diff --git a/README.MD b/README.MD index 61099b1..83a8a7c 100644 --- a/README.MD +++ b/README.MD 
@@ -1,17 +1,24 @@ ## HaProxy DDoS protection system PoC -A fork of https://github.com/mora9715/haproxy_ddos_protector, a haproxy lua script allowing a holding page where users solve a captcha and proof-of-work (cpu intensive) task. +A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a haproxy configuration and lua scripts allowing a holding page where users solve a captcha (think cloudflare CDN). Intended to stop bots, spam, probably some forms of ddos, etc. Some issues fixed and various improvements: -- Fix some bugs -- Fix a security issue where unsalted hash could let users bypass captcha -- Made the cookies not work permanently. They now expire based on a server-side bucket as part of the cookie hash, instead of client side expiry -- Added additional proof-of-work element to the challenge page, both pow+captcha must be completed -- Avoid using a hack to resolve domain names, usea backend in haproxy instead +- Add a proof-of-work element to the bot-check page as an optional weaker but more user-friendly mode +- Add more options to CLI for nocaptcha +- Add examples and support for .onion/tor using the haproxy PROXY protocol to provide some kind of "ip" discrimination of tor users (circuit identifiers) +- Add serving javascript files directly from haproxy with http-request return, so no extra backend is needed - Improved the appearance of the challenge page -- More options to CLI for nocaptcha +- Fix a lot of bugs +- Fix resolving domain of hcaptcha, no longer uses a hack +- Fix multiple security issues that could result in bypassing the captcha +- Fix challenge cookies lasting forever, they are now limited by a bucket duration on server side + +#### Screenshot + +![captcha](img/captcha.png "captcha mode (pow done asynchronously in background)") +![nocaptcha](img/nocaptcha.png "no captcha mode") #### How to test 
@@ -19,11 +26,10 @@ Add some env vars to docker-compose file: - HCAPTCHA_SITEKEY - your hcaptcha site key - HCAPTCHA_SECRET - your hcaptcha secret key -- CAPTCHA_COOKIE_SECRET - random string, a salt for cookies -- POW_COOKIE_SECRET - random string a salt for cookies +- CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies +- POW_COOKIE_SECRET - different random string, a salt for pow cookies - RAY_ID - string to identify the haproxy node by - Run docker compose: ```bash docker compose up 
@@ -34,18 +40,25 @@ docker compose up DDoS-protection mode is enabled by default. #### Installation -Before installing the tool, ensure that HaProxy is built with Lua support. -- Copy [scripts](src/scripts) to a folder accessible for HaProxy +Before installing the tool, ensure that HaProxy is built with Lua support (in package and ubuntu recommended PPA, it is.) + - Copy haproxy config and make sure that `lua-load` directive contains absolute path to [register.lua](src/scripts/register.lua) -- Copy [libs](src/libs) to a path where Lua looks for modules. -- Copy [ddos-cli](src/cli/ddos-cli) to any convenient path. -- Create `/etc/haproxy/domains_under_ddos.txt` with write permissions for HaProxy (feel free to change the map file path, update the HaProxy config correspondingly) -- If you want to try with tor, change the haproxy mount in docker-compose to the haproxy/haproxy.tor.cfg and include your hidden_service folder (with keys, etc) in the tor folder +- Copy or link [scripts](src/scripts) to /etc/haproxy/scripts +- Copy or link [libs](src/libs) to /etc/haproxy/libs (or a path where Lua looks for modules). +- Create `/etc/haproxy/ddos.map` for domains with protection mode enabled +- Create `/etc/haproxy/no_captcha.map` for domains with no captcha, only pow + +If you want to try with tor and haproxy PROXY mode: +- Uncomment the tor service in `docker-compose.yml` +- Change the haproxy mount in `docker-compose.yml` for haproxy.cfg to haproxy.tor.cfg +- Add your hidden service folder (with keys, etc) to `tor/hidden_service` +- Run `docker-compose build` to rebuild the tor container with it. #### CLI -The system comes with CLI. It can be used to manage global and per-domain protection. +The system comes with CLI. It can be used to manage protection global/per-domain and control nocaptcha mode. Ensure that stat socket is configured in HaProxy for CLI support. + ```bash Usage: ddos-cli [options] 
diff --git a/docker-compose.yml b/docker-compose.yml index 76fc4d9..25e486e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,9 +1,9 @@ version: "3.9" services: - tor: - build: - context: ./ - dockerfile: tor/Dockerfile +# tor: +# build: +# context: ./ +# dockerfile: tor/Dockerfile haproxy: build: context: ./ diff --git a/img/captcha.png b/img/captcha.png new file mode 100644 index 0000000..3fe498e Binary files /dev/null and b/img/captcha.png differ diff --git a/img/nocaptcha.png b/img/nocaptcha.png new file mode 100644 index 0000000..6abbb02 Binary files /dev/null and b/img/nocaptcha.png differ
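Review bot: the first README hunk leaves the relationship between proof-of-work and the captcha ambiguous, and the changelog loses detail that operators of the upstream fork need. The removed bullet said "both pow+captcha must be completed", the added bullet describes pow as "an optional weaker but more user-friendly mode", and the new screenshot caption says "pow done asynchronously in background" in captcha mode; one sentence stating exactly which checks a visitor must pass in each of the two modes (captcha mode and nocaptcha mode) would settle this. Likewise, "Fix multiple security issues that could result in bypassing the captcha" replaces the specific "unsalted hash could let users bypass captcha"; keep the specifics (which check was bypassable and how it was fixed, for each issue) so someone running the original project can tell whether they are affected and why rotating `CAPTCHA_COOKIE_SECRET` / `POW_COOKIE_SECRET` matters.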
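Review bot: the second README hunk should say how strong `CAPTCHA_COOKIE_SECRET` and `POW_COOKIE_SECRET` need to be, not just that they are "random" and "different". Since these secrets are what prevents a client from forging a passed-challenge cookie, suggest wording such as "at least 32 bytes from a CSPRNG, e.g. `openssl rand -hex 32`, never reused between the two variables or across deployments", and note that changing either value invalidates all outstanding challenge cookies (which is also the intended way to revoke them).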
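Review bot: in the Installation hunk, the new bullets for `/etc/haproxy/ddos.map` and `/etc/haproxy/no_captcha.map` drop the permissions guidance that the removed `domains_under_ddos.txt` bullet carried ("with write permissions for HaProxy") and the reminder to update the HaProxy config if the path is changed; state whether HaProxy needs write access to these files and, if it does not, document that map changes made by `ddos-cli` over the stat socket live in HaProxy memory and are lost on restart unless the file is updated too. Two smaller points: the tor steps say "Run `docker-compose build`" while the test section uses `docker compose up`; pick one CLI form (the v2 `docker compose` spelling is the one in the rest of the file). And "(in package and ubuntu recommended PPA, it is.)" should read something like "(the distribution package and the Ubuntu PPA recommended by HAProxy both ship Lua support)".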
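Review bot: commenting out the `tor` service in `docker-compose.yml` forces users to edit a tracked file to enable it (as the README's "Uncomment the tor service" step now requires). Consider keeping the service defined and adding `profiles: ["tor"]` to it instead, so the default `docker compose up` still skips it and `docker compose --profile tor up` enables it; that also keeps the `haproxy.cfg` / `haproxy.tor.cfg` mount switch as the only manual step. The added `img/captcha.png` and `img/nocaptcha.png` match the paths referenced in the README hunk, so nothing further is needed there.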