Merge branch 'main' into json/fix-pow-deref

Signed-off-by: Jason Cameron <git@jasoncameron.dev>

.github/actions/spelling/allow.txt

@@ -31,6 +31,3 @@ Stargate
 FFXIV
 uvensys
 de
-resourced
-envoyproxy
-unipromos

data/crawlers/_allow-good.yaml

@@ -8,5 +8,4 @@
 - import: (data)/crawlers/marginalia.yaml
 - import: (data)/crawlers/mojeekbot.yaml
 - import: (data)/crawlers/commoncrawl.yaml
-- import: (data)/crawlers/wikimedia-citoid.yaml
 - import: (data)/crawlers/yandexbot.yaml

data/crawlers/wikimedia-citoid.yaml

@@ -1,18 +0,0 @@
-# Wikimedia Foundation citation services
-# https://www.mediawiki.org/wiki/Citoid
-
-- name: wikimedia-citoid
-  user_agent_regex: "Citoid/WMF"
-  action: ALLOW
-  remote_addresses: [
-    "208.80.152.0/22",
-    "2620:0:860::/46",
-  ]
-
-- name: wikimedia-zotero-translation-server
-  user_agent_regex: "ZoteroTranslationServer/WMF"
-  action: ALLOW
-  remote_addresses: [
-    "208.80.152.0/22",
-    "2620:0:860::/46",
-  ]

docs/docs/admin/environments/haproxy.mdx

@@ -48,8 +48,6 @@ This simply enables SSL offloading, sets some useful and required headers and ro
 
 Due to the fact that HAProxy can decode JWT, we are able to verify the Anubis token directly in HAProxy and route the traffic to the specific backends ourselves.
 
-Mind that rule logic to allow Git HTTP and other legit bot traffic to bypass is delegated from Anubis to HAProxy then. If required, you should implement any whitelisting in HAProxy using `acl_anubis_ignore` yourself.
-
 In this example are three applications behind one HAProxy frontend. Only App1 and App2 are secured via Anubis; App3 is open for everyone. The path `/excluded/path` can also be accessed by anyone.
 
 ```mermaid

docs/docs/admin/environments/kubernetes.mdx

@@ -130,52 +130,3 @@ Then point your Ingress to the Anubis port:
               # diff-add
               name: anubis
 ```
-
-## Envoy Gateway
-
-If you are using envoy-gateway, the `X-Real-Ip` header is not set by default, but Anubis does require it. You can resolve this by adding the header, either on the specific `HTTPRoute` where Anubis is listening, or on the `ClientTrafficPolicy` to apply it to any number of Gateways:
-
-HTTPRoute:
-```yaml
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: app-route
-spec:
-  hostnames: ["app.domain.tld"]
-  parentRefs:
-    - name: envoy-external
-      namespace: network
-      sectionName: https
-  rules:
-    - backendRefs:
-        - identifier: *app
-          port: anubis
-      filters:
-        - type: RequestHeaderModifier
-          requestHeaderModifier:
-            set:
-              - name: X-Real-Ip
-                value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
-```
-
-Applying to any number of Gateways:
-```yaml
-apiVersion: gateway.envoyproxy.io/v1alpha1
-kind: ClientTrafficPolicy
-metadata:
-  name: envoy
-spec:
-  headers:
-    earlyRequestHeaders:
-      set:
-        - name: X-Real-Ip
-          value: "%DOWNSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%"
-  clientIPDetection:
-    xForwardedFor:
-      trustedCIDRs:
-        - 10.96.0.0/16 # Cluster pod CIDR
-  targetSelectors: # These will apply to all Gateways
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-```

docs/docs/user/frequently-asked-questions.mdx

@@ -22,13 +22,3 @@ If you use a browser extension such as [JShelter](https://jshelter.org/), you wi
 ## Does Anubis mine Bitcoin?
 
 No. Anubis does not mine Bitcoin or any other cryptocurrency.
-
-## I disabled Just-in-time compilation in my browser. Why is Anubis slow?
-
-Anubis proof-of-work checks run an open source JavaScript program in your browser. These checks do a lot of complicated math and aim to be done quickly, so the execution speed depends on [Just-in-time (JIT) compilation](https://en.wikipedia.org/wiki/Just-in-time_compilation). JIT compiles JavaScript from the Internet into native machine code at runtime. The code produced by the JIT engine is almost as good as if it was written in a native programming language and compiled for your computer in particular. Without JIT, all JavaScript programs on every website you visit run through a slow interpreter.
-
-This interpreter is much slower than native code because it has to translate each low level JavaScript operation into many dozens of calls to execute. This means that using the interpreter incurs a massive performance hit by its very nature; it takes longer to add numbers than if the CPU just added the numbers directly.
-
-Some users choose to disable JIT as a hardening measure against theoretical browser exploits. This is a reasonable choice if you face targeted attacks from well-resourced adversaries (such as nation-state actors), but it comes with real performance costs.
-
-If you've disabled JIT and find Anubis checks slow, re-enabling JIT is the fix. There is no way for Anubis to work around this on our end.