Jump to content


Photo

@Wanwizard can you help with this?


  • Please log in to reply
25 replies to this topic

#1 Sicilian

  • Senior Member
  • 466 posts

0
Neutral

Posted 10 October 2024 - 09:01

I'm told you may be able to help with this issue.

 

We've been hosting EPG Importer files on a standalone dedicated server for years.

 

Anyway we can no longer keep paying for this server so I've moved the hosting back to the server that hosts OpenViX website, feeds etc... Problem we have is when these EPG files are hosted the server gets hammered like a DDOS attack.

 

Do you have a way of blocking requests from devices other than E2 boxes?



Re: @Wanwizard can you help with this? #2 WanWizard

  • PLi® Core member
  • 70,542 posts

+1,812
Excellent

Posted 10 October 2024 - 11:05

I'm not sure I can be of any help, because our situation is rather different, we use CDN servers from our hosting provider, which are basically just caching proxies on OVH VPS in front of of the actual server.

 

They use this config (NGINX, replaced the upstrream hostname by xxxxxxxxxxxxx), which only accepts Python Twisted clients. It doesn't help with the hammering, but it does greatly reduce the bandwidth used and the load on the server.

 

Still, at peak time, the two servers still pump out around 200Mbps...

proxy_cache_path /data/rytecepg levels=1:2 keys_zone=cache_rytecepg:32m max_size=10g inactive=7d use_temp_path=off;

server {
    listen 80;
#    listen 443 ssl;
    listen [::]:80;
#    listen [::]:443 ssl;

    set $cache_uri $uri;
    server_name rytecepg.wanwizard.eu;

#    ssl_certificate /etc/nginx/certs/openpli-chained.crt;
#    ssl_certificate_key /etc/nginx/certs/openpli.key;
#    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#    ssl_prefer_server_ciphers on;
#    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

    access_log  /var/log/nginx/rytecepg-access.log main;
    error_log /var/log/nginx/rytecepg-error.log error;

    # last update timestamp, do not cache

    location ~ "^/LastUpdate.txt$" {
        proxy_set_header Host xxxxxxxxxxxxx;
        proxy_hide_header access-control-allow-origin;
        add_header Access-Control-Allow-Origin "*";

        proxy_set_header X-Forwarded-For $remote_addr;

        proxy_pass http://xxxxxxxxxxxxx;
    }

    # sources xml's

    location ~ "^/rytec\.sources\.xml\.\d{8}\.gz$" {

        # block concurrent connections
        limit_conn addr 1;
        limit_conn_status 429;

        # data should not be zipped, already compressed
        gzip off;

        # and doesn't expire
        expires off;

        proxy_set_header Host xxxxxxxxxxxxx;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_hide_header access-control-allow-origin;

        add_header Access-Control-Allow-Origin "*";
        add_header X-Cache $upstream_cache_status;

        proxy_hide_header X-Cache;
        proxy_ignore_headers Vary;
        proxy_ignore_headers Expires;
        proxy_ignore_headers Set-Cookie;
        proxy_ignore_headers Cache-Control;

        proxy_pass http://xxxxxxxxxxxxx;

        proxy_cache cache_rytecepg;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;
        proxy_cache_valid 200 1h;
        proxy_cache_valid 404 1h;
        proxy_cache_revalidate on;
        proxy_cache_use_stale error timeout http_500 http_502 http_503;
        proxy_cache_key rytecepg$uri$is_args$args;
    }

    # default for all other files

    location / {

        # Zabbix monitoring
        if ($http_user_agent = "Zabbix") {
            return 200;
        }

        set $ret 0;

        # Python Twisted
        if ($http_user_agent = "Twisted Client") {
            set $ret 200;
        }
        if ($http_user_agent = "Twisted client") {
            set $ret 200;
        }

        if ($ret != 200) {
            return 403;
        }

        # limit concurrent connections
        limit_conn addr 4;
        limit_conn_status 429;

       # data should not be zipped
        gzip off;

        # and doesn't expire
        expires off;

        proxy_set_header Host xxxxxxxxxxxxx;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Accept-Encoding "";
        proxy_hide_header access-control-allow-origin;

        add_header Access-Control-Allow-Origin "*";
        add_header X-Cache $upstream_cache_status;

        proxy_hide_header X-Cache;
        proxy_ignore_headers Vary;
        proxy_ignore_headers Expires;
        proxy_ignore_headers Set-Cookie;
        proxy_ignore_headers Cache-Control;

        proxy_pass http://xxxxxxxxxxxxx;

        proxy_cache cache_rytecepg;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 5s;
        proxy_cache_valid 200 10m;
        proxy_cache_valid 404 1h;
        proxy_cache_revalidate on;
        proxy_cache_use_stale error timeout http_500 http_502 http_503;
        proxy_cache_key rytecepg$uri$is_args$args;
    }

}

 


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: @Wanwizard can you help with this? #3 Sicilian

  • Senior Member
  • 466 posts

0
Neutral

Posted 10 October 2024 - 13:05

Thanks for that, but I don't think that will be a solution with our server.

