Cavemanon/Nginx-Lua-Anti-DDoS
8
Fork 0
mirror of https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS.git synced 2023-12-14 04:31:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update anti_ddos_challenge.lua

Browse Source 
Add cors headers and include XMLHTTPREQUEST with credentials tag and remove domain tag from set-cookie to fix issue with Google Chrome. Still broken in Microsoft Edge !?
This commit is contained in:
C0nw0nk
2019-08-28 01:17:53 +01:00
committed by GitHub
parent f2133a8307
commit 447534b611
1 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
lua/anti_ddos_challenge.lua
View File

@ -418,12 +418,16 @@ local function grant_access()
if req_headers["x-requested-with"] == "XMLHttpRequest" then --if request header matches request type of XMLHttpRequest
--ngx.log(ngx.ERR, "x-auth-answer result | "..req_headers[x_auth_header_name]) --output x-auth-answer to log
if req_headers[x_auth_header_name] == JavascriptPuzzleVars_answer then --if the answer header provided by the browser Javascript matches what our Javascript puzzle answer should be
set_cookie1 = challenge.."="..cookie_value.."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --apply our uid cookie incase javascript setting this cookies time stamp correctly has issues
set_cookie2 = cookie_name_start_date.."="..ngx.cookie_time(currenttime).."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --start date cookie
set_cookie3 = cookie_name_end_date.."="..ngx.cookie_time(currenttime+expire_time).."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --end date cookie
set_cookie4 = cookie_name_encrypted_start_and_end_date.."="..calculate_signature(remote_addr .. ngx.cookie_time(currenttime) .. ngx.cookie_time(currenttime+expire_time) ).."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --start and end date combined to unique id
set_cookie1 = challenge.."="..cookie_value.."; path=/; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --apply our uid cookie incase javascript setting this cookies time stamp correctly has issues
set_cookie2 = cookie_name_start_date.."="..ngx.cookie_time(currenttime).."; path=/; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --start date cookie
set_cookie3 = cookie_name_end_date.."="..ngx.cookie_time(currenttime+expire_time).."; path=/; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --end date cookie
set_cookie4 = cookie_name_encrypted_start_and_end_date.."="..calculate_signature(remote_addr .. ngx.cookie_time(currenttime) .. ngx.cookie_time(currenttime+expire_time) ).."; path=/; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --start and end date combined to unique id
ngx.header["Set-Cookie"] = {set_cookie1 , set_cookie2 , set_cookie3 , set_cookie4}
ngx.header["Access-Control-Allow-Origin"] = "*"
ngx.header["Access-Control-Allow-Credentials"] = "true"
ngx.header["Access-Control-Allow-Methods"] = "GET, POST, PUT, HEAD"
ngx.header["Access-Control-Allow-Headers"] = "Content-Type"
end
end
@ -503,6 +507,7 @@ xhttp.setRequestHeader(']] .. x_auth_header_name .. [[', ]] .. JavascriptPuzzleV
xhttp.setRequestHeader('X-Requested-TimeStamp-Combination', '');
xhttp.setRequestHeader('X-Requested-Type', 'GET');
xhttp.setRequestHeader('X-Requested-Type-Combination', 'GET'); //Encrypted for todays date
xhttp.withCredentials = true;
]]
local JavascriptPuzzleVariable = [[
@ -527,7 +532,7 @@ local javascript_anti_ddos = [[
var time = now.getTime();
time += 300 * 1000;
now.setTime(time);
document.cookie = ']] .. challenge .. [[=]] .. answer .. [[' + '; expires=' + ']] .. ngx.cookie_time(currenttime+expire_time) .. [[' + '; domain=.]] .. domain .. [[; path=/';
document.cookie = ']] .. challenge .. [[=]] .. answer .. [[' + '; expires=' + ']] .. ngx.cookie_time(currenttime+expire_time) .. [[' + '; path=/';
//javascript puzzle for browser to figure out to get answer
]] .. JavascriptVars_opening .. [[
]] .. JavascriptPuzzleVariable .. [[
@ -684,6 +689,10 @@ local anti_ddos_html_output = [[
--Output Anti-DDoS Authentication Page
--set_cookie1 = challenge.."="..answer.."; path=/; domain=." .. domain .. "; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --apply our uid cookie in header here incase browsers javascript can't set cookies due to permissions.
--ngx.header["Set-Cookie"] = {set_cookie1}
ngx.header["Access-Control-Allow-Origin"] = "*"
ngx.header["Access-Control-Allow-Credentials"] = "true"
ngx.header["Access-Control-Allow-Methods"] = "GET, POST, PUT, HEAD"
ngx.header["Access-Control-Allow-Headers"] = "Content-Type"
ngx.header["X-Content-Type-Options"] = "nosniff"
ngx.header["X-Frame-Options"] = "SAMEORIGIN"
ngx.header["X-XSS-Protection"] = "1; mode=block"