I am running this docker image: https://github.com/nextcloud/docker with a cloudflare tunnel, meaning the webserver would see all the traffic coming from a single ip in 172.16.0.0/12 .
The documentation says:
The apache image will replace the remote addr (IP address visible to Nextcloud) with the IP address from X-Real-IP if the request is coming from a proxy in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 by default
So I thought that this is a not a problem, as other docker images can also automagically figure out the real IP address from traffic coming from cloudflare tunnels.
In the beginning it worked fine, then it was SLOW. Like 2 full minutes to load new feeds on news, waiting ages to complete a sync, and so on. I rebooted the server on those instances, and then it worked fine for a day.
So because at the time i was running it on unraid, i blamed the lag on that OS + my weird array of HDDs with decades of usage on them. Migrated to debian on a nvme array and… same lag!
Wasted hours trying to use caddy+fpm instead of apache and it’s the same, worked fine for a day, then it was slow again.
Then I wondered: what if the program is “smart” and throttles it by itself without any warning to the admin if it thinks that an ip address is sending too many requests?
Modified the docker compose like this:
nextcloud:
image: nextcloud
became
nextcloud:
build: .
and I created a Dockerfile with
FROM nextcloud
RUN apt update -y && apt upgrade -y
RUN apt install -y libbz2-dev
RUN docker-php-ext-install bz2
RUN a2enmod rewrite remoteip
COPY remoteip.conf /etc/apache2/conf-enabled/remoteip.conf
That’s not a ddos. Not even close. Your ISP would be getting involved if it were.
You don’t even need to do a distributed dos against a home system since your bandwidth is so easy to overcome. A single EC2 instance could flood your standard home network.
it’s not a distributed denial of service but a single bot asking the same fucking wordpress page every 100ms is still a denial of service on my poor home server. In one click i was able to ban the whole asian continent without too much effort
Has it “denied service” to you? I’d be genuinely surprised. Are you on dial-up? I’ve run servers on my home network for “never you mind how long” and have never had a denial of service due to bot traffic.
Yes, I got lots of lag due to WordPress using all the CPU time to elaborate the same page over and over again.
I could have wasted some days to setup a cache proxy and other stuff but for a website with 10 monthly visitors is overkill, is faster to block everyone else outside the target. If someone is visiting from Russia or China they have 120% a malicious intent in my case, so no need to serve content
Ahh - I see. That’s why I keep telling people “a raspberry pi is not a server”. :-)
As a self-hoster I would still recommend figuring out how to setup something as simple as any of the available WordPress plugins that do caching though. “Being lazy” and “Self-hosting” will end in tears.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
Tell this to the Russian bots that are hammering my personal site for some reason.
It’s way easier to make a rule “no Russia” or even “only my country”
That’s not a ddos. Not even close. Your ISP would be getting involved if it were.
You don’t even need to do a distributed dos against a home system since your bandwidth is so easy to overcome. A single EC2 instance could flood your standard home network.
it’s not a distributed denial of service but a single bot asking the same fucking wordpress page every 100ms is still a denial of service on my poor home server. In one click i was able to ban the whole asian continent without too much effort
Has it “denied service” to you? I’d be genuinely surprised. Are you on dial-up? I’ve run servers on my home network for “never you mind how long” and have never had a denial of service due to bot traffic.
Yes, I got lots of lag due to WordPress using all the CPU time to elaborate the same page over and over again.
I could have wasted some days to setup a cache proxy and other stuff but for a website with 10 monthly visitors is overkill, is faster to block everyone else outside the target. If someone is visiting from Russia or China they have 120% a malicious intent in my case, so no need to serve content
Ahh - I see. That’s why I keep telling people “a raspberry pi is not a server”. :-)
As a self-hoster I would still recommend figuring out how to setup something as simple as any of the available WordPress plugins that do caching though. “Being lazy” and “Self-hosting” will end in tears.
Getting brute forced by bots isn’t a DOS attack.