Merge branch 'master' into kikeflare

Thomas Lynch
2022-10-02 06:18:26 +00:00
7 changed files with 133 additions and 59 deletions


@ -10,10 +10,13 @@ global
tune.bufsize 51200
defaults
log global
mode http
option httplog
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
timeout tarpit 5000ms
#frontend stats-frontend
# bind *:2000
@ -47,6 +50,11 @@ frontend http-in
acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/blocked.map) -m found
http-request deny deny_status 403 if blocked_ip_or_subnet
# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
http-request track-sc0 src table bot_check_post_throttle if { path /bot-check } { method POST }
http-request lua.kill-tor-circuit if { sc_http_req_rate(0) gt 1 }
http-request tarpit if { sc_http_req_rate(0) gt 1 }
# acl for lua check whitelisted IPs/subnets and some excluded paths
acl is_excluded src,map_ip(/etc/haproxy/whitelist.map) -m found
acl is_excluded path /favicon.ico #add more
@ -74,10 +82,11 @@ frontend http-in
# check pow/captcha and show page if necessary
acl on_captcha_url path /bot-check
http-request use-service lua.hcaptcha-view if on_captcha_url !is_excluded
http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled
# global override enabled pow-check only, uncomment the OR to also do hcaptcha-check
http-request lua.hcaptcha-check if !is_excluded !on_captcha_url validate_captcha #OR !is_excluded !on_captcha_url ddos_mode_enabled_override
http-request lua.pow-check if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override
# challenge decisions, checking, and redirecting to /bot-check
http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled
http-request lua.hcaptcha-check if !is_excluded !on_captcha_url validate_captcha
http-request lua.pow-check if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override
http-request redirect location /bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_captcha_url !is_excluded
# X-Cache-Status header (may be sent in some non-cache responses because NOSRV can happen for other reasons, but should always be present in responses served by cache-use)
@ -104,6 +113,9 @@ backend servers
# use server based on hostname
use-server %[req.hdr(host),lower,map(/etc/haproxy/backends.map)] if TRUE
backend bot_check_post_throttle
stick-table type ipv6 size 100k expire 60s store http_req_rate(60s)
backend hcaptcha
mode http
server hcaptcha hcaptcha.com:443
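Review bot: The new throttle keys `bot_check_post_throttle` on the full `src` address, so in the `track-sc0` rule under the "ratelimit" comment an IPv6 client that controls a whole prefix gets a fresh counter for every address and never reaches `sc_http_req_rate(0) gt 1`. If clearnet IPv6 is served, consider tracking the prefix instead, e.g. `http-request track-sc0 src,ipmask(32,64) table bot_check_post_throttle if { path /bot-check } { method POST }`. Do not apply this as-is if Tor circuits reach HAProxy as distinct IPv6 addresses inside one prefix, which the page does not show. The same address churn can also fill the 100k-entry table, at which point HAProxy evicts the oldest entries and the 60s window is effectively shortened. A short comment beside the `stick-table` line stating what one key represents (client address or circuit) would make the `gt 1` threshold easier to review.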


@ -1,7 +1,9 @@
function insertError(str) {
const ring = document.querySelector('.lds-ring');
ring.insertAdjacentHTML('afterend', `<p class="red">Error: ${str}</p>`);
ring.remove();
const captcha = document.querySelector('#captcha');
(ring || captcha).insertAdjacentHTML('afterend', `<p class="red">Error: ${str}</p>`);
ring && ring.remove();
captcha && captcha.remove();
}
function finishRedirect() {