 

I'm wondering if there's anyway to block Android devices, something like this maybe using a htaccess file: .htaccess - Android/iOS htaccess detection and redirecting - Stack Overflow



Re: @Wanwizard can you help with this? #4 WanWizard

  • PLi® Core member
  • 70,542 posts

+1,812
Excellent

Posted 10 October 2024 - 13:37

This

        # Python Twisted
        if ($http_user_agent = "Twisted Client") {
            set $ret 200;
        }
        if ($http_user_agent = "Twisted client") {
            set $ret 200;
        }

        if ($ret != 200) {
            return 403;
        }

effectly blocks all clients not using Python twisted, this is basically a "block all except", instead of an "allow all except".

 

You can do the same in Apache, something like

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ! "Twisted Client" [NC]
RewriteCond %{HTTP_USER_AGENT} ! "Twisted client" [NC]
RewriteRule ^ - [F,L]

which will return a 403 for all requests with other user agents. (the C and c checks are because of different twisted versions).
 


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: @Wanwizard can you help with this? #5 WanWizard

  • PLi® Core member
  • 70,542 posts

+1,812
Excellent

Posted 10 October 2024 - 13:41

According to our provider, it blocks quite a lot.

 

This is from today on one of the CDN nodes:

[admin@cdn2 nginx]# grep -c " 200 " rytecepg-access.log
57540

[admin@cdn2 nginx]# grep -c " 403 " rytecepg-access.log
187788

[admin@cdn2 nginx]# grep -c " 404 " rytecepg-access.log
11307

which is about 75% blocked...


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: @Wanwizard can you help with this? #6 WanWizard

  • PLi® Core member
  • 70,542 posts

+1,812
Excellent

Posted 10 October 2024 - 13:44

BTW, it might be something we all should look into.

 

Instead of Willy having to update lots of different servers (with public FTP access, brrrrr), why not have one master server (like we use) which is updated by Willy but not publicly accessable, and have all other EPG nodes simply run an nginx caching proxy?


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: @Wanwizard can you help with this? #7 doglover

  • Rytec EPG Team
  • 17,393 posts

+658
Excellent

Posted 10 October 2024 - 15:31

A lot of the problems start with IPTV players which want EPG.

 

Some of these can be configured, to retrieve EPG each time you switch a channel.  Since each of our files contain a number of channels (some over 300 channels)  so each time you request one of these channels, the complete file is being downloaded.  Up to 300 times, if you start zapping.

 

Secondly, Kodi EPG plug-ins can all be setup to download EPG at regular intervals, like once each hour.  Which is overkill as the EPG is refreshed only once a day in the morning.

Teaching all Kodi adepts to only download the EPG once a day is likely to be impossible.

 

Rytec EPG has 69 XMLTV files.

Most user can do with selecting less than 20 files.  But there are always guys who will select the lot.

 

Why not set a limit how much files each IP-address can download in a day. Once the limit is reached, the IP-address will be blocked for the rest of the day.
f.i. a limit of 40 files per IP-address would be enough for each user.  There are 5 mirrors, so if one blocks them, they can download 40 files from each of the other mirrors.  (if all the mirrors have the same limitation)

 

I am no network specialist.  So I do not have any idea how to implement this.


~~Rytec Team~~
Maxytec Multibox SE OpenPli (used as mediaplayer)
Mutant HD2400 OpenPli
Vu+ Duo OpenPli (backup)

Synology NAS

Sat: 13E, 19.2E, 23.5E and 28.2E
*Pli/Rytec EPG POWERED*


Re: @Wanwizard can you help with this? #8 Sicilian

  • Senior Member
  • 466 posts

0
Neutral

Posted 10 October 2024 - 15:58

This

        # Python Twisted
        if ($http_user_agent = "Twisted Client") {
            set $ret 200;
        }
        if ($http_user_agent = "Twisted client") {
            set $ret 200;
        }

        if ($ret != 200) {
            return 403;
        }

effectly blocks all clients not using Python twisted, this is basically a "block all except", instead of an "allow all except".

 

You can do the same in Apache, something like

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ! "Twisted Client" [NC]
RewriteCond %{HTTP_USER_AGENT} ! "Twisted client" [NC]
RewriteRule ^ - [F,L]

which will return a 403 for all requests with other user agents. (the C and c checks are because of different twisted versions).
 

 

I'm testing out that htaccess now, thx. I'll report back.



Re: @Wanwizard can you help with this? #9 Sicilian

  • Senior Member
  • 466 posts

0
Neutral

Posted 10 October 2024 - 16:07

Actually looks like that htaccess blocks e2 boxes too:

 

login as: root
root@192.168.11.49's password:
--2024-10-10 16:03:56--  http://openvix.co.uk.../LastUpdate.txt
Resolving openvix.co.uk... 176.31.181.161
Connecting to openvix.co.uk|176.31.181.161|:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
2024-10-10 16:03:56 ERROR 500: Internal Server Error.
 
