diff --git a/README.MD b/README.MD index 87edb20..6c846ad 100644 --- a/README.MD +++ b/README.MD @@ -18,7 +18,6 @@ Improvements in this fork: - Choose protection modes "none", "pow" or "pow+captcha" per-domain or per-domain+path, with paths taking priority. - Whitelist IPs/subnets. - Maintenance mode page for selected domains. -- Include dataplaneapi, to sync map files to disk if edited during runtime. - In POW only mode, provide instructions and an encoded script to find the solution. - Many bugfixes. @@ -32,10 +31,11 @@ Add some env vars to docker-compose file: - RECAPTCHA_SECRET - your recaptcha secret key - CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies - POW_COOKIE_SECRET - different random string, a salt for pow cookies +- HMAC_COOKIE_SECRET - different random string, a salt for pow cookies - RAY_ID - string to identify the HAProxy node by - BUCKET_DURATION - how long between bucket changes, invalidating cookies -- BACKEND_NAME - name of backend to build from hosts.map -- SERVER_PREFIX - prefix of server names used in server-template +- BACKEND_NAME - Optional, name of backend to build from hosts.map +- SERVER_PREFIX - Optional, prefix of server names used in server-template Add a domain name + backend IP to `haproxy/hosts.map` like: ```plain @@ -58,7 +58,6 @@ Before installing the tool, ensure that HAProxy is built with Lua support and ve - Copy [haproxy.cfg](haproxy/haproxy.cfg) to /etc/haproxy - Edit the `lua-load` directive to be the absolute path to [register.lua](src/scripts/register.lua) - Edit the paths of challenge.js and worker.js in the `http-request return` directive to the absolut path to the respective files in the haproxy/js folder -- Copy [dataplaneapi.hcl](haproxy/dataplaneapi.hcl) to /etc/haproxy - Copy or link [scripts](src/scripts) to /etc/haproxy/scripts - Copy or link [libs](src/libs) to /etc/haproxy/libs (or a path where Lua looks for modules). - Copy the map files from the haproxy folder to /etc/haproxy diff --git a/docker-compose.yml b/docker-compose.yml index 84feedd..890b369 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,15 +18,17 @@ services: - ./haproxy/blocked.map:/etc/haproxy/blocked.map - ./haproxy/whitelist.map:/etc/haproxy/whitelist.map - ./haproxy/maintenance.map:/etc/haproxy/maintenance.map - - ./haproxy/dataplaneapi.hcl:/etc/haproxy/dataplaneapi.hcl - ./haproxy/trace.txt:/etc/haproxy/trace.txt - ./src/scripts/:/etc/haproxy/scripts/ - ./src/libs/:/etc/haproxy/libs/ - ./haproxy/js/:/var/www/js/ - ./haproxy/html/maintenance.html:/var/www/html/maintenance.html environment: - - RECAPTCHA_SECRET=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe - - RECAPTCHA_SITEKEY=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI + # These are the hcaptcha and recaptcha test keys, not leaking any dont worry :^) + - HCAPTCHA_SITEKEY=20000000-ffff-ffff-ffff-000000000002 + - HCAPTCHA_SECRET=0x0000000000000000000000000000000000000000 + #- RECAPTCHA_SECRET=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe + #- RECAPTCHA_SITEKEY=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI - CAPTCHA_COOKIE_SECRET=changeme - POW_COOKIE_SECRET=changeme - HMAC_COOKIE_SECRET=changeme diff --git a/haproxy/Dockerfile b/haproxy/Dockerfile index 945995c..cec691b 100644 --- a/haproxy/Dockerfile +++ b/haproxy/Dockerfile @@ -37,11 +37,6 @@ RUN set -eux; \ ; \ rm -rf /var/lib/apt/lists/*; \ \ - wget -O dataplaneapi_2.4.4_Linux_x86_64.tar.gz https://github.com/haproxytech/dataplaneapi/releases/download/v2.4.4/dataplaneapi_2.4.4_Linux_x86_64.tar.gz; \ - tar -zxvf dataplaneapi_2.4.4_Linux_x86_64.tar.gz; \ - chmod +x build/dataplaneapi; \ - cp build/dataplaneapi /usr/local/bin/; \ - \ wget -O haproxy.tar.gz "$HAPROXY_URL"; \ # echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \ mkdir -p /usr/src/haproxy; \ diff --git a/haproxy/dataplaneapi.hcl b/haproxy/dataplaneapi.hcl deleted file mode 100644 index 97a9094..0000000 --- a/haproxy/dataplaneapi.hcl +++ /dev/null @@ -1,29 +0,0 @@ -config_version = 2 - -name = "meet_bedbug" - -mode = "single" - -dataplaneapi { - user "admin" { - insecure = true - password = "adminpwd" - } - - transaction { - transaction_dir = "/tmp/haproxy" - } - - advertised {} -} - -haproxy { - config_file = "/etc/haproxy/haproxy.cfg" - haproxy_bin = "/usr/local/sbin/haproxy" - - reload { - reload_delay = 5 - reload_cmd = "service haproxy reload" - restart_cmd = "service haproxy restart" - } -} diff --git a/haproxy/js/challenge.js b/haproxy/js/challenge.js index 954c26e..651d257 100644 --- a/haproxy/js/challenge.js +++ b/haproxy/js/challenge.js @@ -1,51 +1,83 @@ +function finishRedirect() { + window.location=location.search.slice(1)+location.hash || "/"; +} + function finishPow(combined, answer) { document.cookie='z_ddos_pow='+combined+'#'+answer+';expires=Thu, 31-Dec-37 23:55:55 GMT; path=/; SameSite=Strict; '+(location.protocol==='https:'?'Secure=true; ':''); - const submitButton = document.querySelector('input[type=submit]') - if (submitButton) { - //button is shown only if captcha is enabled - submitButton.disabled = false; - submitButton.value = 'Submit'; - } else { - window.location=location.search.slice(1)+location.hash || "/"; + const hasCaptchaForm = document.querySelector('form'); + if (!hasCaptchaForm) { + finishRedirect(); } } -const combined = document.querySelector('[data-pow]').dataset.pow; -const [_userkey, challenge, _signature] = combined.split("#"); -const start = Date.now(); -if (window.Worker && crypto.subtle) { - const threads = Math.min(4,Math.ceil(window.navigator.hardwareConcurrency/2)); - let finished = false; - const messageHandler = (e) => { - if (finished) { return; } - finished = true; - workers.forEach(w => w.terminate()); - const [workerId, answer] = e.data; - console.log('Worker', workerId, 'returned answer', answer, 'in', Date.now()-start+'ms'); - const dummyTime = 5000 - (Date.now()-start); - window.setTimeout(() => finishPow(combined, answer), dummyTime); - } - const workers = []; - for (let i = 0; i < threads; i++) { - const shaWorker = new Worker('/js/worker.js'); - shaWorker.onmessage = messageHandler; - workers.push(shaWorker); - } - workers.forEach((w, i) => w.postMessage([challenge, i, threads])); -} else { - console.warn('No webworker or crypto.subtle support, using legacy method in main/UI thread!'); - function sha256(ascii){function rightRotate(value,amount){return(value>>>amount)|(value<<(32-amount))};var mathPow=Math.pow;var maxWord=mathPow(2,32);var lengthProperty='length';var i,j;var result='';var words=[];var asciiBitLength=ascii[lengthProperty]*8;var hash=sha256.h=sha256.h||[];var k=sha256.k=sha256.k||[];var primeCounter=k[lengthProperty];var isComposite={};for(var candidate=2;primeCounter<64;candidate+=1){if(!isComposite[candidate]){for(i=0;i<313;i+=candidate){isComposite[i]=candidate}hash[primeCounter]=(mathPow(candidate,.5)*maxWord)|0;k[primeCounter++]=(mathPow(candidate,1/3)*maxWord)|0}}ascii+='\x80';while(ascii[lengthProperty]%64-56){ascii+='\x00';}for(i=0;i>8){return;}words[i>>2]|=j<<((3-i)%4)*8}words[words[lengthProperty]]=((asciiBitLength/maxWord)|0);words[words[lengthProperty]]=(asciiBitLength);for(j=0;j>>3))+w[i-7]+(rightRotate(w2,17)^rightRotate(w2,19)^(w2>>>10)))|0);var temp2=(rightRotate(a,2)^rightRotate(a,13)^rightRotate(a,22))+((a&hash[1])^(a&hash[2])^(hash[1]&hash[2]));hash=[(temp1+temp2)|0].concat(hash);hash[4]=(hash[4]+temp1)|0}for(i=0;i<8;i+=1){hash[i]=(hash[i]+oldHash[i])|0}}for(i=0;i<8;i+=1){for(j=3;j+1;j-=1){var b=(hash[i]>>(j*8))&255;result+=((b<16)?0:'')+b.toString(16)}}return result} - const challengeIndex = parseInt(challenge[0], 16)*2; - let i = 0 - , result; - while(true) { - result = sha256(challenge+i); - if (result.substring(challengeIndex, challengeIndex+4) === '0041'){ - console.log('Main thread found solution:', i, result); - break; +const powFinished = new Promise((resolve, reject) => { + window.addEventListener('DOMContentLoaded', (event) => { + const combined = document.querySelector('[data-pow]').dataset.pow; + const [_userkey, challenge, _signature] = combined.split("#"); + const start = Date.now(); + if (window.Worker && crypto.subtle) { + const threads = Math.min(4,Math.ceil(window.navigator.hardwareConcurrency/2)); + let finished = false; + const messageHandler = (e) => { + if (finished) { return; } + finished = true; + workers.forEach(w => w.terminate()); + const [workerId, answer] = e.data; + console.log('Worker', workerId, 'returned answer', answer, 'in', Date.now()-start+'ms'); + const dummyTime = 5000 - (Date.now()-start); + window.setTimeout(() => { + finishPow(combined, answer); + resolve(); + }, dummyTime); + } + const workers = []; + for (let i = 0; i < threads; i++) { + const shaWorker = new Worker('/js/worker.js'); + shaWorker.onmessage = messageHandler; + workers.push(shaWorker); + } + workers.forEach((w, i) => w.postMessage([challenge, i, threads])); + } else { + console.warn('No webworker or crypto.subtle support, using legacy method in main/UI thread!'); + function sha256(ascii){function rightRotate(value,amount){return(value>>>amount)|(value<<(32-amount))};var mathPow=Math.pow;var maxWord=mathPow(2,32);var lengthProperty='length';var i,j;var result='';var words=[];var asciiBitLength=ascii[lengthProperty]*8;var hash=sha256.h=sha256.h||[];var k=sha256.k=sha256.k||[];var primeCounter=k[lengthProperty];var isComposite={};for(var candidate=2;primeCounter<64;candidate+=1){if(!isComposite[candidate]){for(i=0;i<313;i+=candidate){isComposite[i]=candidate}hash[primeCounter]=(mathPow(candidate,.5)*maxWord)|0;k[primeCounter++]=(mathPow(candidate,1/3)*maxWord)|0}}ascii+='\x80';while(ascii[lengthProperty]%64-56){ascii+='\x00';}for(i=0;i>8){return;}words[i>>2]|=j<<((3-i)%4)*8}words[words[lengthProperty]]=((asciiBitLength/maxWord)|0);words[words[lengthProperty]]=(asciiBitLength);for(j=0;j>>3))+w[i-7]+(rightRotate(w2,17)^rightRotate(w2,19)^(w2>>>10)))|0);var temp2=(rightRotate(a,2)^rightRotate(a,13)^rightRotate(a,22))+((a&hash[1])^(a&hash[2])^(hash[1]&hash[2]));hash=[(temp1+temp2)|0].concat(hash);hash[4]=(hash[4]+temp1)|0}for(i=0;i<8;i+=1){hash[i]=(hash[i]+oldHash[i])|0}}for(i=0;i<8;i+=1){for(j=3;j+1;j-=1){var b=(hash[i]>>(j*8))&255;result+=((b<16)?0:'')+b.toString(16)}}return result} + const challengeIndex = parseInt(challenge[0], 16)*2; + let i = 0 + , result; + while(true) { + result = sha256(challenge+i); + if (result.substring(challengeIndex, challengeIndex+4) === '0041'){ + console.log('Main thread found solution:', i, result); + break; + } + ++i; + } + const dummyTime = 5000 - (Date.now()-start); + window.setTimeout(() => { + finishPow(combined, i); + resolve(); + }, dummyTime); } - ++i; - } - const dummyTime = 5000 - (Date.now()-start); - window.setTimeout(() => finishPow(combined, i), dummyTime); + }); +}); + +function onCaptchaSubmit(callback) { + const captchaElem = document.querySelector('[data-sitekey]'); + captchaElem.insertAdjacentHTML('afterend', `
`); + captchaElem.remove(); + powFinished.then(() => { + fetch('/bot-check', { + method: 'POST', + headers: { + 'Content-Type': 'application/x-www-form-urlencoded', + }, + body: new URLSearchParams({ + 'h-captcha-response': callback, + 'g-recaptcha-response': callback, + }), + redirect: 'manual', + }).then(res => { + finishRedirect(); + }) + }); } + diff --git a/img/captcha.png b/img/captcha.png index 3fe498e..19545a7 100644 Binary files a/img/captcha.png and b/img/captcha.png differ diff --git a/img/nocaptcha.png b/img/nocaptcha.png index 6abbb02..4de99d7 100644 Binary files a/img/nocaptcha.png and b/img/nocaptcha.png differ diff --git a/src/scripts/hcaptcha.lua b/src/scripts/hcaptcha.lua index 130636a..64796dd 100644 --- a/src/scripts/hcaptcha.lua +++ b/src/scripts/hcaptcha.lua @@ -88,6 +88,7 @@ local body_template = [[ + %s @@ -103,7 +104,6 @@ local body_template = [[

Security and Performance by BasedFlare

Node: %s

- ]] @@ -147,9 +147,8 @@ local captcha_section_template = [[ Please solve the captcha to continue.
-
+
-
]]