X-Git-Url: https://git.openstreetmap.org./nominatim.git/blobdiff_plain/5502c223756ed755edae9670497f1456e528d3f0..a446ea5ffc2e3c559d93f3c4f242ff7a579f0860:/utils/cron_banip.py diff --git a/utils/cron_banip.py b/utils/cron_banip.py index d716affb..53f5e5f1 100755 --- a/utils/cron_banip.py +++ b/utils/cron_banip.py @@ -52,6 +52,9 @@ LOGFILE= BASEDIR + '/log/restricted_ip.log' WHITELIST = '' # space-separated list of IPs manually blocked BLACKLIST = '' +# user-agents that should be blocked from bulk mode +# (matched with startswith) +UA_BLOCKLIST = () # time before a automatically blocked IP is allowed back BLOCKCOOLOFF_PERIOD='1 hour' @@ -61,8 +64,11 @@ BULKCOOLOFF_PERIOD='15 min' BULKLONG_LIMIT=8000 BULKSHORT_LIMIT=2000 BLOCK_UPPER=19000 -BLOCK_LOADFAC=300 -BULK_LOADFAC=100 +BLOCK_LOWER=4000 +BLOCK_LOADFAC=380 +BULK_LOADFAC=160 +BULK_LOWER=1500 +MAX_BULK_IPS=85 # # END OF DEFAULT SETTINGS @@ -73,11 +79,6 @@ try: except IOError: pass -# determine current load -fd = open("/proc/loadavg") -avgload = int(float(fd.readline().split()[1])) -fd.close() - # read the previous blocklist WHITELIST = set(WHITELIST.split()) if WHITELIST else set() prevblocks = [] @@ -99,25 +100,36 @@ try: except IOError: pass #ignore non-existing file -# current number of bulks -numbulks = len(prevbulks) - -BLOCK_LIMIT = BLOCK_UPPER - BLOCK_LOADFAC * (numbulks - 30) -BULKLONG_LIMIT = BULKLONG_LIMIT - BULK_LOADFAC * (avgload - 16) - +# determine current load +fd = open("/proc/loadavg") +avgload = int(float(fd.readline().split()[2])) +fd.close() +# DB load conn = psycopg2.connect('dbname=nominatim') cur = conn.cursor() +cur.execute("select count(*)/60 from new_query_log where starttime > now() - interval '1min'") +dbload = int(cur.fetchone()[0]) + +BLOCK_LIMIT = max(BLOCK_LOWER, BLOCK_UPPER - BLOCK_LOADFAC * (dbload - 75)) +BULKLONG_LIMIT = max(BULK_LOWER, BULKLONG_LIMIT - BULK_LOADFAC * (avgload - 14)) +if len(prevbulks) > MAX_BULK_IPS: + BLOCK_LIMIT = max(3600, BLOCK_LOWER - (len(prevbulks) - MAX_BULK_IPS)*10) +# if the bulk pool is still empty, clients will be faster, avoid having +# them blocked in this case +if len(prevbulks) < 10: + BLOCK_LIMIT = 2*BLOCK_UPPER + # get the new block candidates cur.execute(""" - SELECT ipaddress, max(count) FROM + SELECT ipaddress, max(count), max(ua) FROM ((SELECT * FROM - (SELECT ipaddress, sum(CASE WHEN type = 'search' THEN 3 ELSE 1 END) as count FROM new_query_log + (SELECT ipaddress, sum(case when endtime is null then 1 else 1+1.5*date_part('epoch',endtime-starttime) end) as count, substring(max(useragent) from 1 for 30) as ua FROM new_query_log WHERE starttime > now() - interval '1 hour' GROUP BY ipaddress) as i WHERE count > %s) UNION - (SELECT ipaddress, count * 4 FROM - (SELECT ipaddress, sum(CASE WHEN type = 'search' THEN 2 ELSE 1 END) as count FROM new_query_log + (SELECT ipaddress, count * 3, ua FROM + (SELECT ipaddress, sum(case when endtime is null then 1 else 1+1.5*date_part('epoch',endtime-starttime) end) as count, substring(max(useragent) from 1 for 30) as ua FROM new_query_log WHERE starttime > now() - interval '10 min' GROUP BY ipaddress) as i WHERE count > %s)) as o GROUP BY ipaddress @@ -125,12 +137,22 @@ cur.execute(""" bulkips = {} emergencyblocks = [] +useragentblocks = [] for c in cur: if c[0] not in WHITELIST and c[0] not in BLACKLIST: - if c[1] > BLOCK_UPPER and c[0] not in prevbulks: + # check for user agents that receive an immediate block + missing_agent = not c[2] + if not missing_agent: + for ua in UA_BLOCKLIST: + if c[2].startswith(ua): + missing_agent = True + break + if (missing_agent or c[1] > BLOCK_UPPER) and c[0] not in prevblocks: newblocks.add(c[0]) - if c[0] not in prevblocks: + if missing_agent: + useragentblocks.append(c[0]) + else: emergencyblocks.append(c[0]) else: bulkips[c[0]] = c[1] @@ -151,15 +173,16 @@ for ip in prevblocks: deblockcandidates.add(ip) for ip in prevbulks: - if ip in bulkips: - if bulkips[ip] > BLOCK_LIMIT: - newblocks.add(ip) - newlyblocked.append(ip) + if ip not in newblocks: + if ip in bulkips: + if bulkips[ip] > BLOCK_LIMIT: + newblocks.add(ip) + newlyblocked.append(ip) + else: + newbulks.add(ip) + del bulkips[ip] else: - newbulks.add(ip) - del bulkips[ip] - else: - debulkcandidates.add(ip) + debulkcandidates.add(ip) # cross-check deblock candidates if deblockcandidates: @@ -182,6 +205,7 @@ if debulkcandidates: cur.execute(""" SELECT DISTINCT ipaddress FROM new_query_log WHERE ipaddress IN ('%s') AND starttime > now() - interval '%s' + AND starttime > date_trunc('day', now()) """ % ("','".join(debulkcandidates), BULKCOOLOFF_PERIOD)) for c in cur: @@ -212,6 +236,8 @@ if bulkips: fd.write(logstr % ('new bulks:', ', '.join(bulkips.keys()))) if emergencyblocks: fd.write(logstr % ('dir.block:', ', '.join(emergencyblocks))) +if useragentblocks: + fd.write(logstr % (' ua block:', ', '.join(useragentblocks))) if newlyblocked: fd.write(logstr % ('new block:', ', '.join(newlyblocked))) fd.close()