From 28408f25057f11c8f5129f321020fe46db60155c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Fri, 21 Nov 2025 00:29:07 +0100
Subject: [PATCH] hydra-proxy: WIP block some http user agent(s)
---
 build/hydra-proxy.nix | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/build/hydra-proxy.nix b/build/hydra-proxy.nix
index bf49c96b..b3ad6503 100644
--- a/build/hydra-proxy.nix
+++ b/build/hydra-proxy.nix
@@ -1,9 +1,15 @@
 {
 config,
+ lib,
 pkgs,
 ...
 }:
+let
+ bannedUserAgentPatterns = [
+ "Chrome/129.0.0.0"
+ ];
+in
 {
 networking.firewall.allowedTCPPorts = [
 80
@@ -43,6 +49,13 @@
 '';
 appendHttpConfig = ''
+ map $http_user_agent $badagent {
+ default 0;
+ ${lib.concatMapStringsSep "\n" (pattern: ''
+ ~${pattern} 1;
+ '') bannedUserAgentPatterns}
+ }
+
 map $http_x_from $upstream {
 default "anubis";
 nix.dev-Uogho3gi "hydra-server";
@@ -89,6 +102,11 @@
 locations."/" = {
 proxyPass = "http://$upstream";
 extraConfig = ''
+ if ($badagent) {
+ access_log /var/log/nginx/abuse.log;
+ return 403;
+ }
+
 limit_req zone=hydra-server burst=7;
 '';
 };
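Review bot: The single entry in `bannedUserAgentPatterns` is later emitted as an nginx regex, so its unescaped dots match any character and the pattern is unanchored. If a literal match is intended, write it as `"Chrome/129\\.0\\.0\\.0"`. Because Chrome's User-Agent reduction freezes the minor version fields, ordinary Chrome 129 browsers most likely send this same token and would be refused too. The list also needs a comment saying why each entry is banned and that entries are regexes, for example `# nginx regex, matched against User-Agent; <reason / abuse reference>`. User-Agent is client-chosen, so this works as an abuse filter and not as an access control.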
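Review bot: The generated map line `~${pattern} 1;` leaves the pattern unquoted, so any future entry containing a space, `;`, `{` or `}` will be split into extra tokens or break the generated nginx config. User-Agent patterns very often contain spaces and parentheses, so the line should be emitted quoted, as `"~${pattern}" 1;`. A literal `"` or `$` inside a pattern would still need escaping, which is worth stating in a comment next to the list. Matching with `~` is case-sensitive; use `~*` if case-insensitive blocking is wanted.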
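Review bot: The `if ($badagent)` block sits only in `locations."/"`, whose enclosing virtual host starts and ends outside the hunk, so any other location in that host would not apply the ban; this is worth confirming. The `access_log /var/log/nginx/abuse.log;` line inside the `if` replaces the inherited access log for these requests, so rejected hits will no longer appear in the main log that existing monitoring may read. A comment such as `# banned agents are logged only to abuse.log, not the main access log` would make that explicit. The `return 403` runs in the rewrite phase ahead of `limit_req`, so blocked clients are not rate limited and each rejected request still writes one log line, which makes rotation and disk usage of abuse.log worth checking.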