update nginx config with recent bot activities

DCOR-dev · Apr 16, 2024 · 866b265 · 866b265
1 parent 6ed2320
commit 866b265
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 7 deletions.
diff --git a/docs/sec_self_hosting/installation.rst b/docs/sec_self_hosting/installation.rst
@@ -69,6 +69,16 @@ please create this directory with
 
 .. _selfhost_object_storage:
 
+
+Scratch Space
+=============
+It is important that you have some scratch space of at least 100 GB available
+on you system, so that the `ckanext-dc_serve` extension can create temporary
+condensed datasets before uploading them to S3. By default, the cache is
+located at `/data/tmp/ckanext-dc_serve` and is editable via the configuration
+option `ckanext.dc_serve.tmp_dir`.
+
+
 Object Storage
 ==============
 You should use a cloud storage provider that you trust instead of setting this

diff --git a/docs/sec_self_hosting/nginx_ckan_config.conf b/docs/sec_self_hosting/nginx_ckan_config.conf
@@ -14,7 +14,7 @@ server {
     ssl_certificate "/etc/ssl/certs/dcor.mpl.mpg.de.cert";
     ssl_certificate_key "/etc/ssl/private/dcor.mpl.mpg.de.key";
 
-    # Uncoment to avoid robots (only on development machines)
+    # Uncomment to avoid robots (only on development machines)
     #location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }
 
     # Block outdated versions of DCOR-Aid.
@@ -27,6 +27,16 @@ server {
         deny all;
     }
 
+    # file extensions that should not be used on a CKAN instance
+    location ~* \.(aspx|gif|html?|php\d?|pl|rar|sql|tar|tar.gz|zip)$ {
+      return 404;
+    }
+
+    # Spammers often use GET requests with parameters (?), discard except for API
+    location ~ ^(/(dataset|group|organization|user).*\?)  {
+        return 404;
+    }
+
     # Do not cache downloads of .rtdc data
     location ~ \.(rtdc)$ {
         proxy_pass http://127.0.0.1:8080$request_uri;
@@ -51,11 +61,6 @@ server {
         gzip off;
     }
 
-    # file extensions that should not be used on a CKAN instance
-    location ~* \.(aspx|gif|html?|php\d?|pl|rar|sql|tar|tar.gz|zip)$ {
-      return 404;
-    }
-
     # static/fully cached locations
     location ~ ^/(api/i18n|base/|favicon.ico$|fonts|images/.*\.(png|jpg)$|webassets) {
         proxy_pass http://127.0.0.1:8080;
@@ -109,7 +114,7 @@ server {
         proxy_set_header Connection "";
     }
 
-    # GET allow-list for ckan-related directories (cached if user not logged-in)
+    # GET allow-list for ckan-related directories
     location ~ ^/($|about$|contact$|dashboard|dataset|imprint$|privacy$|revision) {
         limit_except GET {
               deny all;