diff --git a/README.MD b/README.MD index 6c846ad..85cd011 100644 --- a/README.MD +++ b/README.MD @@ -34,6 +34,7 @@ Add some env vars to docker-compose file: - HMAC_COOKIE_SECRET - different random string, a salt for pow cookies - RAY_ID - string to identify the HAProxy node by - BUCKET_DURATION - how long between bucket changes, invalidating cookies +- CHALLENGE_INCLUDES_IP - any value, whether to lock solved challenges to IP or tor circuit - BACKEND_NAME - Optional, name of backend to build from hosts.map - SERVER_PREFIX - Optional, prefix of server names used in server-template diff --git a/docker-compose.yml b/docker-compose.yml index 890b369..d357581 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -36,6 +36,7 @@ services: - BUCKET_DURATION=43200 - BACKEND_NAME=servers - SERVER_PREFIX=websrv + #- CHALLENGE_INCLUDES_IP=1 nginx: ports: - 81:80 diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg index e1f928b..3dc576b 100644 --- a/haproxy/haproxy.cfg +++ b/haproxy/haproxy.cfg @@ -1,111 +1,47 @@ global - lua-load /etc/haproxy/scripts/register.lua - log /dev/log local0 - log /dev/log local1 notice - chroot /var/lib/haproxy - user haproxy - group haproxy daemon - maxconn 10000 + maxconn 256 + log stdout format raw local0 debug + lua-load /etc/haproxy/scripts/register.lua + stats socket /var/run/haproxy.sock mode 666 level admin + stats socket 127.0.0.1:1999 level admin httpclient.ssl.verify none - #for haproxy panel - stats socket 127.0.0.1:1999 level operator - - stats socket /var/run/haproxy.sock mode 660 level admin expose-fd listeners - stats timeout 30s - - # Default SSL material locations - ca-base /etc/ssl/certs - crt-base /etc/ssl/private - - # Default ciphers to use on SSL-enabled listening sockets. - # For more information, see ciphers(1SSL). This list is from: - # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ - ssl-default-bind-options ssl-min-ver TLSv1.2 prefer-client-ciphers - ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 - ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM - ssl-default-server-options ssl-min-ver TLSv1.2 - ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 - ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM - - tune.ssl.default-dh-param 2048 - defaults - option logasap - log global mode http - option httplog -# option dontlognull - #timeout slow connection - timeout connect 5000 - #timeout slow request headers - timeout http-request 5000 - #timeout very very slow clients - timeout client 90000 - #timeout if server dead - timeout server 10000 - #timeout websockets after long time, not 0 just in case. it wil reconnect anyway. - timeout tunnel 900000 - #timeout for tarpitting bots - timeout tarpit 10000 - errorfile 429 /etc/haproxy/errors/429.http - errorfile 400 /etc/haproxy/errors/400.http - errorfile 403 /etc/haproxy/errors/403.http - errorfile 408 /etc/haproxy/errors/408.http - errorfile 500 /etc/haproxy/errors/500.http - errorfile 502 /etc/haproxy/errors/502.http - errorfile 503 /etc/haproxy/errors/503.http - errorfile 504 /etc/haproxy/errors/504.http - option forwardfor - option http-keep-alive + timeout connect 5000ms + timeout client 50000ms + timeout server 50000ms - ##### Better log format - log-format "%ci %s %ST %{+Q}r %B %ts CONC:[%ac/%fc/%bc/%sc] QUEUE:[%sq/%bq]" +#frontend stats-frontend +# bind *:2000 +# option tcplog +# mode tcp +# acl white_list src xxx.xxx.xxx.xxx +# tcp-request connection reject unless white_list +# default_backend stats-backend -# necessary to firewall, white_list acl in development -frontend stats-frontend - bind *:2000 - option tcplog - mode tcp - acl white_list src xxx.xxx.xxx.xxx - tcp-request connection reject unless white_list - default_backend stats-backend +#backend stats-backend +# mode tcp +# server stats-localhost 127.0.0.1:1999 -backend stats-backend - mode tcp - server stats-localhost 127.0.0.1:1999 - -backend per_ip_rates - stick-table type ip size 100k expire 1h store gpc0,gpc0_rate(30s),http_err_rate(5m) - -frontend www-http-https - - # Bind and multiple certs in folder - bind :::80 - bind :::443 ssl crt /etc/haproxy/certs alpn h2,http/1.1 - - # HTTPS redirect - http-request redirect scheme https if !