Merge branch 'captcha-auto-submit' into kikeflare

README.MD

@@ -18,7 +18,6 @@ Improvements in this fork:
 - Choose protection modes "none", "pow" or "pow+captcha" per-domain or per-domain+path, with paths taking priority.
 - Whitelist IPs/subnets.
 - Maintenance mode page for selected domains.
-- Include dataplaneapi, to sync map files to disk if edited during runtime.
 - In POW only mode, provide instructions and an encoded script to find the solution.
 - Many bugfixes.
 
@@ -32,10 +31,11 @@ Add some env vars to docker-compose file:
 - RECAPTCHA_SECRET - your recaptcha secret key
 - CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies
 - POW_COOKIE_SECRET - different random string, a salt for pow cookies
+- HMAC_COOKIE_SECRET - different random string, a salt for pow cookies
 - RAY_ID - string to identify the HAProxy node by
 - BUCKET_DURATION - how long between bucket changes, invalidating cookies
-- BACKEND_NAME - name of backend to build from hosts.map
+- BACKEND_NAME - Optional, name of backend to build from hosts.map
-- SERVER_PREFIX - prefix of server names used in server-template
+- SERVER_PREFIX - Optional, prefix of server names used in server-template
 
 Add a domain name + backend IP to `haproxy/hosts.map` like:
 ```plain
@@ -58,7 +58,6 @@ Before installing the tool, ensure that HAProxy is built with Lua support and ve
 - Copy [haproxy.cfg](haproxy/haproxy.cfg) to /etc/haproxy
   - Edit the `lua-load` directive to be the absolute path to [register.lua](src/scripts/register.lua)
   - Edit the paths of challenge.js and worker.js in the `http-request return` directive to the absolut path to the respective files in the haproxy/js folder
-- Copy [dataplaneapi.hcl](haproxy/dataplaneapi.hcl) to /etc/haproxy
 - Copy or link [scripts](src/scripts) to /etc/haproxy/scripts
 - Copy or link [libs](src/libs) to /etc/haproxy/libs (or a path where Lua looks for modules).
 - Copy the map files from the haproxy folder to /etc/haproxy

docker-compose.yml

@@ -18,15 +18,17 @@ services:
       - ./haproxy/blocked.map:/etc/haproxy/blocked.map
       - ./haproxy/whitelist.map:/etc/haproxy/whitelist.map
       - ./haproxy/maintenance.map:/etc/haproxy/maintenance.map
-      - ./haproxy/dataplaneapi.hcl:/etc/haproxy/dataplaneapi.hcl
       - ./haproxy/trace.txt:/etc/haproxy/trace.txt
       - ./src/scripts/:/etc/haproxy/scripts/
       - ./src/libs/:/etc/haproxy/libs/
       - ./haproxy/js/:/var/www/js/
       - ./haproxy/html/maintenance.html:/var/www/html/maintenance.html
     environment:
-      - RECAPTCHA_SECRET=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
+      # These are the hcaptcha and recaptcha test keys, not leaking any dont worry :^)
-      - RECAPTCHA_SITEKEY=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
+      - HCAPTCHA_SITEKEY=20000000-ffff-ffff-ffff-000000000002
+      - HCAPTCHA_SECRET=0x0000000000000000000000000000000000000000
+      #- RECAPTCHA_SECRET=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
+      #- RECAPTCHA_SITEKEY=6LeIxAcTAAAAAJcZVRqyHh71UMIEGNQ_MXjiZKhI
       - CAPTCHA_COOKIE_SECRET=changeme
       - POW_COOKIE_SECRET=changeme
       - HMAC_COOKIE_SECRET=changeme

haproxy/Dockerfile

@@ -37,11 +37,6 @@ RUN set -eux; \
 	; \
 	rm -rf /var/lib/apt/lists/*; \
 	\
-	wget -O dataplaneapi_2.4.4_Linux_x86_64.tar.gz https://github.com/haproxytech/dataplaneapi/releases/download/v2.4.4/dataplaneapi_2.4.4_Linux_x86_64.tar.gz; \
-	tar -zxvf dataplaneapi_2.4.4_Linux_x86_64.tar.gz; \
-	chmod +x build/dataplaneapi; \
-	cp build/dataplaneapi /usr/local/bin/; \
-	\
 	wget -O haproxy.tar.gz "$HAPROXY_URL"; \
 #	echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c; \
 	mkdir -p /usr/src/haproxy; \

haproxy/dataplaneapi.hcl

@@ -1,29 +0,0 @@