--2024-10-10 16:05:03--  http://openvix.co.uk...channels.xml.xz
Resolving openvix.co.uk... 176.31.181.161
Connecting to openvix.co.uk|176.31.181.161|:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
2024-10-10 16:05:03 ERROR 500: Internal Server Error.


Re: @Wanwizard can you help with this? #10 OpenSourcerer

  • Senior Member
  • 35 posts

+1
Neutral

Posted 10 October 2024 - 16:18

Because you haven't allowed wget. It will work if you use epgimport which uses python Twisted Client.



Re: @Wanwizard can you help with this? #11 Sicilian

  • Senior Member
  • 466 posts

0
Neutral

Posted 10 October 2024 - 16:44

Ok, thanks, I'll give it a try.



Re: @Wanwizard can you help with this? #12 WanWizard

  • PLi® Core member
  • 70,542 posts

+1,812
Excellent

Posted 10 October 2024 - 17:34

Because you haven't allowed wget. It will work if you use epgimport which uses python Twisted Client.

 

Exactly, that was the point of this excersise! ;)


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: @Wanwizard can you help with this? #13 WanWizard

  • PLi® Core member
  • 70,542 posts

+1,812
Excellent

Posted 10 October 2024 - 17:39

Why not set a limit how much files each IP-address can download in a day. Once the limit is reached, the IP-address will be blocked for the rest of the day.
f.i. a limit of 40 files per IP-address would be enough for each user.  There are 5 mirrors, so if one blocks them, they can download 40 files from each of the other mirrors.  (if all the mirrors have the same limitation)

 

I am no network specialist.  So I do not have any idea how to implement this.

 

That is very complex, requires a lot of IP tracking, and it still means you serve data (which uses bandwidth) to clients you don't want to send a single byte to.

 

Also, if I have one Enigma box and three Android stream boxes in my home network, all 4 will connect with the same public IP, so the android boxes will quickly use up my allowance, and Enigma can't download anymore because my IP is blocked for the rest of the day.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: @Wanwizard can you help with this? #14 Sicilian

  • Senior Member
  • 466 posts

0
Neutral

Posted 10 October 2024 - 17:53

Anyway to manually run Epgimporter via telnet and force it to my server to test if it will still download?



Re: @Wanwizard can you help with this? #15 WanWizard

  • PLi® Core member
  • 70,542 posts

+1,812
Excellent

Posted 10 October 2024 - 18:18

Don't think so.

 

You can force it to go to your server by editing /etc/enigma2/epgimport/rytec.sources.xml and remove all the other servers, or add those hostnames to /etc/hosts with a 127.0.0.1 IP, so the download would fail for them.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: @Wanwizard can you help with this? #16 Sicilian

  • Senior Member
  • 466 posts

0
Neutral

Posted 10 October 2024 - 18:41

This seems to also, thx to Ev0:

 

Un-hash the wget lines to test and allow wget.

#SetEnvIfNoCase User-Agent .*wget.* systems 
#SetEnvIfNoCase User-Agent .*Wget.* systems
SetEnvIfNoCase User-Agent .*Twisted Client.* systems 
SetEnvIfNoCase User-Agent .*Twisted client.* systems  
Order Deny,Allow 
Deny from All 
Allow from env=systems


Re: @Wanwizard can you help with this? #17 Sicilian

  • Senior Member
  • 466 posts

0
Neutral

Posted 10 October 2024 - 18:43

Don't think so.

 

You can force it to go to your server by editing /etc/enigma2/epgimport/rytec.sources.xml and remove all the other servers, or add those hostnames to /etc/hosts with a 127.0.0.1 IP, so the download would fail for them.

Thanks, I'll try that tomorrow. I run it on a box and log it in Telnet.



Re: @Wanwizard can you help with this? #18 WanWizard

  • PLi® Core member
  • 70,542 posts

+1,812
Excellent

Posted 10 October 2024 - 18:47

This seems to also, thx to Ev0

 

Yup, that works too. Note that the "Order / Deny / Allow" syntax depends on your Apache version.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Ultimate (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: @Wanwizard can you help with this? #19 Sicilian

  • Senior Member
  • 466 posts

0
Neutral

Posted 11 October 2024 - 06:17

Well sadly this didn't help, completely killed the server. So I've got no choice but to take it offline for now until a solution can be found.



Re: @Wanwizard can you help with this? #20 littlesat

  • PLi® Core member
  • 57,181 posts

+698
Excellent

Posted 11 October 2024 - 10:01

With the option '--user-agent=' you can still work-a-round it when using wget....


WaveFrontier 28.2E | 23.5E | 19.2E | 16E | 13E | 10/9E | 7E | 5E | 1W | 4/5W | 15W



1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users