mirror of
https://gitgud.io/fatchan/haproxy-protection.git
synced 2025-05-09 02:05:37 +00:00
598790cb4f
- Move to new scheme with some hashing, sigs, and a random user key. close #13 - Change to sha256 rather than sha1 (temporary, but i guess its slightly more secure which is nice for now) ref #10 - Change POW output checked value - Add lib for randombytes, udpate lua sha lib - Remove outdated difficulty checks in frontend (was hardcoded 0 anyway) and since algo change is coming soon, there is no need to keep it
70 lines
3.3 KiB
Markdown
70 lines
3.3 KiB
Markdown
## HAProxy DDoS protection system
|
|
|
|
A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a HAProxy configuration and lua scripts allowing a challenge-response page where users solve a captcha and/or proof-of-work.
|
|
Intended to stop bots, spam, ddos,
|
|
|
|
Integrates with https://gitgud.io/fatchan/haproxy-panel-next to add/remove/edit domains, protection rules, blocked ips, backend server IPs, etc during runtime.
|
|
|
|
Improvements in this fork:
|
|
|
|
- Add a proof-of-work element, instead of only captcha.
|
|
- Add examples and support for .onion/tor using the HAProxy PROXY protocol to provide some kind of "ip" discrimination of tor users (circuit identifiers).
|
|
- Use HAProxy http-request return to improve performance/caching for the challenge page, without an extra backend http server.
|
|
- Improved the appearance of the challenge page.
|
|
- Remove hcaptcha dns resolution hack, use proper backend address.
|
|
- Fix multiple security issues that could result in bypassing the captcha.
|
|
- Add a bucket duration for cookie validity, so valid cookies don't last forever.
|
|
- Cluster toggle, for pow mode only.
|
|
- Choose protection modes "none", "pow" or "pow+captcha" per-domain or per-domain+path, with paths taking priority.
|
|
- Whitelist IPs/subnets.
|
|
- Maintenance mode page for selected domains.
|
|
- Include dataplaneapi, to sync map files to disk if edited during runtime.
|
|
- In POW only mode, provide instructions and an encoded script to find the solution.
|
|
- Many bugfixes.
|
|
|
|
#### How to test
|
|
|
|
Add some env vars to docker-compose file:
|
|
|
|
- HCAPTCHA_SITEKEY - your hcaptcha site key
|
|
- HCAPTCHA_SECRET - your hcaptcha secret key
|
|
- RECAPTCHA_SITEKEY - your recaptcha site key
|
|
- RECAPTCHA_SECRET - your recaptcha secret key
|
|
- CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies
|
|
- POW_COOKIE_SECRET - different random string, a salt for pow cookies
|
|
- RAY_ID - string to identify the HAProxy node by
|
|
- BUCKET_DURATION - how long between bucket changes, invalidating cookies
|
|
- BACKEND_NAME - name of backend to build from hosts.map
|
|
- SERVER_PREFIX - prefix of server names used in server-template
|
|
|
|
Add a domain name + backend IP to `haproxy/hosts.map` like:
|
|
```plain
|
|
localhost 127.0.0.1:81
|
|
```
|
|
|
|
Run docker compose:
|
|
```bash
|
|
docker compose up
|
|
```
|
|
|
|
Visit http://localhost
|
|
|
|
DDoS-protection mode is enabled by default.
|
|
|
|
#### Installation
|
|
|
|
Before installing the tool, ensure that HAProxy is built with Lua support and version >=2.5 for the native httpclient support. For Debian and Ubuntu (and -based) distros, see https://haproxy.debian.net/ for packages.
|
|
|
|
- Copy [haproxy.cfg](haproxy/haproxy.cfg) to /etc/haproxy
|
|
- Edit the `lua-load` directive to be the absolute path to [register.lua](src/scripts/register.lua)
|
|
- Edit the paths of challenge.js and worker.js in the `http-request return` directive to the absolut path to the respective files in the haproxy/js folder
|
|
- Copy [dataplaneapi.hcl](haproxy/dataplaneapi.hcl) to /etc/haproxy
|
|
- Copy or link [scripts](src/scripts) to /etc/haproxy/scripts
|
|
- Copy or link [libs](src/libs) to /etc/haproxy/libs (or a path where Lua looks for modules).
|
|
- Copy the map files from the haproxy folder to /etc/haproxy
|
|
|
|
#### Screenshot
|
|
|
|
|
|
|