Commit Graph

36 Commits

Author SHA1 Message Date
C0nw0nk
379814c399 Update anti_ddos_challenge.lua
Added Feature : Custom setting for master_switch, For those who use this script and are large server hosts or host a lot of websites from their machine(s) this will allow you to setup this script in your Nginx `http {` block to run for all sites on your service then you can set it to custom hosts to protect specific websites only such as Tor websites.

For example setting `master_switch = 3` will make it so all websites / domain names you do not specify in the list will never see the authentication page while those you do specify in the list will be required to solve our authentication page puzzle in order to get access. Highly useful for protecting Tor services / backends on hosts with normal services running too.

This way if you host a domain like ".onion" they will be required to solve auth pages to get access while everything not specified like ".com" or specific domain names visitors will never see the auth page.
2020-02-20 17:35:16 +00:00
C0nw0nk
4417a6da16 Update anti_ddos_challenge.lua
Added Feature : Allow our randomly generated Javascript vars to be configurable and dynamic or static depending on user preference.

Fix bug : Tor users I forgot to check if Tor users solved our Mathematical puzzle now it checks that they have solved the puzzle before granting them access.

Fix bug : When generating random Javascript variables there was a chance for duplicate outputs / collisions with Javascript vars making Javascript not work whilst the odds for those collisions / duplicates was very very small it was something that maybe one request in a million could have been stuck with a broken javascript page so to prevent that ever happening I keep track of generated vars and prevent duplicates.
2020-02-18 19:54:23 +00:00
C0nw0nk
d7a133a553 Update anti_ddos_challenge.lua
Added Feature : 
A new Javascript encryption / Obfuscation method I built to my list of others inside my function, This will take Javascript encrypt it as a base64 string, Split it up into chunks randomize those chunks then output it. Just like a deck of cards you can shuffle the stack and allow the code to run still regardless of the order the deck would come out as.

Fix : 
Added defer and async ability to my Hexadecimal encryption when I Built the encryption function originally in development I added it to the rest and forgot that one.
2020-02-10 20:50:10 +00:00
C0nw0nk
3563ed21f0 Update anti_ddos_challenge.lua
Added Feature to detect Tor users
Added Feature to block or allow Tor users (Allowing Tor users will still require for them to go through the authentication process the same as everyone else so don't worry)
Added Feature to encrypt Tor headers making them as Dynamic as possible
Added Feature to encrypt Tor cookies making them as Dynamic as possible
Added Tor Javascript Checks

Fixed unwanted collision bug between header x_auth_header_name when encrypted it was not unique so I made it unique to avoid any clashes in the future.
2020-02-05 15:55:21 +00:00
C0nw0nk
6087320fd7 Update anti_ddos_challenge.lua
Add feature to automatically detect if website we are serving traffic for is a Tor network website via the .onion domain extension and switch our compatibility to accommodate for Tor clients.
2020-02-02 18:55:54 +00:00
C0nw0nk
515a5d9be7 Update anti_ddos_challenge.lua
Change default from Dynamic GET and POST to just POST requests with XMLHttpRequest object the reason being is to avoid unwanted conflicts with caches on proxy servers / services (Cloudflare proxy being a prime culprit of this).
2020-02-01 15:38:33 +00:00
C0nw0nk
34444a013c Update anti_ddos_challenge.lua
Add feature to automatically get the connecting Clients IP Address without needing to manually set it in the config, I decided to make this for compatibility with every service connecting to your server. It can now work with Cloudflare, Proxies, Tor Direct connections etc simultaneously.
2020-02-01 11:56:32 +00:00
C0nw0nk
22406ba15b Update anti_ddos_challenge.lua
Fix output for remote_addr on Authentication page in HTML, If you change the variable `local remote_addr =` in your settings / setup / config at the start of the script the output on the auth page where it should say `IP Address` would be what you set the `remote_addr` as so to fix it and ensure it stays as an IP Address not User-Agent etc I manually set it back with logical operators.
2020-01-31 21:15:55 +00:00
C0nw0nk
113f1dacae Update anti_ddos_challenge.lua
For services behind Cloudflare's proxy service ensure our javascript runs without "Rocket Loader".

https://support.cloudflare.com/hc/en-us/articles/200169436-How-can-I-have-Rocket-Loader-ignore-specific-JavaScripts-

And for Tor users this seems to be an error they will see with it that should fix it. Making the Script elements run independently from Cloudflare's script.

