Merge branch 'master' into kikeflare

2025-05-09 02:05:37 +00:00 · 2022-09-16 18:04:52 +00:00
parent fa4c437725 598790cb4f
commit 571d01db27
11 changed files with 3367 additions and 423 deletions
--- a/README.MD
+++ b/README.MD
@ -1,9 +1,9 @@
 ## HAProxy DDoS protection system

 A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a HAProxy configuration and lua scripts allowing a challenge-response page where users solve a captcha and/or proof-of-work.
-Intended to stop bots, spam, ddos, etc.
+Intended to stop bots, spam, ddos, 

-Will soon™ be accompanied by a control panel allowing to manage clusters of servers with this installed. Allowing you to add/remove/edit domains, protection rules, blocked ips, backend server IPs, etc during runtime.
+Integrates with https://gitgud.io/fatchan/haproxy-panel-next to add/remove/edit domains, protection rules, blocked ips, backend server IPs, etc during runtime.

 Improvements in this fork:

@ -28,6 +28,8 @@ Add some env vars to docker-compose file:

 - HCAPTCHA_SITEKEY - your hcaptcha site key
 - HCAPTCHA_SECRET - your hcaptcha secret key
+- RECAPTCHA_SITEKEY - your recaptcha site key
+- RECAPTCHA_SECRET - your recaptcha secret key
 - CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies
 - POW_COOKIE_SECRET - different random string, a salt for pow cookies
 - RAY_ID - string to identify the HAProxy node by
@ -55,7 +57,7 @@ Before installing the tool, ensure that HAProxy is built with Lua support and ve

 - Copy [haproxy.cfg](haproxy/haproxy.cfg) to /etc/haproxy
  - Edit the `lua-load` directive to be the absolute path to [register.lua](src/scripts/register.lua)
-  - Edit the paths of sha1.js and worker.js in the `http-request return` directive to the absolut path to the respective files in the haproxy/js folder
+  - Edit the paths of challenge.js and worker.js in the `http-request return` directive to the absolut path to the respective files in the haproxy/js folder
 - Copy [dataplaneapi.hcl](haproxy/dataplaneapi.hcl) to /etc/haproxy
 - Copy or link [scripts](src/scripts) to /etc/haproxy/scripts
 - Copy or link [libs](src/libs) to /etc/haproxy/libs (or a path where Lua looks for modules).
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -5,29 +5,31 @@ services:
 #      context: ./
 #      dockerfile: tor/Dockerfile
  haproxy:
-    network_mode: "host"
+    ports:
+      - 80:80
    build:
      context: ./
      dockerfile: haproxy/Dockerfile
-    ports:
-      - 80:80 #http
-      - 2000:2000 #port 2000 haproxy socket for external management
    volumes:
      - ./haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg
      - ./haproxy/ddos.map:/etc/haproxy/ddos.map
      - ./haproxy/hosts.map:/etc/haproxy/hosts.map
      - ./haproxy/backends.map:/etc/haproxy/backends.map
      - ./haproxy/blocked.map:/etc/haproxy/blocked.map
+      - ./haproxy/whitelist.map:/etc/haproxy/whitelist.map
+      - ./haproxy/maintenance.map:/etc/haproxy/maintenance.map
      - ./haproxy/dataplaneapi.hcl:/etc/haproxy/dataplaneapi.hcl
      - ./haproxy/trace.txt:/etc/haproxy/trace.txt
      - ./src/scripts/:/etc/haproxy/scripts/
      - ./src/libs/:/etc/haproxy/libs/
      - ./haproxy/js/:/var/www/js/
+      - ./haproxy/html/maintenance.html:/var/www/html/maintenance.html
    environment:
-      - HCAPTCHA_SECRET=
-      - HCAPTCHA_SITEKEY=
+      - RECAPTCHA_SECRET=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
+      - RECAPTCHA_SITEKEY=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
      - CAPTCHA_COOKIE_SECRET=changeme
      - POW_COOKIE_SECRET=changeme
+      - HMAC_COOKIE_SECRET=changeme
      - RAY_ID=docker
      - BUCKET_DURATION=43200
      - BACKEND_NAME=servers
--- a/haproxy/backends.map
+++ b/haproxy/backends.map
@ -0,0 +1 @@
+localhost websrv1
--- a/haproxy/ddos.map
+++ b/haproxy/ddos.map
@ -0,0 +1,2 @@
+localhost 1
+localhost/captcha 2
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@ -7,6 +7,7 @@ global
 	group haproxy
 	daemon
 	maxconn 10000
+	httpclient.ssl.verify none

