Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Add ability to communicate with Tor control port and close circuits. Can be called from lua or as a http-request lua... call to do it based off an ACL. close #16

Browse Source 
- Make POW checked before captcha in POST handler, since they both must be submittedin captcha mode, we don't want to send POST to /siteverify if they didnt even solve the POW

Other:
- Change (improve) split util to leave empty table entries for repeated delimiters
- Minor frontend script bugfix so error messages display properly in captcha mode
- Wrap submit button of noscript pow form to next line
This commit is contained in:
Thomas Lynch
2022-10-02 04:57:59 +11:00
parent eb1dc3e378
commit 64e26f65b5
7 changed files with 133 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
README.MD
View File

@ -39,6 +39,7 @@ NOTE: Use either HCAPTCHA_ or RECAPTHCA_, not both.
- POW_TIME - argon2 iterations
- POW_KB - argon2 memory usage in KB
- POW_DIFFICULTY - pow "difficulty" (you should use all 3 POW_ parameters to tune the difficulty)
- TOR_CONTROL_PORT_PASSWORD - the control port password for tor daemon
#### Run in docker (for testing/development)
@ -69,6 +70,22 @@ sudo luarocks install argon2
If you have problems, read the error messages before opening an issue that is simply a bad configuration.
### Tor
- Check the `bind` line comments. Switch to the one with `accept-proxy` and `option forwardfor`
- To generate a tor control port password:
```
$ tor --hash-password example
16:0175C41DDD88C5EA605582C858BC08FA29014215F233479A99FE78EDED
```
- Set `TOR_CONTROL_PORT_PASSWORD` env var to the same password (NOT the output hash)
- Add to your torrc (where xxxx is the output of `tor --hash-password`):
```
ControlPort 9051
HashedControlPassword xxxxxxxxxxxxxxxxx
```
- Don't forget to restart tor
#### Screenshots
![nocaptcha](img/nocaptcha.png "no captcha mode")

1
docker-compose.yml
View File

@ -38,6 +38,7 @@ services:
- POW_TIME=2
- POW_KB=512
- POW_DIFFICULTY=25
- TOR_CONTROL_PORT_PASSWORD=changeme
nginx:
ports:

20
haproxy/haproxy.cfg
View File

@ -10,10 +10,13 @@ global
tune.bufsize 51200
defaults
log global
mode http
option httplog
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
timeout tarpit 5000ms
#frontend stats-frontend
# bind *:2000
@ -47,6 +50,11 @@ frontend http-in
acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/blocked.map) -m found
http-request deny deny_status 403 if blocked_ip_or_subnet
# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
http-request track-sc0 src table bot_check_post_throttle if { path /bot-check } { method POST }
http-request lua.kill-tor-circuit if { sc_http_req_rate(0) gt 1 }
http-request tarpit if { sc_http_req_rate(0) gt 1 }
# acl for lua check whitelisted IPs/subnets and some excluded paths
acl is_excluded src,map_ip(/etc/haproxy/whitelist.map) -m found
acl is_excluded path /favicon.ico #add more
@ -74,10 +82,11 @@ frontend http-in
# check pow/captcha and show page if necessary
acl on_captcha_url path /bot-check
http-request use-service lua.hcaptcha-view if on_captcha_url !is_excluded
http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled
# global override enabled pow-check only, uncomment the OR to also do hcaptcha-check
http-request lua.hcaptcha-check if !is_excluded !on_captcha_url validate_captcha #OR !is_excluded !on_captcha_url ddos_mode_enabled_override
http-request lua.pow-check if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override
# challenge decisions, checking, and redirecting to /bot-check
http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled
http-request lua.hcaptcha-check if !is_excluded !on_captcha_url validate_captcha
http-request lua.pow-check if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override
http-request redirect location /bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_captcha_url !is_excluded
# X-Cache-Status header (may be sent in some non-cache responses because NOSRV can happen for other reasons, but should always be present in responses served by cache-use)
@ -104,6 +113,9 @@ backend servers
# use server based on hostname
use-server %[req.hdr(host),lower,map(/etc/haproxy/backends.map)] if TRUE
backend bot_check_post_throttle
stick-table type ipv6 size 100k expire 60s store http_req_rate(60s)
backend hcaptcha
mode http
server hcaptcha hcaptcha.com:443

6
haproxy/js/challenge.js
View File

@ -1,7 +1,9 @@
function insertError(str) {
const ring = document.querySelector('.lds-ring');
ring.insertAdjacentHTML('afterend', `<p class="red">Error: ${str}</p>`);
ring.remove();
const captcha = document.querySelector('#captcha');
(ring || captcha).insertAdjacentHTML('afterend', `<p class="red">Error: ${str}</p>`);
ring && ring.remove();
captcha && captcha.remove();
}
function finishRedirect() {

