2026-02-13T08:24:22 Good morning heroes, status does open for me, events-o-o doesn't but status says it's okay.
2026-02-13T09:51:59 One thing which is super unfortunate is unavailability of https://en.opensuse.org/openSUSE:Board_election together with rest of wiki, as we want to do kickoff of elections tomorrow.
2026-02-13T10:26:37 implemented rudimentary D?DoS protection on legacy login proxies now
2026-02-13T11:16:05 are you aware that everything times out?
2026-02-13T11:16:26 everything behind legacy proxy it seems
2026-02-13T11:16:53 (sorry my client disconnected I might have missed messages)
2026-02-13T11:20:15 yes like I said I implemented rudimentary mitigation but it will not help so much
2026-02-13T11:20:40 really the proper solution is to not rely on the legacy login proxy but to use OIDC with our normal frontend which has much better DoS protection
2026-02-13T11:22:14 what's the path to change this?
2026-02-13T11:22:38 well, https://progress.opensuse.org/issues/122254 exists since a long time, but the few services which are remaining behind the legacy login proxy do not seem to have much maintainer interest to change it
2026-02-13T11:23:19 are you calling me lazy? ;-)
2026-02-13T11:23:46 I wouldn't call someone having their own priorities lazy :)
2026-02-13T11:24:55 try it, it's liberating ;-)
2026-02-13T11:25:23 oh well
2026-02-13T11:27:44 seems like the OBS login proxy is copying
2026-02-13T11:28:07 what's the difference?
2026-02-13T11:28:30 right the OBS ones could be removed from that ticket in the meanwhile
2026-02-13T11:38:05 k
2026-02-13T11:38:30 so what's the difference in DOS coping?
2026-02-13T11:39:23 I know we block many IP ranges (not sure if it's on the login proxy or on some other ha-proxy in between)
2026-02-13T11:39:34 maybe that's something to share?
2026-02-13T11:54:12 we have blocking on the openSUSE HAProxy side, but not so much on the legacy proxy in front, where the problem seems to be. there I also added drops for various offending source networks today but I'm not sure it's working, the rules generated by SuSEfirewall2 (yes...) are not printing anything. mod_evasive does help a bit but not so much. I asked to implement the blocks on the ISP side
2026-02-13T11:54:13 together with zombie/botnet blocking instead, it should be done soon. I don't have much capacity right now to investigate much more, there's no proper monitoring for the machine either
2026-02-13T11:55:35 if any specific suggestions regarding firewall or httpd, happy to check
2026-02-13T11:55:58 it's running in event mode so I'm also not sure why it's blocking so much
2026-02-13T12:30:01 pasted something to you in slack...
2026-02-13T13:07:08 was sent to me before, it's similar to what we have