 	#for haproxy panel
 	stats socket 127.0.0.1:1999 level operator
@ -94,8 +95,8 @@ frontend www-http-https
 	acl is_kikeflare hdr(host) -i kikeflare.com www.kikeflare.com

 	# drop requests with invalid host header
-	acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/hosts.map) -m found
-	http-request silent-drop unless is_existing_vhost
+	#acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/hosts.map) -m found
+	#http-request silent-drop unless is_existing_vhost

 	# acl for blocked IPs/subnets
 	acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/blocked.map) -m found
@ -112,10 +113,10 @@ frontend www-http-https
 	acl ddos_mode_enabled base,map(/etc/haproxy/ddos.map) -m bool

 	# serve challenge page scripts directly from haproxy
-	acl is_sha1_js path /js/sha1.js
+	acl is_challenge_js path /js/challenge.js
 	acl is_worker_js path /js/worker.js
 	acl is_footerlogo_png path /img/footerlogo.png
-	http-request return file /var/www/js/sha1.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_sha1_js
+	http-request return file /var/www/js/challenge.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_challenge_js
 	http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_worker_js
 	http-request return file /var/www/img/footerlogo.png status 200 content-type "image/png" hdr "cache-control" "public, max-age=300" if is_footerlogo_png

@ -236,3 +237,7 @@ backend maxconn-20-backend
 backend hcaptcha
 	mode http
 	server hcaptcha hcaptcha.com:443
+
+backend recaptcha
+	mode http
+	server recaptcha www.google.com:443
--- a/haproxy/js/challenge.js
+++ b/haproxy/js/challenge.js
@ -0,0 +1,53 @@
+function finishPow(combined, answer) {
+	const submitButton = document.querySelector('input[type=submit]')
+	if (submitButton) {
+		//button is shown only if captcha is enabled
+		submitButton.disabled = false;
+		submitButton.value = 'Submit';
+	} else {
+		window.location=location.search.slice(1)+location.hash || "/";
+	}
+}
+
+const combined = document.querySelector('[data-pow]').dataset.pow;
+const [_userkey, challenge, _signature] = combined.split("#");
+const start = Date.now();
+if (window.Worker && crypto.subtle) {
+	const threads = Math.min(4,Math.ceil(window.navigator.hardwareConcurrency/2));
+	let finished = false;
+	const messageHandler = (e) => {
+		if (finished) { return; }
+		finished = true;
+		workers.forEach(w => w.terminate());
+		const [workerId, answer] = e.data;
+		console.log('Worker', workerId, 'returned answer', answer, 'in', Date.now()-start+'ms');
+		document.cookie='z_ddos_pow='+combined+'#'+answer+';expires=Thu, 31-Dec-37 23:55:55 GMT; path=/; SameSite=Strict; '+(location.protocol==='https:'?'Secure=true; ':'');
