diff --git a/README.MD b/INSTALLATION.md similarity index 57% rename from README.MD rename to INSTALLATION.md index 68afd9c..436299c 100644 --- a/README.MD +++ b/INSTALLATION.md @@ -1,24 +1,3 @@ -## haproxy-protection - -A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a HAProxy configuration and lua scripts allowing a challenge-response page where users solve a captcha and/or proof-of-work. Intended to stop bots, spam, ddos. - -Integrates with https://gitgud.io/fatchan/haproxy-panel-next to add/remove/edit domains, protection rules, blocked ips, backend server IPs, etc during runtime. - -Improvements in this fork: - -- Add a proof-of-work element, instead of only captcha. -- Supports hcaptcha or recaptcha. -- Support .onion/tor with the HAProxy PROXY protocol, using circuit identifiers as a substitute for IPs. -- Use HAProxy `http-request return` directive to directly serve challenge pages from the edge, with no separate backend. -- Fix multiple security issues that could result in bypassing the captcha. -- Add a bucket duration for cookie validity, so valid cookies don't last forever. -- Choose protection modes "none", "pow" or "pow+captcha" per-domain or per-domain+path, with paths taking priority. -- Provide a bash script that solves the proof-of-work and a form submission box for noscript users. -- Whitelist or blacklist IPs/subnets. -- Maintenance mode page for selected domains. -- Improved the appearance of the challenge page. -- Many bugfixes. - #### Environment variables For docker, these are in docker-compose.yml. For production deployments, add them to `/etc/default/haproxy`. @@ -31,15 +10,16 @@ NOTE: Use either HCAPTCHA_ or RECAPTHCA_, not both. - CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies - POW_COOKIE_SECRET - different random string, a salt for pow cookies - HMAC_COOKIE_SECRET - different random string, a salt for pow cookies +- TOR_CONTROL_PORT_PASSWORD - the control port password for tor daemon - RAY_ID - string to identify the HAProxy node by -- BUCKET_DURATION - how long between bucket changes, invalidating cookies +- CHALLENGE_EXPIRY - how long solution cookies last for, in seconds - CHALLENGE_INCLUDES_IP - any value, whether to lock solved challenges to IP or tor circuit - BACKEND_NAME - Optional, name of backend to build from hosts.map - SERVER_PREFIX - Optional, prefix of server names used in server-template -- POW_TIME - argon2 iterations -- POW_KB - argon2 memory usage in KB -- POW_DIFFICULTY - pow "difficulty" (you should use all 3 POW_ parameters to tune the difficulty) -- TOR_CONTROL_PORT_PASSWORD - the control port password for tor daemon +- ARGON_TIME - argon2 iterations +- ARGON_KB - argon2 memory usage in KB +- POW_DIFFICULTY - pow difficulty +- POW_TYPE - type of ahsh algorithm for pow "argon2" or "sha256" #### Run in docker (for testing/development) @@ -57,9 +37,11 @@ Requires HAProxy compiled with lua support, and version >=2.5 for the native lua - Clone the repo somewhere. `/var/www/haproxy-protection` works. - Copy [haproxy.cfg](haproxy/haproxy.cfg) to `/etc/haproxy/haproxy.cfg`. - Please note this configuration is very minimal, and is simply an example configuration for haproxy-protection. You are expected to customise it significantly or otherwise copy the relevant parts into your own haproxy config. -- Copy (preferably link) [scripts](src/scripts) to `/etc/haproxy/scripts`. -- Copy (preferably link) [libs](src/libs) to `/etc/haproxy/libs`. -- Copy the map files from haproxy folder to `/etc/haproxy`. +- Copy/link [scripts](src/lua/scripts) to `/etc/haproxy/scripts`. +- Copy/link [libs](src/lua/libs) to `/etc/haproxy/libs`. +- Copy/link [template](haproxy/template) to `/etc/haproxy/template`. +- Copy/link [js](src/js) to `/etc/haproxy/js`. +- Copy [map](haproxy/map) to `/etc/haproxy/map`. - Install argon2, and the lua argon2 module with luarocks: ```bash sudo apt install -y git lua5.3 liblua5.3-dev argon2 libargon2-dev luarocks @@ -85,8 +67,3 @@ ControlPort 9051 HashedControlPassword xxxxxxxxxxxxxxxxx ``` - Don't forget to restart tor - -#### Screenshots - -![nocaptcha](img/nocaptcha.png "no captcha mode") -![captcha](img/captcha.png "captcha mode (pow done asynchronously in background)") diff --git a/LICENSE.md b/LICENSE.md index 3457a53..1870857 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,6 +1,7 @@ MIT License Copyright (c) 2021 Eugene Prodan +Copyright (c) 2022-2023 Thomas Lynch (fatchan) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal @@ -18,4 +19,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. \ No newline at end of file +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..a043ba7 --- /dev/null +++ b/README.md @@ -0,0 +1,40 @@ +## haproxy-protection + +A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a HAProxy configuration and lua scripts allowing a challenge-response page where users solve a captcha and/or proof-of-work. Intended to stop bots, spam, ddos. + +Integrates with https://gitgud.io/fatchan/haproxy-panel-next to add/remove/edit domains, protection rules, blocked ips, backend server IPs, etc during runtime. + +#### Features / improvements in this fork: + +- Implement a proof-of-work mode, in addition to the existing captcha only mode. +- Ability to choose between argon2 or sha256 proof of work modes. +- Sharing POW answers with storage events to prevent unnecessary re-solving when opening multiple tabs. +- Supports either hcaptcha or recaptcha. +- Support .onion/tor with the HAProxy PROXY protocol, using circuit identifiers as a substitute for IPs. +- Allow users without javascript to solve the POW by providing a shell script and html form inside `noscript` tags. +- Use HAProxy `http-request return` directive to directly serve files from the edge without a separate backend. +- Adjustable cookie validity lifetime. +- Adjustable "mode" ("none", "pow" or "pow+captcha") per domain or domain+path +- Improved the appearance of the challenge page. +- Add several useful maps & acls to the haproxy config: + - Whitelist or blacklist IPs/subnets. + - Maintenance mode page for selected domains. +- Fix multiple security issues. +- Many bugfixes. + +#### Installation + +See [INSTALLATION.md](INSTALLATION.md) + +#### Screenshots + +![nocaptcha](img/nocaptcha.png "no captcha mode") +![captcha](img/captcha.png "captcha mode (pow done asynchronously in background)") + +## For generous people + +Bitcoin (BTC): [`bc1q4elrlz5puak4m9xy3hfvmpempnpqpu95v8s9m6`](bitcoin:bc1q4elrlz5puak4m9xy3hfvmpempnpqpu95v8s9m6) + +Monero (XMR): [`89J9DXPLUBr5HjNDNZTEo4WYMFTouSsGjUjBnUCCUxJGUirthnii4naZ8JafdnmhPe4NP1nkWsgcK82Uga7X515nNR1isuh`](monero:89J9DXPLUBr5HjNDNZTEo4WYMFTouSsGjUjBnUCCUxJGUirthnii4naZ8JafdnmhPe4NP1nkWsgcK82Uga7X515nNR1isuh) + +Oxen (OXEN): `LBjExqjDKCFT6Tj198CfK8auAzBERJX1ogtcsjuKZ6AYWTFxwEADLgf2zZ8NHvWCa1UW7vrtY8DJmPYFpj3MEE69CryCvN6` diff --git a/docker-compose.yml b/docker-compose.yml index 6824c86..768642d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,17 +10,11 @@ services: dockerfile: haproxy/Dockerfile volumes: - ./haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg - - ./haproxy/ddos.map:/etc/haproxy/ddos.map - - ./haproxy/hosts.map:/etc/haproxy/hosts.map - - ./haproxy/backends.map:/etc/haproxy/backends.map - - ./haproxy/blocked.map:/etc/haproxy/blocked.map - - ./haproxy/whitelist.map:/etc/haproxy/whitelist.map - - ./haproxy/maintenance.map:/etc/haproxy/maintenance.map - - ./haproxy/trace.txt:/etc/haproxy/trace.txt - - ./src/scripts/:/etc/haproxy/scripts/ - - ./src/libs/:/etc/haproxy/libs/ - - ./haproxy/js/:/var/www/js/ - - ./haproxy/html/maintenance.html:/var/www/html/maintenance.html + - ./haproxy/map/:/etc/haproxy/map/ + - ./haproxy/template/:/etc/haproxy/template/ + - ./src/lua/scripts/:/etc/haproxy/scripts/ + - ./src/lua/libs/:/etc/haproxy/libs/ + - ./src/js/:/etc/haproxy/js/ environment: # These are the hcaptcha and recaptcha test keys, not leaking any dont worry :^) - HCAPTCHA_SITEKEY=20000000-ffff-ffff-ffff-000000000002 @@ -31,13 +25,14 @@ services: - POW_COOKIE_SECRET=changeme - HMAC_COOKIE_SECRET=changeme - RAY_ID=docker - - BUCKET_DURATION=43200 + - CHALLENGE_EXPIRY=43200 - BACKEND_NAME=servers - SERVER_PREFIX=websrv - CHALLENGE_INCLUDES_IP=1 - - POW_TIME=2 - - POW_KB=512 - - POW_DIFFICULTY=25 + - ARGON_TIME=2 + - ARGON_KB=512 + - POW_DIFFICULTY=24 + - POW_TYPE=argon2 - TOR_CONTROL_PORT_PASSWORD=changeme nginx: diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg index ceaea01..f302c1b 100644 --- a/haproxy/haproxy.cfg +++ b/haproxy/haproxy.cfg @@ -40,38 +40,38 @@ frontend http-in #option forwardfor # drop requests with invalid host header - acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/hosts.map) -m found + acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/map/hosts.map) -m found http-request silent-drop unless is_existing_vhost - # debug only, /cdn-cgi/trace - #http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/trace.txt if { path /cdn-cgi/trace } + # debug information at /.basedflare/cgi/trace + http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace } # acl for blocked IPs/subnets - acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/blocked.map) -m found + acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/map/blocked.map) -m found http-request deny deny_status 403 if blocked_ip_or_subnet # ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this. - http-request track-sc0 src table bot_check_post_throttle if { path /bot-check } { method POST } + http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST } http-request lua.kill-tor-circuit if { sc_http_req_rate(0) gt 1 } http-request tarpit if { sc_http_req_rate(0) gt 1 } # acl for lua check whitelisted IPs/subnets and some excluded paths - acl is_excluded src,map_ip(/etc/haproxy/whitelist.map) -m found + acl is_excluded src,map_ip(/etc/haproxy/map/whitelist.map) -m found acl is_excluded path /favicon.ico #add more # acl ORs for when ddos_mode_enabled acl ddos_mode_enabled_override hdr_cnt(xr3la1rfFc) eq 0 - acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/ddos.map) -m bool - acl ddos_mode_enabled base,map(/etc/haproxy/ddos.map) -m bool + acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/map/ddos.map) -m bool + acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m bool # serve challenge page scripts directly from haproxy - http-request return file /var/www/js/argon2.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /js/argon2.js } - http-request return file /var/www/js/challenge.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /js/challenge.js } - http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /js/worker.js } + http-request return file /etc/haproxy/js/argon2.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /.basedflare/js/argon2.js } + http-request return file /etc/haproxy/js/challenge.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /.basedflare/js/challenge.js } + http-request return file /etc/haproxy/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /.basedflare/js/worker.js } # acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo) - acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/maintenance.map) -m found - http-request return file /var/www/html/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "cache-control" "private, max-age=30" if maintenance_mode + acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found + http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "cache-control" "private, max-age=30" if maintenance_mode # create acl for bools updated by lua acl captcha_passed var(txn.captcha_passed) -m bool @@ -80,14 +80,14 @@ frontend http-in acl validate_pow var(txn.validate_pow) -m bool # check pow/captcha and show page if necessary - acl on_captcha_url path /bot-check - http-request use-service lua.hcaptcha-view if on_captcha_url !is_excluded + acl on_bot_check path /.basedflare/bot-check + http-request use-service lua.bot-check if on_bot_check !is_excluded # challenge decisions, checking, and redirecting to /bot-check - http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled - http-request lua.hcaptcha-check if !is_excluded !on_captcha_url validate_captcha - http-request lua.pow-check if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override - http-request redirect location /bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_captcha_url !is_excluded + http-request lua.decide-checks-necessary if !is_excluded !on_bot_check ddos_mode_enabled + http-request lua.captcha-check if !is_excluded !on_bot_check validate_captcha + http-request lua.pow-check if !is_excluded !on_bot_check validate_pow OR !is_excluded !on_bot_check ddos_mode_enabled_override + http-request redirect location /.basedflare/bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_bot_check ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_bot_check ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_bot_check !is_excluded # X-Cache-Status header (may be sent in some non-cache responses because NOSRV can happen for other reasons, but should always be present in responses served by cache-use) http-response set-header X-Cache-Status HIT if !