Request to access cookie or storage on “https://ajax.cloudflare.com/cdn-cgi/scripts/*/cloudflare-static/rocket-loader.min.js” was blocked because we are blocking all third-party storage access requests and content blocking is enabled
2020-01-31 20:13:24 +00:00
C0nw0nk
e570b1ed57 Update anti_ddos_challenge.lua
Fix for Javascript refreshing the page before the browser has a chance to set the cookies in response.

Fix to stop Firefox browsers message "firefox prevented this page from automatically reloading"

Remove un-used junk code.
2020-01-27 16:53:26 +00:00
C0nw0nk
20d6640a27 Update anti_ddos_challenge.lua
Remove junk javascript code.

Change the timer text element to inform the user to refresh their page in case their browser blocks it. (Firefox is a prime culprit of this "firefox prevented this page from automatically reloading")
2020-01-26 18:46:15 +00:00
Stefan Priebe
99d3d5fc82 remove unneeded Access-Control-Allow-Origin headers - this is never cross domain
correctly use vars expected_header_status and authentication_page_status_output
simplify and faster exit in case of ajax request
default authentication_page_status_output status to 503 otherwise google and other crawlers index this page
2020-01-07 07:45:09 +01:00
Stefan Priebe
30987f8b7a JavascriptPuzzleVars stopped working since 2020 as JS calcs 20200104 + 04012020 into 21253816
To fix number calculation with leading zeros:
* use parseInt
* explicit pass of a string
* define base of 10
2020-01-06 07:00:06 +01:00
C0nw0nk
43693ba2be Update anti_ddos_challenge.lua
Reinstate variable that originally was there but got accidentally removed in last patch.
2020-01-04 12:13:35 +00:00
C0nw0nk
90397bcf35 Update anti_ddos_challenge.lua
Applied user contributed patch to fix iOS issues with cookies a big thank you to those who contributed here.

https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/issues/11#issuecomment-569816246
2020-01-03 22:13:09 +00:00
C0nw0nk
defe93fdee Update anti_ddos_challenge.lua
Add feature to allow disabling of my credits as much as credit to be received is nice I do understand and realise people do not want to display them on their sites hence why I made it a feature to allow you to remove them easily and swiftly. :)
2019-11-15 19:51:51 +00:00
C0nw0nk
942915ae8a Update anti_ddos_challenge.lua
Add Enable/disable script this feature allows you to turn on or off this script so you can leave this file in your nginx configuration permanently.

This way you don't have to remove `access_by_lua_file anti_ddos_challenge.lua;` to stop protecting your websites :) you can set up your nginx config and use this feature to enable or disable protection.
2019-11-15 18:32:04 +00:00
C0nw0nk
3b13adaa12 Update anti_ddos_challenge.lua
Fix typo of value "charset" with "default_charset"
2019-11-15 18:12:22 +00:00
C0nw0nk
ac52cb4dff Update anti_ddos_challenge.lua
Make charset customisable value for those who wish to translate this script into their own native languages.

https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/issues/8
2019-11-15 18:09:55 +00:00
C0nw0nk
4e5060ef41 Update anti_ddos_challenge.lua
Update to fix hex encode in Javascript encryption so that it no longer requires Nginx Lua's ngx_devel_kit
2019-11-12 21:48:59 +00:00
C0nw0nk
f13998a56e Update anti_ddos_challenge.lua 2019-11-11 19:26:59 +00:00
C0nw0nk
499bc58631 Update anti_ddos_challenge.lua
Added new features of an IP Address Whitelist and Blacklist to permanently grant access or deny access to specific users of your site.
2019-09-14 22:56:08 +01:00
C0nw0nk
974e711ea6 Update anti_ddos_challenge.lua
Add a HTML page refresh feature in case Javascript one does not work.
2019-09-12 20:12:26 +01:00
C0nw0nk
3713e335ba Update anti_ddos_challenge.lua
Remove un-needed Javascript from my development stages where I planned Javascript based header response checks all not needed.

