From e1c786a1d7871ccaec3f36330b1b42c447dc227b Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Sun, 18 Sep 2022 19:01:38 +1000
Subject: [PATCH 1/4] Add example snippet of how to acl/whitelist stats sockte
---
 haproxy/haproxy.cfg | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
index 22e77cc..3dc576b 100644
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -4,7 +4,7 @@ global
 log stdout format raw local0 debug
 lua-load /etc/haproxy/scripts/register.lua
 stats socket /var/run/haproxy.sock mode 666 level admin
- stats socket *:2000 level admin
+ stats socket 127.0.0.1:1999 level admin
 httpclient.ssl.verify none
 defaults
@@ -13,6 +13,18 @@ defaults
 timeout client 50000ms
 timeout server 50000ms
+#frontend stats-frontend
+# bind *:2000
+# option tcplog
+# mode tcp
+# acl white_list src xxx.xxx.xxx.xxx
+# tcp-request connection reject unless white_list
+# default_backend stats-backend
+
+#backend stats-backend
+# mode tcp
+# server stats-localhost 127.0.0.1:1999
+
 frontend http-in
 bind *:80
From 20a04f23c2740a4543b720117412b9f69ba1d24b Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Wed, 21 Sep 2022 19:47:47 +1000
Subject: [PATCH 2/4] Change wording for public branch
---
 src/scripts/hcaptcha.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/scripts/hcaptcha.lua b/src/scripts/hcaptcha.lua
index 754a40b..03e5fc0 100644
--- a/src/scripts/hcaptcha.lua
+++ b/src/scripts/hcaptcha.lua
@@ -101,7 +101,7 @@ local body_template = [[
From 614b4376670c27f3223edcdac98171937fbedfd3 Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Wed, 21 Sep 2022 21:31:48 +1000
Subject: [PATCH 3/4] Add ability to include IPs in challenge hash generation, to lock cookies to IPs (like the pre-sig mode)
---
 README.MD | 1 +
 docker-compose.yml | 1 +
 src/libs/utils.lua | 9 ++++++++-
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/README.MD b/README.MD
index 6c846ad..85cd011 100644
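Review bot: `stats socket 127.0.0.1:1999 level admin` still exposes an unauthenticated admin-level runtime API over TCP; moving it from `*` to loopback limits it to whatever shares this network namespace, which in a compose deployment can include other containers if the service runs with the host network or a joined namespace (not visible here). Since the TCP listener appears to exist only so the commented stats-frontend in the next hunk can forward to it, say so on the line, e.g. `# admin-level and unauthenticated: reachable by anything in this network namespace; only the stats-frontend below should forward here`, and consider `level operator` unless admin commands are actually required. The unix socket on the preceding context line keeps `mode 666`, which gives every local user the same admin access and is not changed by this commit.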
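Review bot: In the commented stats-frontend example, `acl white_list src xxx.xxx.xxx.xxx` is the only control in front of an admin-level socket, and `src` is the direct TCP peer, so when this frontend sits behind another proxy or a NAT every client behind that hop is allowed or rejected together. Worth a comment above the acl, e.g. `# src is the immediate peer; behind another proxy or NAT all its clients share this decision — accepts a CIDR list`. Copying the snippet with the placeholder left in place would most likely be rejected at config check rather than silently allow everyone, which is also worth stating since the block is meant to be uncommented as-is.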
--- a/README.MD
+++ b/README.MD
@@ -34,6 +34,7 @@ Add some env vars to docker-compose file:
 - HMAC_COOKIE_SECRET - different random string, a salt for pow cookies
 - RAY_ID - string to identify the HAProxy node by
 - BUCKET_DURATION - how long between bucket changes, invalidating cookies
+- CHALLENGE_INCLUDES_IP - any value, whether to lock solved challenges to IP or tor circuit
 - BACKEND_NAME - Optional, name of backend to build from hosts.map
 - SERVER_PREFIX - Optional, prefix of server names used in server-template
diff --git a/docker-compose.yml b/docker-compose.yml
index 890b369..d357581 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -36,6 +36,7 @@ services:
 - BUCKET_DURATION=43200
 - BACKEND_NAME=servers
 - SERVER_PREFIX=websrv
+ #- CHALLENGE_INCLUDES_IP=1
 nginx:
 ports:
 - 81:80
diff --git a/src/libs/utils.lua b/src/libs/utils.lua
index 0f26f92..af41593 100644
--- a/src/libs/utils.lua
+++ b/src/libs/utils.lua
@@ -2,6 +2,7 @@ local _M = {}
 local sha = require("sha")
 local secret_bucket_duration = tonumber(os.getenv("BUCKET_DURATION"))
+local challenge_includes_ip = os.getenv("CHALLENGE_INCLUDES_IP")
 function _M.generate_secret(context, salt, user_key, is_applet)
@@ -9,6 +10,12 @@ function _M.generate_secret(context, salt, user_key, is_applet)
 local start_sec = core.now()['sec']
 local bucket = start_sec - (start_sec % secret_bucket_duration)
+ -- optional IP to lock challenges/user_keys to IP (for clearnet or single-onion aka 99% of cases)
+ local ip = ""
+ if challenge_includes_ip then
+ ip = context.sf:src()
+ end
+
 -- user agent to counter very dumb spammers
 local user_agent = ""
 if is_applet == true then
@@ -19,7 +26,7 @@ function _M.generate_secret(context, salt, user_key, is_applet)
 user_agent = context.sf:req_fhdr('user-agent') or ""
 end
- return sha.sha256(salt .. bucket .. user_key .. user_agent)
+ return sha.sha256(salt .. bucket .. ip .. user_key .. user_agent)
 end
From 521f9742c1441d6d267380f09ce75322dc5a150d Mon Sep 17 00:00:00 2001
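Review bot: `local challenge_includes_ip = os.getenv("CHALLENGE_INCLUDES_IP")` enables IP locking for any set value, including `0`, `false` and the empty string that `- CHALLENGE_INCLUDES_IP=` in a compose file produces, because `os.getenv` returns nil only when the variable is unset and every string is truthy in Lua. That matches the README's "any value" wording in this same commit, but the empty case is an easy way to toggle the feature by accident; `local challenge_includes_ip = (os.getenv("CHALLENGE_INCLUDES_IP") or "") ~= ""` keeps the documented behaviour while ignoring an empty setting, or, if strict "any value" is intended, say so on the line: `-- any set value, even "" or "0", enables this`. The same nil-only semantics drive `if challenge_includes_ip then` in the next hunk.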
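Review bot: `ip = context.sf:src()` has no fallback, unlike `context.sf:req_fhdr('user-agent') or ""` in the following hunk; if the fetch returns nil (sample fetches do when the value is unavailable), the concatenation in the return statement raises "attempt to concatenate a nil value" for every request with the option on, so the whole challenge path fails closed. `ip = context.sf:src() or ""` keeps the same hash layout and degrades to the unlocked behaviour instead. `src` is also the immediate peer, so behind another proxy the lock binds to that proxy's address rather than the client's; the comment on the first added line could note that. generate_secret begins above this hunk and its return is in the next one.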
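Review bot: `salt .. bucket .. ip .. user_key .. user_agent` joins the fields with no delimiter, and the new `ip` component makes the boundary with `user_key` ambiguous: an address ending in `4` followed by a key beginning with `5` produces the same hash input as the address ending in `45` followed by the rest of that key, so two distinct (address, key) pairs share a secret and the lock is weaker than intended if user_key is client-supplied, as the `_userkey` field split out in challenge.js suggests. A fixed separator that the key format excludes removes the ambiguity, `return sha.sha256(salt .. "|" .. bucket .. "|" .. ip .. "|" .. user_key .. "|" .. user_agent)`, at the cost of invalidating outstanding cookies once, so it should ship with a bucket rollover. generate_secret starts above this hunk.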
From: Thomas Lynch
Date: Wed, 21 Sep 2022 21:32:33 +1000
Subject: [PATCH 4/4] revert back to 2 thread max again because turns out firefox didnt get better, just tor limits to 1 thread anyway
---
 haproxy/js/challenge.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/haproxy/js/challenge.js b/haproxy/js/challenge.js
index 651d257..88a3e3b 100644
--- a/haproxy/js/challenge.js
+++ b/haproxy/js/challenge.js
@@ -16,7 +16,7 @@ const powFinished = new Promise((resolve, reject) => {
 const [_userkey, challenge, _signature] = combined.split("#");
 const start = Date.now();
 if (window.Worker && crypto.subtle) {
- const threads = Math.min(4,Math.ceil(window.navigator.hardwareConcurrency/2));
+ const threads = Math.min(2,Math.ceil(window.navigator.hardwareConcurrency/2));
 let finished = false;
 const messageHandler = (e) => {
 if (finished) { return; }
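Review bot: `Math.min(2,Math.ceil(window.navigator.hardwareConcurrency/2))` evaluates to NaN when `hardwareConcurrency` is undefined, which some privacy-hardened or older browsers report, and the `window.Worker && crypto.subtle` guard on the line above does not cover it; if `threads` later bounds the worker-spawning loop (outside this hunk) nothing starts and the promise never settles. A default keeps the new cap: `const threads = Math.min(2, Math.ceil((window.navigator.hardwareConcurrency || 1) / 2));`. The rationale in the commit subject belongs in a comment beside the literal `2`, since this is the second change to that constant. The Promise executor starts above this hunk and continues below it.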