combine POW and captcha into one

.gitignore

@@ -1 +0,0 @@
-docker-compose.yml

docker-compose.yml

@@ -8,10 +8,14 @@ services:
       - 80:80
     volumes:
       - ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
-      - ./haproxy/domains_under_ddos.txt:/usr/local/etc/haproxy/domains_under_ddos.txt
       - ./src/scripts/:/usr/local/etc/haproxy/scripts/
       - ./src/libs/:/usr/local/etc/haproxy/libs/
     environment:
-      - HCAPTCHA_SECRET=0x0000000000000000000000000000000000000000
-      - HCAPTCHA_SITEKEY=10000000-ffff-ffff-ffff-000000000001
-      - COOKIE_SECRET=changeme
+      - HCAPTCHA_SECRET=
+      - HCAPTCHA_SITEKEY=
+      - CAPTCHA_COOKIE_SECRET=
+      - POW_COOKIE_SECRET=
+  nginx:
+    image: "nginx:latest"
+    volumes:
+      - ./js:/usr/share/nginx/html

haproxy/domains_under_ddos.txt

@@ -1,2 +0,0 @@
-poge.com
-domain.com

haproxy/haproxy.cfg

@@ -15,13 +15,19 @@ frontend http-in
     bind *:80
 
     acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0
-    acl domain_under_ddos hdr(host) -i -f /usr/local/etc/haproxy/domains_under_ddos.txt
+    acl pow_passed var(txn.pow_passed) -m bool
     acl captcha_passed var(txn.captcha_passed) -m bool
+    
     acl on_captcha_url path -m beg /bot-check
+    acl is_excluded path_end -i .js .ico
+    
+    use_backend servers if is_excluded
 
-    http-request use-service lua.hcaptcha-view	if on_captcha_url
-    http-request lua.hcaptcha-redirect          if !on_captcha_url ddos_mode_enabled OR domain_under_ddos
-    http-request redirect location /bot-check?%[capture.req.uri] code 302 if !captcha_passed !on_captcha_url ddos_mode_enabled OR domain_under_ddos
+    http-request use-service lua.hcaptcha-view	if on_captcha_url !is_excluded
+    http-request lua.hcaptcha-check          if !is_excluded !on_captcha_url ddos_mode_enabled
+    http-request lua.pow-check          if !is_excluded !on_captcha_url ddos_mode_enabled
+
+    http-request redirect location /bot-check?%[capture.req.uri] code 302 if !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded
 
     default_backend servers
 

js/worker.js

@@ -0,0 +1,27 @@
+async function hash(data, method) {
+	const buffer = new TextEncoder('utf-8').encode(data);
+	const hashBuffer = await crypto.subtle.digest(method, buffer)
+	return Array.from(new Uint8Array(hashBuffer));
+}
+
+onmessage = async function(e) {
+	const [challenge, difficulty, id, threads] = e.data;
+	console.log('Worker thread', id,'got challenge', challenge, 'with difficulty', difficulty);
+	let i = id;
+	let challengeIndex = parseInt(challenge[0], 16);
+	while(true) {
+		let result = await hash(challenge+i, 'sha-1');
+		let middle = true;
+		for(let imiddle = 1; imiddle <= difficulty; imiddle++) {
+			middle = (middle && (result[challengeIndex+imiddle] === 0x00));
+		}
+		if(result[challengeIndex] === 0xb0
+			&& middle === true
+			&& result[challengeIndex+difficulty+1] === 0x0b){
+			console.log('Worker thread found solution', challenge, i, result[challengeIndex], result[challengeIndex+1]);
+			postMessage([id, i]);
+			break;
+		}
+		i+=threads;
+	}
+}

src/libs/utils.lua

@@ -1,18 +1,27 @@
 local _M = {}
 
+local sha = require("sha")
 local secret_bucket_duration = 43200 -- 60 * 60 * 12 -- 12 hours
-function _M.generate_secret(context, salt, is_applet)
+
+function _M.generate_secret(context, salt, is_applet, iterations)
 	local start_sec = core.now()['sec']
 	local bucket = start_sec - (start_sec % secret_bucket_duration)
-    local ip = context.sf:src()
-	local user_agent
-	if is_applet == true then
-		user_agent = context.headers['user-agent'] or {}
-		user_agent = user_agent[0]
+	local ip = context.sf:src()
+	local user_agent = ""
+--TODO: fix bug here making this not be same value
+--	if is_applet == true then
+--		user_agent = context.headers['user-agent'] or {}
+--		user_agent = user_agent[0]
+--	else
+--		user_agent = context.sf:req_hdr('user-agent')
+--	end
+	if iterations == nil then
+		--hcaptcha secret is just this
+		return context.sc:xxh32(salt .. bucket .. ip .. user_agent)
 	else
-		user_agent = context.sf:req_hdr('user-agent')
+		--POW secret adds the iteration number by the user
+		return sha.sha1(salt .. bucket .. ip .. user_agent .. iterations)
 	end
-    return context.sc:xxh64(salt .. bucket .. ip .. user_agent)
 end
 
 return _M

src/scripts/hcaptcha.lua

@@ -5,10 +5,12 @@ local http = require("http")
 local utils = require("utils")
 local cookie = require("cookie")
 local json = require("json")
+local sha = require("sha")
 
 local captcha_secret = os.getenv("HCAPTCHA_SECRET")
 local captcha_sitekey = os.getenv("HCAPTCHA_SITEKEY")
-local cookie_secret = os.getenv("COOKIE_SECRET")
+local hcaptcha_cookie_secret = os.getenv("CAPTCHA_COOKIE_SECRET")
+local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET")
 
 local captcha_provider_domain = "hcaptcha.com"
 