{ srv_id -m found } @@ -111,7 +111,7 @@ backend servers # placeholder servers, activated by LUA or the control panel server-template websrv 1-100 0.0.0.0:80 check disabled # use server based on hostname - use-server %[req.hdr(host),lower,map(/etc/haproxy/backends.map)] if TRUE + use-server %[req.hdr(host),lower,map(/etc/haproxy/map/backends.map)] if TRUE backend bot_check_post_throttle stick-table type ipv6 size 100k expire 60s store http_req_rate(60s) diff --git a/haproxy/js/worker.js b/haproxy/js/worker.js deleted file mode 100644 index 6fd4617..0000000 --- a/haproxy/js/worker.js +++ /dev/null @@ -1,29 +0,0 @@ -importScripts('/js/argon2.js'); - -onmessage = async function(e) { - const [userkey, challenge, diff, diffString, argonOpts, id, threads] = e.data; - console.log('Worker thread', id, 'started'); - let i = id; - if (id === 0) { - setInterval(() => { - postMessage([i]); - }, 500); - } - while(true) { - const hash = await argon2.hash({ - pass: challenge + i.toString(), - salt: userkey, - ...argonOpts, - }); - // This throttle seems to really help some browsers not stop the workers abruptly - i % 10 === 0 && await new Promise(res => setTimeout(res, 10)); - if (hash.hashHex.startsWith(diffString) - && ((parseInt(hash.hashHex[diffString.length],16) & - 0xff >> (((diffString.length+1)*8)-diff)) === 0)) { - console.log('Worker', id, 'found solution'); - postMessage([id, i]); - break; - } - i+=threads; - } -} diff --git a/haproxy/backends.map b/haproxy/map/backends.map similarity index 100% rename from haproxy/backends.map rename to haproxy/map/backends.map diff --git a/haproxy/blocked.map b/haproxy/map/blocked.map similarity index 100% rename from haproxy/blocked.map rename to haproxy/map/blocked.map diff --git a/haproxy/ddos.map b/haproxy/map/ddos.map similarity index 100% rename from haproxy/ddos.map rename to haproxy/map/ddos.map diff --git a/haproxy/hosts.map b/haproxy/map/hosts.map similarity index 100% rename from haproxy/hosts.map rename to haproxy/map/hosts.map diff --git a/haproxy/maintenance.map b/haproxy/map/maintenance.map similarity index 100% rename from haproxy/maintenance.map rename to haproxy/map/maintenance.map diff --git a/haproxy/whitelist.map b/haproxy/map/whitelist.map similarity index 100% rename from haproxy/whitelist.map rename to haproxy/map/whitelist.map diff --git a/haproxy/html/maintenance.html b/haproxy/template/maintenance.html similarity index 83% rename from haproxy/html/maintenance.html rename to haproxy/template/maintenance.html index fe9caef..3d445b1 100644 --- a/haproxy/html/maintenance.html +++ b/haproxy/template/maintenance.html @@ -7,7 +7,7 @@ :root{--text-color:#c5c8c6;--bg-color:#1d1f21} @media (prefers-color-scheme:light){:root{--text-color:#333;--bg-color:#EEE}} a,a:visited{color:var(--text-color)} -body,html{height:100%} +body,html{height:100%%} body{display:flex;flex-direction:column;background-color:var(--bg-color);color:var(--text-color);font-family:Helvetica,Arial,sans-serif;text-align:center;margin:0} code{background-color:#dfdfdf30;border-radius:3px;padding:0 3px;} img,h3,p{margin:0 0 5px 0} @@ -19,7 +19,8 @@ footer{font-size:x-small;margin-top:auto;margin-bottom:20px}.pt{padding-top:30vh diff --git a/haproxy/trace.txt b/haproxy/template/trace.txt similarity index 80% rename from haproxy/trace.txt rename to haproxy/template/trace.txt index be55d08..48410ef 100644 --- a/haproxy/trace.txt +++ b/haproxy/template/trace.txt @@ -7,4 +7,4 @@ tls=%[ssl_fc] tlsv=%sslv sni=%[ssl_fc_sni] vey_id=%[env(RAY_ID)] -bucket=%[env(BUCKET_DURATION)] +expiry=%[env(CHALLENGE_EXPIRY)] diff --git a/haproxy/js/argon2.js b/src/js/argon2.js similarity index 100% rename from haproxy/js/argon2.js rename to src/js/argon2.js diff --git a/haproxy/js/challenge.js b/src/js/challenge.js similarity index 65% rename from haproxy/js/challenge.js rename to src/js/challenge.js index ef22c6b..4dcd4de 100644 --- a/haproxy/js/challenge.js +++ b/src/js/challenge.js @@ -25,6 +25,7 @@ const wasmSupported = (() => { return new WebAssembly.Instance(module) instanceof WebAssembly.Instance; } } catch (e) { + console.error(e); } return false; })(); @@ -37,7 +38,7 @@ function postResponse(powResponse, captchaResponse) { body['h-captcha-response'] = captchaResponse; body['g-recaptcha-response'] = captchaResponse; } - fetch('/bot-check', { + fetch('/.basedflare/bot-check', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', @@ -51,38 +52,68 @@ function postResponse(powResponse, captchaResponse) { } else if (s >= 500) { return insertError('server responded with error.'); } + window.localStorage.setItem('basedflare-redirect', Math.random()); finishRedirect(); - }).catch(err => { + }).catch(() => { insertError('failed to send challenge response.'); }); } -const powFinished = new Promise((resolve, reject) => { +const powFinished = new Promise(resolve => { + + const start = Date.now(); + const workers = []; + let finished = false; + const stopPow = () => { + finished = true; + const hasCaptcha = document.getElementById('captcha'); + updateElem('.powstatus', `Found proof-of-work solution.