WAF Features added :
Added ability to inspect URL for malicious content SQL/SQI Injections XSS attacks / exploits.
Added ability to inspect query strings and arguements for malicious content / exploits.
Added ability to inspect all Request Headers provided by the client connecting.
Added ability to inspect cookies for exploits.
Marked of the TODO list : https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/issues/29
Added Feature to pass IP to backend in existing headers like Cloudflare and Such CDN's do https://support.cloudflare.com/hc/en-us/articles/206776727-What-is-True-Client-IP-
Added Feature to modify headers on site URL's Paths Query Strings etc the reason for this is to strip out unwanted header values that could expose the software the server runs like the "Server" header and to add in custom headers to responses like to get clients to Cache files to save server / site bandwidth and resources.
Added to configuration of file formats that should never have Query strings on the end of the URL this will strip query strings from static files like .jpg .gif .css .js .ico etc by default since all websites never serve these static files with query strings. This will result in a higher Cache HIT Ratio and a performance gains.
Added fix to stop Cloudflare from cache busting peoples websites with their captcha and javascript pages that add a pointless query string onto the end of sites urls this will remove their silly query string protecting your backends web applications and keeping your caches clean from junk like this it will also speed up your site since you will have a Higher Cache HIT ratio since they can't bypass your cache with this query string.
.com/index.php?__cf_chl_captcha_tk__=blahblahblah
.com/index.php?__cf_chl_jschl_tk__=blahblahblah
Added Feature : Query String Sorting I was inspired by Cloudflare to Create this since Cloudflare do this too but it is a exspensive PAID feature on Cloudflare ONLY available to Enterprise Customers at $3000 USD $3K USD minimum thats not right and its not fair! So I give it to you all for free!! I hope you enjoy it.
Query String Sort increases cache-hit rates by first sorting query strings into a consistent order.
This will treat files with the same query strings as the same file, regardless of the order of the query strings.
Example :
Un-Ordered : .com/index.html?lol=1&char=2
Ordered : .com/index.html?char=2&lol=1
Added Feature : Query String Argument Removing
To remove Query strings that bypass the cache Intentionally Facebook and Google is the biggest culprit in this. It is commonly known as Cache Busting.
Traffic to your site from facebook Posts / Shares the URL's will all contain this .com/index.html?fbclid=blah-blah-blah That will bypass your servers Cache what in turn slows your website down.
Added Feature : Query String Argument Whitelist
So this is useful for those who know what URL arguments their sites use and want to whitelist those ONLY so any other arguments provided in the URL never reach the backend or web application and are dropped from the URL. This will really make your Cache HIT Ratio go through the roof since junk arguments in the URL will be dropped.
WAF Web Application Firewall Improvement POST Data Filter : make both the values provided by connecting clients be regex patterns if need be. Allows for a wider scope of matching and stronger security over previous way i was doing it. Previously i was only matching the values for regex now you can match both keys and values for regex.
Added Feature : WAF Web Application Firewall POST Request arguments filter to improve the security and protection of backends and server services behind my script allowing you to block and filter out unwanted POST data from HTML fields and forms to your sites. You can create regex patterns and strings to match SQL injections unwanted code etc. https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/issues/29 Ticked of the TODO List.
Modification : User-Agent strings configuration so that they will match the Regex patterns and showing users how to escape special characters in Regex for Lua with a percentage symbol `%`
Added Feature : Authentication Box / Restricted Access / Restricted Area Fields what require a username / password.
Highly useful for protecting sensative site directories like admin control panels etc. I also gave the ability to dynamicly generate the username and password field for this and gave the option to display the username and password to the visitor of your website since I saw some Tor .onion websites doing something similar to this to protect their websites I thought I would build it in to make it easy and they would find that feature extra handy for protection.
Optimization : Moved master switch function for execution order to be compatible with features.
Added Feature : When using custom hosts to enable and disable the script on with the master switch function you can choose what sites, file paths and directories will never require authentication and what sites, file paths and directories will always require authentication
Added information in regards to a upcomming update that will allow the script to turn itself on and off if it detects an attempted attack will take away the need to manualy turn on protection for sites (something Cloudflare still has not done) if it detects timeouts / to many request / connections from the same IP's or a dramaticly flood in general or slowloris it will trigger protection on for the domain that is under attack.
```
http { #inside http block
lua_shared_dict antiddos 10m; #Anti-DDoS shared memory zone
}
```
Added Feature : Support for IPv4 and IPv6 Subnet ranges so you can use ranged IP address formats in the IP blacklist and whitelist feature
Added Feature : User-Agent Blacklist
Added Feature : User-Agent Whitelist
Optimization : Removed ngx.md5 from encryption it was pointless since i encrypt data with salted hash sums so putting it into a md5 string first was a waste of time.
Cleanup : Removed unwanted / nulled out ngx.log lines and print lines from code since they are not needed was junk code.
Big Fix :
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Malformed_URI
URIError: The URI to be encoded contains invalid character (Edge)
URIError: malformed URI sequence (Firefox)
URIError: URI malformed (Chrome)
To prevent this happening on my Hex encryption of javascript "\x char" and "%" char values a soloution is to use `unescape()` or `escape()` i decided to escape values.
Added Feature : Custom setting for master_switch, For those who use this script and are large server hosts or host allot of websites from their machine(s) this will allow you to setup this script in your Nginx `http {` block to run for all sites on your service then you can set it to custom hosts to protect specific websites only such as Tor websites.
For example setting `master_switch = 3` will make it so all websites / domain names you do not specify in the list will never see the authentication page while those you do specifiy in the list will be required to solve our authentication page puzzle in order to get access. Highly useful for protecting Tor services / backends on hosts with normal services running too.
