mirror of
https://gitgud.io/fatchan/haproxy-protection.git
synced 2025-05-09 02:05:37 +00:00
HaProxy DDoS protection system PoC
A fork of https://github.com/mora9715/haproxy_ddos_protector, a HAProxy Lua script that serves a holding page where users must solve a captcha and a proof-of-work (CPU-intensive) task before reaching the site. Intended to stop bots, spam and probably some forms of DDoS.
Issues fixed and improvements over the original:
- Fix some bugs
- Fix a security issue where an unsalted hash could let users bypass the captcha
- Cookies are no longer valid permanently. They now expire based on a server-side time bucket that is part of the cookie hash, instead of a client-side expiry
- Added a proof-of-work element to the challenge page; both the PoW and the captcha must be completed
- Avoid using a hack to resolve domain names; use a backend in HAProxy instead
- Improved the appearance of the challenge page
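The two cookie fixes above (a secret salt so the cookie cannot be recomputed by the client, and a server-side time bucket folded into the hash so expiry does not depend on the client) are illustrated here in Python as an added example; this is not the project's Lua code, and the client identifier, HMAC-SHA256 and the one-hour bucket length are assumptions made for the illustration.

```python
import hashlib
import hmac

BUCKET_SECONDS = 3600  # assumed bucket length; the project's value may differ


def bucket_for(now: int) -> int:
    """Server-side time bucket the cookie is bound to."""
    return now // BUCKET_SECONDS


def weak_cookie(client_id: str) -> str:
    """The kind of cookie the fork removed: an unsalted hash of data the
    client already knows, so it can be reproduced without solving the
    challenge and never expires."""
    return hashlib.sha256(client_id.encode()).hexdigest()


def issue_cookie(secret: bytes, client_id: str, now: int) -> str:
    """Salted cookie: HMAC over the client identifier and the current bucket.
    The bucket itself is not sent to the client; the server recomputes it."""
    msg = f"{client_id}|{bucket_for(now)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_cookie(secret: bytes, client_id: str, cookie: str, now: int) -> bool:
    """Valid only while the server is still in the bucket the cookie was
    issued in. A cookie from an earlier bucket fails regardless of any
    expiry attribute the client may present."""
    expected = issue_cookie(secret, client_id, now)
    return hmac.compare_digest(expected, cookie)


if __name__ == "__main__":
    secret = b"constructed-example-secret"       # constructed; never hard-code in production
    cookie = issue_cookie(secret, "client-a", now=7200)
    print("same bucket :", verify_cookie(secret, "client-a", cookie, now=7200 + 3599))
    print("next bucket :", verify_cookie(secret, "client-a", cookie, now=10800))
    print("other client:", verify_cookie(secret, "client-b", cookie, now=7200))
```

With a constant-time comparison and no secret in the cookie, a client can neither forge the value nor extend its lifetime; only the server's clock moves it into the next bucket.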
How to test
Add the following env vars to the docker-compose file:
- HCAPTCHA_SITEKEY - your hCaptcha site key
- HCAPTCHA_SECRET - your hCaptcha secret key
- CAPTCHA_COOKIE_SECRET - random string, used as a salt for cookies
- POW_COOKIE_SECRET - random string, used as a salt for cookies
Then run docker compose:
- docker compose up
- visit http://127.0.0.1
DDoS-protection mode is enabled by default.
Installation
Before installing the tool, ensure that HaProxy is built with Lua support.
- Copy the scripts to a folder accessible to HAProxy
- Copy the haproxy config and make sure that the lua-load directive contains the absolute path to register.lua
- Copy the libs to a path where Lua looks for modules
- Copy ddos-cli to any convenient path
- Create /usr/local/etc/haproxy/domains_under_ddos.txt with write permissions for HAProxy (feel free to change the map file path; update the HAProxy config correspondingly)
CLI (not maintained)
The system comes with a CLI. It can be used to manage global and per-domain protection. Ensure that the stats socket is configured in HAProxy for CLI support.
Usage: ddos-cli <command> [options]
Command line interface to manage per-domain and global DDoS protection.
optional arguments:
-h, --help Show this help message and exit.
Commands:
Global management:
ddos-cli global status Show status of global server ddos mode.
ddos-cli global enable Enable global ddos mode.
ddos-cli global disable Disable global ddos mode.
Domain management:
ddos-cli domain list List all domains with ddos mode on.
ddos-cli domain status <domain> Get ddos mode status for a domain.
ddos-cli domain enable <domain> Enable ddos mode for a domain.
ddos-cli domain disable <domain> Disable ddos mode for a domain.