diff --git a/README.MD b/README.MD index e7afc8f..150a2d4 100644 --- a/README.MD +++ b/README.MD 
@@ -1,32 +1,35 @@ ## HaProxy DDoS protection system PoC -The system provides functionality to protect certain (or all) resources on HaProxy from L7 DDoS attacks. +A fork of https://github.com/mora9715/haproxy_ddos_protector, a haproxy lua script allowing a holding page where users solve a captcha and proof-of-work (cpu intensive) task. +Intended to stop bots, spam, probably some forms of ddos, etc. -It works by requiring a user to have a specific cookie issued after successful captcha completion. If a user does not have the cookie, he gets redirected to a special captcha page. +Some issues fixed and various improvements: -It is by no means a cure for all ills, but should help you mitigate a moderate DDoS attack without disrupting the service. - -#### How it works - -![alternative text](http://www.plantuml.com/plantuml/proxy?cache=no&src=https://raw.githubusercontent.com/mora9715/haproxy_ddos_protector/master/docs/interaction_diagram.txt) +- Fix some bugs +- Fix a security issue where unsalted hash could let users bypass captcha +- Made the cookies not work permanently. 
They now expire based on a server-side bucket as part of the cookie hash, instead of client side expiry +- Added additional proof-of-work element to the challenge page, both pow+captcha must be completed +- Avoid using a hack to resolve domain names, usea backend in haproxy instead +- Improved the appearance of the challenge page #### How to test -- export hcaptcha sitekey and secret: -```bash -export HCAPTCHA_SITEKEY=xxxXXxxx -export HCAPTCHA_SECRET=xxxXXxxx -``` -They can be obtained after creating a free account on https://www.hcaptcha.com/ +Add some env vars to docker-compose file: -- run docker compose: +- HCAPTCHA_SITEKEY - your hcaptcha site key +- HCAPTCHA_SECRET - your hcaptcha secret key +- CAPTCHA_COOKIE_SECRET - random string, a salt for cookies +- POW_COOKIE_SECRET - random string a salt for cookies + + +Run docker compose: ```bash docker compose up ``` - visit *http://127.0.0.1* -For demostration purposes DDoS-protection mode was enabled by default. +DDoS-protection mode is enabled by default. #### Installation Before installing the tool, ensure that HaProxy is built with Lua support. @@ -37,7 +40,7 @@ Before installing the tool, ensure that HaProxy is built with Lua support. - Copy [ddos-cli](src/cli/ddos-cli) to any convenient path. - Create `/usr/local/etc/haproxy/domains_under_ddos.txt` with write permissions for HaProxy (feel free to change the map file path, update the HaProxy config correspondingly) -#### CLI +#### CLI (not maintained) The system comes with CLI. It can be used to manage global and per-domain protection. Ensure that stat socket is configured in HaProxy for CLI support. ```bash @@ -61,10 +64,3 @@ Commands: ddos-cli domain disable Disable ddos mode for a domain. ``` - - -#### TO DO -- [x] Add CLI -- [x] Organize lua dependencies -- [x] Make per-user cookie secrets -- [ ] Add logging to CLI
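Review bot: In the first hunk the two new env vars `CAPTCHA_COOKIE_SECRET` and `POW_COOKIE_SECRET` are documented as "a salt for cookies", but the same hunk says the bug being fixed was that an unsalted hash let users bypass the captcha, so these values are what makes the cookie hash unforgeable and must be unpredictable and kept private, not merely unique like a salt. Suggest wording such as `- CAPTCHA_COOKIE_SECRET - long random secret used to key the captcha cookie hash; keep it private` (and the same for `POW_COOKIE_SECRET`), with a note on how to generate one. The added line "They now expire based on a server-side bucket as part of the cookie hash" also leaves the bucket length undocumented; state the expiry interval and how to change it. Minor: "usea backend" should be "use a backend", and "random string a salt for cookies" is missing a comma.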
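Review bot: The second hunk retitles the section "#### CLI (not maintained)" but leaves the body unchanged ("The system comes with CLI. It can be used to manage global and per-domain protection."), and the unchanged installation context just above still instructs users to copy `ddos-cli` and create the map file for it. Either say what "not maintained" means in practice (still works against the current map format, untested, or known broken) or drop the install step and the usage block together so the README does not recommend installing a tool it no longer supports.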
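Review bot: The third hunk deletes the whole "#### TO DO" list, including the still-open item "- [ ] Add logging to CLI", without recording where that work is tracked now. If the item is dropped because the CLI is unmaintained, say so in the CLI section; otherwise keep the open item or move it to an issue so the README's list of improvements in the first hunk is not the only record of outstanding work.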