#3389: tracsvn and gitea under ai bot attacks
----------------------+---------------------------
Reporter: robe | Owner: sac-tickets@…
Type: task | Status: new
Priority: normal | Milestone: 2025 (robe)
Component: SysAdmin | Keywords:
----------------------+---------------------------
Both gitea and trac have been bogging down because of attacks from various
bots around the world presumably AI bots.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3389>
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.
#3389: tracsvn and gitea under ai bot attacks
----------------------+----------------------------
Reporter: robe | Owner: sac-tickets@…
Type: task | Status: new
Priority: normal | Milestone: 2025 (robe)
Component: SysAdmin | Resolution:
Keywords: |
----------------------+----------------------------
Comment (by robe):
Per this suggestion
https://github.com/ai-robots-txt/ai.robots.txt/blob/main/docs/additional-
steps/bing.md
On osgeo7-nginx, I've revised /etc/nginx/proxy_protocol_params to have a
line
{{{
add_header X-Robots-Tag noarchive;
}}}
To hopefully block these AI bots. Both Bing AI
I've also added this block to the /etc/nginx/proxy_protocoal_params
nginx-block-ai-bots.conf
to try to block ai bots
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3389#comment:1>
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.
#3389: tracsvn and gitea under ai bot attacks
----------------------+----------------------------
Reporter: robe | Owner: sac-tickets@…
Type: task | Status: new
Priority: normal | Milestone: 2025 (robe)
Component: SysAdmin | Resolution:
Keywords: |
----------------------+----------------------------
Comment (by robe):
Cloudflare also offers a bad bot fight mode and block ai bots. though
these may cause issues. Haven't tried them.
These are discussed here -
* Bot Fight Mode - https://developers.cloudflare.com/bots/get-started/bot-
fight-mode/
* Block AI Bots - https://developers.cloudflare.com/bots/get-started/bot-
management/#block-ai-bots
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/3389#comment:2>
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.
#3389: tracsvn and gitea under ai bot attacks
----------------------+----------------------------
Reporter: robe | Owner: sac-tickets@…
Type: task | Status: new
Priority: normal | Milestone: 2025 (robe)
Component: SysAdmin | Resolution:
Keywords: |
----------------------+----------------------------
Comment (by strk):
I've installed, configured and enabled Anubis for trac and gitea in
production.
It implied using a custom build as the latest release of anubis (1.19.1)
doesn't support the `STRIP_BASE_PREFIX` configuration that we need for
Gitea.
What we need to do to "save" the work would be:
1. Adding install of Anubis via ansible to the nginx-proxy role (we'll
need to wait for 1.20 I guess)
2. Adding configuration of the gitea and trac anubis services in their
respective roles
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.
#3389: tracsvn and gitea under ai bot attacks
----------------------+----------------------------
Reporter: robe | Owner: sac-tickets@…
Type: task | Status: new
Priority: normal | Milestone: 2025 (robe)
Component: SysAdmin | Resolution:
Keywords: |
----------------------+----------------------------
Comment (by lnicola):
Enabling the Cloudflare proxying means letting them read all the traffic,
including LDAP credentials when people log in. I personally trust
Cloudflare, but I'm not giving them my passwords yet.
Anubis seems to work, and we could probably tweak things if the bots find
a way to bypass it. I'm not a fan of burning CPU that way, but Cloudflare
seems to have settled, at least in part, for the same approach with their
solution.
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.
#3389: tracsvn and gitea under ai bot attacks
----------------------+------------------------------------------------
Reporter: robe | Owner: sac-tickets@…
Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2025-III (strk)
Component: SysAdmin | Resolution: fixed
Keywords: |
----------------------+------------------------------------------------
Changes (by robe):
* milestone: 2025 (robe) => Sysadmin Contract 2025-III (strk)
* resolution: => fixed
* status: new => closed
Comment:
works for me. seems cpu usage has gone down since and gitea and trac
aren't sluggish anymore.
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.
#3389: tracsvn and gitea under ai bot attacks
----------------------+------------------------------------------------
Reporter: robe | Owner: sac-tickets@…
Type: task | Status: reopened
Priority: normal | Milestone: Sysadmin Contract 2025-III (strk)
Component: SysAdmin | Resolution:
Keywords: |
----------------------+------------------------------------------------
Changes (by robe):
* resolution: fixed =>
* status: closed => reopened
Comment:
I should leave open since you still need to put in ansible right?
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.
#3389: tracsvn and gitea under ai bot attacks
----------------------+------------------------------------------------
Reporter: robe | Owner: strk
Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2025-III (strk)
Component: SysAdmin | Resolution:
Keywords: |
----------------------+------------------------------------------------
Changes (by robe):
* owner: sac-tickets@… => strk
* status: reopened => new
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.
#3389: tracsvn and gitea under ai bot attacks
----------------------+------------------------------------------------
Reporter: robe | Owner: strk
Type: task | Status: closed
Priority: normal | Milestone: Sysadmin Contract 2025-III (strk)
Component: SysAdmin | Resolution: fixed
Keywords: |
----------------------+------------------------------------------------
Changes (by strk):
* resolution: => fixed
* status: new => closed
Comment:
As of Making sure you're not a bot!
deployment/commit/c54002ac293c704912644b44708c2759f77e8ef2 everything
Anubis is under ansible.
--
Ticket URL: <Making sure you're not a bot!;
OSGeo <Gter - OSGeo;
OSGeo committee and general foundation issue tracker.