Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

make the useragent header fetch properly

Browse Source 
add a salt to the generate_secret function -- that was kinda important right? lol
just pass through to `end` if not POST or GET
make it not use calls to hostname and dig in lua scripts, use haproxy backend resolving instead
improve the template a lot and make it theme-matched to my site and similar to ngx_http_js_challenge robot page
fix various bugs
This commit is contained in:
Thomas Lynch
2021-11-24 00:34:41 +11:00
parent 7a1a91f0e8
commit 6400d98975
5 changed files with 84 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
docker-compose.yml
View File

@ -12,13 +12,6 @@ services:
- ./src/scripts/:/usr/local/etc/haproxy/scripts/
- ./src/libs/:/usr/local/etc/haproxy/libs/
environment:
- HCAPTCHA_SECRET=${HCAPTCHA_SECRET}
- HCAPTCHA_SITEKEY=${HCAPTCHA_SITEKEY}
nginx:
image: "nginx:latest"
redis:
image: "redis:latest"
ports:
- 6379:6379
- HCAPTCHA_SECRET=0x0000000000000000000000000000000000000000
- HCAPTCHA_SITEKEY=10000000-ffff-ffff-ffff-000000000001
- COOKIE_SECRET=changeme

8
haproxy/haproxy.cfg
View File

@ -17,13 +17,17 @@ frontend http-in
acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0
acl domain_under_ddos hdr(host) -i -f /usr/local/etc/haproxy/domains_under_ddos.txt
acl captcha_passed var(txn.captcha_passed) -m bool
acl on_captcha_url path -m beg /captcha
acl on_captcha_url path -m beg /bot-check
http-request use-service lua.hcaptcha-view if on_captcha_url
http-request lua.hcaptcha-redirect if !on_captcha_url ddos_mode_enabled OR domain_under_ddos
http-request redirect location /captcha?%[capture.req.uri] code 301 if !captcha_passed !on_captcha_url ddos_mode_enabled OR domain_under_ddos
http-request redirect location /bot-check?%[capture.req.uri] code 302 if !captcha_passed !on_captcha_url ddos_mode_enabled OR domain_under_ddos
default_backend servers
backend servers
server server1 nginx:80 maxconn 32
backend hcaptcha
mode http
server hcaptcha hcaptcha.com:443

2
src/libs/http.lua
View File

@ -609,7 +609,7 @@ function M.send(method, t)
else
return nil, "http." .. method:lower() .. ": Invalid URL schema " .. tostring(schema)
end
print("ADDR IS", addr)
local c, err = connect(socket, addr, port)
if c then

22
src/libs/utils.lua
View File

@ -15,28 +15,16 @@ function _M.resolve_fqdn(fqdn)
return result:gsub("\n", "")
end
function _M.generate_secret(args)
--[[ args: {
-- context: enum(applet, txn),
-- mode: enum('service', 'action')
-- }
--]]
local context = args.context
local mode = args.mode or "service"
local ip = context.sf:src() or ""
local hostname = _M.get_hostname() or ""
function _M.generate_secret(context, salt, is_applet)
local ip = context.sf:src()
local user_agent
if mode == "service" then
if is_applet == true then
user_agent = context.headers['user-agent'] or {}
user_agent = user_agent[0]
else
user_agent = context.sf:req_hdr('user-agent') or ""
user_agent = context.sf:req_hdr('user-agent')
end
return context.sc:xxh32(ip .. hostname .. user_agent)
return context.sc:xxh32(salt .. ip .. user_agent)
end
return _M

