combine POW and captcha into one

2025-05-09 02:05:37 +00:00 · 2021-11-24 05:17:06 +11:00
parent 5c7e796440
commit 9f26e53798
10 changed files with 3088 additions and 29 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1 +0,0 @@
 docker-compose.yml
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -8,10 +8,14 @@ services:
      - 80:80
    volumes:
      - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
      - ./haproxy/domains_under_ddos.txt:/usr/local/etc/haproxy/domains_under_ddos.txt
      - ./src/scripts/:/usr/local/etc/haproxy/scripts/
      - ./src/libs/:/usr/local/etc/haproxy/libs/
    environment:
-      - HCAPTCHA_SECRET=0x0000000000000000000000000000000000000000
+      - HCAPTCHA_SECRET=
-      - HCAPTCHA_SITEKEY=10000000-ffff-ffff-ffff-000000000001
+      - HCAPTCHA_SITEKEY=
-      - COOKIE_SECRET=changeme
+      - CAPTCHA_COOKIE_SECRET=
      - POW_COOKIE_SECRET=
  nginx:
    image: "nginx:latest"
    volumes:
      - ./js:/usr/share/nginx/html
--- a/haproxy/domains_under_ddos.txt
+++ b/haproxy/domains_under_ddos.txt
@@ -1,2 +0,0 @@
 poge.com
 domain.com
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -15,13 +15,19 @@ frontend http-in
    bind *:80
    acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0
-    acl domain_under_ddos hdr(host) -i -f /usr/local/etc/haproxy/domains_under_ddos.txt
+    acl pow_passed var(txn.pow_passed) -m bool
    acl captcha_passed var(txn.captcha_passed) -m bool
    acl on_captcha_url path -m beg /bot-check
-    http-request use-service lua.hcaptcha-view	if on_captcha_url
+    acl on_captcha_url path -m beg /bot-check
-    http-request lua.hcaptcha-redirect          if !on_captcha_url ddos_mode_enabled OR domain_under_ddos
+    acl is_excluded path_end -i .js .ico
-    http-request redirect location /bot-check?%[capture.req.uri] code 302 if !captcha_passed !on_captcha_url ddos_mode_enabled OR domain_under_ddos
+    
    use_backend servers if is_excluded
    http-request use-service lua.hcaptcha-view	if on_captcha_url !is_excluded
    http-request lua.hcaptcha-check          if !is_excluded !on_captcha_url ddos_mode_enabled
    http-request lua.pow-check          if !is_excluded !on_captcha_url ddos_mode_enabled
    http-request redirect location /bot-check?%[capture.req.uri] code 302 if !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded
    default_backend servers
--- a/js/sha1.js
+++ b/js/sha1.js
--- a/js/worker.js
+++ b/js/worker.js
@@ -0,0 +1,27 @@
 async function hash(data, method) {
 	const buffer = new TextEncoder('utf-8').encode(data);
 	const hashBuffer = await crypto.subtle.digest(method, buffer)
 	return Array.from(new Uint8Array(hashBuffer));
 }
 onmessage = async function(e) {
 	const [challenge, difficulty, id, threads] = e.data;
 	console.log('Worker thread', id,'got challenge', challenge, 'with difficulty', difficulty);
 	let i = id;
 	let challengeIndex = parseInt(challenge[0], 16);
 	while(true) {
 		let result = await hash(challenge+i, 'sha-1');
 		let middle = true;
 		for(let imiddle = 1; imiddle <= difficulty; imiddle++) {
 			middle = (middle && (result[challengeIndex+imiddle] === 0x00));
 		}
 		if(result[challengeIndex] === 0xb0
 			&& middle === true
 			&& result[challengeIndex+difficulty+1] === 0x0b){
 			console.log('Worker thread found solution', challenge, i, result[challengeIndex], result[challengeIndex+1]);
 			postMessage([id, i]);
 			break;
 		}
 		i+=threads;
 	}
 }
--- a/src/libs/sha.lua
+++ b/src/libs/sha.lua
--- a/src/libs/utils.lua
+++ b/src/libs/utils.lua
@@ -1,18 +1,27 @@
 local _M = {}
 local sha = require("sha")
 local secret_bucket_duration = 43200 -- 60 * 60 * 12 -- 12 hours
-function _M.generate_secret(context, salt, is_applet)
+
 function _M.generate_secret(context, salt, is_applet, iterations)
 	local start_sec = core.now()['sec']
 	local bucket = start_sec - (start_sec % secret_bucket_duration)
 	local ip = context.sf:src()
-	local user_agent
+	local user_agent = ""
-	if is_applet == true then
+--TODO: fix bug here making this not be same value
-		user_agent = context.headers['user-agent'] or {}
+--	if is_applet == true then
-		user_agent = user_agent[0]
+--		user_agent = context.headers['user-agent'] or {}
 --		user_agent = user_agent[0]
 --	else
 --		user_agent = context.sf:req_hdr('user-agent')
 --	end
 	if iterations == nil then
 		--hcaptcha secret is just this
 		return context.sc:xxh32(salt .. bucket .. ip .. user_agent)
 	else
-		user_agent = context.sf:req_hdr('user-agent')
+		--POW secret adds the iteration number by the user
 		return sha.sha1(salt .. bucket .. ip .. user_agent .. iterations)
 	end
    return context.sc:xxh64(salt .. bucket .. ip .. user_agent)
 end
 return _M
--- a/src/scripts/hcaptcha.lua
