viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

anubis: per-site PoW reverse proxy on blog + kms + travel-blog

Browse source 
Adds modules/kubernetes/anubis_instance/ — a per-site reverse proxy
instance pinned to ghcr.io/techarohq/anubis:v1.25.0. Each instance
issues a 30-day JWT cookie scoped to viktorbarzin.me after a tiny
proof-of-work (difficulty 2 ≈ 250 ms desktop / 700 ms mobile). The
shared ed25519 signing key (Vault: secret/viktor → anubis_ed25519_key)
makes a single solve good across every Anubis-fronted subdomain.

Wired into blog (viktorbarzin.me + www), kms.viktorbarzin.me, and
travel.viktorbarzin.me — each with anti_ai_scraping=false on the
ingress so the redundant ai-bot-block forwardAuth is dropped from the
chain. Skipped forgejo (Git/API clients can't solve PoW) and resume
(replicas=0).

Also tightens bot-block-proxy nginx timeouts (3s/5s → 100ms/200ms) so
any ingress still using the ai-bot-block forwardAuth pays at most
~150 ms when poison-fountain is scaled down, instead of 3 s.

End-to-end TTFB on viktorbarzin.me dropped from ~3.2 s to ~150-200 ms.

Docs: .claude/reference/patterns.md "Anti-AI Scraping" updated to
4 layers; .claude/CLAUDE.md adds the Anubis usage paragraph and
Forgejo/API caveat.
This commit is contained in:
Viktor Barzin 2026-05-10 00:04:37 +00:00
parent 27675cb8f1
commit f48da84770
7 changed files with 418 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

10
stacks/traefik/modules/traefik/main.tf
View file

@ -314,9 +314,13 @@ resource "kubernetes_config_map" "bot_block_proxy_config" {
ngx.req.clear_header("If-Unmodified-Since")
}
proxy_pass http://poison_fountain;
proxy_connect_timeout 3s;
proxy_read_timeout 5s;
proxy_send_timeout 5s;
# Tight timeouts: poison-fountain may be scaled to 0 (graveyard
# endpoints) failing open in <200ms keeps the 68-ingress chain
# responsive instead of paying 3s per request. Healthy upstream
# responds in <50ms anyway.
proxy_connect_timeout 100ms;
proxy_read_timeout 200ms;
proxy_send_timeout 200ms;
proxy_intercept_errors on;
error_page 502 503 504 =200 /fallback-allow;
proxy_set_header Host $host;