139
src/scripts/hcaptcha.lua
View File

@ -9,97 +9,100 @@ local json = require("json")
local captcha_secret = os.getenv("HCAPTCHA_SECRET")
local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY")
-- HaProxy Lua is not capable of FQDN resolution :(
local cookie_secret = os.getenv("COOKIE_SECRET")
-- HaProxy Lua is not capable of FQDN resolution :( -- bypased by using alternative core.backends["hcaptcha"].servers["hcaptcha"]:get_addr()
local captcha_provider_domain = "hcaptcha.com"
local captcha_provider_ip = utils.resolve_fqdn(captcha_provider_domain)
--local captcha_provider_ip = utils.resolve_fqdn(captcha_provider_domain)
function _M.view(applet)
local response_body
local response_status_code
if applet.method == "GET" then
response_body =
[[
<!DOCTYPE html>
<html>
local body_template = [[
<!DOCTYPE html>
<html>
<head>
<title>Captcha</title>
<meta name='viewport' content='width=device-width initial-scale=1'>
<title>Solve this captcha...</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
:root{--text-color:#c5c8c6;--bg-color:#1d1f21}
@media (prefers-color-scheme:light){:root{--text-color:#333;--bg-color:#EEE}}
a,a:visited{color:var(--text-color)}
body,html{height:100vh}
body{display:flex;flex-direction:column;background-color:var(--bg-color);color:var(--text-color);font-family:Helvetica,Arial,sans-serif;text-align:center;margin:0}
h3,p{margin:0}
footer{font-size:small;margin-top:auto;margin-bottom:50px}h3{padding-top:30vh}
</style>
</head>
<body>
<h1>Captcha challenge completion required.</h1>
<p>We have detected an unusual activity on the requested resource.</p>
<p>To ensure that the service runs smoothly, it is needed to complete a captcha challenge.</p>
<h3>Captcha completion required</h3>
<p>We have detected unusual activity on the requested resource.</p>
<p>Please solve this captcha to prove you are not a robot.</p>
<div>
<br>
</div>
<noscript>
<p class="red">JavaScript is required to complete the captcha.</p>
</noscript>
<form method="POST">
<div class="h-captcha" data-sitekey="%s"></div>
<script src="https://hcaptcha.com/1/api.js" async defer></script>
<input type="submit" value="Submit">
</form>
<p><em>Thank you for understanding.</em></p>
<footer>Supported by <a href="https://kikeflare.com">KikeFlare</a></footer>
</body>
</html>
]]
response_body = string.format(response_body, captcha_sitekey)
response_status_code = 200
elseif applet.method == "POST" then
local parsed_body = url.parseQuery(applet.receive(applet))
if parsed_body["h-captcha-response"] then
local url =
string.format(
"https://%s/siteverify?secret=%s&response=%s",
captcha_provider_ip,
captcha_secret,
parsed_body["h-captcha-response"]
)
local res, err = http.get{url=url, headers={host=captcha_provider_domain} }
local status, api_response = pcall(res.json, res)
if not status then
local original_error = api_response
api_response = {}
core.Warning("Received incorrect response from Captcha Provider: " .. original_error)
end
if api_response.success == true then
local floating_hash = utils.generate_secret{context=applet, mode='service'}
core.Debug("HCAPTCHA SUCCESSFULLY PASSED")
applet:add_header(
"set-cookie",
string.format("z_ddos_protection=%s; Max-Age=14400; Path=/", floating_hash)
)
else
core.Debug("HCAPTCHA FAILED: " .. json.encode(api_response))
end
end
response_body = "Thank you for submitting!"
response_status_code = 301
applet:add_header("location", applet.qs)
end
</html>
]]
function _M.view(applet)
local response_body
local response_status_code
if applet.method == "GET" then
response_body = string.format(body_template, captcha_sitekey)
response_status_code = 403
applet:set_status(response_status_code)
applet:add_header("content-type", "text/html")
applet:add_header("content-length", string.len(response_body))
applet:start_response()
applet:send(response_body)
elseif applet.method == "POST" then
local parsed_body = url.parseQuery(applet.receive(applet))
if parsed_body["h-captcha-response"] then
local url = string.format(
"https://%s/siteverify?secret=%s&response=%s",
core.backends["hcaptcha"].servers["hcaptcha"]:get_addr(),
captcha_secret,
parsed_body["h-captcha-response"]
)
local res, err = http.get{url=url, headers={host=captcha_provider_domain} }
local status, api_response = pcall(res.json, res)
if not status then
local original_error = api_response
api_response = {}
end
if api_response.success == true then
local floating_hash = utils.generate_secret(applet, cookie_secret, true)
applet:add_header(
"set-cookie",
string.format("z_ddos_protection=%s; Max-Age=14400; Path=/", floating_hash)
)
-- else
-- core.Debug("HCAPTCHA FAILED: " .. json.encode(api_response))
end
end
response_body = ""
response_status_code = 302
applet:add_header("location", applet.qs)
applet:set_status(response_status_code)
applet:add_header("content-type", "text/html")
applet:add_header("content-length", string.len(response_body))
applet:start_response()
applet:send(response_body)
end
end
function _M.check_captcha_status(txn)
core.Debug("CAPTCHA STATUS CHECK START")
txn:set_var("txn.requested_url", "/mopsik?kek=pek")
local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie"))
local expected_cookie = utils.generate_secret{context=txn, mode='service'}
core.Debug("RECEIVED SECRET COOKIE: " .. parsed_request_cookies["z_ddos_protection"])
core.Debug("OUR SECRET COOKIE: " .. expected_cookie)
local expected_cookie = utils.generate_secret(txn, cookie_secret)
--core.Debug("RECEIVED SECRET COOKIE: " .. parsed_request_cookies["z_ddos_protection"])
--core.Debug("EXPECTED SECRET COOKIE: " .. expected_cookie)
if parsed_request_cookies["z_ddos_protection"] == expected_cookie then
core.Debug("CAPTCHA STATUS CHECK SUCCESS")
return txn:set_var("txn.captcha_passed", true)