loadk.com LuaRocks mirror abuse


Pierre Chapuis

Sep 19, 2025, 11:05:29 AM
to lu...@googlegroups.com
I don't know if the people who should read this are here but I had to ban a few IP addresses from the LuaRocks mirror at loadk.com because of what I think is misconfiguration on their end. They started downloading the manifest in a loop about 2 weeks ago, consuming terabytes of bandwidth.

If this is you, get in touch and I will unban you if you fix it.

Best.

--
Pierre Chapuis

Martin Eden

Sep 19, 2025, 11:50:19 AM
to lu...@googlegroups.com
Bro is declaring "main use cases are bootstrapping test environments",
proposes to run "curl https://loadk.com/localua.sh -O" and then
complains about bandwidth usage.

-- Martin

Sainan

Sep 19, 2025, 11:54:46 AM
to lu...@googlegroups.com
I may have misread this. I thought loadk.com is the ones doing the abuse. Complaining about many requests to such a service is just weird.

Put Cloudflare in front of it if it's mostly static content and just let them swallow it.

Otherwise you have my condolences for setting up a public web service in the big 25. You will get a lot of unsolicited traffic, I'm afraid.

-- Sainan

Pierre Chapuis

Sep 19, 2025, 12:05:31 PM
to lu...@googlegroups.com
> Bro is declaring "main use cases are bootstrapping test environments",
> proposes to run "curl https://loadk.com/localua.sh -O" and then
> complains about bandwidth usage.

This is completely unrelated. Using the localua script does not use the loadk.com luarocks mirror, and running that command will not download the manifest.

It is very likely that those people are not using localua (*). There are few users of localua but many users of the mirror, which is one of the three default rock servers in LuaRocks... [1]

[1] https://github.com/luarocks/luarocks/blob/99c57c8b2464550d6659cce43f84db83b17c4c15/src/luarocks/core/cfg.lua#L203-L209

(*) Actually it is not just very likely, it is sure that they do not use that command because they're running an outdated version of LuaRocks...

--
Pierre Chapuis

Pierre Chapuis

Sep 19, 2025, 12:14:10 PM
to lu...@googlegroups.com
> Put Cloudflare in front of it if it's mostly static content and just
> let them swallow it.
>
> Otherwise you have my condolences for setting up a public web service
> in the big 25. You will get a lot of unsolicited traffic, I'm afraid.

I know how to deal with traffic and yeah I'd put CloudFlare or another CDN in front of the mirror if it was necessary. But here I'm talking about one or maybe two people who misuse an old version of LuaRocks (3.11.1) and are downloading the exact same file millions of times per day on a handful of machines.

--
Pierre Chapuis
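
As an added example (not part of the thread or any poster's code): a Python sketch of how a mirror operator could spot the pattern described in the message above, a client fetching the same file over and over, from an access log. The combined log format, the manifest path, the User-Agent strings, the addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "ref" "ua"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

def find_loopers(lines, min_repeats=3, min_share=0.9):
    """Return clients that GET one path at least min_repeats times and for
    which that path makes up at least min_share of all their requests."""
    # ip -> path -> [request count, bytes sent]
    hits = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    agents = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "GET":
            continue  # skip unparseable lines and non-download requests
        entry = hits[m["ip"]][m["path"]]
        entry[0] += 1
        entry[1] += 0 if m["bytes"] == "-" else int(m["bytes"])
        agents[m["ip"]] = m["ua"]
    report = []
    for ip, paths in hits.items():
        total = sum(count for count, _ in paths.values())
        path, (count, nbytes) = max(paths.items(), key=lambda kv: kv[1][0])
        if count >= min_repeats and count / total >= min_share:
            report.append({"ip": ip, "path": path, "count": count,
                           "bytes": nbytes, "user_agent": agents[ip]})
    # Heaviest bandwidth consumers first
    return sorted(report, key=lambda r: r["bytes"], reverse=True)

# Constructed sample: documentation-range IPs, made-up paths, sizes and agents.
_FMT = ('{ip} - - [19/Sep/2025:10:00:{s:02d} +0000] '
        '"GET {path} HTTP/1.1" 200 {size} "-" "{ua}"')
SAMPLE = [
    _FMT.format(ip="192.0.2.10", s=s, path="/manifest-5.1.zip", size=500000,
                ua="LuaRocks/3.11.1 linux-x86_64 via curl")
    for s in range(4)  # same file, four times in a row
] + [
    _FMT.format(ip="198.51.100.7", s=10, path="/manifest-5.1.zip",
                size=500000, ua="ExampleClient/1.0"),
    _FMT.format(ip="198.51.100.7", s=11, path="/example-1.0-1.src.rock",
                size=12000, ua="ExampleClient/1.0"),
]

if __name__ == "__main__":
    for row in find_loopers(SAMPLE):
        print(row)
```

On a real log the thresholds would be far higher and evaluated per time window; the share test keeps a busy but well-behaved client, which fetches the manifest once and then many different rocks, out of the report.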

Sainan

Sep 19, 2025, 12:33:21 PM
to lu...@googlegroups.com
Yes, I get it, it's easier to pick the path of least resistance and just say that 'they are using it wrong' instead of 'my systems should be able to handle millions of requests per day to the same static content'.

-- Sainan

Remy Blank

Sep 19, 2025, 3:57:38 PM
to lu...@googlegroups.com
'Sainan' via lua-l wrote on 19.09.2025 18:33:
> Yes, I get it, it's easier to pick the path of least resistance and just say that 'they are using it wrong' instead of 'my systems should be able to handle millions of requests per day to the same static content'.

This was uncalled for. Please stop.

It's reasonable to expect some basic civility from one's clients. It's also reasonable to ban
abusive clients. Trying to get in touch with them to fix the issue is going above and beyond.

-- Remy

Sainan

Sep 19, 2025, 4:20:09 PM
to lu...@googlegroups.com
That really was the most polite way for me to put it.

I think in 2025, at least static data services really ought to be able to handle millions of requests in a given hour (worst case scenario when you're being hugged to death).

For dynamic data services, I do understand that IP banning is reasonable, but trust me, the abusers of public services have A LOT of ranges, so this is just not an ideal approach.

-- Sainan

Sean Conner

Sep 19, 2025, 5:23:22 PM
to 'Sainan' via lua-l
It was thus said that the Great 'Sainan' via lua-l once stated:
> That really was the most polite way for me to put it.

No it wasn't.

> I think in 2025, at least static data services really ought to be able to
> handle millions of requests in a given hour (worst case scenario when
> you're being hugged to death).

That's 300 requests per second. Do you not run a web server? It seems to
me that you do not. I do. And when you have bots that identify themselves
as, and I am not making this up:

Mozilla/5.0 (compatible; Thinkbot/0.5.8; +In_the_test_phase,_if_the_Thinkbot_brings_you_trouble,_please_block_its_IP_address._Thank_you.)

and it comes from 500,000 different IP addresses, then yes, I'm banning it
regardless if I can handle 300 requests per second, or 3,000,000 requests
per second, even if my site has nothing but static files.

> For dynamic data services, I do understand that IP banning is reasonable,
> but trust me, the abusers of public services have A LOT of ranges, so this
> is just not an ideal approach.

So what is an ideal approach, oh ye of web hosting? robots.txt?
Cloudflare, which is fast becoming a single point of failure for the web?
Something else entirely?

-spc

Luiz Henrique de Figueiredo

Sep 19, 2025, 6:46:23 PM
to lu...@googlegroups.com
This discussion is off topic here.
Let's go back to discussing Lua.
Thanks.
--lhf