${!hasCaptcha?' Submitting...':''}`); + workers.forEach(w => w.terminate()); + }; + const submitPow = (answer) => { + window.localStorage.setItem('basedflare-pow-response', answer); + stopPow(); + const dummyTime = 3000 - (Date.now()-start); + window.setTimeout(() => { + resolve({ answer }); + }, dummyTime); + }; + window.addEventListener('DOMContentLoaded', async () => { + + const { time, kb, pow, diff, mode } = document.querySelector('[data-pow]').dataset; + window.addEventListener('storage', event => { + if (event.key === 'basedflare-pow-response' && !finished) { + console.log('Got answer', event.newValue, 'from storage event'); + stopPow(); + resolve({ answer: event.newValue, localStorage: true }); + } else if (event.key === 'basedflare-redirect') { + console.log('Redirecting, solved in another tab'); + finishRedirect(); + } + }); + if (!wasmSupported) { - return insertError('browser does not support WebAssembly.'); + return insertError('Browser does not support WebAssembly.'); } - const { time, kb, pow, diff } = document.querySelector('[data-pow]').dataset; - const argonOpts = { + const powOpts = { time: time, mem: kb, hashLen: 32, parallelism: 1, - type: argon2.ArgonType.Argon2id, + type: argon2 ? argon2.ArgonType.Argon2id : null, + mode: mode, }; console.log('Got pow', pow, 'with difficulty', diff); const eHashes = Math.pow(16, Math.floor(diff/8)) * ((diff%8)*2); const diffString = '0'.repeat(Math.floor(diff/8)); - const combined = pow; - const [userkey, challenge, signature] = combined.split("#"); - const start = Date.now(); + const [userkey, challenge] = pow.split("#"); if (window.Worker) { const cpuThreads = window.navigator.hardwareConcurrency; const isTor = location.hostname.endsWith('.onion'); /* Try to use all threads on tor, because tor limits threads for anti fingerprinting but this makes it awfully slow because workerThreads will always be = 1 */ const workerThreads = isTor ? cpuThreads : Math.max(Math.ceil(cpuThreads/2),cpuThreads-1); - let finished = false; const messageHandler = (e) => { if (e.data.length === 1) { const totalHashes = e.data[0]; //assumes all worker threads are same speed @@ -93,64 +124,38 @@ const powFinished = new Promise((resolve, reject) => { return updateElem('.powstatus', `Proof-of-work: ${hps}H/s, ~${remainingSec}s remaining`); } if (finished) { return; } - finished = true; - const hasCaptcha = document.getElementById('captcha'); - updateElem('.powstatus', `Found proof-of-work solution.${!hasCaptcha?' Submitting...':''}`); - workers.forEach(w => w.terminate()); const [workerId, answer] = e.data; console.log('Worker', workerId, 'returned answer', answer, 'in', Date.now()-start+'ms'); - const dummyTime = 5000 - (Date.now()-start); - window.setTimeout(() => { - resolve(`${combined}#${answer}`); - }, dummyTime); - } - const workers = []; - for (let i = 0; i < workerThreads; i++) { - const argonWorker = new Worker('/js/worker.js'); - argonWorker.onmessage = messageHandler; - workers.push(argonWorker); + submitPow(`${pow}#${answer}`); } for (let i = 0; i < workerThreads; i++) { - await new Promise(res => setTimeout(res, 100)); - workers[i].postMessage([userkey, challenge, diff, diffString, argonOpts, i, workerThreads]); + const powWorker = new Worker('/.basedflare/js/worker.js'); + powWorker.onmessage = messageHandler; + workers.push(powWorker); + } + for (let i = 0; i < workerThreads; i++) { + await new Promise(res => setTimeout(res, 10)); + workers[i].postMessage([userkey, challenge, diff, diffString, powOpts, i, workerThreads]); } } else { - console.warn('No webworker support, running in main/UI thread!'); - let i = 0; - let start = Date.now(); - while(true) { - const hash = await argon2.hash({ - pass: challenge + i.toString(), - salt: userkey, - ...argonOpts, - }); - if (hash.hashHex.startsWith(diffString) - && ((parseInt(hash.hashHex[diffString.length],16) & - 0xff >> (((diffString.length+1)*8)-diff)) === 0)) { - console.log('Main thread found solution:', hash.hashHex, 'in', (Date.now()-start)+'ms'); - break; - } - ++i; - } - const dummyTime = 5000 - (Date.now()-start); - window.setTimeout(() => { - resolve(`${combined}#${i}`); - }, dummyTime); + return insertError('Browser does not support Web Workers.'); } }); }).then((powResponse) => { const hasCaptchaForm = document.getElementById('captcha'); - if (!hasCaptchaForm) { - postResponse(powResponse); + if (!hasCaptchaForm && !powResponse.localStorage) { + postResponse(powResponse.answer); } - return powResponse; + return powResponse.answer; +}).catch((e) => { + console.error(e); }); function onCaptchaSubmit(captchaResponse) { const captchaElem = document.querySelector('[data-sitekey]'); captchaElem.insertAdjacentHTML('afterend', `
`); captchaElem.remove(); - powFinished.then((powResponse) => { + powFinished.then(powResponse => { postResponse(powResponse, captchaResponse); }); } diff --git a/src/js/worker.js b/src/js/worker.js new file mode 100644 index 0000000..9a120f0 --- /dev/null +++ b/src/js/worker.js @@ -0,0 +1,43 @@ +async function nativeHash(data, method) { + const buffer = new TextEncoder('utf-8').encode(data); + const hashBuffer = await crypto.subtle.digest(method, buffer) + const hashArray = Array.from(new Uint8Array(hashBuffer)); + return hashArray.map(b => b.toString(16).padStart(2, '0')).join(''); +} + +onmessage = async function(e) { + const [userkey, challenge, diff, diffString, powOpts, id, threads] = e.data; + if (powOpts.mode === "argon2") { + importScripts('/.basedflare/js/argon2.js'); + } + console.log('Worker thread', id, 'started'); + let i = id; + if (id === 0) { + setInterval(() => { + postMessage([i]); + }, 500); + } + while(true) { + let hash; + if (powOpts.mode === "argon2") { + const argonHash = await argon2.hash({ + pass: challenge + i.toString(), + salt: userkey, + ...powOpts, + }); + hash = argonHash.hashHex; + } else { + hash = await nativeHash(userkey + challenge + i.toString(), 'sha-256'); + } + // This throttle seems to really help some browsers not stop the workers abruptly + i % 10 === 0 && await new Promise(res => setTimeout(res, 10)); + if (hash.toString().startsWith(diffString) + && ((parseInt(hash[diffString.length],16) & + 0xff >> (((diffString.length+1)*8)-diff)) === 0)) { + console.log('Worker', id, 'found solution'); + postMessage([id, i]); + break; + } + i+=threads; + } +} diff --git a/src/libs/cookie.lua b/src/lua/libs/cookie.lua similarity index 100% rename from src/libs/cookie.lua rename to src/lua/libs/cookie.lua diff --git a/src/libs/json.lua b/src/lua/libs/json.lua similarity index 100% rename from src/libs/json.lua rename to src/lua/libs/json.lua diff --git a/src/libs/print_r.lua b/src/lua/libs/print_r.lua similarity