- Add ability to communicate with Tor control port and close circuits. Can be called from lua or as a http-request lua... call to do it based off an ACL. close #16

- Make POW checked before captcha in POST handler, since they both must be submittedin captcha mode, we don't want to send POST to /siteverify if they didnt even solve the POW

Other:
- Change (improve) split util to leave empty table entries for repeated delimiters
- Minor frontend script bugfix so error messages display properly in captcha mode
- Wrap submit button of noscript pow form to next line

haproxy/haproxy.cfg

@@ -10,10 +10,13 @@ global
 	tune.bufsize 51200
 
 defaults
+	log global
 	mode http
+	option httplog
 	timeout connect 5000ms
 	timeout client 50000ms
 	timeout server 50000ms
+	timeout tarpit 5000ms
 
 #frontend stats-frontend
 #	bind *:2000
@@ -47,6 +50,11 @@ frontend http-in
 	acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/blocked.map) -m found
 	http-request deny deny_status 403 if blocked_ip_or_subnet
 
+	# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
+	http-request track-sc0 src table bot_check_post_throttle if { path /bot-check } { method POST }
+	http-request lua.kill-tor-circuit if { sc_http_req_rate(0) gt 1 }
+	http-request tarpit if { sc_http_req_rate(0) gt 1 }
+
 	# acl for lua check whitelisted IPs/subnets and some excluded paths
 	acl is_excluded src,map_ip(/etc/haproxy/whitelist.map) -m found
 	acl is_excluded path /favicon.ico #add more
@@ -74,10 +82,11 @@ frontend http-in
 	# check pow/captcha and show page if necessary
 	acl on_captcha_url path /bot-check
 	http-request use-service lua.hcaptcha-view	if on_captcha_url !is_excluded
-	http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled
-	# global override enabled pow-check only, uncomment the OR to also do hcaptcha-check
-	http-request lua.hcaptcha-check          if !is_excluded !on_captcha_url validate_captcha #OR !is_excluded !on_captcha_url ddos_mode_enabled_override
-	http-request lua.pow-check          if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override
+
+	# challenge decisions, checking, and redirecting to /bot-check
+	http-request lua.decide-checks-necessary 	if !is_excluded !on_captcha_url ddos_mode_enabled
+	http-request lua.hcaptcha-check				if !is_excluded !on_captcha_url validate_captcha
+	http-request lua.pow-check					if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override
 	http-request redirect location /bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_captcha_url !is_excluded
 
 	# X-Cache-Status header (may be sent in some non-cache responses because NOSRV can happen for other reasons, but should always be present in responses served by cache-use)
@@ -104,6 +113,9 @@ backend servers
 	# use server based on hostname
 	use-server %[req.hdr(host),lower,map(/etc/haproxy/backends.map)] if TRUE
 
+backend bot_check_post_throttle
+	stick-table type ipv6 size 100k expire 60s store http_req_rate(60s)
+
 backend hcaptcha
 	mode http
 	server hcaptcha hcaptcha.com:443