+		const dummyTime = 5000 - (Date.now()-start);
+		window.setTimeout(() => finishPow(combined, answer), dummyTime);
+	}
+	const workers = [];
+	for (let i = 0; i < threads; i++) {
+		const shaWorker = new Worker('/js/worker.js');
+		shaWorker.onmessage = messageHandler;
+		workers.push(shaWorker);
+	}
+	workers.forEach((w, i) => w.postMessage([challenge, i, threads]));
+} else {
+	console.warn('No webworker or crypto.subtle support, using legacy method in main/UI thread!');
+	function sha256(ascii){function rightRotate(value,amount){return(value>>>amount)|(value<<(32-amount))};var mathPow=Math.pow;var maxWord=mathPow(2,32);var lengthProperty='length';var i,j;var result='';var words=[];var asciiBitLength=ascii[lengthProperty]*8;var hash=sha256.h=sha256.h||[];var k=sha256.k=sha256.k||[];var primeCounter=k[lengthProperty];var isComposite={};for(var candidate=2;primeCounter<64;candidate+=1){if(!isComposite[candidate]){for(i=0;i<313;i+=candidate){isComposite[i]=candidate}hash[primeCounter]=(mathPow(candidate,.5)*maxWord)|0;k[primeCounter++]=(mathPow(candidate,1/3)*maxWord)|0}}ascii+='\x80';while(ascii[lengthProperty]%64-56){ascii+='\x00';}for(i=0;i<ascii[lengthProperty];i+=1){j=ascii.charCodeAt(i);if(j>>8){return;}words[i>>2]|=j<<((3-i)%4)*8}words[words[lengthProperty]]=((asciiBitLength/maxWord)|0);words[words[lengthProperty]]=(asciiBitLength);for(j=0;j<words[lengthProperty];){var w=words.slice(j,j+=16);var oldHash=hash;hash=hash.slice(0,8);for(i=0;i<64;i+=1){var i2=i+j;var w15=w[i-15],w2=w[i-2];var a=hash[0],e=hash[4];var temp1=hash[7]+(rightRotate(e,6)^rightRotate(e,11)^rightRotate(e,25))+((e&hash[5])^((~e)&hash[6]))+k[i]+(w[i]=(i<16)?w[i]:(w[i-16]+(rightRotate(w15,7)^rightRotate(w15,18)^(w15>>>3))+w[i-7]+(rightRotate(w2,17)^rightRotate(w2,19)^(w2>>>10)))|0);var temp2=(rightRotate(a,2)^rightRotate(a,13)^rightRotate(a,22))+((a&hash[1])^(a&hash[2])^(hash[1]&hash[2]));hash=[(temp1+temp2)|0].concat(hash);hash[4]=(hash[4]+temp1)|0}for(i=0;i<8;i+=1){hash[i]=(hash[i]+oldHash[i])|0}}for(i=0;i<8;i+=1){for(j=3;j+1;j-=1){var b=(hash[i]>>(j*8))&255;result+=((b<16)?0:'')+b.toString(16)}}return result}
+	let challengeIndex = parseInt(challenge[0], 16);
+	let i = 0
+		, result;
+	while(true) {
+		result = sha256(challenge+i);
+		if(result[challengeIndex] === 0x00
+			&& result[challengeIndex+1] === 0x41){
+			console.log('Worker thread found solution:', i);
+			postMessage([id, i]);
+			break;
+		}
+		i++;
+	}
+	const dummyTime = 5000 - (Date.now()-start);
+	window.setTimeout(() => finishPow(combined, result), dummyTime);
+}
--- a/haproxy/js/worker.js
+++ b/haproxy/js/worker.js
@ -5,19 +5,14 @@ async function hash(data, method) {
 }

