Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

readme updates

Browse Source
This commit is contained in:
Thomas Lynch
2021-11-24 06:23:18 +11:00
parent 77ad645815
commit e6db267f5e
1 changed files with 19 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
README.MD
View File

@ -1,32 +1,35 @@
## HaProxy DDoS protection system PoC
The system provides functionality to protect certain (or all) resources on HaProxy from L7 DDoS attacks.
A fork of https://github.com/mora9715/haproxy_ddos_protector, a haproxy lua script allowing a holding page where users solve a captcha and proof-of-work (cpu intensive) task.
Intended to stop bots, spam, probably some forms of ddos, etc.
It works by requiring a user to have a specific cookie issued after successful captcha completion. If a user does not have the cookie, he gets redirected to a special captcha page.
Some issues fixed and various improvements:
It is by no means a cure for all ills, but should help you mitigate a moderate DDoS attack without disrupting the service.
#### How it works
![alternative text](http://www.plantuml.com/plantuml/proxy?cache=no&src=https://raw.githubusercontent.com/mora9715/haproxy_ddos_protector/master/docs/interaction_diagram.txt)
- Fix some bugs
- Fix a security issue where unsalted hash could let users bypass captcha
- Made the cookies not work permanently. They now expire based on a server-side bucket as part of the cookie hash, instead of client side expiry
- Added additional proof-of-work element to the challenge page, both pow+captcha must be completed
- Avoid using a hack to resolve domain names, usea backend in haproxy instead
- Improved the appearance of the challenge page
#### How to test
- export hcaptcha sitekey and secret:
```bash
export HCAPTCHA_SITEKEY=xxxXXxxx
export HCAPTCHA_SECRET=xxxXXxxx
```
They can be obtained after creating a free account on https://www.hcaptcha.com/
Add some env vars to docker-compose file:
- run docker compose:
- HCAPTCHA_SITEKEY - your hcaptcha site key
- HCAPTCHA_SECRET - your hcaptcha secret key
- CAPTCHA_COOKIE_SECRET - random string, a salt for cookies
- POW_COOKIE_SECRET - random string a salt for cookies
Run docker compose:
```bash
docker compose up
```
- visit *http://127.0.0.1*
For demostration purposes DDoS-protection mode was enabled by default.
DDoS-protection mode is enabled by default.
#### Installation
Before installing the tool, ensure that HaProxy is built with Lua support.
@ -37,7 +40,7 @@ Before installing the tool, ensure that HaProxy is built with Lua support.
- Copy [ddos-cli](src/cli/ddos-cli) to any convenient path.
- Create `/usr/local/etc/haproxy/domains_under_ddos.txt` with write permissions for HaProxy (feel free to change the map file path, update the HaProxy config correspondingly)
#### CLI
#### CLI (not maintained)
The system comes with CLI. It can be used to manage global and per-domain protection.
Ensure that stat socket is configured in HaProxy for CLI support.
```bash
@ -61,10 +64,3 @@ Commands:
ddos-cli domain disable <domain> Disable ddos mode for a domain.
```
#### TO DO
- [x] Add CLI
- [x] Organize lua dependencies
- [x] Make per-user cookie secrets
- [ ] Add logging to CLI