D1re_W0lf those rules do not seem to help; I have enabled them as well.
yasas we have been seeing the same behaviour starting perhaps a week ago. The bursts seem to happen for maybe half a day and then disappear.
Since we wanted the site to start working quickly, we opted for an allow-list approach. We turned on "I'm under attack" mode, which has some unfortunate side effects (namely, causing federation to stop).
These are our rules:
(any(http.request.headers["accept"][*] eq "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"")) or (any(http.request.headers["accept"][*] eq "application/activity+json")) or (http.request.method eq "POST" and starts_with(http.request.uri.path, "/inbox")) or (starts_with(http.request.uri.path, "/assets")) or (starts_with(http.request.uri.path, "/.well-known"))
This allows (respectively):
ActivityPub fetches
Same
ActivityPub publishes to the NodeBB inbox
Static assets
Certbot and webfinger (also for AP)
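Below is an added example (not the poster's rule set and not Cloudflare code) that re-implements the five clauses of the quoted expression in Python, so the allow-list can be checked offline against constructed requests before it goes live. It assumes that `http.request.headers["accept"][*]` yields one string per Accept header line and that `eq` is an exact string comparison; the request samples, the `Request` class and the clause names are constructed for illustration.

```python
"""Offline emulation of the Cloudflare allow-list expression quoted above.

Added example, not the poster's or Cloudflare's code. Each branch mirrors one
clause of the rule so the allow-list can be exercised against constructed
requests; nothing here talks to Cloudflare.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Exact header values the rule compares against (copied from the expression).
ACTIVITYSTREAMS_LD = 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"'
ACTIVITY_JSON = "application/activity+json"


@dataclass
class Request:
    """Minimal stand-in for the request fields the rule inspects (assumed shape)."""
    method: str
    path: str
    # Assumption: one list entry per Accept header line, kept as a whole string,
    # which is how the rule's "[*]" array access is treated here.
    accept: List[str] = field(default_factory=list)


def matches_allow_list(req: Request) -> Optional[str]:
    """Return the name of the first clause that admits the request, or None.

    Clause order follows the expression; the "or" chain means any single
    match is enough to let the request bypass the challenge.
    """
    # any(... eq "...") is an exact comparison of each header line, not a
    # substring test and not a parse of the media types inside the line.
    if any(line == ACTIVITYSTREAMS_LD for line in req.accept):
        return "activitypub-fetch-ld"
    if any(line == ACTIVITY_JSON for line in req.accept):
        return "activitypub-fetch-json"
    # POST to the NodeBB inbox path.
    if req.method == "POST" and req.path.startswith("/inbox"):
        return "activitypub-inbox"
    # Static assets.
    if req.path.startswith("/assets"):
        return "static-assets"
    # Certbot and webfinger.
    if req.path.startswith("/.well-known"):
        return "well-known"
    return None


# Constructed sample requests, not captured traffic.
SAMPLES: Dict[str, Request] = {
    "fetch_json": Request("GET", "/user/alice", [ACTIVITY_JSON]),
    "fetch_ld": Request("GET", "/user/alice", [ACTIVITYSTREAMS_LD]),
    # Both media types on one Accept line: equal to neither constant.
    "fetch_combined": Request("GET", "/user/alice", [ACTIVITY_JSON + ", " + ACTIVITYSTREAMS_LD]),
    "inbox_post": Request("POST", "/inbox", ["*/*"]),
    "inbox_get": Request("GET", "/inbox", ["text/html"]),
    "asset": Request("GET", "/assets/client.js", ["*/*"]),
    "webfinger": Request("GET", "/.well-known/webfinger", ["application/jrd+json"]),
    "browser_home": Request("GET", "/", ["text/html"]),
}


def check_samples() -> Dict[str, Optional[str]]:
    """Evaluate every sample and report which clause (if any) admits it."""
    return {name: matches_allow_list(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, clause in check_samples().items():
        print(f"{name:15s} -> {clause or 'challenged'}")
```

Running it shows the consequence of `eq` being an exact match: a peer that lists both media types on a single Accept line falls through every clause and is still challenged, while the same peer sending either value on its own line passes. That is worth testing against the Accept headers your actual federation partners send before relying on the allow-list to keep federation alive.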