mirror of
https://gitgud.io/fatchan/haproxy-protection.git
synced 2025-05-09 02:05:37 +00:00
readme fix, improve, remove old shit cli and interaction diagram
This commit is contained in:
80
README.MD
80
README.MD
@@ -1,25 +1,22 @@
|
||||
## HaProxy DDoS protection system PoC
|
||||
## HAProxy DDoS protection system
|
||||
|
||||
A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a haproxy configuration and lua scripts allowing a holding page where users solve a captcha (think cloudflare CDN).
|
||||
Intended to stop bots, spam, probably some forms of ddos, etc.
|
||||
A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a HAProxy configuration and lua scripts allowing a challenge-response page where users solve a captcha and/or proof-of-work.
|
||||
Intended to stop bots, spam, ddos, etc.
|
||||
|
||||
Some issues fixed and various improvements:
|
||||
Will soon™ be accompanied by a control panel allowing to manage clusters of servers with this installed. Allowing you to add/remove/edit domains, protection rules, blocked ips, backend server IPs, etc during runtime.
|
||||
|
||||
- Add a proof-of-work element to the bot-check page as an optional weaker but more user-friendly mode
|
||||
- Add more options to CLI for nocaptcha
|
||||
- Add examples and support for .onion/tor using the haproxy PROXY protocol to provide some kind of "ip" discrimination of tor users (circuit identifiers)
|
||||
- Add serving javascript files directly from haproxy with http-request return, so no extra backend is needed
|
||||
- Improved the appearance of the challenge page
|
||||
- Fix a lot of bugs
|
||||
- Fix resolving domain of hcaptcha, no longer uses a hack
|
||||
- Fix multiple security issues that could result in bypassing the captcha
|
||||
- Fix challenge cookies lasting forever, they are now limited by a bucket duration on server side
|
||||
- Ability to set values for domains (or domain+path!) to select off, pow, or captcha and override for paths over domains
|
||||
Improvements in this fork:
|
||||
|
||||
#### Screenshot
|
||||
|
||||
")
|
||||

|
||||
- Add a proof-of-work element, instead of only captcha.
|
||||
- Add examples and support for .onion/tor using the HAProxy PROXY protocol to provide some kind of "ip" discrimination of tor users (circuit identifiers).
|
||||
- Use HAProxy http-request return to improve performance/caching for the challenge page, without an extra backend http server.
|
||||
- Improved the appearance of the challenge page.
|
||||
- Remove dns resolution hack, use proper backend address.
|
||||
- Fix multiple security issues that could result in bypassing the captcha.
|
||||
- Add a bucket duration for cookie validity, so valid cookies don't last forever.
|
||||
- Ability to enable globally, per-domain or per-domain+path, with paths taking priority.
|
||||
- Include dataplaneapi, to sync map files to disk if edited during runtime.
|
||||
- Many bugfixes.
|
||||
|
||||
#### How to test
|
||||
|
||||
@@ -29,17 +26,22 @@ Add some env vars to docker-compose file:
|
||||
- HCAPTCHA_SECRET - your hcaptcha secret key
|
||||
- CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies
|
||||
- POW_COOKIE_SECRET - different random string, a salt for pow cookies
|
||||
- RAY_ID - string to identify the haproxy node by
|
||||
- RAY_ID - string to identify the HAProxy node by
|
||||
- BUCKET_DURATION - how long between bucket changes, invalidating cookies
|
||||
- BACKEND_NAME - name of backend to build from hosts.map
|
||||
- SERVER_PREFIX - prefix of server names i.e. <prefix>n where n is the number, in server-template
|
||||
- SERVER_PREFIX - prefix of server names used in server-template
|
||||
|
||||
Add a domain name + backend IP to `haproxy/hosts.map` like:
|
||||
```plain
|
||||
localhost 127.0.0.1:81
|
||||
```
|
||||
|
||||
Run docker compose:
|
||||
```bash
|
||||
docker compose up
|
||||
```
|
||||
|
||||
- visit *http://127.0.0.1*
|
||||
Visit http://localhost
|
||||
|
||||
DDoS-protection mode is enabled by default.
|
||||
|
||||
@@ -47,35 +49,15 @@ DDoS-protection mode is enabled by default.
|
||||
|
||||
Before installing the tool, ensure that HAProxy is built with Lua support (in debian package and ubuntu recommended PPA, it is.)
|
||||
|
||||
- Copy haproxy config and make sure that `lua-load` directive contains absolute path to [register.lua](src/scripts/register.lua)
|
||||
- Copy [haproxy.cfg](haproxy/haproxy.cfg) to /etc/haproxy
|
||||
- Edit the `lua-load` directive to be the absolute path to [register.lua](src/scripts/register.lua)
|
||||
- Edit the paths of sha1.js and worker.js in the `http-request return` directive to the absolut path to the respective files in the haproxy/js folder
|
||||
- Copy [dataplaneapi.hcl](haproxy/dataplaneapi.hcl) to /etc/haproxy
|
||||
- Copy or link [scripts](src/scripts) to /etc/haproxy/scripts
|
||||
- Copy or link [libs](src/libs) to /etc/haproxy/libs (or a path where Lua looks for modules).
|
||||
- Create `/etc/haproxy/ddos.map` for domains or paths with protection mode enabled
|
||||
- Copy the map files from the haproxy folder to /etc/haproxy
|
||||
|
||||
#### CLI
|
||||
The system comes with CLI. It can be used to manage protection global/per-domain and control nocaptcha mode.
|
||||
Ensure that stat socket is configured in HaProxy for CLI support.
|
||||
#### Screenshot
|
||||
|
||||
```bash
|
||||
Usage: ddos-cli <command> [options]
|
||||
|
||||
Command line interface to manage per-domain and global DDoS protection.
|
||||
|
||||
optional arguments:
|
||||
-h, --help Show this help message and exit.
|
||||
|
||||
Commands:
|
||||
Global management:
|
||||
src/cli/ddos-cli global status Show status of global server ddos mode.
|
||||
src/cli/ddos-cli global enable Enable global ddos mode.
|
||||
src/cli/ddos-cli global disable Disable global ddos mode.
|
||||
|
||||
Domain management:
|
||||
src/cli/ddos-cli domain list List all domains with ddos mode on.
|
||||
src/cli/ddos-cli domain nocaptcha List all domains with nocaptcha mode on.
|
||||
src/cli/ddos-cli domain status <domain> Get ddos mode status for a domain.
|
||||
src/cli/ddos-cli domain enable <domain> Enable ddos mode for a domain.
|
||||
src/cli/ddos-cli domain disable <domain> Disable ddos mode for a domain.
|
||||
src/cli/ddos-cli domain mode <domain> Toggle nocaptcha mode for a domain.
|
||||
|
||||
```
|
||||
")
|
||||

|
||||
|
Reference in New Issue
Block a user