From 1596b5c1776ab6c7ad1cc742012ed9487a1d02d4 Mon Sep 17 00:00:00 2001
From: C0nw0nk
Date: Sun, 25 Aug 2019 22:47:17 +0100
Subject: [PATCH] Update anti_ddos_challenge.lua
Add new security feature to make the header we sent our Javascript answer from the browser over unpredictable and dynamic to increase our security from content scrappers bots leechers etc.
---
 lua/anti_ddos_challenge.lua | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/lua/anti_ddos_challenge.lua b/lua/anti_ddos_challenge.lua
index 315ee6e..901a0ea 100644
--- a/lua/anti_ddos_challenge.lua
+++ b/lua/anti_ddos_challenge.lua
@@ -145,6 +145,14 @@ local JavascriptPuzzleVars_answer = math.floor(JavascriptPuzzleVars_answer+0.5)
 local JavascriptPuzzleVars_answer = tostring(JavascriptPuzzleVars_answer) --convert the numeric output to a string
 --ngx.log(ngx.ERR, "expected answer"..JavascriptPuzzleVars_answer) --output the answer to the log
+--[[
+X-Auth-Header to be static or Dynamic setting this as dynamic is the best form of security
+1 = Static
+2 = Dynamic
+]]
+local x_auth_header = 2 --Default 2
+local x_auth_header_name = "x-auth-answer" --the header our server will expect the client to send us with the javascript answer this will change if you set the config as dynamic
+
 --[[
 Cookie Anti-DDos names
 ]]
@@ -223,6 +231,10 @@ end
 local answer = calculate_signature(remote_addr) --create our encrypted unique identification for the user visiting the website.
+if x_auth_header == 2 then --GET request
+ x_auth_header_name = calculate_signature(os.date("%Y%m%d",os.time()-24*60*60)):gsub("_","") --make the header todays date encrypted so every 24 hours this will change and can't be guessed by bots gsub because header bug with underscores so underscore needs to be removed
+end
+
 --[[
 Grant access function to either grant or deny user access to our website
 ]]
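Review bot: The comment on the new config block overstates what the dynamic mode buys: the chosen header name is written into the JavaScript served to every client (the `xhttp.setRequestHeader(']] .. x_auth_header_name ..` line later in this patch), so any client that fetches the challenge page learns it, and the daily rotation only raises the cost for scrapers that hard-code the header, not for ones that parse the page. I would reword the block to state that honestly, e.g. `X-Auth-Header name: 1 = static "x-auth-answer", 2 = derived from the date via calculate_signature and rotated daily (hides the name from clients that do not parse the served JS; it is not a secret)`. The surrounding code that consumes these two settings is outside this hunk.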
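Review bot: In the `@@ -223,6 +231,10 @@` hunk the name is derived from `os.time()-24*60*60`, i.e. yesterday's date, while the comment says "todays date"; one of them is wrong, and it matters because at the day rollover the name changes with no overlap, so a client that loaded the challenge page just before the rollover and posts its answer just after is rejected by the `req_headers[x_auth_header_name]` check in the next hunk. Consider keeping the name for the adjacent day as well (e.g. a `x_auth_header_name_prev` computed the same way) and accepting either in grant_access. The `--GET request` comment does not describe the branch, which tests the config setting rather than the request method; `--dynamic header name` would be accurate. Whether calculate_signature's output contains only characters valid in an HTTP header name is not visible here and should be confirmed, since an invalid name would make the browser's setRequestHeader throw before any answer is sent; the `gsub("_","")` only covers underscores, which nginx drops by default.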
@@ -249,8 +261,8 @@ local function grant_access()
 --if x-auth-answer is correct to the user unique id time stamps etc meaning browser figured it out then set a new cookie that grants access without needed these checks
 local req_headers = ngx.req.get_headers() --get all request headers
 if req_headers["x-requested-with"] == "XMLHttpRequest" then --if request header matches request type of XMLHttpRequest
- --ngx.log(ngx.ERR, "x-auth-answer result | "..req_headers["x-auth-answer"]) --output x-auth-answer to log
- if req_headers["x-auth-answer"] == JavascriptPuzzleVars_answer then --if the answer header provided by the browser Javascript matches what our Javascript puzzle answer should be
+ --ngx.log(ngx.ERR, "x-auth-answer result | "..req_headers[x_auth_header_name]) --output x-auth-answer to log
+ if req_headers[x_auth_header_name] == JavascriptPuzzleVars_answer then --if the answer header provided by the browser Javascript matches what our Javascript puzzle answer should be
 ngx.header["Set-Cookie"] = { --set our cookies granting the user temporary access to the website
 challenge.."="..cookie_value.."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";", --apply our uid cookie incase javascript setting this cookies time stamp correctly has issues
 cookie_name_start_date.."="..ngx.cookie_time(currenttime).."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";", --start date cookie
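Review bot: The debug line this hunk rewrites, `--ngx.log(ngx.ERR, "x-auth-answer result | "..req_headers[x_auth_header_name])`, would raise "attempt to concatenate a nil value" the moment it is uncommented for a request that omits the header, because `..` does not accept nil; writing it as `..tostring(req_headers[x_auth_header_name])` keeps it safe to enable. Note also that ngx.req.get_headers() yields a table rather than a string when a client sends the same header more than once, so the equality check on the following line then fails closed, which is the desired outcome but deserves a one-line comment. grant_access begins and ends outside this hunk.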
@@ -329,7 +341,7 @@ end
 local JavascriptPuzzleVariable_name = "_" .. stringrandom(10)
 local javascript_REQUEST_headers = [[
-xhttp.setRequestHeader('X-Auth-Answer', ]] .. JavascriptPuzzleVariable_name .. [[); //make the answer what ever the browser figures it out to be
+xhttp.setRequestHeader(']] .. x_auth_header_name .. [[', ]] .. JavascriptPuzzleVariable_name .. [[); //make the answer what ever the browser figures it out to be
 xhttp.setRequestHeader('X-Requested-with', 'XMLHttpRequest');
 ]]