-config_version = 2
-
-name = "meet_bedbug"
-
-mode = "single"
-
-dataplaneapi {
-  user "admin" {
-    insecure = true
-    password = "adminpwd"
-  }
-
-  transaction {
-    transaction_dir = "/tmp/haproxy"
-  }
-
-  advertised {}
-}
-
-haproxy {
-  config_file = "/etc/haproxy/haproxy.cfg"
-  haproxy_bin = "/usr/local/sbin/haproxy"
-
-  reload {
-    reload_delay = 5
-    reload_cmd   = "service haproxy reload"
-    restart_cmd  = "service haproxy restart"
-  }
-}

haproxy/js/challenge.js

@@ -1,15 +1,17 @@
+function finishRedirect() {
+	window.location=location.search.slice(1)+location.hash || "/";
+}
+
 function finishPow(combined, answer) {
 	document.cookie='z_ddos_pow='+combined+'#'+answer+';expires=Thu, 31-Dec-37 23:55:55 GMT; path=/; SameSite=Strict; '+(location.protocol==='https:'?'Secure=true; ':'');
-	const submitButton = document.querySelector('input[type=submit]')
+	const hasCaptchaForm = document.querySelector('form');
-	if (submitButton) {
+	if (!hasCaptchaForm) {
-		//button is shown only if captcha is enabled
+		finishRedirect();
-		submitButton.disabled = false;
-		submitButton.value = 'Submit';
-	} else {
-		window.location=location.search.slice(1)+location.hash || "/";
 	}
 }
 
+const powFinished = new Promise((resolve, reject) => {
+	window.addEventListener('DOMContentLoaded', (event) => {
 		const combined = document.querySelector('[data-pow]').dataset.pow;
 		const [_userkey, challenge, _signature] = combined.split("#");
 		const start = Date.now();
@@ -23,7 +25,10 @@ if (window.Worker && crypto.subtle) {
 				const [workerId, answer] = e.data;
 				console.log('Worker', workerId, 'returned answer', answer, 'in', Date.now()-start+'ms');
 				const dummyTime = 5000 - (Date.now()-start);
-		window.setTimeout(() => finishPow(combined, answer), dummyTime);
+				window.setTimeout(() => {
+					finishPow(combined, answer);
+					resolve();
+				}, dummyTime);
 			}
 			const workers = [];
 			for (let i = 0; i < threads; i++) {
@@ -47,5 +52,32 @@ if (window.Worker && crypto.subtle) {
 				++i;
 			}
 			const dummyTime = 5000 - (Date.now()-start);
-	window.setTimeout(() => finishPow(combined, i), dummyTime);
+			window.setTimeout(() => {
+				finishPow(combined, i);
+				resolve();
+			}, dummyTime);
 		}
+	});
+});
+
+function onCaptchaSubmit(callback) {
+	const captchaElem = document.querySelector('[data-sitekey]');
+	captchaElem.insertAdjacentHTML('afterend', `<div class="lds-ring"><div></div><div></div><div></div><div></div></div>`);
+	captchaElem.remove();
+	powFinished.then(() => {
+		fetch('/bot-check', {
+			method: 'POST',
+			headers: {
+			  'Content-Type': 'application/x-www-form-urlencoded',
+			},
+			body: new URLSearchParams({
+				'h-captcha-response': callback,
+				'g-recaptcha-response': callback,
+			}),
+			redirect: 'manual',
+		}).then(res => {
+			finishRedirect();
+		})
+	});
+}
+

src/scripts/hcaptcha.lua

@@ -88,6 +88,7 @@ local body_template = [[
 		<noscript>
 			<style>.jsonly{display:none}</style>
 		</noscript>
+		<script src="/js/challenge.js"></script>
 	</head>
 	<body data-pow="%s">
 		%s
@@ -103,7 +104,6 @@ local body_template = [[
 			<p>Security and Performance by <a href="https://BasedFlare.com">BasedFlare</a></p>
 			<p>Node: <code>%s</code></p>
 		</footer>
-		<script src="/js/challenge.js"></script>
 	</body>
 </html>
 ]]
@@ -147,9 +147,8 @@ local captcha_section_template = [[
 			Please solve the captcha to continue.
 		</h3>
 		<form class="jsonly" method="POST">
-			<div class="%s" data-sitekey="%s"></div>
+			<div class="%s" data-sitekey="%s" data-callback="onCaptchaSubmit"></div>
 			<script src="%s" async defer></script>
-			<input type="submit" value="Calculating proof of work..." disabled>
 		</form>
 ]]