+++ b/src/scripts/hcaptcha.lua
@@ -5,10 +5,12 @@ local http = require("http")
 local utils = require("utils")
 local cookie = require("cookie")
 local json = require("json")
 local sha = require("sha")
 local captcha_secret = os.getenv("HCAPTCHA_SECRET")
 local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY")
-local cookie_secret = os.getenv("COOKIE_SECRET")
+local hcaptcha_cookie_secret = os.getenv("CAPTCHA_COOKIE_SECRET")
 local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET")
 local captcha_provider_domain = "hcaptcha.com"
@@ -21,6 +23,7 @@ local body_template = [[
 		<style>
 			:root{--text-color:#c5c8c6;--bg-color:#1d1f21}
 		    @media (prefers-color-scheme:light){:root{--text-color:#333;--bg-color:#EEE}}
 		    .h-captcha{min-height:85px;display:block}
 			a,a:visited{color:var(--text-color)}
 			body,html{height:100vh}
 			body{display:flex;flex-direction:column;background-color:var(--bg-color);color:var(--text-color);font-family:Helvetica,Arial,sans-serif;text-align:center;margin:0}
@@ -28,7 +31,7 @@ local body_template = [[
 			footer{font-size:small;margin-top:auto;margin-bottom:50px}h3{padding-top:30vh}
 		</style>
 	</head>
-	<body>
+	<body data-pow="%s">
 		<h3>Captcha completion required</h3>
 		<p>We have detected unusual activity on the requested resource.</p>
 		<p>Please solve this captcha to prove you are not a robot.</p>
@@ -41,9 +44,10 @@ local body_template = [[
 		<form method="POST">
 			<div class="h-captcha" data-sitekey="%s"></div>
 			<script src="https://hcaptcha.com/1/api.js" async defer></script>
-			<input type="submit" value="Submit">
+			<input type="submit" value="Calculating proof of work..." disabled>
 		</form>
 		<footer>Supported by <a href="https://kikeflare.com">KikeFlare</a></footer>
 		<script src="/sha1.js"></script>
 	</body>
 </html>
 ]]
@@ -52,7 +56,8 @@ function _M.view(applet)
    local response_body
    local response_status_code
    if applet.method == "GET" then
-        response_body = string.format(body_template, captcha_sitekey)
+    	generated_work = utils.generate_secret(applet, pow_cookie_secret, true, "")
        response_body = string.format(body_template, generated_work, captcha_sitekey)
        response_status_code = 403
 	    applet:set_status(response_status_code)
 	    applet:add_header("content-type", "text/html")
@@ -75,7 +80,7 @@ function _M.view(applet)
                api_response = {}
            end
            if api_response.success == true then
-                local floating_hash = utils.generate_secret(applet, cookie_secret, true)
+                local floating_hash = utils.generate_secret(applet, hcaptcha_cookie_secret, true, nil)
                applet:add_header(
                    "set-cookie",
                    string.format("z_ddos_captcha=%s; expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/", floating_hash)
@@ -97,13 +102,24 @@ end
 function _M.check_captcha_status(txn)
    local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie"))
-    local expected_cookie = utils.generate_secret(txn, cookie_secret)
+    local expected_cookie = utils.generate_secret(txn, hcaptcha_cookie_secret, false, nil)
    --core.Debug("RECEIVED SECRET COOKIE: " .. parsed_request_cookies["z_ddos_captcha"])
    --core.Debug("EXPECTED SECRET COOKIE: " .. expected_cookie)
    if parsed_request_cookies["z_ddos_captcha"] == expected_cookie then
-        core.Debug("CAPTCHA STATUS CHECK SUCCESS")
+        --core.Debug("CAPTCHA STATUS CHECK SUCCESS")
        return txn:set_var("txn.captcha_passed", true)
    end
 end
 function _M.check_pow_status(txn)
    local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie"))
    if parsed_request_cookies["z_ddos_pow"] then
 	    local generated_work = utils.generate_secret(txn, pow_cookie_secret, false, "")
 	    local iterations = parsed_request_cookies["z_ddos_pow"]
 	    local completed_work = sha.sha1(generated_work .. iterations)
 		local challenge_offset = tonumber(generated_work:sub(1,1),16) * 2
 	    if completed_work:sub(challenge_offset+1, challenge_offset+4) == 'b00b' then -- i dont know lua properly :^)
 	        return txn:set_var("txn.pow_passed", true)
 	    end
 	end
 end
 return _M
--- a/src/scripts/register.lua
+++ b/src/scripts/register.lua
@@ -3,4 +3,5 @@ package.path = package.path  .. "./?.lua;/usr/local/etc/haproxy/scripts/?.lua;/u
 local hcaptcha = require("hcaptcha")
 core.register_service("hcaptcha-view", "http", hcaptcha.view)
-core.register_action("hcaptcha-redirect", { 'http-req', }, hcaptcha.check_captcha_status)
+core.register_action("hcaptcha-check", { 'http-req', }, hcaptcha.check_captcha_status)
 core.register_action("pow-check", { 'http-req', }, hcaptcha.check_pow_status)