readme improvement

README.MD

@@ -1,17 +1,24 @@
 ## HaProxy DDoS protection system PoC
 
-A fork of https://github.com/mora9715/haproxy_ddos_protector, a haproxy lua script allowing a holding page where users solve a captcha and proof-of-work (cpu intensive) task.
+A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a haproxy configuration and lua scripts allowing a holding page where users solve a captcha (think cloudflare CDN).
 Intended to stop bots, spam, probably some forms of ddos, etc.
 
 Some issues fixed and various improvements:
 
-- Fix some bugs
-- Fix a security issue where unsalted hash could let users bypass captcha
-- Made the cookies not work permanently. They now expire based on a server-side bucket as part of the cookie hash, instead of client side expiry
-- Added additional proof-of-work element to the challenge page, both pow+captcha must be completed
-- Avoid using a hack to resolve domain names, usea backend in haproxy instead
+- Add a proof-of-work element to the bot-check page as an optional weaker but more user-friendly mode
+- Add more options to CLI for nocaptcha
+- Add examples and support for .onion/tor using the haproxy PROXY protocol to provide some kind of "ip" discrimination of tor users (circuit identifiers)
+- Add serving javascript files directly from haproxy with http-request return, so no extra backend is needed
 - Improved the appearance of the challenge page
-- More options to CLI for nocaptcha
+- Fix a lot of bugs
+- Fix resolving domain of hcaptcha, no longer uses a hack
+- Fix multiple security issues that could result in bypassing the captcha
+- Fix challenge cookies lasting forever, they are now limited by a bucket duration on server side
+
+#### Screenshot
+
+![captcha](img/captcha.png "captcha mode (pow done asynchronously in background)")
+![nocaptcha](img/nocaptcha.png "no captcha mode")
 
 #### How to test
 
@@ -19,11 +26,10 @@ Add some env vars to docker-compose file:
 
 - HCAPTCHA_SITEKEY - your hcaptcha site key
 - HCAPTCHA_SECRET - your hcaptcha secret key
-- CAPTCHA_COOKIE_SECRET - random string, a salt for cookies
-- POW_COOKIE_SECRET - random string a salt for cookies
+- CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies
+- POW_COOKIE_SECRET - different random string, a salt for pow cookies
 - RAY_ID - string to identify the haproxy node by
 
-
 Run docker compose:
 ```bash
 docker compose up
@@ -34,18 +40,25 @@ docker compose up
 DDoS-protection mode is enabled by default.
 
 #### Installation
-Before installing the tool, ensure that HaProxy is built with Lua support.
 
-- Copy [scripts](src/scripts) to a folder accessible for HaProxy
+Before installing the tool, ensure that HaProxy is built with Lua support (in package and ubuntu recommended PPA, it is.)
+
 - Copy haproxy config and make sure that `lua-load` directive contains absolute path to [register.lua](src/scripts/register.lua)
-- Copy [libs](src/libs) to a path where Lua looks for modules.
-- Copy [ddos-cli](src/cli/ddos-cli) to any convenient path.
-- Create `/etc/haproxy/domains_under_ddos.txt` with write permissions for HaProxy (feel free to change the map file path, update the HaProxy config correspondingly)
-- If you want to try with tor, change the haproxy mount in docker-compose to the haproxy/haproxy.tor.cfg and include your hidden_service folder (with keys, etc) in the tor folder
+- Copy or link [scripts](src/scripts) to /etc/haproxy/scripts
+- Copy or link [libs](src/libs) to /etc/haproxy/libs (or a path where Lua looks for modules).
+- Create `/etc/haproxy/ddos.map` for domains with protection mode enabled
+- Create `/etc/haproxy/no_captcha.map` for domains with no captcha, only pow
+
+If you want to try with tor and haproxy PROXY mode:
+- Uncomment the tor service in `docker-compose.yml`
+- Change the haproxy mount in `docker-compose.yml` for haproxy.cfg to haproxy.tor.cfg
+- Add your hidden service folder (with keys, etc) to `tor/hidden_service`
+- Run `docker-compose build` to rebuild the tor container with it.
 
 #### CLI
-The system comes with CLI. It can be used to manage global and per-domain protection.
+The system comes with CLI. It can be used to manage protection global/per-domain and control nocaptcha mode.
 Ensure that stat socket is configured in HaProxy for CLI support.
+
 ```bash
 Usage: ddos-cli <command> [options]
 

docker-compose.yml

@@ -1,9 +1,9 @@
 version: "3.9"
 services:
-  tor:
-    build:
-      context: ./
-      dockerfile: tor/Dockerfile
+#  tor:
+#    build:
+#      context: ./
+#      dockerfile: tor/Dockerfile
   haproxy:
     build:
       context: ./