1 files changed, 122 insertions, 0 deletions

diff --git a/config/services/web/searx/filtron/default.nix b/config/services/web/searx/filtron/default.nix
new file mode 100644
index 0000000..cc637c3
--- /dev/null
+++ b/config/services/web/searx/filtron/default.nix
@@ -0,0 +1,122 @@
+{ ... }:
+
+{
+  services.filtron = {
+    enable = true;
+    rules = [
+      {
+        name = "roboagent limit";
+        filters = [
+          "Header:User-Agent=(curl|cURL|Wget|python-requests|Scrapy|FeedFetcher|Go-http-client|Ruby|UniversalFeedParser)"
+        ];
+        limit = 0;
+        stop = true;
+        actions = [
+          { name = "log"; }
+          {
+            name = "block";
+            params = { message = "Rate limit exceeded"; };
+          }
+        ];
+      }
+      {
+        name = "botlimit";
+        filters = [
+          "Header:User-Agent=(Googlebot|bingbot|Baiduspider|yacybot|YandexMobileBot|YandexBot|Yahoo! Slurp|MJ12bot|AhrefsBot|archive.org_bot|msnbot|MJ12bot|SeznamBot|linkdexbot|Netvibes|SMTBot|zgrab|James BOT)"
+        ];
+        limit = 0;
+        stop = true;
+        actions = [
+          { name = "log"; }
+          {
+            name = "block";
+            params = { message = "Rate limit exceeded"; };
+          }
+        ];
+      }
+      {
+        name = "suspiciously frequent IP";
+        filters = [ ];
+        interval = 600;
+        limit = 30;
+        aggregations = [ "Header:X-Forwarded-For" ];
+        actions = [{ name = "log"; }];
+      }
+      {
+        name = "search request";
+        filters = [ "Param:q" "Path=^(/|/search)$" ];
+        interval = 61;
+        limit = 999;
+        subrules = [
+          {
+            name = "missing Accept-Language";
+            filters = [ "!Header:Accept-Language" ];
+            limit = 0;
+            stop = true;
+            actions = [
+              { name = "log"; }
+              {
+                name = "block";
+                params = { message = "Rate limit exceeded"; };
+              }
+            ];
+          }
+          # {
+          #   name = "suspiciously Connection=close header";
+          #   filters = [ "Header:Connection=close" ];
+          #   limit = 0;
+          #   stop = true;
+          #   actions = [
+          #     { name = "log"; }
+          #     {
+          #       name = "block";
+          #       params = { message = "Rate limit exceeded"; };
+          #     }
+          #   ];
+          # }
+          {
+            name = "IP limit";
+            interval = 61;
+            limit = 9;
+            stop = true;
+            aggregations = [ "Header:X-Forwarded-For" ];
+            actions = [
+              { name = "log"; }
+              {
+                name = "block";
+                params = { message = "Rate limit exceeded"; };
+              }
+            ];
+          }
+          {
+            name = "rss/json limit";
+            filters = [ "Param:format=(csv|json|rss)" ];
+            interval = 121;
+            limit = 2;
+            stop = true;
+            actions = [
+              { name = "log"; }
+              {
+                name = "block";
+                params = { message = "Rate limit exceeded"; };
+              }
+            ];
+          }
+          {
+            name = "useragent limit";
+            interval = 61;
+            limit = 199;
+            aggregations = [ "Header:User-Agent" ];
+            actions = [
+              { name = "log"; }
+              {
+                name = "block";
+                params = { message = "Rate limit exceeded"; };
+              }
+            ];
+          }
+        ];
+      }
+    ];
+  };
+}