Recently our translate service has been receiving a lot of requests that did not seem legitimate.
The result was that Weblate was slow or blocking some requests.
A first action was to rate-limit requests to 5r/s using the Nginx proxy server. This blocked some requests, but the overflow still happened.
As many of those requests were for Weblate's static files, the idea was to use our CDN to serve them. So, after a patch to support CDN configuration had been proposed, a new version of Weblate was deployed with this configuration.
This reduced the traffic on the server a lot, but still not enough to avoid overloading the service.
Along the way, we put a restriction in place to allow only the CDN and upptime to request static files directly from the server, and likewise for the documentation website.
Finally, we decided to go with a radical solution: banning the networks responsible for this traffic on ports 80 and 443, namely 47.239.0.0/16, 47.76.0.0/16 and 47.79.0.0/16 (all from Alibaba Cloud), from moretus (you can find the affected services in the Infrastructure listing).
The rule has been in place since 10h and has already blocked more than 2M packets. The load has come back to normal.
If you are affected by this rule, please speak up.
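For reference, the three measures described above (5r/s rate limit, static files restricted to the CDN and upptime, and the network ban) can be expressed together in one Nginx configuration. This is an added illustration, not the actual moretus configuration: the hostname, CDN and upptime addresses, paths and upstream port are placeholders, and the network ban was done at the firewall in practice, so the `geo` block here is the web-server-layer equivalent.

```nginx
# Added illustration of the measures in the note; not the real moretus config.
# Rate limit: one zone keyed on client address, 5 requests/second (step one).
limit_req_zone $binary_remote_addr zone=weblate_rl:10m rate=5r/s;

# Networks banned in the final step (done at the firewall for ports 80/443 in
# practice; this is the Nginx-level equivalent). All three are Alibaba Cloud.
geo $banned_net {
    default        0;
    47.239.0.0/16  1;
    47.76.0.0/16   1;
    47.79.0.0/16   1;
}

server {
    listen 80;                            # a 443 ssl block would be analogous
    server_name translate.example.org;    # placeholder hostname

    # Reject banned networks before any other processing. 444 closes the
    # connection without a response, which is cheaper than serving a 403.
    if ($banned_net) {
        return 444;
    }

    # Static assets are served through the CDN, so only the CDN and the
    # upptime monitor may fetch them directly from the origin (placeholders).
    location /static/ {
        allow 203.0.113.0/24;             # CDN edge range (placeholder)
        allow 198.51.100.7;               # upptime monitor (placeholder)
        deny  all;
        alias /var/lib/weblate/static/;   # placeholder path
    }

    # Everything else is limited to 5r/s per client, with a small burst so a
    # normal page load (a handful of parallel requests) is not rejected.
    location / {
        limit_req zone=weblate_rl burst=10 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:8000; # Weblate application (placeholder)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Check the result with `nginx -t` before reloading; rejected requests show up as 429 (rate limit), 403 (static restriction) and 444 (ban) in the access log, which makes it easy to see which measure is doing the work.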