{ ssl_fc } - - # Tarpit when too many errors - http-request tarpit deny_status 429 if { sc_http_err_rate(0) gt 5 } - - # kikeflare ACL for separate backend - acl is_kikeflare hdr(host) -i kikeflare.com www.kikeflare.com +frontend http-in + bind *:80 # drop requests with invalid host header #acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/hosts.map) -m found #http-request silent-drop unless is_existing_vhost + # debug only, /cdn-cgi/trace + #http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/trace.txt if { path /cdn-cgi/trace } + # acl for blocked IPs/subnets acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/blocked.map) -m found http-request deny deny_status 403 if blocked_ip_or_subnet # acl for lua check whitelisted IPs/subnets and some excluded paths acl is_excluded src,map_ip(/etc/haproxy/whitelist.map) -m found - acl is_excluded path_end -i .css .js .png .jpg .ico .jpeg .gif .mp4 .webm .bmp .mov .svg .mp3 .ogg .wav .opus .apng .webp .pjpeg .jfif .txt .sid .pdf .webmanifest .xml .flac .m4a .aac - acl is_excluded path /favicon.ico /webring.json #add more + acl is_excluded path /favicon.ico #add more # acl ORs for when ddos_mode_enabled acl ddos_mode_enabled_override hdr_cnt(xr3la1rfFc) eq 0 @@ -115,10 +51,8 @@ frontend www-http-https # serve challenge page scripts directly from haproxy acl is_challenge_js path /js/challenge.js acl is_worker_js path /js/worker.js - acl is_footerlogo_png path /img/footerlogo.png http-request return file /var/www/js/challenge.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_challenge_js http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_worker_js - http-request return file /var/www/img/footerlogo.png status 200 content-type "image/png" hdr "cache-control" "public, max-age=300" if is_footerlogo_png # acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo) acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/maintenance.map) -m found @@ -139,100 +73,29 @@ frontend www-http-https http-request lua.pow-check if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override http-request redirect location /bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_captcha_url !is_excluded - # redirect handle trailing slash and index.html - acl dont-redirect path_reg ^\/(captcha|randombanner|forms|logout|socket\.io)(\/|$) - acl needs-trailing-slash path_reg ^([^.\?]*[^/])$ - acl has-trailing-slash path_end / - http-request redirect scheme https append-slash if !dont-redirect needs-trailing-slash !is_kikeflare - http-request redirect location https://%[req.hdr(host)]%[path]index.html%[query] if !dont-redirect has-trailing-slash !is_kikeflare - - # remove www. - http-request redirect location https://%[req.hdr(host),regsub(^www.,)]%[capture.req.uri] if { hdr_beg(host) -i www } - # X-Cache-Status header (may be sent in some non-cache responses because NOSRV can happen for other reasons, but should always be present in responses served by cache-use) http-response set-header X-Cache-Status HIT if !{ srv_id -m found } http-response set-header X-Cache-Status MISS if { srv_id -m found } - # Track client by url32+src (Host header + URL path + src IP), deny if rate abuse - stick-table type binary len 8 size 200k expire 10s store http_req_rate(10s) - http-request track-sc0 url32+src - acl rate_abuse sc0_http_req_rate gt 50 - http-request tarpit deny_status 429 if rate_abuse + default_backend servers - # Send LetsEncrypt requests to alternative backend that handles certs - acl letsencrypt-acl path_beg /.well-known/acme-challenge/ - use_backend letsencrypt-backend if letsencrypt-acl - - # Socketio backend (doesnt try to upgrade to http2) - acl socketio path_beg /socket.io/ - use_backend no-http2-backend if socketio - - # Captcha backend with queue/maxconn - acl captcha path -i /captcha /captcha/ - use_backend maxconn-20-backend if captcha - - # Kikeflare acl separate backend - use_backend basic-cache-backend if is_kikeflare - - # Otherwise, send to main backend - default_backend complex-cache-backend - -cache long_cache +cache basic_cache total-max-size 2500 max-object-size 31457280 max-age 86400 -cache short_cache - total-max-size 50 - max-object-size 1000000 - max-age 600 +backend servers -cache micro_cache - total-max-size 50 - max-object-size 1000000 - max-age 60 - -backend letsencrypt-backend - server www-1 xxx.xxx.xxx.xxx:80 - -# a complex