@aoanla hmmm, possibly.

Might try when I'm back from vacation. @cadey based on the above description do you think Anubis would make a difference?

I guess I could try when I'm back from travel, and see where it works or doesn't.

Quick look says: should help with human web endpoints, will do nothing for API endpoints... This may be ok, so long as I secure the API to known clients beforehand rather than leave those public.

@bri7 from nginx I'm logging every tcp, http, and TLS field that is exposed advertising to the docs... Literally everything.

I'm formatting that as Json lines in the log output.

I'm then sending that to Loki.

And analysing via a Grafana dashboard.

I need some plugins too for nginx, the geoip one for getting ASNs for direct traffic, but some sites are behind Cloudflare so I also log their heads which gives me asn and country too.

In the early days of attacks, ASNs were useful as blocks. But now I see a lot of consumer ISPs involved and asn blocking is less useful. Countries aren't that useful to block at all... And it's often wrong, i.e. China shows up in Marseilles or Singapore based on where submarine cables go.

The problem is this churns all my caches, which then means a higher compute load as nothing is in cache, which after a while will knock the site offline.

Wish I could force Cloudflares TCP turtle on them (a TCP tarpit for H2 requests that I don't believe it was ever used as it was made as an experiment internally, but would be perfect for this).

I can't even rate limit effectively, as 1k requests per IP over a 30 minute window flies under the radar of systems, any rate limit would false positive on real users.