index 100% rename from src/libs/print_r.lua rename to src/lua/libs/print_r.lua diff --git a/src/libs/randbytes.lua b/src/lua/libs/randbytes.lua similarity index 100% rename from src/libs/randbytes.lua rename to src/lua/libs/randbytes.lua diff --git a/src/libs/sha.lua b/src/lua/libs/sha.lua similarity index 100% rename from src/libs/sha.lua rename to src/lua/libs/sha.lua diff --git a/src/libs/url.lua b/src/lua/libs/url.lua similarity index 100% rename from src/libs/url.lua rename to src/lua/libs/url.lua diff --git a/src/libs/utils.lua b/src/lua/libs/utils.lua similarity index 80% rename from src/libs/utils.lua rename to src/lua/libs/utils.lua index d1ef1f9..00cd71a 100644 --- a/src/libs/utils.lua +++ b/src/lua/libs/utils.lua @@ -1,16 +1,12 @@ local _M = {} local sha = require("sha") -local secret_bucket_duration = tonumber(os.getenv("BUCKET_DURATION")) +local challenge_expiry = tonumber(os.getenv("CHALLENGE_EXPIRY")) local challenge_includes_ip = os.getenv("CHALLENGE_INCLUDES_IP") local tor_control_port_password = os.getenv("TOR_CONTROL_PORT_PASSWORD") -- generate the challenge hash/user hash -function _M.generate_secret(context, salt, user_key, is_applet) - - -- time bucket for expiry - local start_sec = core.now()['sec'] - local bucket = start_sec - (start_sec % secret_bucket_duration) +function _M.generate_challenge(context, salt, user_key, is_applet) -- optional IP to lock challenges/user_keys to IP (for clearnet or single-onion aka 99% of cases) local ip = "" @@ -28,7 +24,11 @@ function _M.generate_secret(context, salt, user_key, is_applet) user_agent = context.sf:req_fhdr('user-agent') or "" end - return sha.sha3_256(salt .. bucket .. ip .. user_key .. user_agent) + local challenge_hash = sha.sha3_256(salt .. ip .. user_key .. user_agent) + + local expiry = core.now()['sec'] + challenge_expiry + + return challenge_hash, expiry end @@ -43,6 +43,9 @@ end -- return true if hash passes difficulty function _M.checkdiff(hash, diff) + if #hash == 0 then + return false + end local i = 1 for j = 0, (diff-8), 8 do if hash:sub(i, i) ~= "0" then @@ -59,11 +62,10 @@ end function _M.send_tor_control_port(circuit_identifier) local tcp = core.tcp(); tcp:settimeout(1); - tcp:connect("127.0.0.1", 9051); + tcp:connect("127.0.0.1", 9051); --TODO: configurable host/port -- not buffered, so we are better off sending it all at once tcp:send('AUTHENTICATE "' .. tor_control_port_password .. '"\nCLOSECIRCUIT ' .. circuit_identifier ..'\n') tcp:close() end return _M - diff --git a/src/scripts/hcaptcha.lua b/src/lua/scripts/bot-check.lua similarity index 56% rename from src/scripts/hcaptcha.lua rename to src/lua/scripts/bot-check.lua index 7aa099b..f42b28a 100644 --- a/src/scripts/hcaptcha.lua +++ b/src/lua/scripts/bot-check.lua @@ -1,25 +1,33 @@ _M = {} -local url = require("url") -local utils = require("utils") -local cookie = require("cookie") -local json = require("json") -local sha = require("sha") -local randbytes = require("randbytes") -local argon2 = require("argon2") -local pow_difficulty = tonumber(os.getenv("POW_DIFFICULTY") or 18) -local pow_kb = tonumber(os.getenv("POW_KB") or 6000) -local pow_time = tonumber(os.getenv("POW_TIME") or 1) -argon2.t_cost(pow_time) -argon2.m_cost(pow_kb) -argon2.parallelism(1) -argon2.hash_len(32) -argon2.variant(argon2.variants.argon2_id) - -- Testing only -- require("socket") -- require("print_r") +-- main libs +local url = require("url") +local utils = require("utils") +local cookie = require("cookie") +local json = require("json") +local randbytes = require("randbytes") +local templates = require("templates") + +-- POW +local pow_type = os.getenv("POW_TYPE") or "argon2" +local pow_difficulty = tonumber(os.getenv("POW_DIFFICULTY") or 18) +-- argon2 +local argon2 = require("argon2") +local argon_kb = tonumber(os.getenv("ARGON_KB") or 6000) +local argon_time = tonumber(os.getenv("ARGON_TIME") or 1) +argon2.t_cost(argon_time) +argon2.m_cost(argon_kb) +argon2.parallelism(1) +argon2.hash_len(32) +argon2.variant(argon2.variants.argon2_id) +-- sha2 +local sha = require("sha") + +-- environment variables local captcha_secret = os.getenv("HCAPTCHA_SECRET") or os.getenv("RECAPTCHA_SECRET") local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY") or os.getenv("RECAPTCHA_SITEKEY") local captcha_cookie_secret = os.getenv("CAPTCHA_COOKIE_SECRET") @@ -27,7 +35,8 @@ local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET") local hmac_cookie_secret = os.getenv("HMAC_COOKIE_SECRET") local ray_id = os.getenv("RAY_ID") -local captcha_map = Map.new("/etc/haproxy/ddos.map", Map._str); +-- load captcha map and set hcaptcha/recaptch based off env vars +local captcha_map = Map.new("/etc/haproxy/map/ddos.map", Map._str); local captcha_provider_domain = "" local captcha_classname = "" local captcha_script_src = "" @@ -47,6 +56,7 @@ else captcha_backend_name = "recaptcha" end +-- setup initial server backends based on hosts.map into backends.map function _M.setup_servers() if pow_difficulty < 8 then error("POW_DIFFICULTY must be > 8. Around 16-32 is better") @@ -56,8 +66,8 @@ function _M.setup_servers() if backend_name == nil or server_prefix == nil then return; end - local hosts_map = Map.new("/etc/haproxy/hosts.map", Map._str); - local handle = io.open("/etc/haproxy/hosts.map", "r") + local hosts_map = Map.new("/etc/haproxy/map/hosts.map", Map._str); + local handle = io.open("/etc/haproxy/map/hosts.map", "r") local line = handle:read("*line") local counter = 1 while line do @@ -65,7 +75,7 @@ function _M.setup_servers() local port_index = backend_host:match'^.*():' local backend_hostname = backend_host:sub(0, port_index-1) local backend_port = backend_host:sub(port_index + 1) - core.set_map("/etc/haproxy/backends.map", domain, server_prefix..counter) + core.set_map("/etc/haproxy/map/backends.map", domain, server_prefix..counter) local proxy = core.proxies[backend_name].servers[server_prefix..counter] proxy:set_addr(backend_hostname, backend_port) proxy:set_ready() @@ -75,104 +85,6 @@ function _M.setup_servers() handle:close() end --- main page template -local body_template = [[ - - - - - Hold on... - - - - - - - %s - %s - %s - -
- - - -]] - -local noscript_extra_template = [[ -
- No JavaScript? -
    -
  1. -

