Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add ability to include IPs in challenge hash generation, to lock cookies to IPs (like the pre-sig mode)

Browse Source
This commit is contained in:
Thomas Lynch
2022-09-21 21:31:48 +10:00
parent 20a04f23c2
commit 614b437667
3 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/libs/utils.lua
View File

@ -2,6 +2,7 @@ local _M = {}
local sha = require("sha")
local secret_bucket_duration = tonumber(os.getenv("BUCKET_DURATION"))
local challenge_includes_ip = os.getenv("CHALLENGE_INCLUDES_IP")
function _M.generate_secret(context, salt, user_key, is_applet)
@ -9,6 +10,12 @@ function _M.generate_secret(context, salt, user_key, is_applet)
local start_sec = core.now()['sec']
local bucket = start_sec - (start_sec % secret_bucket_duration)
-- optional IP to lock challenges/user_keys to IP (for clearnet or single-onion aka 99% of cases)
local ip = ""
if challenge_includes_ip then
ip = context.sf:src()
end
-- user agent to counter very dumb spammers
local user_agent = ""
if is_applet == true then
@ -19,7 +26,7 @@ function _M.generate_secret(context, salt, user_key, is_applet)
user_agent = context.sf:req_fhdr('user-agent') or ""
end
return sha.sha256(salt .. bucket .. user_key .. user_agent)
return sha.sha256(salt .. bucket .. ip .. user_key .. user_agent)
end