This way if you host a domain like ".onion" they will be required to solve auth pages to get access while everything not specified like ".com" or specific domain names visitors will never see the auth page.
Added Feature : Allow our randomly generated Javascript vars to be configurable and dynamic or static depending on user prefrence.
Fix bug : Tor users I forgot to check if Tor users solved our Mathematical puzzle now it checks that they have solved the puzzle before granting them access.
Fix bug : When generating random Javascript variables there was a chance for duplicate outputs / collisions with Javascript vars making Javascript not work whilst the odds for those collisions / duplicates was very very small it was something that maybe one request in a million could have been stuck with a broken javascript page so to prevent that ever happening I keep track of generated vars and prevent duplicates.
Added Feature :
A new Javascript encryption / Obfuscation method i built to my list of others inside my function, This will take Javascript encrypt it as a base64 string, Split it up into chunks randomize those chunks then output it. Just like a deck of cards you can shuffle the stack and allow the code to run still regardless of the order the deck would come out as.
Fix :
Added defer and async ability to my Hexdecimal encryption when I Built the encryption function originaly in development I added it to the rest and forgot that one.
Added Feature to detect Tor users
Added Feature to block or allow Tor users (Allowing Tor users will still require for them to go through the authentication process the same as everyone else so don't worry)
Added Feature to encrypt Tor headers making them as Dynamic as possible
Added Feature to encrypt Tor cookies making them as Dynamic as possible
Added Tor Javascript Checks
Fixed unwanted collision bug between header x_auth_header_name when encrypted it was not unique so I made it unique to avoid any clashes in the future.
Add feature to automatically detect if website we are serving traffic for is a Tor network website via the .onion domain extension and switch our compatibility to accomadate for Tor clients.
Change default from Dynamic GET and POST to just POST requests with XMLHttpRequest object the reason being is to avoid unwanted conflicts with caches on proxy servers / services (Cloudflare proxy being a prime culprit of this).
Add feature to automatically get the connecting Clients IP Address without needing to manually set it in the config, I decided to make this for compatibility with every service connecting to your server. It can now work with Cloudflare, Proxies, Tor Direct connections etc simultaneously.
Fix output for remote_addr on Authentication page in HTML, If you change the variable `local remote_addr =` in your settings / setup / config at the start of the script the output on the auth page where it should say `IP Address` would be what you set the `remote_addr` as so to fix it and ensure it stays as an IP Address not User-Agent etc I manualy set it back with logical operators.
Fix for Javascript refreshing the page before the browser has a chance to set the cookies in response.
Fix to stop Firefox browsers message "firefox prevented this page from automatically reloading"
Remove un-used junk code.
Remove junk javascript code.
Change the timer text element to inform the user to refresh their page incase their browser blocks it. (Firefox is a prime culprit of this "firefox prevented this page from automatically reloading")
correctly use vars expected_header_status and authentication_page_status_output
simplify and faster exit in case of ajax request
default authentication_page_status_output status to 503 otherwise google and other crawlers index this page
Add feature to allow disabling of my credits as much as credit to be recieved is nice i do understand and realise people do not want to display them on their sites hence why i made it a feature to allow you to remove them easily and swiftly. :)
Add Enable/disable script this feature allows you to turn on or off this script so you can leave this file in your nginx configuration permamently.
This way you don't have to remove `access_by_lua_file anti_ddos_challenge.lua;` to stop protecting your websites :) you can set up your nginx config and use this feature to enable or disable protection.
Remove un-needed Javascript from my development stages where i planned Javascript based header response checks all not needed.
Change Javascript page refresh method from `window.location.reload();` to `location.reload(true);` as the Mozilla docs tell us we should be reloading pages this way. https://developer.mozilla.org/en-US/docs/Web/API/Location/reload
Fix Nginx Lua Bug with ngx.header["Set-Cookie"] function for some reason it only allows one instance of this header to be defined in a script. So to fix the issue I define the header once and only once in the entire script right at the end and set a variable that can be dynamic in setting multiple cookies.
Add cors headers and include XMLHTTPREQUEST with credentials tag and remove domain tag from set-cookie to fix issue with Google Chrome. Still broken in Microsoft Edge !?
Added Feature built in my method to encrypt and obfuscate Javascript outputs. (I am very proud of this!)
Bug fix: incase certain browsers lack in permissions to set cookies with javascript on the initital header request we will give them their cookie they still need javascript enabled to solve the authentication puzzle that will always be mandatory!
Added X-Requested-* headers for the next feature i am building in
Move current time variable out of configuration area.
Create currentdate variable to stop calling os.date() and os.time() multiple un-needed times.
Fix bug now the auth page only shows when the expire_time config value is set and around the time before if you had set a time greater than one day every 24 hours you would recieve the auth page even if your cookies are valid this expire_time checks solves that problem.
Add new security feature to make the cookies we set encrypted, unpredictable, dynamic and unique to each user/client to increase our security from content scrappers bots leechers etc. Where as before they could monitor static cookie names this prevents that.
Add new security feature to make the header we sent our Javascript answer from the browser over unpredictable and dynamic to increase our security from content scrappers bots leechers etc.
Remove Search Engines from the Browsers Javascript Checking (This will allow search engines to crawl still like Google because they can execute Javascript)
Fix expire_time description to show correct default time of 1 day.
Fix cookie bug when Javascript was setting a cookie it was setting a cookie of 'now' instead of the set config of expire_time into the future when the cookie should expire.
Added the challenge cookie to the headers set by grant_access function to update the cookie set by Javascript since the time stamp on the cookie would be out of sync with the other cookies otherwise this was all cookies will be updated and set/kept with the same time stamps.