    Run this in a linux terminal (requires argon2 package installed):

    - - echo "Q0g9IiQyIjtCPSQocHJpbnRmICcwJS4wcycgJChzZXEgMSAkNCkpO2VjaG8gIldvcmtpbmcuLi4iO0k9MDt3aGlsZSB0cnVlOyBkbyBIPSQoZWNobyAtbiAkQ0gkSSB8IGFyZ29uMiAkMSAtaWQgLXQgJDUgLWsgJDYgLXAgMSAtbCAzMiAtcik7RT0ke0g6MDokNH07W1sgJEUgPT0gJEIgXV0gJiYgZWNobyAiT3V0cHV0OiIgJiYgZWNobyAkMSMkMiMkMyMkSSAmJiBleGl0IDA7KChJKyspKTtkb25lOwo=" | base64 -d | bash -s %s %s %s %s %s %s - -
  2. Paste the script output into the box and submit: -
    - -
    -
    -
-
-]] - --- title with favicon and hostname -local site_name_section_template = [[ -

- icon - %s -

-]] - --- spinner animation for proof of work -local pow_section_template = [[ -

- Checking your browser for robots 🤖 -

-
-
-
-]] - --- message, captcha form and submit button -local captcha_section_template = [[ -

- Please solve the captcha to continue. -

-
-
- -
-]] - -- kill a tor circuit function _M.kill_tor_circuit(txn) local ip = txn.sf:src() @@ -202,9 +114,9 @@ function _M.view(applet) -- get the user_key#challenge#sig local user_key = sha.bin_to_hex(randbytes(16)) - local challenge_hash = utils.generate_secret(applet, pow_cookie_secret, user_key, true) - local signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, user_key .. challenge_hash) - local combined_challenge = user_key .. "#" .. challenge_hash .. "#" .. signature + local challenge_hash, expiry = utils.generate_challenge(applet, pow_cookie_secret, user_key, true) + local signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, user_key .. challenge_hash .. expiry) + local combined_challenge = user_key .. "#" .. challenge_hash .. "#" .. expiry .. "#" .. signature -- define body sections local site_name_body = "" @@ -215,7 +127,7 @@ function _M.view(applet) -- check if captcha is enabled, path+domain priority, then just domain, and 0 otherwise local captcha_enabled = false local host = applet.headers['host'][0] - local path = applet.qs; --because on /bot-check?/whatever, .qs (query string) holds the "path" + local path = applet.qs; --because on /.basedflare/bot-check?/whatever, .qs (query string) holds the "path" local captcha_map_lookup = captcha_map:lookup(host..path) or captcha_map:lookup(host) or 0 captcha_map_lookup = tonumber(captcha_map_lookup) @@ -224,19 +136,26 @@ function _M.view(applet) end -- pow at least is always enabled when reaching bot-check page - site_name_body = string.format(site_name_section_template, host) + site_name_body = string.format(templates.site_name_section, host) if captcha_enabled then - captcha_body = string.format(captcha_section_template, captcha_classname, + captcha_body = string.format(templates.captcha_section, captcha_classname, captcha_sitekey, captcha_script_src) else - pow_body = pow_section_template - noscript_extra_body = string.format(noscript_extra_template, user_key, challenge_hash, signature, - math.ceil(pow_difficulty/8), pow_time, pow_kb) + pow_body = templates.pow_section + local noscript_extra + if pow_type == "argon2" then + noscript_extra = templates.noscript_extra_argon2 + else + noscript_extra = templates.noscript_extra_sha256 + end + noscript_extra_body = string.format(noscript_extra, user_key, + challenge_hash, expiry, signature, math.ceil(pow_difficulty/8), + argon_time, argon_kb) end -- sub in the body sections - response_body = string.format(body_template, combined_challenge, - pow_difficulty, pow_time, pow_kb, + response_body = string.format(templates.body, combined_challenge, + pow_difficulty, argon_time, argon_kb, pow_type, site_name_body, pow_body, captcha_body, noscript_extra_body, ray_id) response_status_code = 403 @@ -257,47 +176,60 @@ function _M.view(applet) -- handle setting the POW cookie local user_pow_response = parsed_body["pow_response"] + local matched_expiry = 0 -- ensure captcha cookie expiry matches POW cookie if user_pow_response then -- split the response up (makes the nojs submission easier because it can be a single field) local split_response = utils.split(user_pow_response, "#") - if #split_response == 4 then + if #split_response == 5 then local given_user_key = split_response[1] local given_challenge_hash = split_response[2] - local given_signature = split_response[3] - local given_answer = split_response[4] + local given_expiry = split_response[3] + local given_signature = split_response[4] + local given_answer = split_response[5] - -- regenerate the challenge and compare it - local generated_challenge_hash = utils.generate_secret(applet, pow_cookie_secret, given_user_key, true) - if given_challenge_hash == generated_challenge_hash then + -- expiry check + local number_expiry = tonumber(given_expiry, 10) + if number_expiry ~= nil and number_expiry > core.now()['sec'] then - -- regenerate the signature and compare it - local generated_signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_challenge_hash) - if given_signature == generated_signature then + -- regenerate the challenge and compare it + local generated_challenge_hash = utils.generate_challenge(applet, pow_cookie_secret, given_user_key, true) - -- do the work with their given answer - local full_hash = argon2.hash_encoded(given_challenge_hash .. given_answer, given_user_key) + if given_challenge_hash == generated_challenge_hash then - -- check the output is correct - local hash_output = utils.split(full_hash, '$')[6]:sub(0, 43) -- https://github.com/thibaultcha/lua-argon2/issues/37 - local hex_hash_output = sha.bin_to_hex(sha.base64_to_bin(hash_output)); - if utils.checkdiff(hex_hash_output, pow_difficulty) then + -- regenerate the signature and compare it + local generated_signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_challenge_hash .. given_expiry) - -- the answer was good, give them a cookie - local signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_challenge_hash .. given_answer) - local combined_cookie = given_user_key .. "#" .. given_challenge_hash .. "#" .. given_answer .. "#" .. signature - applet:add_header( - "set-cookie", - string.format( - "z_ddos_pow=%s; Expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; Domain=.