Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

google recaptcha v2 support

Browse Source
This commit is contained in:
Thomas Lynch
2022-09-12 23:37:21 +10:00
parent c9e007639e
commit 0d991770cf
4 changed files with 51 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.MD
View File

@ -28,6 +28,8 @@ Add some env vars to docker-compose file:
- HCAPTCHA_SITEKEY - your hcaptcha site key - HCAPTCHA_SITEKEY - your hcaptcha site key
- HCAPTCHA_SECRET - your hcaptcha secret key - HCAPTCHA_SECRET - your hcaptcha secret key
- RECAPTCHA_SITEKEY - your recaptcha site key
- RECAPTCHA_SECRET - your recaptcha secret key
- CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies - CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies
- POW_COOKIE_SECRET - different random string, a salt for pow cookies - POW_COOKIE_SECRET - different random string, a salt for pow cookies
- RAY_ID - string to identify the HAProxy node by - RAY_ID - string to identify the HAProxy node by

6
docker-compose.yml
View File

@ -18,14 +18,16 @@ services:
- ./haproxy/hosts.map:/etc/haproxy/hosts.map - ./haproxy/hosts.map:/etc/haproxy/hosts.map
- ./haproxy/backends.map:/etc/haproxy/backends.map - ./haproxy/backends.map:/etc/haproxy/backends.map
- ./haproxy/blocked.map:/etc/haproxy/blocked.map - ./haproxy/blocked.map:/etc/haproxy/blocked.map
- ./haproxy/whitelist.map:/etc/haproxy/whitelist.map
- ./haproxy/maintenance.map:/etc/haproxy/maintenance.map
- ./haproxy/dataplaneapi.hcl:/etc/haproxy/dataplaneapi.hcl - ./haproxy/dataplaneapi.hcl:/etc/haproxy/dataplaneapi.hcl
- ./haproxy/trace.txt:/etc/haproxy/trace.txt - ./haproxy/trace.txt:/etc/haproxy/trace.txt
- ./src/scripts/:/etc/haproxy/scripts/ - ./src/scripts/:/etc/haproxy/scripts/
- ./src/libs/:/etc/haproxy/libs/ - ./src/libs/:/etc/haproxy/libs/
- ./haproxy/js/:/var/www/js/ - ./haproxy/js/:/var/www/js/
environment: environment:
- HCAPTCHA_SECRET= - RECAPTCHA_SECRET=6LdOmvEhAAAAAB9zq2oSnhpUmw4wZ4uvfzixoxNY
- HCAPTCHA_SITEKEY= - RECAPTCHA_SITEKEY=6LdOmvEhAAAAAJjwpaaREKW9lYJ8arpZWydWDeXg
- CAPTCHA_COOKIE_SECRET=changeme - CAPTCHA_COOKIE_SECRET=changeme
- POW_COOKIE_SECRET=changeme - POW_COOKIE_SECRET=changeme
- RAY_ID=docker - RAY_ID=docker

4
haproxy/haproxy.cfg
View File

@ -91,3 +91,7 @@ backend servers
backend hcaptcha backend hcaptcha
mode http mode http
server hcaptcha hcaptcha.com:443 server hcaptcha hcaptcha.com:443
backend recaptcha
mode http
server recaptcha www.google.com:443

