Default `general` zone (10r/s burst=20) is tuned for internet drive-by traffic. At the party, 30 guests scanning the splash QR from one venue-wifi NAT'd public IP would each fetch HTML + ~5 static assets within a few seconds — easily clearing burst=20, and the second-wave guests would see 503 with no auto-retry.

New shower_general zone (50r/s burst=200) absorbs that simultaneous-load spike. Exploit scanners still trip it: the 45.88.138.44 burst we already saw in Loki fired ~30 req in 2s, well above the new sustained 50r/s when extrapolated, and burst=200 is still a hard cap on instantaneous spikes.

Self-healing: `limit_req` is a token bucket — no persistent ban, nothing to manually flush. A guest who trips it auto-recovers within ~1s; tuning here is about not tripping it on legit traffic in the first place.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

| Name |
|---|
| fail2ban |
| alloy.river |
| Dockerfile |
| error.html |
| fly.toml |
| nginx.conf |
| start.sh |
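
The guest-load scenario from the commit message, replayed against both zones as an added example (not code from this repository). It is a simplified model of how `limit_req` accounts per-key excess; it assumes `nodelay` and a single shared client key, and the arrival pattern (30 guests, 6 requests each, spread over about 3 seconds) is constructed.

```python
# Added illustration: simplified per-key model of nginx limit_req accounting.
# Assumption: `nodelay` is set, so requests inside the burst are served at once
# and anything beyond it is rejected (503 by default).

def simulate(arrivals_ms, rate_per_s, burst):
    """Return (accepted, rejected) for requests that all share one client key."""
    excess = None   # backlog in 1/1000 of a request, as nginx tracks it
    last = 0        # timestamp (ms) of the last accepted request
    accepted = rejected = 0
    for now in sorted(arrivals_ms):
        if excess is None:
            # The first request creates the state entry and is always served.
            excess, last = 0, now
            accepted += 1
            continue
        # Drain rate_per_s millirequests per elapsed ms, then add this request.
        candidate = max(0, excess - rate_per_s * (now - last) + 1000)
        if candidate > burst * 1000:
            rejected += 1   # rejected requests do not update the state
            continue
        excess, last = candidate, now
        accepted += 1
    return accepted, rejected


def party_arrivals(guests=30, requests_each=6, guest_gap_ms=100, asset_gap_ms=20):
    """Constructed load: each guest fetches HTML plus 5 assets, guests 100 ms apart."""
    return [g * guest_gap_ms + r * asset_gap_ms
            for g in range(guests) for r in range(requests_each)]


# (rate in requests/second, burst) as quoted in the commit message.
ZONES = {"general": (10, 20), "shower_general": (50, 200)}


def compare():
    """Run the same constructed guest load through both zones."""
    arrivals = party_arrivals()
    return {name: simulate(arrivals, rate, burst)
            for name, (rate, burst) in ZONES.items()}


if __name__ == "__main__":
    for name, (ok, dropped) in compare().items():
        print(f"{name:15s} accepted={ok:3d} rejected={dropped:3d}")
```

Changing `guest_gap_ms` or `asset_gap_ms` shows how much tighter the guest arrivals can get before the larger zone also starts rejecting.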