%s; SameSite=Strict;%s", - combined_cookie, - applet.headers['host'][0], - secure_cookie_flag + if given_signature == generated_signature then + + -- do the work with their given answer + local hex_hash_output = "" + if pow_type == "argon2" then + local encoded_argon_hash = argon2.hash_encoded(given_challenge_hash .. given_answer, given_user_key) + local trimmed_argon_hash = utils.split(encoded_argon_hash, '$')[6]:sub(0, 43) -- https://github.com/thibaultcha/lua-argon2/issues/37 + hex_hash_output = sha.bin_to_hex(sha.base64_to_bin(trimmed_argon_hash)); + else + hex_hash_output = sha.sha256(given_user_key .. given_challenge_hash .. given_answer) + end + + if utils.checkdiff(hex_hash_output, pow_difficulty) then + + -- the answer was good, give them a cookie + local signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_challenge_hash .. given_expiry .. given_answer) + local combined_cookie = given_user_key .. "#" .. given_challenge_hash .. "#" .. given_expiry .. "#" .. given_answer .. "#" .. signature + applet:add_header( + "set-cookie", + string.format( + "_basedflare_pow=%s; Expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; Domain=.%s; SameSite=Strict; HttpOnly;%s", + combined_cookie, + applet.headers['host'][0], + secure_cookie_flag + ) ) - ) - valid_submission = true + valid_submission = true + end end end end @@ -337,13 +269,13 @@ function _M.view(applet) if api_response.success == true then local user_key = sha.bin_to_hex(randbytes(16)) - local user_hash = utils.generate_secret(applet, captcha_cookie_secret, user_key, true) - local signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, user_key .. user_hash) - local combined_cookie = user_key .. "#" .. user_hash .. "#" .. signature + local user_hash = utils.generate_challenge(applet, captcha_cookie_secret, user_key, true) + local signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, user_key .. user_hash .. matched_expiry) + local combined_cookie = user_key .. "#" .. user_hash .. "#" .. matched_expiry .. "#" .. signature applet:add_header( "set-cookie", string.format( - "z_ddos_captcha=%s; Expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; Domain=.%s; SameSite=Strict;%s", + "_basedflare_captcha=%s; Expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; Domain=.%s; SameSite=Strict; HttpOnly;%s", combined_cookie, applet.headers['host'][0], secure_cookie_flag @@ -395,22 +327,29 @@ end -- check if captcha cookie is valid, separate secret from POW function _M.check_captcha_status(txn) local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie")) - local received_captcha_cookie = parsed_request_cookies["z_ddos_captcha"] or "" + local received_captcha_cookie = parsed_request_cookies["_basedflare_captcha"] or "" -- split the cookie up local split_cookie = utils.split(received_captcha_cookie, "#") - if #split_cookie ~= 3 then + if #split_cookie ~= 4 then return end local given_user_key = split_cookie[1] local given_user_hash = split_cookie[2] - local given_signature = split_cookie[3] + local given_expiry = split_cookie[3] + local given_signature = split_cookie[4] + + -- expiry check + local number_expiry = tonumber(given_expiry, 10) + if number_expiry == nil or number_expiry <= core.now()['sec'] then + return + end -- regenerate the user hash and compare it - local generated_user_hash = utils.generate_secret(txn, captcha_cookie_secret, given_user_key, false) + local generated_user_hash = utils.generate_challenge(txn, captcha_cookie_secret, given_user_key, false) if generated_user_hash ~= given_user_hash then return end -- regenerate the signature and compare it - local generated_signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_user_hash) + local generated_signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_user_hash .. given_expiry) if given_signature == generated_signature then return txn:set_var("txn.captcha_passed", true) end @@ -419,23 +358,30 @@ end -- check if pow cookie is valid function _M.check_pow_status(txn) local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie")) - local received_pow_cookie = parsed_request_cookies["z_ddos_pow"] or "" + local received_pow_cookie = parsed_request_cookies["_basedflare_pow"] or "" -- split the cookie up local split_cookie = utils.split(received_pow_cookie, "#") - if #split_cookie ~= 4 then + if #split_cookie ~= 5 then return end local given_user_key = split_cookie[1] local given_challenge_hash = split_cookie[2] - local given_answer = split_cookie[3] - local given_signature = split_cookie[4] + local given_expiry = split_cookie[3] + local given_answer = split_cookie[4] + local given_signature = split_cookie[5] + + -- expiry check + local number_expiry = tonumber(given_expiry, 10) + if number_expiry == nil or number_expiry <= core.now()['sec'] then + return + end -- regenerate the challenge and compare it - local generated_challenge_hash = utils.generate_secret(txn, pow_cookie_secret, given_user_key, false) + local generated_challenge_hash = utils.generate_challenge(txn, pow_cookie_secret, given_user_key, false) if given_challenge_hash ~= generated_challenge_hash then return end -- regenerate the signature and compare it - local generated_signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_challenge_hash .. given_answer) + local generated_signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_challenge_hash .. given_expiry .. given_answer) if given_signature == generated_signature then return txn:set_var("txn.pow_passed", true) end diff --git a/src/lua/scripts/register.lua b/src/lua/scripts/register.lua new file mode 100644 index 0000000..6ba84ef --- /dev/null +++ b/src/lua/scripts/register.lua @@ -0,0 +1,10 @@ +package.path = package.path .. "./?.lua;/etc/haproxy/scripts/?.lua;/etc/haproxy/libs/?.lua" + +local bot_check = require("bot-check") + +core.register_service("bot-check", "http", bot_check.view) +core.register_action("captcha-check", { 'http-req', }, bot_check.check_captcha_status) +core.register_action("pow-check", { 'http-req', }, bot_check.check_pow_status) +core.register_action("decide-checks-necessary", { 'http-req', }, bot_check.decide_checks_necessary) +core.register_action("kill-tor-circuit", { 'http-req', }, bot_check.kill_tor_circuit) +core.register_init(bot_check.setup_servers) diff --git a/src/lua/scripts/templates.lua b/src/lua/scripts/templates.lua new file mode 100644 index 0000000..c056ecc --- /dev/null +++ b/src/lua/scripts/templates.lua @@ -0,0 +1,119 @@ +local _M = {} + +-- main page template +_M.body = [[ + + + + + Hold on... + + + + + + + %s + %s + %s + +
+ + + +]] + +_M.noscript_extra_argon2 = [[ +
+ No JavaScript? +
    +
  1. +