Change Javascript page refresh method from `window.location.reload();` to `location.reload(true);` as the Mozilla docs tell us we should be reloading pages this way. https://developer.mozilla.org/en-US/docs/Web/API/Location/reload
2019-09-12 19:52:49 +01:00
C0nw0nk
2d9a6da90d Update anti_ddos_challenge.lua
Remove un-needed Javascript code that causes browser issues.
2019-09-12 18:07:17 +01:00
C0nw0nk
a32a819b73 Update anti_ddos_challenge.lua
Fix Nginx Lua Bug with ngx.header["Set-Cookie"] function for some reason it only allows one instance of this header to be defined in a script. So to fix the issue I define the header once and only once in the entire script right at the end and set a variable that can be dynamic in setting multiple cookies.
2019-09-12 18:03:00 +01:00
C0nw0nk
447534b611 Update anti_ddos_challenge.lua
Add cors headers and include XMLHTTPREQUEST with credentials tag and remove domain tag from set-cookie to fix issue with Google Chrome. Still broken in Microsoft Edge !?
2019-08-28 01:17:53 +01:00
C0nw0nk
f2133a8307 Update anti_ddos_challenge.lua
Fix for set-cookie works in Firefox browser now Chrome, Microsoft edge still don't seem to work...!?
2019-08-28 00:18:59 +01:00
C0nw0nk
a7d388d02a Update anti_ddos_challenge.lua
Added Feature built in my method to encrypt and obfuscate Javascript outputs. (I am very proud of this!)

Bug fix: in case certain browsers lack in permissions to set cookies with javascript on the initial header request we will give them their cookie they still need javascript enabled to solve the authentication puzzle that will always be mandatory!

Added X-Requested-* headers for the next feature I am building in
2019-08-27 18:07:49 +01:00
C0nw0nk
124381ad79 Update anti_ddos_challenge.lua
Move current time variable out of configuration area.

Create currentdate variable to stop calling os.date() and os.time() multiple un-needed times.

Fix bug now the auth page only shows when the expire_time config value is set and around the time before if you had set a time greater than one day every 24 hours you would receive the auth page even if your cookies are valid this expire_time checks solves that problem.
2019-08-26 21:29:25 +01:00
C0nw0nk
2e2a5e58a5 Update anti_ddos_challenge.lua
Add new security feature to make the cookies we set encrypted, unpredictable, dynamic and unique to each user/client to increase our security from content scrapers bots leechers etc. Whereas before they could monitor static cookie names this prevents that.
2019-08-26 19:05:38 +01:00
C0nw0nk
655b82f49c Update anti_ddos_challenge.lua
Improve security on header making it unique to each individual client/user that visits the website.
2019-08-25 23:50:50 +01:00
C0nw0nk
1596b5c177 Update anti_ddos_challenge.lua
Add new security feature to make the header we sent our Javascript answer from the browser over unpredictable and dynamic to increase our security from content scrapers bots leechers etc.
2019-08-25 22:47:17 +01:00
C0nw0nk
f51662eda7 Update anti_ddos_challenge.lua
Remove Search Engines from the Browsers Javascript Checking (This will allow search engines to crawl still like Google because they can execute Javascript)
2019-08-25 21:22:49 +01:00
C0nw0nk
cabdbaa093 Update anti_ddos_challenge.lua
Fix expire_time description to show correct default time of 1 day.

Fix cookie bug when Javascript was setting a cookie it was setting a cookie of 'now' instead of the set config of expire_time into the future when the cookie should expire.

Added the challenge cookie to the headers set by grant_access function to update the cookie set by Javascript since the time stamp on the cookie would be out of sync with the other cookies otherwise this way all cookies will be updated and set/kept with the same time stamps.
2019-08-25 21:00:22 +01:00
C0nw0nk
72cce0223d Create anti_ddos_challenge.lua
For those who love my script feel free to drop me a thank you! :)
2019-08-22 13:18:53 +01:00