16
src/libs/utils.lua
View File

@ -3,7 +3,9 @@ local _M = {}
local sha = require("sha")
local secret_bucket_duration = tonumber(os.getenv("BUCKET_DURATION"))
local challenge_includes_ip = os.getenv("CHALLENGE_INCLUDES_IP")
local tor_control_port_password = os.getenv("TOR_CONTROL_PORT_PASSWORD")
-- generate the challenge hash/user hash
function _M.generate_secret(context, salt, user_key, is_applet)
-- time bucket for expiry
@ -30,14 +32,16 @@ function _M.generate_secret(context, salt, user_key, is_applet)
end
-- split string by delimiter
function _M.split(inputstr, sep)
local t = {}
for str in string.gmatch(inputstr, "([^"..sep.."]+)") do
for str in string.gmatch(inputstr, "([^"..sep.."]*)") do
table.insert(t, str)
end
return t
end
-- return true if hash passes difficulty
function _M.checkdiff(hash, diff)
local i = 1
for j = 0, (diff-8), 8 do
@ -51,5 +55,15 @@ function _M.checkdiff(hash, diff)
return (lnm & msk) == 0
end
-- connect to the tor control port and instruct it to close a circuit
function _M.send_tor_control_port(circuit_identifier)
local tcp = core.tcp();
tcp:settimeout(1);
tcp:connect("127.0.0.1", 9051);
-- not buffered, so we are better off sending it all at once
tcp:send('AUTHENTICATE "' .. tor_control_port_password .. '"\nCLOSECIRCUIT ' .. circuit_identifier ..'\n')
tcp:close()
end
return _M