    Run this in a linux terminal (requires argon2 package installed):

    + + echo "Q0g9IiQyIjtCPSQocHJpbnRmIDAlLjBzICQoc2VxIDEgJDUpKTtlY2hvICJXb3JraW5nLi4uIjtJPTA7d2hpbGUgdHJ1ZTsgZG8gSD0kKGVjaG8gLW4gJENIJEkgfCBhcmdvbjIgJDEgLWlkIC10ICQ2IC1rICQ3IC1wIDEgLWwgMzIgLXIpO0U9JHtIOjA6JDV9O1tbICRFID09ICRCIF1dICYmIGVjaG8gIk91dHB1dDoiICYmIGVjaG8gJDEjJDIjJDMjJDQjJEkgJiYgZXhpdCAwOygoSSsrKSk7ZG9uZTsK" | base64 -d | bash -s %s %s %s %s %s %s %s + +
  2. Paste the script output into the box and submit: +
    + +
    +
    +
+
+]] + +_M.noscript_extra_sha256 = [[ +
+ No JavaScript? +
    +
  1. +

    Run this in a linux terminal (requires perl):

    + + echo "dXNlIHN0cmljdDt1c2UgRGlnZXN0OjpTSEEgcXcoc2hhMjU2X2hleCk7cHJpbnQgIldvcmtpbmcuLi4iO215JGM9IiRBUkdWWzBdIi4iJEFSR1ZbMV0iO215JGlkPSRBUkdWWzRdKzA7bXkkZD0iMCJ4JGlkO215JGk9MDt3aGlsZSgxKXtsYXN0IGlmICRkIGVxIHN1YnN0ciBzaGEyNTZfaGV4KCRjLCRpKSwwLCRpZDskaSsrfXByaW50IlxuT3V0cHV0OlxuJEFSR1ZbMF0jJEFSR1ZbMV0jJEFSR1ZbMl0jJEFSR1ZbM10jJGlcbiI=" | base64 -d | perl -w - %s %s %s %s %s %s %s + +
  2. Paste the script output into the box and submit: +
    + +
    +
    +
+
+]] + +-- title with favicon and hostname +_M.site_name_section = [[ +

+ icon + %s +

+]] + +-- spinner animation for proof of work +_M.pow_section = [[ +

+ Checking your browser for robots 🤖 +

+
+
+
+]] + +-- message, captcha form and submit button +_M.captcha_section = [[ +

+ Please solve the captcha to continue. +

+
+
+ +
+]] + +return _M diff --git a/src/scripts/register.lua b/src/scripts/register.lua deleted file mode 100644 index ec408ee..0000000 --- a/src/scripts/register.lua +++ /dev/null @@ -1,10 +0,0 @@ -package.path = package.path .. "./?.lua;/etc/haproxy/scripts/?.lua;/etc/haproxy/libs/?.lua" - -local hcaptcha = require("hcaptcha") - -core.register_service("hcaptcha-view", "http", hcaptcha.view) -core.register_action("hcaptcha-check", { 'http-req', }, hcaptcha.check_captcha_status) -core.register_action("pow-check", { 'http-req', }, hcaptcha.check_pow_status) -core.register_action("decide-checks-necessary", { 'http-req', }, hcaptcha.decide_checks_necessary) -core.register_action("kill-tor-circuit", { 'http-req', }, hcaptcha.kill_tor_circuit) -core.register_init(hcaptcha.setup_servers)