 onmessage = async function(e) {
-	const [challenge, difficulty, id, threads] = e.data;
-	console.log('Worker thread', id,'got challenge', challenge, 'with difficulty', difficulty);
+	const [challenge, id, threads] = e.data;
+	console.log('Worker thread', id,'got challenge', challenge);
 	let i = id;
 	let challengeIndex = parseInt(challenge[0], 16);
 	while(true) {
-		let result = await hash(challenge+i, 'sha-1');
-		let middle = true;
-		for(let imiddle = 1; imiddle <= difficulty; imiddle++) {
-			middle = (middle && (result[challengeIndex+imiddle] === 0x00));
-		}
-		if(result[challengeIndex] === 0xb0
-			&& middle === true
-			&& result[challengeIndex+difficulty+1] === 0x0b){
+		let result = await hash(challenge+i, 'sha-256');
+		if(result[challengeIndex] === 0x00
+			&& result[challengeIndex+1] === 0x41){
 			console.log('Worker thread found solution:', i);
 			postMessage([id, i]);
 			break;
--- a/src/libs/randbytes.lua
+++ b/src/libs/randbytes.lua
@ -0,0 +1,105 @@
+-- randbytes.lua
+-- Colin 'Oka' Hall-Coates
+-- MIT, 2015
+-- https://github.com/okabsd/randbytes
+local defaults = setmetatable ({
+  bytes = 4,
+  mask = 256,
+  file = 'urandom',
+  filetable = {'urandom', 'random'}
+}, { __newindex = function () return false end })
+
+local files = {
+  urandom = false,
+  random = false
+}
+
+local utils = {}
+
+function utils:gettable (...)
+  local t, r = {...}, defaults.filetable
+  if #t > 0 then r = t end
+  return r
+end
+
+function utils:open (...)
+  for _, f in next, self:gettable (...) do
+    for k, _ in next, files do
+      if k == f then
+        files[f] = assert (io.open ('/dev/'..f, 'rb'))
+      end
+    end
+  end
+end
+
+function utils:close (...)
+  for _, f in next, self:gettable (...) do
+    for k, _ in next, files do
+      if files[f] and k == f then
+        files[f] = not assert (files[f]:close ())
+      end
+    end
+  end
+end
+
+function utils:reader (f, b)
+  if f then
+    return f:read (b or defaults.bytes)
+  end
+end
+
+local randbytes = {
+  generate = function (f, ...)
+    if f then
+      local n, m = 0, select (2, ...) or defaults.mask
+      local s = utils:reader (f, select (1, ...))
+
+      for i = 1, s:len () do
+        n = m * n + s:byte (i)
+      end
+
+      return n
+    end
+  end
+}
+
+function randbytes:open (...)
+  utils:open (...)
+  return self
+end
+
+function randbytes:close (...)
+  utils:close (...)
+  return self
+end
+
+function randbytes:uread (...)
+  return utils:reader (files.urandom, ...)
+end
+
+function randbytes:read (...)
+  return utils:reader (files.random, ...)
+end
+
+function randbytes:urandom (...)
+  return self.generate (files.urandom, ...)
+end
+
+function randbytes:random (...)
+  return self.generate (files.random, ...)
+end
+
+function randbytes:setdefault (k, v)
+  defaults[k] = v or defaults[k]
+  return defaults[k]
+end
+
+utils:open ()
+
+return setmetatable (randbytes, {
+  __call = function (t, ...)
+    return utils:reader (files[defaults.file], ...)
+  end,
+  __metatable = false,
+  __newindex = function () return false end
+})
--- a/src/libs/sha.lua
+++ b/src/libs/sha.lua
--- a/src/libs/utils.lua
+++ b/src/libs/utils.lua
@ -3,10 +3,13 @@ local _M = {}
 local sha = require("sha")
 local secret_bucket_duration = tonumber(os.getenv("BUCKET_DURATION"))

-function _M.generate_secret(context, salt, is_applet, iterations)
+function _M.generate_secret(context, salt, user_key, is_applet)
+
+	-- time bucket for expiry
 	local start_sec = core.now()['sec']
 	local bucket = start_sec - (start_sec % secret_bucket_duration)
-	local ip = context.sf:src()
+
+	-- user agent to counter very dumb spammers
 	local user_agent = ""
 	if is_applet == true then
 		user_agent = context.headers['user-agent'] or {}
@ -15,13 +18,17 @@ function _M.generate_secret(context, salt, is_applet, iterations)
 		--note req_fhdr not req_hdr otherwise commas in useragent become a delimiter
 		user_agent = context.sf:req_fhdr('user-agent') or ""
 	end
-	if iterations == nil then
-		--hcaptcha secret is just this
-		return context.sc:xxh32(salt .. bucket .. ip .. user_agent)
-	else
-		--POW secret adds the iteration number by the user
-		return sha.sha1(salt .. bucket .. ip .. user_agent .. iterations)
+
+	return sha.sha256(salt .. bucket .. user_key .. user_agent)
+
+end
+
+function _M.split(inputstr, sep)
+	local t = {}
+	for str in string.gmatch(inputstr, "([^"..sep.."]+)") do
+		table.insert(t, str)
 	end
+	return t
 end

