
HaProxy DDoS protection system PoC

A fork of https://github.com/mora9715/haproxy_ddos_protector, a HAProxy Lua script that serves a holding page where visitors must solve a captcha and a proof-of-work (CPU-intensive) task before reaching the site. Intended to stop bots, spam, and probably some forms of DDoS.

Some issues fixed and various improvements:

  • Fix some bugs
  • Fix a security issue where an unsalted cookie hash could let users bypass the captcha
  • Cookies are no longer valid permanently. They now expire according to a server-side time bucket that is mixed into the cookie hash, rather than relying on a client-side expiry
  • Added a proof-of-work element to the challenge page; both the PoW and the captcha must be completed
  • Avoid a hack for resolving domain names; use a backend in HAProxy instead
  • Improved the appearance of the challenge page
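The two cookie fixes above (salting the hash with a server-side secret, and tying validity to a server-side time bucket) are illustrated here in Python as an added example; it is not the project's Lua code, and the bucket width, client identifier and cookie layout are assumptions:

```python
import hashlib
import hmac

# Assumed bucket width; the project's actual value is not stated in the README.
BUCKET_SECONDS = 3600


def weak_cookie(client_ip: str) -> str:
    """Unsalted variant of the kind the fork fixed: anyone can recompute it
    from public inputs, so possessing it proves nothing about solving a challenge."""
    return hashlib.sha256(client_ip.encode()).hexdigest()


def time_bucket(now: int, bucket_seconds: int = BUCKET_SECONDS) -> int:
    """Server-side bucket index; the cookie is only valid while this stays the same."""
    return int(now) // bucket_seconds


def issue_cookie(secret: str, client_ip: str, now: int,
                 bucket_seconds: int = BUCKET_SECONDS) -> str:
    """Cookie handed out after a solved challenge. `secret` stands in for
    CAPTCHA_COOKIE_SECRET / POW_COOKIE_SECRET; the bucket is hashed in, not stored,
    so the client cannot extend the lifetime by editing the cookie."""
    msg = f"{client_ip}|{time_bucket(now, bucket_seconds)}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def cookie_is_valid(secret: str, client_ip: str, cookie: str, now: int,
                    bucket_seconds: int = BUCKET_SECONDS) -> bool:
    """Recompute for the current bucket and compare in constant time.
    Once the bucket rolls over, the old cookie simply stops matching."""
    expected = issue_cookie(secret, client_ip, now, bucket_seconds)
    return hmac.compare_digest(expected, cookie)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = "example-secret-from-env"
    t0 = 1_700_000_000
    c = issue_cookie(secret, "203.0.113.7", t0)
    print("fresh:", cookie_is_valid(secret, "203.0.113.7", c, t0 + 10))
    print("after two buckets:", cookie_is_valid(secret, "203.0.113.7", c, t0 + 2 * BUCKET_SECONDS))
    print("forged without secret:", cookie_is_valid(secret, "203.0.113.7", weak_cookie("203.0.113.7"), t0))
```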

How to test

Add some env vars to docker-compose file:

  • HCAPTCHA_SITEKEY - your hCaptcha site key
  • HCAPTCHA_SECRET - your hCaptcha secret key
  • CAPTCHA_COOKIE_SECRET - random string, used as a salt for the captcha cookies
  • POW_COOKIE_SECRET - random string, used as a salt for the proof-of-work cookies

Run docker compose:

docker compose up

DDoS-protection mode is enabled by default.

Installation

Before installing the tool, ensure that HaProxy is built with Lua support.

  • Copy the scripts to a folder accessible to HaProxy
  • Copy the haproxy config and make sure the lua-load directive contains the absolute path to register.lua
  • Copy the libs to a path where Lua looks for modules
  • Copy ddos-cli to any convenient path
  • Create /usr/local/etc/haproxy/domains_under_ddos.txt with write permissions for HaProxy (feel free to change the map file path; update the HaProxy config correspondingly)

CLI (not maintained)

The system comes with a CLI that can be used to manage global and per-domain protection. Ensure that the stats socket is configured in HaProxy, since the CLI relies on it.

Usage: ddos-cli <command> [options]

Command line interface to manage per-domain and global DDoS protection.

optional arguments:
  -h, --help                         Show this help message and exit.

Commands:
 Global management:
  ddos-cli global status             Show status of global server ddos mode.
  ddos-cli global enable             Enable global ddos mode.
  ddos-cli global disable            Disable global ddos mode.

 Domain management:
  ddos-cli domain list               List all domains with ddos mode on.
  ddos-cli domain status <domain>    Get ddos mode status for a domain.
  ddos-cli domain enable <domain>    Enable ddos mode for a domain.
  ddos-cli domain disable <domain>   Disable ddos mode for a domain.
