Add custom tfp example for writing custom case scripts; TODO: make it not apply only to captcha
3
.gitignore
vendored
3
.gitignore
vendored
@ -2,3 +2,6 @@ tor/hidden_service/
|
|||||||
haproxy/*.pem
|
haproxy/*.pem
|
||||||
haproxy/*.crt
|
haproxy/*.crt
|
||||||
haproxy/dataplaneapi
|
haproxy/dataplaneapi
|
||||||
|
src/lua/scripts/tfp.lua
|
||||||
|
#ignore self-signed cert
|
||||||
|
certs/*
|
||||||
|
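Review bot: The new `src/lua/scripts/tfp.lua` ignore entry has no effect on the copy of tfp.lua that this same commit adds, because .gitignore only applies to untracked files; once an operator replaces the `'changeme'` placeholder with their own fingerprint logic the file will still show as modified and can be committed by accident. If the intent is a site-local file, ship it as `src/lua/scripts/tfp.lua.example` (or `git rm --cached` the tracked copy) and keep the ignore entry for the real file. A comment next to the entry, e.g. `# site-specific fingerprint script, copy from tfp.lua.example`, would make that intent visible.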
@ -17,6 +17,7 @@ services:
|
|||||||
- ./src/lua/libs/:/etc/haproxy/libs/
|
- ./src/lua/libs/:/etc/haproxy/libs/
|
||||||
- ./src/js/:/etc/haproxy/js/
|
- ./src/js/:/etc/haproxy/js/
|
||||||
- ./src/locales/:/etc/haproxy/locales/
|
- ./src/locales/:/etc/haproxy/locales/
|
||||||
|
- ./certs:/etc/haproxy/certs
|
||||||
- ../../Documents/dataplaneapi/build/dataplaneapi:/usr/local/bin/dataplaneapi
|
- ../../Documents/dataplaneapi/build/dataplaneapi:/usr/local/bin/dataplaneapi
|
||||||
environment:
|
environment:
|
||||||
# These are the hcaptcha and recaptcha test keys, not leaking any dont worry :^)
|
# These are the hcaptcha and recaptcha test keys, not leaking any dont worry :^)
|
||||||
|
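Review bot: The new `./certs:/etc/haproxy/certs` mount is read-write, but haproxy only needs to read the certificate and key it is handed on the 443 bind; `- ./certs:/etc/haproxy/certs:ro` keeps a compromised or misbehaving proxy process from altering the key material on the host. Since the Dockerfile creates the haproxy user with uid 99, the files under ./certs also have to be readable by that uid (or a group it belongs to) without making the private key world-readable, which is worth a comment on the mount line. The `services:` block this hunk belongs to starts outside the hunk.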
@ -18,7 +18,7 @@ RUN set -eux; \
|
|||||||
--uid 99 \
|
--uid 99 \
|
||||||
haproxy
|
haproxy
|
||||||
|
|
||||||
ENV HAPROXY_URL http://www.haproxy.org/download/3.0/src/snapshot/haproxy-ss-LATEST.tar.gz
|
ENV HAPROXY_URL http://www.haproxy.org/download/3.1/src/snapshot/haproxy-ss-LATEST.tar.gz
|
||||||
ENV DATAPLANEAPI_URL https://github.com/haproxytech/dataplaneapi/releases/download/v2.7.5/dataplaneapi_2.7.5_Linux_x86_64.tar.gz
|
ENV DATAPLANEAPI_URL https://github.com/haproxytech/dataplaneapi/releases/download/v2.7.5/dataplaneapi_2.7.5_Linux_x86_64.tar.gz
|
||||||
|
|
||||||
# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
|
# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
|
||||||
|
@ -6,12 +6,15 @@ global
|
|||||||
maxconn "${HAPROXY_MAXCONN}"
|
maxconn "${HAPROXY_MAXCONN}"
|
||||||
log stdout format raw local0 debug
|
log stdout format raw local0 debug
|
||||||
lua-load /etc/haproxy/scripts/register-servers.lua
|
lua-load /etc/haproxy/scripts/register-servers.lua
|
||||||
|
lua-load-per-thread /etc/haproxy/scripts/tfp.lua
|
||||||
lua-load-per-thread /etc/haproxy/scripts/register-bot-check.lua
|
lua-load-per-thread /etc/haproxy/scripts/register-bot-check.lua
|
||||||
stats socket /var/run/haproxy.sock mode 666 level admin
|
stats socket /var/run/haproxy.sock mode 666 level admin
|
||||||
stats socket 127.0.0.1:1999 level admin
|
stats socket 127.0.0.1:1999 level admin
|
||||||
httpclient.ssl.verify none
|
httpclient.ssl.verify none
|
||||||
# Allow larger buffer size for return-file of argon scripts
|
# Allow larger buffer size for return-file of argon scripts
|
||||||
tune.bufsize 51200
|
tune.bufsize 51200
|
||||||
|
expose-deprecated-directives
|
||||||
|
tune.ssl.capture-buffer-size 200
|
||||||
|
|
||||||
defaults
|
defaults
|
||||||
log global
|
log global
|
||||||
@ -51,7 +54,7 @@ frontend http-in
|
|||||||
|
|
||||||
# Clearnet http (you'll have to figure out https yourself)
|
# Clearnet http (you'll have to figure out https yourself)
|
||||||
bind *:80
|
bind *:80
|
||||||
# bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h3,h2,http/1.1
|
bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h2,http/1.1
|
||||||
# bind quic4@*:443 ssl crt /etc/haproxy/certs/haproxy.pem
|
# bind quic4@*:443 ssl crt /etc/haproxy/certs/haproxy.pem
|
||||||
# http-response set-header alt-svc "h3=\":443\";ma=900;"
|
# http-response set-header alt-svc "h3=\":443\";ma=900;"
|
||||||
|
|
||||||
@ -59,8 +62,11 @@ frontend http-in
|
|||||||
# bind 127.0.0.1:80 accept-proxy
|
# bind 127.0.0.1:80 accept-proxy
|
||||||
option forwardfor
|
option forwardfor
|
||||||
|
|
||||||
|
# tfp lua dev test
|
||||||
|
http-request lua.set_tfp
|
||||||
|
|
||||||
# custom log format
|
# custom log format
|
||||||
log-format "{\"cc\":%{+Q}[capture.req.hdr(1)],\"cip\":\"%ci\",\"cp\":\"%cp\",\"hh\":%{+Q}[capture.req.hdr(0)],\"backend\":\"%b\",\"server\":\"%s\",\"timers\":\"%TR/%Tw/%Tc/%Tr/%Ta\",\"status\":\"%ST\",\"bytes\":\"%B\",\"bs\":\"%U\",\"conns\":\"%ac/%fc/%bc/%sc/%rc\",\"q\":\"%sq/%bq\",\"req\":%{+Q,+E}r,\"GeoIP_Source\":\"GeoIP_Source=%ci\"}"
|
log-format "{\"cc\":%{+Q}[capture.req.hdr(1)],\"tp\":%{+Q}[var(txn.fp_custom)],\"cip\":\"%ci\",\"cp\":\"%cp\",\"hh\":%{+Q}[capture.req.hdr(0)],\"backend\":\"%b\",\"server\":\"%s\",\"timers\":\"%TR/%Tw/%Tc/%Tr/%Ta\",\"status\":\"%ST\",\"bytes\":\"%B\",\"bs\":\"%U\",\"conns\":\"%ac/%fc/%bc/%sc/%rc\",\"q\":\"%sq/%bq\",\"req\":%{+Q,+E}r,\"GeoIP_Source\":\"GeoIP_Source=%ci\"}"
|
||||||
|
|
||||||
# optional geoip handling (maps required) and alt-svc header addition
|
# optional geoip handling (maps required) and alt-svc header addition
|
||||||
http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
|
http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
|
||||||
@ -169,7 +175,7 @@ backend haproxy-to-varnish-cache
|
|||||||
|
|
||||||
backend servers
|
backend servers
|
||||||
balance roundrobin
|
balance roundrobin
|
||||||
default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host) check observe layer4 inter 30
|
default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host) check observe layer4 inter 30s
|
||||||
use-server %[lua.get_server_names] if TRUE
|
use-server %[lua.get_server_names] if TRUE
|
||||||
|
|
||||||
backend bot_check_post_throttle
|
backend bot_check_post_throttle
|
||||||
|
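Review bot: `http-request lua.set_tfp` is now load-bearing rather than a dev test: the bot-check Lua reads `txn.fp_custom` and the new log-format prints it as `tp`, yet the only comment on it is `# tfp lua dev test`. Replace that comment with the contract, e.g. `# sets txn.fp_custom (read by the bot-check bfp.map lookup and logged as tp); tfp.lua must define the set_tfp action`, and keep the rule ahead of any http-request rule that can end processing so the variable is always set. In the global hunk, `expose-deprecated-directives` silences deprecation warnings for the whole config, so a comment naming the directive that still needs it would stop it from outliving its reason. `tune.ssl.capture-buffer-size 200` only captures ClientHello data on the TLS bind, so a fingerprint derived from it will be empty for plain-HTTP clients on `*:80` — presumably intended, but worth stating next to the directive. The frontend and backend these hunks modify continue outside them.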
1
haproxy/map/bfp.map
Normal file
1
haproxy/map/bfp.map
Normal file
@ -0,0 +1 @@
|
|||||||
|
#
|
@ -0,0 +1 @@
|
|||||||
|
localhost {"m":0,"t":false}
|
||||||
|
@ -1 +1 @@
|
|||||||
localhost {"pd":27,"pt":"sha256","cex":999,"cip":false,"js":true}
|
localhost {"pd":21,"pt":"sha256","cex":999,"cip":true,"js":true}
|
||||||
|
1
haproxy/map/lfp.map
Normal file
1
haproxy/map/lfp.map
Normal file
@ -0,0 +1 @@
|
|||||||
|
#
|
@ -52,6 +52,7 @@ local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET")
|
|||||||
local hmac_cookie_secret = os.getenv("HMAC_COOKIE_SECRET")
|
local hmac_cookie_secret = os.getenv("HMAC_COOKIE_SECRET")
|
||||||
local ray_id = os.getenv("RAY_ID")
|
local ray_id = os.getenv("RAY_ID")
|
||||||
-- load captcha map and set hcaptcha/recaptch based off env vars
|
-- load captcha map and set hcaptcha/recaptch based off env vars
|
||||||
|
local bfp_map = Map.new("/etc/haproxy/map/bfp.map", Map._str);
|
||||||
local ddos_map = Map.new("/etc/haproxy/map/ddos.map", Map._str);
|
local ddos_map = Map.new("/etc/haproxy/map/ddos.map", Map._str);
|
||||||
local captcha_provider_domain = ""
|
local captcha_provider_domain = ""
|
||||||
local captcha_siteverify_path = ""
|
local captcha_siteverify_path = ""
|
||||||
@ -156,7 +157,9 @@ function _M.view(applet)
|
|||||||
local ddos_map_lookup = ddos_map:lookup(host .. path) or ddos_map:lookup(host)
|
local ddos_map_lookup = ddos_map:lookup(host .. path) or ddos_map:lookup(host)
|
||||||
if ddos_map_lookup ~= nil then
|
if ddos_map_lookup ~= nil then
|
||||||
local ddos_map_json = json.decode(ddos_map_lookup)
|
local ddos_map_json = json.decode(ddos_map_lookup)
|
||||||
if ddos_map_json.m == 2 then
|
local fp = applet:get_var("txn.fp_custom")
|
||||||
|
local bfp_map_lookup = bfp_map:lookup(fp)
|
||||||
|
if ddos_map_json.m == 2 or bfp_map_lookup ~= nil then
|
||||||
captcha_enabled = true
|
captcha_enabled = true
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
@ -476,6 +479,13 @@ function _M.decide_checks_necessary(txn)
|
|||||||
local path = txn.sf:path();
|
local path = txn.sf:path();
|
||||||
local ddos_map_lookup = ddos_map:lookup(host .. path) or ddos_map:lookup(host)
|
local ddos_map_lookup = ddos_map:lookup(host .. path) or ddos_map:lookup(host)
|
||||||
if ddos_map_lookup ~= nil then
|
if ddos_map_lookup ~= nil then
|
||||||
|
local fp = txn:get_var("txn.fp_custom")
|
||||||
|
local bfp_map_lookup = bfp_map:lookup(fp)
|
||||||
|
if bfp_map_lookup ~= nil then
|
||||||
|
txn:set_var("txn.validate_pow", true)
|
||||||
|
txn:set_var("txn.validate_captcha", true)
|
||||||
|
return
|
||||||
|
end
|
||||||
local ddos_map_json = json.decode(ddos_map_lookup)
|
local ddos_map_json = json.decode(ddos_map_lookup)
|
||||||
if ddos_map_json.m == 0
|
if ddos_map_json.m == 0
|
||||||
or (ddos_map_json.t == true and txn.sf:hdr("X-Country-Code") ~= "T1") then
|
or (ddos_map_json.t == true and txn.sf:hdr("X-Country-Code") ~= "T1") then
|
||||||
@ -486,6 +496,7 @@ function _M.decide_checks_necessary(txn)
|
|||||||
txn:set_var("txn.validate_captcha", true)
|
txn:set_var("txn.validate_captcha", true)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
-- no entry in the map
|
-- no entry in the map
|
||||||
end
|
end
|
||||||
|
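Review bot: In `decide_checks_necessary` the new `bfp_map:lookup(fp)` is called with whatever `txn:get_var("txn.fp_custom")` returns, and that is nil whenever the `set_tfp` action did not run for this request (rule removed, or processing ended earlier); `Map:lookup` on a `Map._str` map requires a string, so as far as I can tell a nil argument raises a Lua error that aborts the action before `txn.validate_pow`/`txn.validate_captcha` are set, i.e. the check fails open. The same pattern is in `_M.view` via `applet:get_var`. Guard both lookups, e.g. `local fp = txn:get_var("txn.fp_custom")` followed by `if fp ~= nil and bfp_map:lookup(fp) ~= nil then`. Note also that a bfp.map hit returns before the ddos.map JSON is decoded, so the `t` flag is not consulted for fingerprint hits — if that is intended, a one-line comment saying so would help. Both functions start and end outside the hunks.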
5
src/lua/scripts/tfp.lua
Normal file
5
src/lua/scripts/tfp.lua
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
function set_tfp_var(txn)
|
||||||
|
txn:set_var('txn.fp_custom', 'changeme')
|
||||||
|
end
|
||||||
|
|
||||||
|
core.register_action('set_tfp', {'tcp-req', 'http-req'}, set_tfp_var)
|
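Review bot: `set_tfp_var` sets `txn.fp_custom` to the constant `'changeme'` on every request, so the moment an operator adds a `changeme` key to bfp.map every client gets challenged; the file needs a header comment stating it is a placeholder whose only contract is to set `txn.fp_custom` to a per-client value (the bot check looks it up in bfp.map and haproxy.cfg logs it as `tp`). `set_tfp_var` is also an accidental global; `local function set_tfp_var(txn)` works with `core.register_action` and avoids clashes with other loaded scripts. A short LDoc block above the function plus a comment on the register call, e.g. `-- registered for tcp-req and http-req; haproxy.cfg currently calls it only from http-request`, would make this copyable as an example.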