 return _M
--- a/src/scripts/hcaptcha.lua
+++ b/src/scripts/hcaptcha.lua
@ -5,15 +5,35 @@ local utils = require("utils")
 local cookie = require("cookie")
 local json = require("json")
 local sha = require("sha")
+local randbytes = require("randbytes")
+--require("print_r")

-local captcha_secret = os.getenv("HCAPTCHA_SECRET")
-local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY")
-local hcaptcha_cookie_secret = os.getenv("CAPTCHA_COOKIE_SECRET")
+local captcha_secret = os.getenv("HCAPTCHA_SECRET") or os.getenv("RECAPTCHA_SECRET")
+local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY") or os.getenv("RECAPTCHA_SITEKEY")
+local captcha_cookie_secret = os.getenv("CAPTCHA_COOKIE_SECRET")
 local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET")
+local hmac_cookie_secret = os.getenv("HMAC_COOKIE_SECRET")
 local ray_id = os.getenv("RAY_ID")

-local captcha_provider_domain = "hcaptcha.com"
 local captcha_map = Map.new("/etc/haproxy/ddos.map", Map._str);
+local captcha_provider_domain = ""
+local captcha_classname = ""
+local captcha_script_src = ""
+local captcha_siteverify_path = ""
+local captcha_backend_name = ""
+if os.getenv("HCAPTCHA_SITEKEY") then
+	captcha_provider_domain = "hcaptcha.com"
+	captcha_classname = "h-captcha"
+	captcha_script_src = "https://hcaptcha.com/1/api.js"
+	captcha_siteverify_path = "/siteverify"
+	captcha_backend_name = "hcaptcha"
+else
+	captcha_provider_domain = "www.google.com"
+	captcha_classname = "g-recaptcha"
+	captcha_script_src = "https://www.google.com/recaptcha/api.js"
+	captcha_siteverify_path = "/recaptcha/api/siteverify"
+	captcha_backend_name = "recaptcha"
+end

 function _M.setup_servers()
 	local backend_name = os.getenv("BACKEND_NAME")
@ -50,7 +70,7 @@ local body_template = [[
 		<style>
 			:root{--text-color:#c5c8c6;--bg-color:#1d1f21}
 			@media (prefers-color-scheme:light){:root{--text-color:#333;--bg-color:#EEE}}
-			.h-captcha{min-height:85px;display:block}
+			.h-captcha,.g-recaptcha{min-height:85px;display:block}
 			.red{color:red;font-weight:bold}
 			a,a:visited{color:var(--text-color)}
 			body,html{height:100%%}
@ -83,7 +103,7 @@ local body_template = [[
 			<p>Security and Performance by <a href="https://BasedFlare.com">BasedFlare</a></p>
 			<p>Node: <code>%s</code></p>
 		</footer>
-		<script src="/js/sha1.js"></script>
+		<script src="/js/challenge.js"></script>
 	</body>
 </html>
 ]]
@ -121,14 +141,14 @@ local pow_section_template = [[
 		</div>
 ]]

