Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Rename POW vars to separately argon_ for argon2 stuff, improve readme and split out INSTALLATION into separate file

Browse Source
This commit is contained in:
Thomas Lynch
2023-02-11 14:43:55 +11:00
parent 4637df4745
commit 0d56079960
3 changed files with 54 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
README.MD → INSTALLATION.md
View File

@ -1,24 +1,3 @@
## haproxy-protection
A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a HAProxy configuration and lua scripts allowing a challenge-response page where users solve a captcha and/or proof-of-work. Intended to stop bots, spam, ddos.
Integrates with https://gitgud.io/fatchan/haproxy-panel-next to add/remove/edit domains, protection rules, blocked ips, backend server IPs, etc during runtime.
Improvements in this fork:
- Add a proof-of-work element, instead of only captcha.
- Supports hcaptcha or recaptcha.
- Support .onion/tor with the HAProxy PROXY protocol, using circuit identifiers as a substitute for IPs.
- Use HAProxy `http-request return` directive to directly serve challenge pages from the edge, with no separate backend.
- Fix multiple security issues that could result in bypassing the captcha.
- Add a bucket duration for cookie validity, so valid cookies don't last forever.
- Choose protection modes "none", "pow" or "pow+captcha" per-domain or per-domain+path, with paths taking priority.
- Provide a bash script that solves the proof-of-work and a form submission box for noscript users.
- Whitelist or blacklist IPs/subnets.
- Maintenance mode page for selected domains.
- Improved the appearance of the challenge page.
- Many bugfixes.
#### Environment variables
For docker, these are in docker-compose.yml. For production deployments, add them to `/etc/default/haproxy`.
@ -36,9 +15,9 @@ NOTE: Use either HCAPTCHA_ or RECAPTHCA_, not both.
- CHALLENGE_INCLUDES_IP - any value, whether to lock solved challenges to IP or tor circuit
- BACKEND_NAME - Optional, name of backend to build from hosts.map
- SERVER_PREFIX - Optional, prefix of server names used in server-template
- POW_TIME - argon2 iterations
- POW_KB - argon2 memory usage in KB
- POW_DIFFICULTY - pow "difficulty" (you should use all 3 POW_ parameters to tune the difficulty)
- ARGON_TIME - argon2 iterations
- ARGON_KB - argon2 memory usage in KB
- POW_DIFFICULTY - pow difficulty
- TOR_CONTROL_PORT_PASSWORD - the control port password for tor daemon
#### Run in docker (for testing/development)
@ -85,8 +64,3 @@ ControlPort 9051
HashedControlPassword xxxxxxxxxxxxxxxxx
```
- Don't forget to restart tor
#### Screenshots
![nocaptcha](img/nocaptcha.png "no captcha mode")
![captcha](img/captcha.png "captcha mode (pow done asynchronously in background)")

38
README.md Normal file
View File

@ -0,0 +1,38 @@
## haproxy-protection
A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a HAProxy configuration and lua scripts allowing a challenge-response page where users solve a captcha and/or proof-of-work. Intended to stop bots, spam, ddos.
Integrates with https://gitgud.io/fatchan/haproxy-panel-next to add/remove/edit domains, protection rules, blocked ips, backend server IPs, etc during runtime.
#### Features / improvements in this fork:
- Implement a proof-of-work mode, in addition to the existing captcha only mode.
- Supports either hcaptcha or recaptcha.
- Support .onion/tor with the HAProxy PROXY protocol, using circuit identifiers as a substitute for IPs.
- Allow users without javascript to solve the POW by providing a shell script and html form inside `noscript` tags.
- Use HAProxy `http-request return` directive to directly serve files from the edge without a separate backend.
- Adjustable cookie validity lifetime.
- Adjustable "mode" ("none", "pow" or "pow+captcha") per domain or domain+path
- Improved the appearance of the challenge page.
- Add several useful maps & acls to the haproxy config:
- Whitelist or blacklist IPs/subnets.
- Maintenance mode page for selected domains.
- Fix multiple security issues.
- Many bugfixes.
#### Installation
See [INSTALLATION.md](INSTALLATION.md)
#### Screenshots
![nocaptcha](img/nocaptcha.png "no captcha mode")
![captcha](img/captcha.png "captcha mode (pow done asynchronously in background)")
## For generous people
Bitcoin (BTC): [`bc1q4elrlz5puak4m9xy3hfvmpempnpqpu95v8s9m6`](bitcoin:bc1q4elrlz5puak4m9xy3hfvmpempnpqpu95v8s9m6)
Monero (XMR): [`89J9DXPLUBr5HjNDNZTEo4WYMFTouSsGjUjBnUCCUxJGUirthnii4naZ8JafdnmhPe4NP1nkWsgcK82Uga7X515nNR1isuh`](monero:89J9DXPLUBr5HjNDNZTEo4WYMFTouSsGjUjBnUCCUxJGUirthnii4naZ8JafdnmhPe4NP1nkWsgcK82Uga7X515nNR1isuh)
Oxen (OXEN): `LBjExqjDKCFT6Tj198CfK8auAzBERJX1ogtcsjuKZ6AYWTFxwEADLgf2zZ8NHvWCa1UW7vrtY8DJmPYFpj3MEE69CryCvN6`

21
src/scripts/bot-check.lua
View File

@ -13,17 +13,22 @@ local sha = require("sha")
local randbytes = require("randbytes")
local templates = require("templates")
-- argon2 POW
local argon2 = require("argon2")
-- POW
local pow_difficulty = tonumber(os.getenv("POW_DIFFICULTY") or 18)
local pow_kb = tonumber(os.getenv("POW_KB") or 6000)
local pow_time = tonumber(os.getenv("POW_TIME") or 1)
argon2.t_cost(pow_time)
argon2.m_cost(pow_kb)
-- argon2
local argon2 = require("argon2")
local argon_kb = tonumber(os.getenv("ARGON_KB") or 6000)
local argon_time = tonumber(os.getenv("ARGON_TIME") or 1)
argon2.t_cost(argon_time)
argon2.m_cost(argon_kb)
argon2.parallelism(1)
argon2.hash_len(32)
argon2.variant(argon2.variants.argon2_id)
-- sha2
-- TODO
-- environment variables
local captcha_secret = os.getenv("HCAPTCHA_SECRET") or os.getenv("RECAPTCHA_SECRET")
local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY") or os.getenv("RECAPTCHA_SITEKEY")
@ -140,12 +145,12 @@ function _M.view(applet)
else
pow_body = templates.pow_section
noscript_extra_body = string.format(templates.noscript_extra, user_key, challenge_hash, signature,
math.ceil(pow_difficulty/8), pow_time, pow_kb)
math.ceil(pow_difficulty/8), argon_time, argon_kb)
end
-- sub in the body sections
response_body = string.format(templates.body, combined_challenge,
pow_difficulty, pow_time, pow_kb,
pow_difficulty, argon_time, argon_kb,
site_name_body, pow_body, captcha_body, noscript_extra_body, ray_id)
response_status_code = 403