diff --git a/README.MD b/README.MD index 150a2d4..44b6111 100644 --- a/README.MD +++ b/README.MD @@ -38,9 +38,9 @@ Before installing the tool, ensure that HaProxy is built with Lua support. - Copy haproxy config and make sure that `lua-load` directive contains absolute path to [register.lua](src/scripts/register.lua) - Copy [libs](src/libs) to a path where Lua looks for modules. - Copy [ddos-cli](src/cli/ddos-cli) to any convenient path. -- Create `/usr/local/etc/haproxy/domains_under_ddos.txt` with write permissions for HaProxy (feel free to change the map file path, update the HaProxy config correspondingly) +- Create `/etc/haproxy/domains_under_ddos.txt` with write permissions for HaProxy (feel free to change the map file path, update the HaProxy config correspondingly) -#### CLI (not maintained) +#### CLI The system comes with CLI. It can be used to manage global and per-domain protection. Ensure that stat socket is configured in HaProxy for CLI support. ```bash diff --git a/docker-compose.yml b/docker-compose.yml index 2d2b5e2..2d0c381 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,9 +7,9 @@ services: ports: - 80:80 volumes: - - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg - - ./src/scripts/:/usr/local/etc/haproxy/scripts/ - - ./src/libs/:/usr/local/etc/haproxy/libs/ + - ./haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg + - ./src/scripts/:/etc/haproxy/scripts/ + - ./src/libs/:/etc/haproxy/libs/ environment: - HCAPTCHA_SECRET= - HCAPTCHA_SITEKEY= diff --git a/haproxy/Dockerfile b/haproxy/Dockerfile index 751ba9b..e10950c 100644 --- a/haproxy/Dockerfile +++ b/haproxy/Dockerfile 
@@ -68,8 +68,8 @@ RUN set -eux; \ eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts"; \ eval "make -C /usr/src/haproxy install-bin $makeOpts"; \ \ - mkdir -p /usr/local/etc/haproxy; \ - cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors; \ + mkdir -p /etc/haproxy; \ + cp -R /usr/src/haproxy/examples/errorfiles /etc/haproxy/errors; \ rm -rf /usr/src/haproxy; \ \ apt-mark auto '.*' > /dev/null; \ @@ -102,4 +102,4 @@ RUN apt-get update && apt-get install socat dnsutils -y ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"] # no USER for backwards compatibility (to try to avoid breaking existing users) -CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"] +CMD ["haproxy", "-f", "/etc/haproxy/haproxy.cfg"] diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg index a11dc49..570d795 100644 --- a/haproxy/haproxy.cfg +++ b/haproxy/haproxy.cfg @@ -2,7 +2,7 @@ global daemon maxconn 256 log stdout format raw local0 debug - lua-load /usr/local/etc/haproxy/scripts/register.lua + lua-load /etc/haproxy/scripts/register.lua stats socket /var/run/haproxy.sock mode 666 level admin defaults @@ -16,12 +16,12 @@ frontend http-in # acl for ddos_mode_enabled = global enabled OR domain enabled acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0 - acl ddos_mode_enabled hdr(host) -i -f /usr/local/etc/haproxy/ddos.map + acl ddos_mode_enabled hdr(host) -i -f /etc/haproxy/ddos.map #TODO: add ORs here for auto enable on traffic pattern # check captcha cookie, separate map allows to disable captcha (still keeping POW) acl captcha_passed var(txn.captcha_passed) -m bool - acl captcha_passed hdr(host),map_str(/usr/local/etc/haproxy/no_captcha.map) -m found + acl captcha_passed hdr(host),map_str(/etc/haproxy/no_captcha.map) -m found # check proof of work cookie acl pow_passed var(txn.pow_passed) -m bool diff --git a/src/cli/ddos-cli b/src/cli/ddos-cli index 74a7d9b..7995ff9 100755 --- a/src/cli/ddos-cli +++ b/src/cli/ddos-cli 
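Review bot: In haproxy/haproxy.cfg (hunk `@@ -2,7 +2,7 @@`, `global` section) the context line `stats socket /var/run/haproxy.sock mode 666 level admin` leaves the admin-level runtime socket writable by every local account, and this commit carries it forward unchanged. Anyone who can open that socket can change the maps and ACLs that decide whether the captcha and proof-of-work checks apply, so the protection can be switched off without touching the config file. I would restrict it to the account that runs ddos-cli, for example `stats socket /var/run/haproxy.sock mode 660 group haproxy level admin`, with the group name adjusted to the deployment. The `global` section continues outside the hunk.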
@@ -1,7 +1,7 @@ #!/usr/bin/env bash -HAPROXY_DDOS_DOMAINS_FILE="/usr/local/etc/haproxy/ddos.map" -HAPROXY_NOCAPTCHA_DOMAINS_FILE="/usr/local/etc/haproxy/no_captcha.map" +HAPROXY_DDOS_DOMAINS_FILE="/etc/haproxy/ddos.map" +HAPROXY_NOCAPTCHA_DOMAINS_FILE="/etc/haproxy/no_captcha.map" HAPROXY_GLOBAL_ACL="hdr_cnt" HAPROXY_SOCKET="/var/run/haproxy.sock" SOCAT="$(which socat)" diff --git a/src/scripts/hcaptcha.lua b/src/scripts/hcaptcha.lua index 941e8b8..e7ab16d 100644 --- a/src/scripts/hcaptcha.lua +++ b/src/scripts/hcaptcha.lua @@ -14,7 +14,7 @@ local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET") local captcha_provider_domain = "hcaptcha.com" -local captcha_map = Map.new("/usr/local/etc/haproxy/no_captcha.map", Map._dom); +local captcha_map = Map.new("/etc/haproxy/no_captcha.map", Map._dom); -- main page template local body_template = [[ @@ -152,6 +152,7 @@ function _M.check_pow_status(txn) local iterations = parsed_request_cookies["z_ddos_pow"] local completed_work = sha.sha1(generated_work .. iterations) local challenge_offset = tonumber(generated_work:sub(1,1),16) * 2 + --core.Debug(completed_work:sub(challenge_offset+1, challenge_offset+4)) if completed_work:sub(challenge_offset+1, challenge_offset+4) == 'b00b' then -- i dont know lua properly :^) return txn:set_var("txn.pow_passed", true) end diff --git a/src/scripts/register.lua b/src/scripts/register.lua index 4d491aa..ce9e1d0 100644 --- a/src/scripts/register.lua +++ b/src/scripts/register.lua @@ -1,4 +1,4 @@ -package.path = package.path .. "./?.lua;/usr/local/etc/haproxy/scripts/?.lua;/usr/local/etc/haproxy/libs/?.lua" +package.path = package.path .. "./?.lua;/etc/haproxy/scripts/?.lua;/etc/haproxy/libs/?.lua" local hcaptcha = require("hcaptcha")
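Review bot: In src/scripts/hcaptcha.lua, `check_pow_status` concatenates `iterations`, read directly from the `z_ddos_pow` request cookie, into `sha.sha1(generated_work .. iterations)` with no nil check visible in the hunk, so a request without that cookie would raise a Lua error at the concatenation unless a guard exists above these lines. `txn.pow_passed` is not set on that path, so the check still appears to fail closed, but a guard such as `if not iterations then return end` before the hash makes the rejection explicit and keeps runtime errors out of the log. The one line this hunk adds is a commented-out `core.Debug` call, which is better dropped than committed. The function starts before the hunk and continues after it.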
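Review bot: In src/scripts/register.lua the new `package.path` line still appends `"./?.lua;..."` with no leading `;`, so unless the existing value already ends in a separator the first appended template is fused onto the last existing entry. It also keeps a relative `./?.lua` entry, which ties module lookup to HAProxy's working directory. Since `require("hcaptcha")` loads the code that enforces the challenge, I would resolve modules only from the installed directories, `package.path = package.path .. ";/etc/haproxy/scripts/?.lua;/etc/haproxy/libs/?.lua"`, and keep those directories writable by root only. The file continues after the hunk.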