@@ -21,6 +23,7 @@ local body_template = [[
 		<style>
 			:root{--text-color:#c5c8c6;--bg-color:#1d1f21}
 		    @media (prefers-color-scheme:light){:root{--text-color:#333;--bg-color:#EEE}}
+		    .h-captcha{min-height:85px;display:block}
 			a,a:visited{color:var(--text-color)}
 			body,html{height:100vh}
 			body{display:flex;flex-direction:column;background-color:var(--bg-color);color:var(--text-color);font-family:Helvetica,Arial,sans-serif;text-align:center;margin:0}
@@ -28,7 +31,7 @@ local body_template = [[
 			footer{font-size:small;margin-top:auto;margin-bottom:50px}h3{padding-top:30vh}
 		</style>
 	</head>
-	<body>
+	<body data-pow="%s">
 		<h3>Captcha completion required</h3>
 		<p>We have detected unusual activity on the requested resource.</p>
 		<p>Please solve this captcha to prove you are not a robot.</p>
@@ -41,9 +44,10 @@ local body_template = [[
 		<form method="POST">
 			<div class="h-captcha" data-sitekey="%s"></div>
 			<script src="https://hcaptcha.com/1/api.js" async defer></script>
-			<input type="submit" value="Submit">
+			<input type="submit" value="Calculating proof of work..." disabled>
 		</form>
 		<footer>Supported by <a href="https://kikeflare.com">KikeFlare</a></footer>
+		<script src="/sha1.js"></script>
 	</body>
 </html>
 ]]
@@ -52,7 +56,8 @@ function _M.view(applet)
     local response_body
     local response_status_code
     if applet.method == "GET" then
-        response_body = string.format(body_template, captcha_sitekey)
+    	generated_work = utils.generate_secret(applet, pow_cookie_secret, true, "")
+        response_body = string.format(body_template, generated_work, captcha_sitekey)
         response_status_code = 403
 	    applet:set_status(response_status_code)
 	    applet:add_header("content-type", "text/html")
@@ -75,7 +80,7 @@ function _M.view(applet)
                 api_response = {}
             end
             if api_response.success == true then
-                local floating_hash = utils.generate_secret(applet, cookie_secret, true)
+                local floating_hash = utils.generate_secret(applet, hcaptcha_cookie_secret, true, nil)
                 applet:add_header(
                     "set-cookie",
                     string.format("z_ddos_captcha=%s; expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/", floating_hash)
@@ -97,13 +102,24 @@ end
 
 function _M.check_captcha_status(txn)
     local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie"))
-    local expected_cookie = utils.generate_secret(txn, cookie_secret)
-    --core.Debug("RECEIVED SECRET COOKIE: " .. parsed_request_cookies["z_ddos_captcha"])
-    --core.Debug("EXPECTED SECRET COOKIE: " .. expected_cookie)
+    local expected_cookie = utils.generate_secret(txn, hcaptcha_cookie_secret, false, nil)
     if parsed_request_cookies["z_ddos_captcha"] == expected_cookie then
-        core.Debug("CAPTCHA STATUS CHECK SUCCESS")
+        --core.Debug("CAPTCHA STATUS CHECK SUCCESS")
         return txn:set_var("txn.captcha_passed", true)
     end
 end
 
+function _M.check_pow_status(txn)
+    local parsed_request_cookies = cookie.get_cookie_table(txn.sf:hdr("Cookie"))
+    if parsed_request_cookies["z_ddos_pow"] then
+	    local generated_work = utils.generate_secret(txn, pow_cookie_secret, false, "")
+	    local iterations = parsed_request_cookies["z_ddos_pow"]
+	    local completed_work = sha.sha1(generated_work .. iterations)
+		local challenge_offset = tonumber(generated_work:sub(1,1),16) * 2
+	    if completed_work:sub(challenge_offset+1, challenge_offset+4) == 'b00b' then -- i dont know lua properly :^)
+	        return txn:set_var("txn.pow_passed", true)
+	    end
+	end
+end
+
 return _M

src/scripts/register.lua

@@ -3,4 +3,5 @@ package.path = package.path  .. "./?.lua;/usr/local/etc/haproxy/scripts/?.lua;/u
 local hcaptcha = require("hcaptcha")
 
 core.register_service("hcaptcha-view", "http", hcaptcha.view)
-core.register_action("hcaptcha-redirect", { 'http-req', }, hcaptcha.check_captcha_status)
+core.register_action("hcaptcha-check", { 'http-req', }, hcaptcha.check_captcha_status)
+core.register_action("pow-check", { 'http-req', }, hcaptcha.check_pow_status)