Merge pull request #535 from NixOS/nginx-abuse-502-etc

hydra: abuse handling, branded 502 error; prometheus: alert on full zfs pool

Author: mweinelt

build/haumea/postgresql.nix

@@ -34,7 +34,7 @@
       log_statement = "none";
 
       # pgbadger-compatible logging
-      log_transaction_sample_rate = 1.0e-2;
+      log_transaction_sample_rate = 0.01;
       log_min_duration_statement = 5000;
       log_checkpoints = "on";
       log_connections = "on";
@@ -80,8 +80,8 @@
       # benefit from frequent vacuums, so this should
       # help. In particular, I'm thinking the jobsets
       # pages.
-      autovacuum_vacuum_scale_factor = 2.0e-2;
-      autovacuum_analyze_scale_factor = 1.0e-2;
+      autovacuum_vacuum_scale_factor = 0.02;
+      autovacuum_analyze_scale_factor = 0.01;
 
       shared_preload_libraries = "pg_stat_statements";
       compute_query_id = "on";

build/hydra-proxy.nix

@@ -1,5 +1,27 @@
-{ config, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
+let
+  bannedUserAgentPatterns = [
+    "Trident/"
+    "Android\\s[123456789]\\."
+    "iPod"
+    "iPad\\sOS\\s"
+    "iPhone\\sOS\\s[23456789]"
+    "Opera/[89]"
+    "(Chrome|CriOS)/(\\d\\d?\\.|1[01]|12[4])"
+    "(Firefox|FxiOS)/(\\d\\d?\\.|1[01]|12[012345679]\\.)"
+    "PPC\\sMac\\sOS"
+    "Windows\\sCE"
+    "Windows\\s95"
+    "Windows\\s98"
+    "Windows\\sNT\\s[12345]\\."
+  ];
+in
 {
   networking.firewall.allowedTCPPorts = [
     80
@@ -27,20 +49,43 @@
       worker_connections 1024;
     '';
 
+    appendHttpConfig = ''
+      map $http_user_agent $badagent {
+        default 0;
+        ${lib.concatMapStringsSep "\n" (pattern: ''
+          ~${pattern} 1;
+        '') bannedUserAgentPatterns}
+      }
+    '';
+
     virtualHosts."hydra.nixos.org" = {
       forceSSL = true;
       enableACME = true;
 
       extraConfig = ''
+        error_page 502 /502.html;
         error_page 503 /503.html;
-        location = /503.html {
+        location ~ /(502|503).html {
           root ${./nginx-error-pages};
           internal;
         }
       '';
 
+      # Ask robots not to scrape hydra, it has various expensive endpoints
+      locations."=/robots.txt".alias = pkgs.writeText "hydra.nixos.org-robots.txt" ''
+        User-agent: *
+        Disallow: /
+        Allow: /$
+      '';
+
       locations."/" = {
         proxyPass = "http://127.0.0.1:3000";
+        extraConfig = ''
+          if ($badagent) {
+            access_log /var/log/nginx/abuse.log;
+            return 403;
+          }
+        '';
       };
 
       locations."/static/" = {

build/nginx-error-pages/502.html

@@ -0,0 +1,63 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <title>Error 502 - hydra.nixos.org</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <link
+      rel="stylesheet"
+      href="https://nixos.org/bootstrap/css/bootstrap.min.css"
+    />
+    <link
+      rel="stylesheet"
+      href="https://nixos.org/bootstrap/css/bootstrap-responsive.min.css"
+    />
+    <style>
+      body {
+        padding-top: 0;
+        margin-top: 4em;
+        margin-bottom: 4em;
+      }
+      body > div {
+        max-width: 800px;
+      }
+      h1 {
+        margin: 0 auto;
+        text-align: center;
+      }
+      p {
+        text-align: center;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container jumbotron">
+      <div class="jumbotron">
+        <p class="lead">
+          <a href="https://nixos.org/nixos">
+            <img
+              src="https://nixos.org/logo/nixos-hires.png"
+              width="500px"
+              alt="logo"
+            />
+          </a>
+        </p>
+
+        <h1>HTTP Error 502</h1>
+
+        <p class="lead">This service is currently unavailable!</p>
+      </div>
+      <hr>
+      <div class="help">
+        <p>
+          You can check the following resources for further informations:<br>
+          <a href="https://prometheus.nixos.org/alerts">Alerts</a> |
+          <a href="https://grafana.nixos.org/">Dashboards</a> |
+          <a href="https://github.com/NixOS/infra/issues">Issues</a> |
+          <a href="https://matrix.to/#/#infra:nixos.org">Chatroom</a>
+        </p>
+      </div>
+    </div>
+  </body>
+</html>

build/pluto/prometheus/exporters/zfs.nix

@@ -1,3 +1,7 @@
+{
+  pkgs,
+  ...
+}:
 {
   services.prometheus = {
     scrapeConfigs = [
@@ -14,5 +18,28 @@
         ];
       }
     ];
+    ruleFiles = [
+      (pkgs.writeText "node-exporter.rules" (
+        builtins.toJSON {
+          groups = [
+            {
+              name = "zfs";
+              rules = [
+                {
+                  alert = "ZfsPoolFull";
+                  expr = ''
+                    (zfs_pool_free_bytes / zfs_pool_size_bytes) * 100 < 15
+                  '';
+                  for = "30m";
+                  labels.severity = "warning";
+                  annotations.summary = "ZFS pool {{ $labels.pool }} on {{ $labels.instance }} has only {{ $value }}% free space.";
+                  annotations.grafana = "https://grafana.nixos.org/d/rYdddlPWk/node-exporter-full?orgId=1&var-job=node&var-node={{ $labels.instance }}";
+                }
+              ];
+            }
+          ];
+        }
+      ))
+    ];
   };
 }