From eb82a3d3912101d623dc40731500a817828c9d8e Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Thu, 15 Jun 2023 20:52:36 +1000
Subject: [PATCH] ne wjson map format for excluding exits
---
 haproxy/haproxy.cfg | 4 ++--
 haproxy/map/crawler-whitelist.map | 2 --
 haproxy/map/ddos.map | 8 ++++----
 src/lua/scripts/bot-check.lua | 33 +++++++++++++++++++------------
 4 files changed, 26 insertions(+), 21 deletions(-)
diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
index b539ea9..3c025b2 100644
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -84,8 +84,8 @@ frontend http-in
 # acl ORs for when ddos_mode_enabled
 acl ddos_mode_enabled_override str("true"),map(/etc/haproxy/map/ddos_global.map) -m found
- acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/map/ddos.map) -m bool
- acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m bool
+ acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/map/ddos.map) -m found
+ acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m found
 # serve challenge page scripts directly from haproxy
 http-request return file /etc/haproxy/js/auto.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "Cache-Control" "public, max-age=86400" if { path /.basedflare/js/auto.min.js }
diff --git a/haproxy/map/crawler-whitelist.map b/haproxy/map/crawler-whitelist.map
index f1835f4..e69de29 100644
--- a/haproxy/map/crawler-whitelist.map
+++ b/haproxy/map/crawler-whitelist.map
@@ -1,2 +0,0 @@
-#127.0.0.1/24
-#10.0.0.0/24
diff --git a/haproxy/map/ddos.map b/haproxy/map/ddos.map
index 997ee00..a707ad0 100644
--- a/haproxy/map/ddos.map
+++ b/haproxy/map/ddos.map
@@ -1,4 +1,4 @@
-127.0.0.1 1
-127.0.0.1/captcha 2
-localhost 1
-localhost/captcha 2
+127.0.0.1 {"m":1,"t":true}
+127.0.0.1/captcha {"m":2}
+localhost {"m":1}
+localhost/captcha {"m":2}
diff --git a/src/lua/scripts/bot-check.lua b/src/lua/scripts/bot-check.lua
index 10781a0..5b7d4ad 100644
--- a/src/lua/scripts/bot-check.lua
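Review bot: Switching both `ddos_mode_enabled` ACLs from `-m bool` to `-m found` makes every key present in ddos.map match, including an entry whose JSON value is `{"m":0}`, which the decide_checks_necessary hunk in bot-check.lua treats as exempt; under `-m bool` a plain `0` value did not match. Whether that changes observable behaviour depends on the rules that consume ddos_mode_enabled further down the frontend, which are outside this hunk. Because the ACL cannot read the JSON value, either keep exempt hosts out of this map or record the asymmetry next to the ACLs, e.g. `# any ddos.map entry (including {"m":0}) matches here; exemptions are decided in bot-check.lua`.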
+++ b/src/lua/scripts/bot-check.lua
@@ -53,7 +53,7 @@ local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET")
 local hmac_cookie_secret = os.getenv("HMAC_COOKIE_SECRET")
 local ray_id = os.getenv("RAY_ID")
 -- load captcha map and set hcaptcha/recaptch based off env vars
-local captcha_map = Map.new("/etc/haproxy/map/ddos.map", Map._str);
+local ddos_map = Map.new("/etc/haproxy/map/ddos.map", Map._str);
 local captcha_provider_domain = ""
 local captcha_classname = ""
 local captcha_script_src = ""
@@ -156,10 +156,12 @@ function _M.view(applet)
 local captcha_enabled = false
 local path = applet.qs; --because on /.basedflare/bot-check?/whatever, .qs (query string) holds the "path"
- local captcha_map_lookup = captcha_map:lookup(host..path) or captcha_map:lookup(host) or 0
- captcha_map_lookup = tonumber(captcha_map_lookup)
- if captcha_map_lookup == 2 then
- captcha_enabled = true
+ local ddos_map_lookup = ddos_map:lookup(host..path) or ddos_map:lookup(host)
+ if ddos_map_lookup ~= nil then
+ ddos_map_json = json.decode(ddos_map_lookup)
+ if ddos_map_json.m == 2 then
+ captcha_enabled = true
+ end
 end
 -- return simple json if they send accept: application/json header
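Review bot: `ddos_map_json = json.decode(ddos_map_lookup)` assigns a global, not a local, both here in _M.view and in the decide_checks_necessary hunk below; every request then shares and overwrites one module-wide value and the name leaks into the global table. Declare it `local ddos_map_json = json.decode(ddos_map_lookup)` in both places. Depending on which json library the file requires (not visible here), a malformed map value either raises from json.decode or yields nil, in which case the following `.m` index errors; the map is operator-controlled, so a `pcall` around the decode that falls through to the no-entry path is a reasonable guard rather than a requirement. _M.view starts before this hunk and continues after it.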
@@ -412,15 +414,20 @@ end
 function _M.decide_checks_necessary(txn)
 local host = txn.sf:hdr("Host")
 local path = txn.sf:path();
- local captcha_map_lookup = captcha_map:lookup(host..path) or captcha_map:lookup(host) or 0
- captcha_map_lookup = tonumber(captcha_map_lookup)
- if captcha_map_lookup == 1 then
- txn:set_var("txn.validate_pow", true)
- elseif captcha_map_lookup == 2 then
- txn:set_var("txn.validate_captcha", true)
- txn:set_var("txn.validate_pow", true)
+ local ddos_map_lookup = ddos_map:lookup(host..path) or ddos_map:lookup(host)
+ if ddos_map_lookup ~= nil then
+ ddos_map_json = json.decode(ddos_map_lookup)
+ if ddos_map_json.m == 0
+ or (ddos_map_json.t == true and txn.sf:hdr("X-Country-Code") ~= "T1") then
+ return
+ elseif ddos_map_json.m == 1 then
+ txn:set_var("txn.validate_pow", true)
+ elseif ddos_map_json.m == 2 then
+ txn:set_var("txn.validate_pow", true)
+ txn:set_var("txn.validate_captcha", true)
+ end
 end
- -- otherwise, domain+path was set to 0 (whitelist) or there is no entry in the map
+ -- no entry in the map
 end
 -- check if captcha cookie is valid, separate secret from POW
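Review bot: The new exemption `ddos_map_json.t == true and txn.sf:hdr("X-Country-Code") ~= "T1"` decides whether any check runs from a request header alone; that is only sound if an earlier step in the frontend (not visible here) sets X-Country-Code from a trusted geolocation source and discards any client-supplied value before this Lua runs, since otherwise the header a request arrives with would satisfy the exemption. Worth confirming and recording, e.g. `-- t: only challenge Tor exits; relies on X-Country-Code being set by haproxy, never taken from the client`. The map value schema (`m` 0 = no checks, 1 = pow, 2 = pow+captcha; `t` = Tor-only) is now implicit in two functions and should be documented once next to the ddos_map declaration. The trailing comment `-- no entry in the map` is also reached for any `m` other than 0/1/2, so `-- no entry in the map, or an unrecognised m value` would be accurate. decide_checks_necessary starts at the hunk's first line and its closing `end` is inside the hunk.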