Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

- Change to using domain instead of resolving, because cloudflare blocked this even with the host header, and haproxy 2.7 appears to no longer need this 'hack'

Browse Source 
- Fix issue with matched_expiry being 0 and breaking captcha cookie
- Spacing
This commit is contained in:
Thomas Lynch
2023-02-13 21:59:02 +11:00
parent 5a15eddc4a
commit 87f66479d8
1 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/lua/scripts/bot-check.lua
View File

@ -228,6 +228,7 @@ function _M.view(applet)
) )
) )
valid_submission = true valid_submission = true
matched_expiry = number_expiry
end end
end end
@ -238,18 +239,24 @@ function _M.view(applet)
-- handle setting the captcha cookie -- handle setting the captcha cookie
local user_captcha_response = parsed_body["h-captcha-response"] or parsed_body["g-recaptcha-response"] local user_captcha_response = parsed_body["h-captcha-response"] or parsed_body["g-recaptcha-response"]
if valid_submission and user_captcha_response then -- only check captcha if POW is already correct if valid_submission and user_captcha_response then -- only check captcha if POW is already correct
-- format the url for verifying the captcha response -- format the url for verifying the captcha response
local captcha_url = string.format( local captcha_url = string.format(
"https://%s%s", "https://%s%s",
core.backends[captcha_backend_name].servers[captcha_backend_name]:get_addr(), --Seems this is no longer needed, captcha_provider_domain works since 2.7
--core.backends[captcha_backend_name].servers[captcha_backend_name]:get_addr(),
captcha_provider_domain,
captcha_siteverify_path captcha_siteverify_path
) )
-- construct the captcha body to send to the captcha url -- construct the captcha body to send to the captcha url
local captcha_body = url.buildQuery({ local captcha_body = url.buildQuery({
secret=captcha_secret, secret=captcha_secret,
response=user_captcha_response response=user_captcha_response
}) })
-- instantiate an http client and make the request -- instantiate an http client and make the request
local httpclient = core.httpclient() local httpclient = core.httpclient()
local res = httpclient:post{ local res = httpclient:post{
@ -257,17 +264,19 @@ function _M.view(applet)
body=captcha_body, body=captcha_body,
headers={ headers={
[ "host" ] = { captcha_provider_domain }, [ "host" ] = { captcha_provider_domain },
[ "content-type" ] = { "application/x-www-form-urlencoded" } [ "content-type" ] = { "application/x-www-form-urlencoded" },
[ "user-agent" ] = { "haproxy-protection (haproxy-protection/0.1; +https://gitgud.io/fatchan/haproxy-protection)" }
} }
} }
-- try parsing the response as json -- try parsing the response as json
local status, api_response = pcall(json.decode, res.body) local status, api_response = pcall(json.decode, res.body)
if not status then if not status then
api_response = {} api_response = {}
end end
-- the response was good i.e the captcha provider says they passed, give them a cookie -- the response was good i.e the captcha provider says they passed, give them a cookie
if api_response.success == true then if api_response.success == true then
local user_key = sha.bin_to_hex(randbytes(16)) local user_key = sha.bin_to_hex(randbytes(16))
local user_hash = utils.generate_challenge(applet, captcha_cookie_secret, user_key, true) local user_hash = utils.generate_challenge(applet, captcha_cookie_secret, user_key, true)
local signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, user_key .. user_hash .. matched_expiry) local signature = sha.hmac(sha.sha3_256, hmac_cookie_secret, user_key .. user_hash .. matched_expiry)
@ -282,8 +291,8 @@ function _M.view(applet)
) )
) )
valid_submission = valid_submission and true valid_submission = valid_submission and true
end end
end end
if not valid_submission then if not valid_submission then