131
src/scripts/hcaptcha.lua
View File

@ -132,10 +132,10 @@ local noscript_extra_template = [[
<code style="word-break: break-all;">
echo "Q0g9IiQyIjtCPSQocHJpbnRmICcwJS4wcycgJChzZXEgMSAkNCkpO2VjaG8gIldvcmtpbmcuLi4iO0k9MDt3aGlsZSB0cnVlOyBkbyBIPSQoZWNobyAtbiAkQ0gkSSB8IGFyZ29uMiAkMSAtaWQgLXQgJDUgLWsgJDYgLXAgMSAtbCAzMiAtcik7RT0ke0g6MDokNH07W1sgJEUgPT0gJEIgXV0gJiYgZWNobyAiT3V0cHV0OiIgJiYgZWNobyAkMSMkMiMkMyMkSSAmJiBleGl0IDA7KChJKyspKTtkb25lOwo=" | base64 -d | bash -s %s %s %s %s %s %s
</code>
<li>Paste the output from the script into the box and submit:
<form method="POST">
<textarea type="text" name="pow_response"></textarea>
<input type="submit" value="submit" />
<li>Paste the script output into the box and submit:
<form method="post">
<textarea name="pow_response" placeholder="script output" required></textarea>
<div><input type="submit" value="submit" /></div>
</form>
</ol>
</details>
@ -144,7 +144,7 @@ local noscript_extra_template = [[
-- title with favicon and hostname
local site_name_section_template = [[
<h3 class="pt">
<img src="/favicon.ico" width="32" height="32">
<img src="/favicon.ico" width="32" height="32" alt="favicon">
%s
</h3>
]]
@ -170,6 +170,24 @@ local captcha_section_template = [[
</div>
]]
-- kill a tor circuit
function _M.kill_tor_circuit(txn)
local ip = txn.sf:src()
if ip:sub(1,19) ~= "fc00:dead:beef:4dad" then
return -- not a tor circuit id/ip. we shouldn't get here, but just in case.
end
-- split the IP, take the last 2 sections
local split_ip = utils.split(ip, ":")
local aa_bb = split_ip[5] or "0000"
local cc_dd = split_ip[6] or "0000"
aa_bb = string.rep("0", 4 - #aa_bb) .. aa_bb
cc_dd = string.rep("0", 4 - #cc_dd) .. cc_dd
-- convert the last 2 sections to a number from hex, which makes the circuit ID
local circuit_identifier = tonumber(aa_bb..cc_dd, 16)
print('Closing Tor circuit ID: '..circuit_identifier..', "IP": '..ip)
utils.send_tor_control_port(circuit_identifier)
end
function _M.view(applet)
-- set response body and declare status code
@ -222,6 +240,9 @@ function _M.view(applet)
-- if request is POST, check the answer to the pow/cookie
elseif applet.method == "POST" then
-- if they fail, set a var for use in ACLs later
local valid_submission = false
-- parsed POST body
local parsed_body = url.parseQuery(applet.receive(applet))
@ -231,9 +252,58 @@ function _M.view(applet)
secure_cookie_flag = ""
end
-- handle setting the POW cookie
local user_pow_response = parsed_body["pow_response"]
if user_pow_response then
-- split the response up (makes the nojs submission easier because it can be a single field)
local split_response = utils.split(user_pow_response, "#")
if #split_response == 4 then
local given_user_key = split_response[1]
local given_challenge_hash = split_response[2]
local given_signature = split_response[3]
local given_answer = split_response[4]
-- regenerate the challenge and compare it
local generated_challenge_hash = utils.generate_secret(applet, pow_cookie_secret, given_user_key, true)
if given_challenge_hash == generated_challenge_hash then
-- regenerate the signature and compare it
local generated_signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_challenge_hash)
if given_signature == generated_signature then
-- do the work with their given answer
local full_hash = argon2.hash_encoded(given_challenge_hash .. given_answer, given_user_key)
-- check the output is correct
local hash_output = utils.split(full_hash, '$')[6]:sub(0, 43) -- https://github.com/thibaultcha/lua-argon2/issues/37
local hex_hash_output = sha.bin_to_hex(sha.base64_to_bin(hash_output));
if utils.checkdiff(hex_hash_output, pow_difficulty) then
-- the answer was good, give them a cookie
local signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_challenge_hash .. given_answer)
local combined_cookie = given_user_key .. "#" .. given_challenge_hash .. "#" .. given_answer .. "#" .. signature
applet:add_header(
"set-cookie",
string.format(
"z_ddos_pow=%s; Expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; Domain=.%s; SameSite=Strict;%s",
combined_cookie,
applet.headers['host'][0],
secure_cookie_flag
)
)
valid_submission = true
end
end
end
end
end
-- handle setting the captcha cookie
local user_captcha_response = parsed_body["h-captcha-response"] or parsed_body["g-recaptcha-response"]
if user_captcha_response then
if valid_submission and user_captcha_response then -- only check captcha if POW is already correct
-- format the url for verifying the captcha response
local captcha_url = string.format(
"https://%s%s",
@ -276,56 +346,13 @@ function _M.view(applet)
secure_cookie_flag
)
)
valid_submission = valid_submission and true
end
end
-- handle setting the POW cookie
local user_pow_response = parsed_body["pow_response"]
if user_pow_response then
-- split the response up (makes the nojs submission easier because it can be a single field)
local split_response = utils.split(user_pow_response, "#")
if #split_response == 4 then
local given_user_key = split_response[1]
local given_challenge_hash = split_response[2]
local given_signature = split_response[3]
local given_answer = split_response[4]
-- regenerate the challenge and compare it
local generated_challenge_hash = utils.generate_secret(applet, pow_cookie_secret, given_user_key, true)
if given_challenge_hash == generated_challenge_hash then
-- regenerate the signature and compare it
local generated_signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_challenge_hash)
if given_signature == generated_signature then
-- do the work with their given answer
local full_hash = argon2.hash_encoded(given_challenge_hash .. given_answer, given_user_key)
-- check the output is correct
local hash_output = utils.split(full_hash, '$')[5]:sub(0, 43) -- https://github.com/thibaultcha/lua-argon2/issues/37
local hex_hash_output = sha.bin_to_hex(sha.base64_to_bin(hash_output));
if utils.checkdiff(hex_hash_output, pow_difficulty) then
-- the answer was good, give them a cookie
local signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, given_user_key .. given_challenge_hash .. given_answer)
local combined_cookie = given_user_key .. "#" .. given_challenge_hash .. "#" .. given_answer .. "#" .. signature
applet:add_header(
"set-cookie",
string.format(
"z_ddos_pow=%s; Expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/; Domain=.%s; SameSite=Strict;%s",
combined_cookie,
applet.headers['host'][0],
secure_cookie_flag
)
)
end
end
end
end
if not valid_submission then
_M.kill_tor_circuit(applet)
end
-- redirect them to their desired page in applet.qs (query string)

1
src/scripts/register.lua
View File

@ -6,4 +6,5 @@ core.register_service("hcaptcha-view", "http", hcaptcha.view)
core.register_action("hcaptcha-check", { 'http-req', }, hcaptcha.check_captcha_status)
core.register_action("pow-check", { 'http-req', }, hcaptcha.check_pow_status)
core.register_action("decide-checks-necessary", { 'http-req', }, hcaptcha.decide_checks_necessary)
core.register_action("kill-tor-circuit", { 'http-req', }, hcaptcha.kill_tor_circuit)
core.register_init(hcaptcha.setup_servers)