Add HAProxy PoW challenge, simple bad bot blocking, and adjust mounts

Replace single deploy/haproxy.cfg with deploy/haproxy/{haproxy.cfg,challenge.html}. HAProxy now runs a WebCrypto-based proof-of-work challenge using a stick-table, URI normalization and a challenge backend. docker-compose mounts the haproxy directory, and also switches the site DB volume to ./db to be consistent. Update robots.txt.ts to add a honeypot path for bad bot blocking.
2026-02-08 12:50:28 -08:00 · 2026-02-08 12:50:28 -08:00 · f014330b14
commit f014330b14
parent 1162c53c8f
5 changed files with 233 additions and 45 deletions
--- a/deploy/haproxy/haproxy.cfg
+++ b/deploy/haproxy/haproxy.cfg
@ -0,0 +1,85 @@
+global
+  daemon
+  log stdout format raw local0 info
+  maxconn 2000
+  # For normalize-uri
+  expose-experimental-directives
+
+defaults
+  mode http
+  log global
+  timeout connect 5s
+  timeout client 30s
+  timeout server 30s
+  timeout check 5s
+  retries 3
+  option httplog
+  option dontlognull
+  option redispatch
+
+frontend http
+  bind :80
+  mode http
+  
+  http-request redirect scheme https unless { ssl_fc }
+
+frontend www
+  bind :443 ssl crt /certs/fullcert.pem
+  
+  # 2 general purpose tags in this stick-table (name defaults to frontend name, i.e. www)
+  stick-table type ipv6 size 1m expire 2d store gpt(2)
+  http-request track-sc0 src
+  http-request normalize-uri path-merge-slashes
+  http-request normalize-uri path-strip-dot
+  http-request normalize-uri path-strip-dotdot
+  
+  # Drop the connection immediately if the requester previously requested the honeypot path)
+  http-request silent-drop if { sc_get_gpt(0,0) gt 0 }
+  
+  # Protect all paths except /robots.txt, /.well-known/*, and /favicon.ico
+  acl unprotected_path path -m reg ^/(robots.txt|\.well-known/.*|favicon\.ico|_challenge)$
+  # Matches the default config of anubis of triggering on "Mozilla"
+  acl protected_ua hdr(User-Agent) -m beg Mozilla/
+  # Set stick table index 0 to 1 if request is for honeypot path
+  http-request sc-set-gpt(0,0) 1 if { path -m beg /blokmeplz/ }
+  http-request silent-drop if { path -m beg /blokmeplz/ }
+  
+  acl accepted sc_get_gpt(1,0) gt 0
+  http-request return status 200 content-type "text/html; charset=UTF-8" hdr "Cache-control" "max-age=0, no-cache" lf-file /usr/local/etc/haproxy/challenge.html if !unprotected_path protected_ua !accepted
+  use_backend challenge if { path -m beg /_challenge }
+  
+  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+  default_backend main
+
+backend challenge
+  mode http
+  option http-buffer-request
+  # The parameter to table must match the stick table used in the frontend.
+  http-request track-sc0 src table www
+  acl challenge_req method POST
+  http-request set-var(txn.tries) req.body_param(tries)
+  http-request set-var(txn.ts) req.body_param(ts)
+  http-request set-var(txn.host) hdr(Host),host_only
+  http-request set-var(txn.hash) src,concat(;,txn.host,),concat(;,txn.ts,),concat(;,txn.tries),sha2,hex
+  acl ts_recent date,neg,add(txn.ts) ge -60
+  # 4 is the difficulty, should match "diff" in challenge.html.
+  acl hash_good var(txn.hash) -m reg 0{4}.*
+  http-request sc-set-gpt(1,0) 1 if challenge_req ts_recent hash_good
+  http-request return status 200 if challenge_req hash_good
+  http-request return status 400 content-type "text/html; charset=UTF-8" hdr "Cache-control" "max-age=0" string "Bad request" if !challenge_req OR !hash_good
+  
+backend main
+  mode http
+  balance leastconn
+  option httpchk GET /health
+  http-check expect status 200
+
+  server badblocks-personal-site badblocks-personal-site:4321 check resolvers docker resolve-prefer ipv4 init-addr none
+  
+resolvers docker
+  nameserver dns1 127.0.0.11:53
+  resolve_retries 3
+  timeout resolve 1s
+  timeout retry 1s
+  hold valid	  10s
+  hold obsolete   30s