exceeded"
+ }
+ }
+ ]
+ }
+ ]
+}]
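Review bot: The "IP limit" subrule aggregates on `Header:X-Forwarded-For`, which is a request header the client controls unless a trusted reverse proxy in front of filtron overwrites it. If filtron is reachable directly, or the proxy appends to an incoming value instead of replacing it, a client that varies the header per request never fills the 13-per-60s bucket. Since JSON cannot carry a comment, the install documentation for this template should state that the front proxy must set the header from the peer address, for example nginx `proxy_set_header X-Forwarded-For $remote_addr;`. The User-Agent filters in "roboagent limit" and "botlimit" are likewise self-reported and only deter well-behaved clients; the botlimit pattern also lists `MJ12bot` twice and leaves the dot in `archive.org_bot` unescaped.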
diff --git a/utils/templates/lib/systemd/system/filtron.service b/utils/templates/lib/systemd/system/filtron.service
new file mode 100644
index 000000000..3b0c6edcc
--- /dev/null
+++ b/utils/templates/lib/systemd/system/filtron.service
@@ -0,0 +1,29 @@
+[Unit]
+
+Description=${SERVICE_NAME}
+After=syslog.target
+After=network.target
+
+[Service]
+
+Type=simple
+User=${SERVICE_USER}
+Group=${SERVICE_GROUP}
+WorkingDirectory=${SERVICE_HOME}
+ExecStart=${SERVICE_HOME}/go-apps/bin/filtron -api '${FILTRON_API}' -listen '${FILTRON_LISTEN}' -rules '${FILTRON_RULES}' -target '${FILTRON_TARGET}'
+
+Restart=always
+Environment=USER=${SERVICE_USER} HOME=${SERVICE_HOME}
+
+# Some distributions may not support these hardening directives. If you cannot
+# start the service due to an unknown option, comment out the ones not supported
+# by your version of systemd.
+
+ProtectSystem=full
+PrivateDevices=yes
+PrivateTmp=yes
+NoNewPrivileges=true
+
+[Install]
+
+WantedBy=multi-user.target
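Review bot: The `-api '${FILTRON_API}'` argument on the ExecStart line starts filtron's rule-management endpoint, and nothing in the unit says where it may bind. As far as I know that API is unauthenticated, so the template deserves a comment above ExecStart such as `# FILTRON_API must stay on a loopback address; it controls the active rules`. The hardening block could also carry `ProtectKernelTunables=yes`, `ProtectControlGroups=yes` and `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`, under the same old-systemd caveat the existing comment gives, since a user-space HTTP proxy should not need any of them relaxed. Separately, the single-quoted substitutions break the command line if a rendered value ever contains a `'`, so whatever fills in the template should reject such values.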