-- message, hcaptcha form and submit button
+-- message, captcha form and submit button
 local captcha_section_template = [[
 		<h3>
 			Please solve the captcha to continue.
 		</h3>
 		<form class="jsonly" method="POST">
-			<div class="h-captcha" data-sitekey="%s"></div>
-			<script src="https://hcaptcha.com/1/api.js" async defer></script>
+			<div class="%s" data-sitekey="%s"></div>
+			<script src="%s" async defer></script>
 			<input type="submit" value="Calculating proof of work..." disabled>
 		</form>
 ]]
@ -138,8 +158,15 @@ function _M.view(applet)
 	local response_status_code
 	if applet.method == "GET" then

-		-- get challenge string for proof of work
-		generated_work = utils.generate_secret(applet, pow_cookie_secret, true, "")
+		-- get the user_key#challenge#sig
+		local user_key = sha.bin_to_hex(randbytes(16))
+		local challenge_hash = utils.generate_secret(applet, pow_cookie_secret, user_key, true)
+		local signature = sha.hmac(sha.sha256, hmac_cookie_secret, user_key .. challenge_hash)
+		local combined_challenge = user_key .. "#" .. challenge_hash .. "#" .. signature
+		-- print_r(user_key)
+		-- print_r(challenge_hash)
+		-- print_r(signature)
+		-- print_r(combined_challenge)

 		-- define body sections
 		local site_name_body = ""
@ -157,53 +184,54 @@ function _M.view(applet)
 		if captcha_map_lookup == 2 then
 			captcha_enabled = true
 		end
-		--

 		-- pow at least is always enabled when reaching bot-check page
 		site_name_body = string.format(site_name_section_template, host)
 		if captcha_enabled then
-			captcha_body = string.format(captcha_section_template, captcha_sitekey)
+			captcha_body = string.format(captcha_section_template, captcha_classname, captcha_sitekey, captcha_script_src)
 		else
 			pow_body = pow_section_template
-			noscript_extra_body = string.format(noscript_extra_template, generated_work)
+			noscript_extra_body = string.format(noscript_extra_template, combined_challenge)
 		end

 		-- sub in the body sections
-		response_body = string.format(body_template, generated_work, site_name_body, pow_body, captcha_body, noscript_extra_body, ray_id)
+		response_body = string.format(body_template, combined_challenge, site_name_body, pow_body, captcha_body, noscript_extra_body, ray_id)
 		response_status_code = 403
 	elseif applet.method == "POST" then
 		local parsed_body = url.parseQuery(applet.receive(applet))
-		if parsed_body["h-captcha-response"] then
-			local hcaptcha_url = string.format(
-				"https://%s/siteverify",
-				core.backends["hcaptcha"].servers["hcaptcha"]:get_addr()
+		local user_captcha_response = parsed_body["h-captcha-response"] or parsed_body["g-recaptcha-response"]
+		if user_captcha_response then
+			local captcha_url = string.format(
+				"https://%s%s",
+				core.backends[captcha_backend_name].servers[captcha_backend_name]:get_addr(),
+				captcha_siteverify_path
 			)
-			local hcaptcha_body = url.buildQuery({
+			local captcha_body = url.buildQuery({
 				secret=captcha_secret,
-				response=parsed_body["h-captcha-response"]
+				response=user_captcha_response
 			})
 			local httpclient = core.httpclient()
 			local res = httpclient:post{
-				url=hcaptcha_url,
-				body=hcaptcha_body,
+				url=captcha_url,
+				body=captcha_body,
 				headers={
 					[ "host" ] = { captcha_provider_domain },
 					[ "content-type" ] = { "application/x-www-form-urlencoded" }
 				}
 			}
 			local status, api_response = pcall(json.decode, res.body)
-			--require("print_r")
-			--print_r(hcaptcha_body)
-			--print_r(res)
-			--print_r(api_response)
 			if not status then
 				api_response = {}
 			end
 			if api_response.success == true then
-				local floating_hash = utils.generate_secret(applet, hcaptcha_cookie_secret, true, nil)
+				-- for captcha, they dont need to solve a POW but we check the user_hash and sig later
+				local user_key = sha.bin_to_hex(randbytes(16))
+				local user_hash = utils.generate_secret(applet, captcha_cookie_secret, user_key, true)
+				local signature = sha.hmac(sha.sha256, hmac_cookie_secret, user_key .. user_hash)
+				local combined_cookie = user_key .. "#" .. user_hash .. "#" .. signature
 				applet:add_header(
 					"set-cookie",
-					string.format("z_ddos_captcha=%s; expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; SameSite=Strict; Secure=true;", floating_hash)
+					string.format("z_ddos_captcha=%s; expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; SameSite=Strict; Secure=true;", combined_cookie)
 				)
 			end
 		end
@ -236,26 +264,57 @@ function _M.decide_checks_necessary(txn)
 	-- otherwise, domain+path was set to 0 (whitelist) or there is no entry in the map
 end

