readme improvement

This commit is contained in:
Thomas Lynch
2021-11-26 17:19:12 +11:00
parent e651d25dbb
commit 6d9ec35d9d
4 changed files with 34 additions and 21 deletions

@ -1,17 +1,24 @@
## HaProxy DDoS protection system PoC ## HaProxy DDoS protection system PoC
A fork of https://github.com/mora9715/haproxy_ddos_protector, a haproxy lua script allowing a holding page where users solve a captcha and proof-of-work (cpu intensive) task. A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a haproxy configuration and lua scripts allowing a holding page where users solve a captcha (think cloudflare CDN).
Intended to stop bots, spam, probably some forms of ddos, etc. Intended to stop bots, spam, probably some forms of ddos, etc.
Some issues fixed and various improvements: Some issues fixed and various improvements:
- Fix some bugs - Add a proof-of-work element to the bot-check page as an optional weaker but more user-friendly mode
- Fix a security issue where unsalted hash could let users bypass captcha - Add more options to CLI for nocaptcha
- Made the cookies not work permanently. They now expire based on a server-side bucket as part of the cookie hash, instead of client side expiry - Add examples and support for .onion/tor using the haproxy PROXY protocol to provide some kind of "ip" discrimination of tor users (circuit identifiers)
- Added additional proof-of-work element to the challenge page, both pow+captcha must be completed - Add serving javascript files directly from haproxy with http-request return, so no extra backend is needed
- Avoid using a hack to resolve domain names, usea backend in haproxy instead
- Improved the appearance of the challenge page - Improved the appearance of the challenge page
- More options to CLI for nocaptcha - Fix a lot of bugs
- Fix resolving domain of hcaptcha, no longer uses a hack
- Fix multiple security issues that could result in bypassing the captcha
- Fix challenge cookies lasting forever, they are now limited by a bucket duration on server side
#### Screenshot
![captcha](img/captcha.png "captcha mode (pow done asynchronously in background)")
![nocaptcha](img/nocaptcha.png "no captcha mode")
#### How to test #### How to test
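Review bot: the rewritten feature list loses the specifics that made the old one useful to an operator: "Fix multiple security issues that could result in bypassing the captcha" no longer says that the bypass came from an unsalted cookie hash, and "limited by a bucket duration on server side" no longer says that the bucket is folded into the cookie hash rather than being a client-side expiry. Suggest keeping one line along the lines of "challenge cookies are an HMAC-style hash salted with CAPTCHA_COOKIE_SECRET / POW_COOKIE_SECRET and bound to a server-side time bucket", since that is what justifies the two secrets in the env-var section below. The pow-only ("nocaptcha") mode is also introduced as "weaker but more user-friendly" without saying what it still stops (scripted requests that do not run the JavaScript) and what it does not (a headless browser that is willing to spend the CPU), and the tor bullet should note that the circuit identifier used as an "ip" changes whenever the client opens a new circuit, so per-identifier limits are much weaker than per-IP ones.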
@ -19,11 +26,10 @@ Add some env vars to docker-compose file:
- HCAPTCHA_SITEKEY - your hcaptcha site key - HCAPTCHA_SITEKEY - your hcaptcha site key
- HCAPTCHA_SECRET - your hcaptcha secret key - HCAPTCHA_SECRET - your hcaptcha secret key
- CAPTCHA_COOKIE_SECRET - random string, a salt for cookies - CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies
- POW_COOKIE_SECRET - random string a salt for cookies - POW_COOKIE_SECRET - different random string, a salt for pow cookies
- RAY_ID - string to identify the haproxy node by - RAY_ID - string to identify the haproxy node by
Run docker compose: Run docker compose:
```bash ```bash
docker compose up docker compose up
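Review bot: "random string" gives no guidance on entropy for CAPTCHA_COOKIE_SECRET and POW_COOKIE_SECRET, yet these salts are what prevents a forged challenge cookie. Suggest stating a minimum length and a generator, e.g. `openssl rand -hex 32`, and spelling out why the two must differ rather than just saying "different random string".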
@ -34,18 +40,25 @@ docker compose up
DDoS-protection mode is enabled by default. DDoS-protection mode is enabled by default.
#### Installation #### Installation
Before installing the tool, ensure that HaProxy is built with Lua support.
- Copy [scripts](src/scripts) to a folder accessible for HaProxy Before installing the tool, ensure that HaProxy is built with Lua support (in package and ubuntu recommended PPA, it is.)
- Copy haproxy config and make sure that `lua-load` directive contains absolute path to [register.lua](src/scripts/register.lua) - Copy haproxy config and make sure that `lua-load` directive contains absolute path to [register.lua](src/scripts/register.lua)
- Copy [libs](src/libs) to a path where Lua looks for modules. - Copy or link [scripts](src/scripts) to /etc/haproxy/scripts
- Copy [ddos-cli](src/cli/ddos-cli) to any convenient path. - Copy or link [libs](src/libs) to /etc/haproxy/libs (or a path where Lua looks for modules).
- Create `/etc/haproxy/domains_under_ddos.txt` with write permissions for HaProxy (feel free to change the map file path, update the HaProxy config correspondingly) - Create `/etc/haproxy/ddos.map` for domains with protection mode enabled
- If you want to try with tor, change the haproxy mount in docker-compose to the haproxy/haproxy.tor.cfg and include your hidden_service folder (with keys, etc) in the tor folder - Create `/etc/haproxy/no_captcha.map` for domains with no captcha, only pow
If you want to try with tor and haproxy PROXY mode:
- Uncomment the tor service in `docker-compose.yml`
- Change the haproxy mount in `docker-compose.yml` for haproxy.cfg to haproxy.tor.cfg
- Add your hidden service folder (with keys, etc) to `tor/hidden_service`
- Run `docker-compose build` to rebuild the tor container with it.
#### CLI #### CLI
The system comes with CLI. It can be used to manage global and per-domain protection. The system comes with CLI. It can be used to manage protection global/per-domain and control nocaptcha mode.
Ensure that stat socket is configured in HaProxy for CLI support. Ensure that stat socket is configured in HaProxy for CLI support.
```bash ```bash
Usage: ddos-cli <command> [options] Usage: ddos-cli <command> [options]
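Review bot: the new installation bullets drop two things the old ones had: the note that the map file must be writable by HaProxy, and the step that copies [ddos-cli](src/cli/ddos-cli) somewhere on the PATH. If the CLI now updates `ddos.map` and `no_captcha.map` only through the stats socket, say so and say whether the files still need to be writable by haproxy; otherwise restore the permission note. Minor: the tor steps use `docker-compose build` while the test section uses `docker compose up`; pick one form, and the parenthetical "(in package and ubuntu recommended PPA, it is.)" would read better as "(the distribution packages and the recommended Ubuntu PPA build it with Lua)".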

@ -1,9 +1,9 @@
version: "3.9" version: "3.9"
services: services:
tor: # tor:
build: # build:
context: ./ # context: ./
dockerfile: tor/Dockerfile # dockerfile: tor/Dockerfile
haproxy: haproxy:
build: build:
context: ./ context: ./
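Review bot: commenting out the tor service means every user who wants the tor setup has to edit `docker-compose.yml` by hand, as the README now instructs. With `version: "3.9"` the file already supports `profiles:`; giving the tor service `profiles: ["tor"]` keeps it out of a plain `docker compose up` but lets `docker compose --profile tor up --build` bring it in without editing, and the haproxy.tor.cfg mount could then be selected the same way.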

BIN
img/captcha.png Normal file


BIN
img/nocaptcha.png Normal file