64
src/scripts/hcaptcha.lua
View File

@ -6,14 +6,31 @@ local cookie = require("cookie")
local json = require("json") local json = require("json")
local sha = require("sha") local sha = require("sha")
local captcha_secret = os.getenv("HCAPTCHA_SECRET") local captcha_secret = os.getenv("HCAPTCHA_SECRET") or os.getenv("RECAPTCHA_SECRET")
local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY") local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY") or os.getenv("RECAPTCHA_SITEKEY")
local hcaptcha_cookie_secret = os.getenv("CAPTCHA_COOKIE_SECRET") local captcha_cookie_secret = os.getenv("CAPTCHA_COOKIE_SECRET")
local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET") local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET")
local ray_id = os.getenv("RAY_ID") local ray_id = os.getenv("RAY_ID")
local captcha_provider_domain = "hcaptcha.com"
local captcha_map = Map.new("/etc/haproxy/ddos.map", Map._str); local captcha_map = Map.new("/etc/haproxy/ddos.map", Map._str);
local captcha_provider_domain = ""
local captcha_classname = ""
local captcha_script_src = ""
local captcha_siteverify_path = ""
local captcha_backend_name = ""
if os.getenv("HCAPTCHA_SITEKEY") then
captcha_provider_domain = "hcaptcha.com"
captcha_classname = "h-captcha"
captcha_script_src = "https://hcaptcha.com/1/api.js"
captcha_siteverify_path = "/siteverify"
captcha_backend_name = "hcaptcha"
else
captcha_provider_domain = "www.google.com"
captcha_classname = "g-recaptcha"
captcha_script_src = "https://www.google.com/recaptcha/api.js"
captcha_siteverify_path = "/recaptcha/api/siteverify"
captcha_backend_name = "recaptcha"
end
function _M.setup_servers() function _M.setup_servers()
local backend_name = os.getenv("BACKEND_NAME") local backend_name = os.getenv("BACKEND_NAME")
@ -50,7 +67,7 @@ local body_template = [[
<style> <style>
:root{--text-color:#c5c8c6;--bg-color:#1d1f21} :root{--text-color:#c5c8c6;--bg-color:#1d1f21}
@media (prefers-color-scheme:light){:root{--text-color:#333;--bg-color:#EEE}} @media (prefers-color-scheme:light){:root{--text-color:#333;--bg-color:#EEE}}
.h-captcha{min-height:85px;display:block} .h-captcha,.g-recaptcha{min-height:85px;display:block}
.red{color:red;font-weight:bold} .red{color:red;font-weight:bold}
a,a:visited{color:var(--text-color)} a,a:visited{color:var(--text-color)}
body,html{height:100%%} body,html{height:100%%}
@ -120,14 +137,14 @@ local pow_section_template = [[
</div> </div>
]] ]]
-- message, hcaptcha form and submit button -- message, captcha form and submit button
local captcha_section_template = [[ local captcha_section_template = [[
<h3> <h3>
Please solve the captcha to continue. Please solve the captcha to continue.
</h3> </h3>
<form class="jsonly" method="POST"> <form class="jsonly" method="POST">
<div class="h-captcha" data-sitekey="%s"></div> <div class="%s" data-sitekey="%s"></div>
<script src="https://hcaptcha.com/1/api.js" async defer></script> <script src="%s" async defer></script>
<input type="submit" value="Calculating proof of work..." disabled> <input type="submit" value="Calculating proof of work..." disabled>
</form> </form>
]] ]]
@ -161,7 +178,7 @@ function _M.view(applet)
-- pow at least is always enabled when reaching bot-check page -- pow at least is always enabled when reaching bot-check page
site_name_body = string.format(site_name_section_template, host) site_name_body = string.format(site_name_section_template, host)
if captcha_enabled then if captcha_enabled then
captcha_body = string.format(captcha_section_template, captcha_sitekey) captcha_body = string.format(captcha_section_template, captcha_classname, captcha_sitekey, captcha_script_src)
else else
pow_body = pow_section_template pow_body = pow_section_template
noscript_extra_body = string.format(noscript_extra_template, generated_work) noscript_extra_body = string.format(noscript_extra_template, generated_work)
@ -172,34 +189,35 @@ function _M.view(applet)
response_status_code = 403 response_status_code = 403
elseif applet.method == "POST" then elseif applet.method == "POST" then
local parsed_body = url.parseQuery(applet.receive(applet)) local parsed_body = url.parseQuery(applet.receive(applet))
if parsed_body["h-captcha-response"] then local user_captcha_response = parsed_body["h-captcha-response"] or parsed_body["g-recaptcha-response"]
local hcaptcha_url = string.format( -- require("print_r")
"https://%s/siteverify", -- print_r(captcha_provider_domain)
core.backends["hcaptcha"].servers["hcaptcha"]:get_addr() -- print_r(user_captcha_response)
if user_captcha_response then
local captcha_url = string.format(
"https://%s%s",
core.backends[captcha_backend_name].servers[captcha_backend_name]:get_addr(),
captcha_siteverify_path
) )
local hcaptcha_body = url.buildQuery({ local captcha_body = url.buildQuery({
secret=captcha_secret, secret=captcha_secret,
response=parsed_body["h-captcha-response"] response=user_captcha_response
}) })
local httpclient = core.httpclient() local httpclient = core.httpclient()
local res = httpclient:post{ local res = httpclient:post{
url=hcaptcha_url, url=captcha_url,
body=hcaptcha_body, body=captcha_body,
headers={ headers={
[ "host" ] = { captcha_provider_domain }, [ "host" ] = { captcha_provider_domain },
[ "content-type" ] = { "application/x-www-form-urlencoded" } [ "content-type" ] = { "application/x-www-form-urlencoded" }
} }
} }
local status, api_response = pcall(json.decode, res.body) local status, api_response = pcall(json.decode, res.body)
--require("print_r")
--print_r(hcaptcha_body)
--print_r(res)
--print_r(api_response)
if not status then if not status then
api_response = {} api_response = {}
end end
if api_response.success == true then if api_response.success == true then
local floating_hash = utils.generate_secret(applet, hcaptcha_cookie_secret, true, nil) local floating_hash = utils.generate_secret(applet, captcha_cookie_secret, true, nil)
applet:add_header( applet:add_header(
"set-cookie", "set-cookie",
string.format("z_ddos_captcha=%s; expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; SameSite=Strict; Secure=true;", floating_hash) string.format("z_ddos_captcha=%s; expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; SameSite=Strict; Secure=true;", floating_hash)
@ -238,7 +256,7 @@ end
-- check if captcha token is valid, separate secret from POW -- check if captcha token is valid, separate secret from POW
function _M.check_captcha_status(txn) function _M.check_captcha_status(txn)
local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie")) local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie"))
local expected_cookie = utils.generate_secret(txn, hcaptcha_cookie_secret, false, nil) local expected_cookie = utils.generate_secret(txn, captcha_cookie_secret, false, nil)
if parsed_request_cookies["z_ddos_captcha"] == expected_cookie then if parsed_request_cookies["z_ddos_captcha"] == expected_cookie then
return txn:set_var("txn.captcha_passed", true) return txn:set_var("txn.captcha_passed", true)
end end