backend that has a few different caches, and is catered to work well specifically with jschan -backend complex-cache-backend + # simple example cache for files http-request set-var(txn.path) path + acl can_cache var(txn.path) -i -m end .png .jpg .jpeg .jpe .ico .webmanifest .xml .apng .bmp .webp .pjpeg .jfif .gif .mp4 .webm .mov .mkv .svg .m4a .aac .flac .mp3 .ogg .wav .opus .txt .pdf .sid + http-request cache-use basic_cache if can_cache + http-response cache-store basic_cache if can_cache - ##### longer cache - acl long_cached_file var(txn.path) -i -m end .css .js .png .jpg .ico .jpeg .gif .mp4 .webm .bmp .mov .svg .mp3 .ogg .wav .opus .apng .webp .pjpeg .jfif .txt .sid .pdf .webmanifest .xml .flac .m4a .m4v .ts .aac - acl long_cached_page var(txn.path) -i -m beg /rules.html /faq.html /robots.txt - http-request cache-use long_cache if long_cached_file or long_cached_page - http-response cache-store long_cache if long_cached_file or long_cached_page - - ##### shorter cache - acl short_cached_page var(txn.path) -i -m beg /index.html /news.html - http-request cache-use short_cache if short_cached_page - http-response cache-store short_cache if short_cached_page - - ##### micro cache - acl micro_cached_page var(txn.path) -i -m beg /boards.html /catalog.html /overboard.html /boards.json - http-request cache-use micro_cache if micro_cached_page - http-response cache-store micro_cache if micro_cached_page - - server www-1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/backend.pem alpn h2 - -# a simpler backend that caches mostly media and css/js -backend basic-cache-backend - http-request set-var(txn.path) path - - ##### longer cache - acl long_cached_file var(txn.path) -i -m end .css .js .png .jpg .ico .jpeg .gif .mp4 .webm .bmp .mov .svg .mp3 .ogg .wav .opus .apng .webp .pjpeg .jfif .txt .sid .pdf .webmanifest .xml .flac .m4a .m4v .ts .aac - http-request cache-use long_cache if long_cached_file - http-response cache-store long_cache if long_cached_file - - server www-1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/backend.pem alpn h2 - -backend no-http2-backend - server www-1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/backend.pem - -backend maxconn-20-backend - server www-1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/backend.pem maxconn 20 alpn h2 + # placeholder servers, activated by LUA or the control panel + server-template websrv 1-100 0.0.0.0:80 check disabled + # use server based on hostname + use-server %[req.hdr(host),lower,map(/etc/haproxy/backends.map)] if TRUE backend hcaptcha mode http diff --git a/haproxy/js/challenge.js b/haproxy/js/challenge.js index 651d257..88a3e3b 100644 --- a/haproxy/js/challenge.js +++ b/haproxy/js/challenge.js @@ -16,7 +16,7 @@ const powFinished = new Promise((resolve, reject) => { const [_userkey, challenge, _signature] = combined.split("#"); const start = Date.now(); if (window.Worker && crypto.subtle) { - const threads = Math.min(4,Math.ceil(window.navigator.hardwareConcurrency/2)); + const threads = Math.min(2,Math.ceil(window.navigator.hardwareConcurrency/2)); let finished = false; const messageHandler = (e) => { if (finished) { return; } diff --git a/src/libs/utils.lua b/src/libs/utils.lua index 0f26f92..af41593 100644 --- a/src/libs/utils.lua +++ b/src/libs/utils.lua @@ -2,6 +2,7 @@ local _M = {} local sha = require("sha") local secret_bucket_duration = tonumber(os.getenv("BUCKET_DURATION")) +local challenge_includes_ip = os.getenv("CHALLENGE_INCLUDES_IP") function _M.generate_secret(context, salt, user_key, is_applet) @@ -9,6 +10,12 @@ function _M.generate_secret(context, salt, user_key, is_applet) local start_sec = core.now()['sec'] local bucket = start_sec - (start_sec % secret_bucket_duration) + -- optional IP to lock challenges/user_keys to IP (for clearnet or single-onion aka 99% of cases) + local ip = "" + if challenge_includes_ip then + ip = context.sf:src() + end + -- user agent to counter very dumb spammers local user_agent = "" if is_applet == true then @@ -19,7 +26,7 @@ function _M.generate_secret(context, salt, user_key, is_applet) user_agent = context.sf:req_fhdr('user-agent') or "" end - return sha.sha256(salt .. bucket .. user_key .. user_agent) + return sha.sha256(salt .. bucket .. ip .. user_key .. user_agent) end