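---
# This is an extract of a real-life configuration.
#
# It reads an nginx access.log in the following format:
#   log_format '$remote_addr - $remote_user [$time_local] '
#              '$host '
#              '"$request" $status $bytes_sent '
#              '"$http_referer" "$http_user_agent"';
#
# I can't make my access.log public for obvious privacy reasons.
#
# Unlike heavy-load.yml, this test is closer to real-life regex complexity.
#
# It has been created to test the performance improvements of
# the previous commit: ad6b0faa30c1af84360f66074a917b4bf6cda10a
#
# On this test, most lines don't match anything, so most time is spent
# matching regexes.
#
# Reviewer notes:
# - Every ban/unban command below is `sleep 0.01`, a timing stand-in. Run
#   as-is, this file blocks nothing; it only measures matching cost.
# - $remote_user, $request, $http_referer and $http_user_agent are supplied
#   by the client. Only the leading $remote_addr field should ever be the
#   thing an action is keyed on, which is why each expression is anchored
#   at `^` with the address placeholder first.
# - NOTE(review): the `<ip>` placeholders in the filter regexes were
#   reconstructed. The page showed the expressions as `^ .* ...` and
#   `^.*"..."`, which never reference the `ip` pattern defined below, and the
#   `^ ` form cannot match a line that starts with $remote_addr.
#   Angle-bracket tokens are commonly lost when HTML tags are stripped from a
#   page; confirm against the original file.
# - Scalars that a YAML parser could retype or misread (0.01, addresses,
#   regexes) are single-quoted so they always load as literal strings.

concurrency: 0

patterns:
  ip:
    # Addresses that must never trigger an action (loopback and internal hosts).
    ignore:
      - '192.168.1.253'
      - '10.1.1.1'
      - '10.1.1.5'
      - '10.1.1.4'
      - '127.0.0.1'
      - '::1'
    # First alternative: dotted-quad IPv4. Second group: IPv6 forms, including
    # a link-local form with a zone suffix and IPv4-embedded forms.
    regex: '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
  # Not referenced by any filter visible in this extract.
  untilEOL:
    regex: '.*$'

streams:
  nginx:
    # Replays a static copy of the log instead of following the live file.
    cmd:
      - cat
      - /tmp/access.log
    filters:
      # Failed logins (HTTP 401) on the listed login endpoints.
      # The leading `.` before `https://` stands for the opening quote of
      # the referer field; dots inside host names are unescaped and match
      # any character.
      directusFailedLogin:
        actions:
          ban:
            cmd:
              - sleep
              - '0.01'
          unban:
            after: 4h
            cmd:
              - sleep
              - '0.01'
        regex:
          - '^<ip> .* "POST /repertoire/auth/login HTTP/..." 401 [0-9]+ .https://babos.land'
          - '^<ip> .* "POST /pompeani.art/auth/login HTTP/..." 401 [0-9]+ .https://edit.ppom.me'
          - '^<ip> .* "POST /leborddeleau/auth/login HTTP/..." 401 [0-9]+ .https://edit.ppom.me'
          - '^<ip> .* "POST /5eroue/auth/login HTTP/..." 401 [0-9]+ .https://edit.ppom.me'
          - '^<ip> .* "POST /edit/auth/login HTTP/..." 401 [0-9]+ .https://edit.ppom.me'
          - '^<ip> .* "POST /auth/login HTTP/..." 401 [0-9]+ .https://edit.ppom.fr'
        retry: 6
        retryperiod: 4h

      # Crawler names looked up in the last quoted field of the line (the
      # user agent). That header is chosen by the client, so this filter
      # only catches crawlers that identify themselves. No retry or
      # retryperiod is set here, unlike the login filters.
      # The `Applebot` entry already matches every line that
      # `Applebot-Extended` would.
      gptbot:
        actions:
          ban:
            cmd:
              - sleep
              - '0.01'
          unban:
            after: 4h
            cmd:
              - sleep
              - '0.01'
        regex:
          - '^<ip>.*"[^"]*AI2Bot[^"]*"$'
          - '^<ip>.*"[^"]*Amazonbot[^"]*"$'
          - '^<ip>.*"[^"]*Applebot[^"]*"$'
          - '^<ip>.*"[^"]*Applebot-Extended[^"]*"$'
          - '^<ip>.*"[^"]*Bytespider[^"]*"$'
          - '^<ip>.*"[^"]*CCBot[^"]*"$'
          - '^<ip>.*"[^"]*ChatGPT-User[^"]*"$'
          - '^<ip>.*"[^"]*ClaudeBot[^"]*"$'
          - '^<ip>.*"[^"]*Diffbot[^"]*"$'
          - '^<ip>.*"[^"]*DuckAssistBot[^"]*"$'
          - '^<ip>.*"[^"]*FacebookBot[^"]*"$'
          - '^<ip>.*"[^"]*GPTBot[^"]*"$'
          - '^<ip>.*"[^"]*Google-Extended[^"]*"$'
          - '^<ip>.*"[^"]*Kangaroo Bot[^"]*"$'
          - '^<ip>.*"[^"]*Meta-ExternalAgent[^"]*"$'
          - '^<ip>.*"[^"]*Meta-ExternalFetcher[^"]*"$'
          - '^<ip>.*"[^"]*OAI-SearchBot[^"]*"$'
          - '^<ip>.*"[^"]*PerplexityBot[^"]*"$'
          - '^<ip>.*"[^"]*Timpibot[^"]*"$'
          - '^<ip>.*"[^"]*Webzio-Extended[^"]*"$'
          - '^<ip>.*"[^"]*YouBot[^"]*"$'
          - '^<ip>.*"[^"]*omgili[^"]*"$'

      # Failed logins (HTTP 401) on the session API endpoints.
      slskd-failedLogin:
        actions:
          ban:
            cmd:
              - sleep
              - '0.01'
          unban:
            after: 4h
            cmd:
              - sleep
              - '0.01'
        regex:
          - '^<ip> .* "POST /slskd/api/v0/session HTTP/..." 401 [0-9]+ .https://ppom.me'
          - '^<ip> .* "POST /kiosque/api/v0/session HTTP/..." 401 [0-9]+ .https://babos.land'
        retry: 3
        retryperiod: 1h

      # GET requests for paths that scanners commonly probe, at any
      # directory depth. Entries that end with a space require the path to
      # stop there; the first two have no trailing space and match as path
      # prefixes. `.` is unescaped in logon.aspx, auth.html, auth1.html,
      # password.txt and passwords.txt, so it matches any character there;
      # that only widens the match.
      suspectRequests:
        actions:
          ban:
            cmd:
              - sleep
              - '0.01'
          unban:
            after: 4h
            cmd:
              - sleep
              - '0.01'
        regex:
          - '^<ip> .*"GET /(?:[^/" ]*/)*wp-login\.php'
          - '^<ip> .*"GET /(?:[^/" ]*/)*wp-includes'
          - '^<ip> .*"GET /(?:[^/" ]*/)*\.env '
          - '^<ip> .*"GET /(?:[^/" ]*/)*config\.json '
          - '^<ip> .*"GET /(?:[^/" ]*/)*info\.php '
          - '^<ip> .*"GET /(?:[^/" ]*/)*owa/auth/logon.aspx '
          - '^<ip> .*"GET /(?:[^/" ]*/)*auth.html '
          - '^<ip> .*"GET /(?:[^/" ]*/)*auth1.html '
          - '^<ip> .*"GET /(?:[^/" ]*/)*password.txt '
          - '^<ip> .*"GET /(?:[^/" ]*/)*passwords.txt '
          - '^<ip> .*"GET /(?:[^/" ]*/)*dns-query '
          - '^<ip> .*"GET /(?:[^/" ]*/)*\.git/ '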