-- check if captcha token is valid, separate secret from POW
+-- check if captcha cookie is valid, separate secret from POW
 function _M.check_captcha_status(txn)
 	local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie"))
-	local expected_cookie = utils.generate_secret(txn, hcaptcha_cookie_secret, false, nil)
-	if parsed_request_cookies["z_ddos_captcha"] == expected_cookie then
+	local received_captcha_cookie = parsed_request_cookies["z_ddos_captcha"] or ""
+	local split_cookie = utils.split(received_captcha_cookie, "#")
+	if #split_cookie ~= 3 then
+		return
+	end
+	local given_user_key = split_cookie[1]
+	local given_user_hash = split_cookie[2]
+	local given_signature = split_cookie[3]
+	-- regenerate the user hash and compare it
+	local generated_user_hash = utils.generate_secret(txn, captcha_cookie_secret, given_user_key, false)
+	if generated_user_hash ~= given_user_hash then
+		return
+	end
+	-- regenerate the signature and compare it
+	local generated_signature = sha.hmac(sha.sha256, hmac_cookie_secret, given_user_key .. given_user_hash)
+	if given_signature == generated_signature then
 		return txn:set_var("txn.captcha_passed", true)
 	end
 end

-- check if pow token is valid
+-- check if pow cookie is valid
 function _M.check_pow_status(txn)
 	local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie"))
-	if parsed_request_cookies["z_ddos_pow"] then
-		local generated_work = utils.generate_secret(txn, pow_cookie_secret, false, "")
-		local iterations = parsed_request_cookies["z_ddos_pow"]
-		local completed_work = sha.sha1(generated_work .. iterations)
-		local challenge_offset = tonumber(generated_work:sub(1,1),16) * 2
-		if completed_work:sub(challenge_offset+1, challenge_offset+4) == 'b00b' then -- i dont know lua properly :^)
-			return txn:set_var("txn.pow_passed", true)
-		end
+	local received_pow_cookie = parsed_request_cookies["z_ddos_pow"] or ""
+	-- split the cookie up
+	local split_cookie = utils.split(received_pow_cookie, "#")
+	if #split_cookie ~= 4 then
+		return
+	end
+	local given_user_key = split_cookie[1]
+	local given_challenge_hash = split_cookie[2]
+	local given_signature = split_cookie[3]
+	local given_nonce = split_cookie[4]
+	-- regenerate the challenge and compare it
+	local generated_challenge_hash = utils.generate_secret(txn, pow_cookie_secret, given_user_key, false)
+	if given_challenge_hash ~= generated_challenge_hash then
+		return
+	end
+	-- regenerate the signature and compare it
+	local generated_signature = sha.hmac(sha.sha256, hmac_cookie_secret, given_user_key .. given_challenge_hash)
+	if given_signature ~= generated_signature then
+		return
+	end
+	-- check the work
+	local completed_work = sha.sha256(generated_challenge_hash .. given_nonce)
+	local challenge_offset = tonumber(generated_challenge_hash:sub(1,1),16) * 2
+	if completed_work:sub(challenge_offset+1, challenge_offset+4) == '0041' then -- i dont know lua properly :^)
+		return txn:set_var("txn.pow_passed", true)
 	end
 end