Add HAProxy PoW challenge, simple bad bot blocking, and adjust mounts

Replace single deploy/haproxy.cfg with deploy/haproxy/{haproxy.cfg,challenge.html}.
HAProxy now runs a WebCrypto-based proof-of-work challenge using a stick-table,
URI normalization and a challenge backend. docker-compose mounts the haproxy
directory, and also switches the site DB volume to ./db to be consistent. Update robots.txt.ts to
add a honeypot path for bad bot blocking.

deploy/docker-compose.yml

@@ -4,7 +4,7 @@ services:
     restart: always
     container_name: badblocks-personal-site
     volumes:
-      - /srv/badblocks-personal-site/db:/db
+      - ./db:/db
     networks:
       - proxynet
     env_file:
@@ -70,7 +70,7 @@ services:
       - "${PUBLIC_IP}:443:443"
       - "${PUBLIC_IP}:8404:8404"
     volumes:
-      - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+      - ./haproxy:/usr/local/etc/haproxy:ro
       - ./certs:/certs:ro
     restart: always
     networks:

deploy/haproxy.cfg

@@ -1,43 +0,0 @@
-global
-  daemon
-  log stdout format raw local0 info
-  maxconn 2000
-
-defaults
-  mode http
-  log global
-  timeout connect 5s
-  timeout client 30s
-  timeout server 30s
-  timeout check 5s
-  retries 3
-  option httplog
-  option dontlognull
-  option redispatch
-
-frontend http
-  bind :80
-  mode http
-  
-  http-request redirect scheme https unless { ssl_fc }
-
-frontend https
-  bind :443 ssl crt /certs/fullcert.pem
-  
-  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
-  default_backend main
-
-backend main
-  balance leastconn
-  option httpchk GET /
-  http-check expect status 200
-
-  server badblocks-personal-site badblocks-personal-site:4321 check resolvers docker resolve-prefer ipv4 init-addr none
-  
-resolvers docker
-  nameserver dns1 127.0.0.11:53
-  resolve_retries 3
-  timeout resolve 1s
-  timeout retry 1s
-  hold valid	  10s
-  hold obsolete   30s

deploy/haproxy/challenge.html

@@ -0,0 +1,143 @@
+<!doctype html>
+<meta name="viewport" content="width=device-width" />
+<title>Challenge Accepted!</title>
+<style>
+  body {
+    background: #ddd;
+    color: #000;
+    margin: 0;
+    padding: 0;
+  }
+  #progress {
+    position: absolute;
+    margin: 0;
+    top: 50%%;
+    left: 50%%;
+    transform: translate(-50%%, -50%%);
+    text-align: center;
+    font-size: 125%%;
+  }
+  #progressBar {
+    font-size: 250%%;
+    user-select: none;
+  }
+  #progressBar.done {
+    transition:
+      font-size 2s linear,
+      opacity 2s linear;
+    font-size: 1000%%;
+    opacity: 0.5;
+  }
+  .animate {
+    animation: spin 2s infinite linear;
+  }
+  @keyframes spin {
+    to {
+      transform: rotate(360deg);
+    }
+  }
+  iframe {
+    display: none;
+  }
+  footer {
+    position: fixed;
+    bottom: 4px;
+    width: 100%%;
+    text-align: center;
+  }
+</style>
+<form method="post" target="post" action="/_challenge" name="challenge">
+  <input type="hidden" name="ip" value="%[src]" />
+  <input type="hidden" name="ts" value="%[date]" />
+  <input type="hidden" name="diff" value="4" />
+  <input type="hidden" name="tries" value="" />
+</form>
+<div id="progress">
+  <span id="progressText"></span>
+  <div id="progressBar"></div>
+</div>
+<iframe srcdoc="" src="about:blank" name="post"></iframe>
+<script>
+  "use strict";
+
+  async function challenge(diff, ip, ts) {
+    let te = new TextEncoder();
+    let tries = 0;
+    progressText.innerText = "✋ Checking connection, please wait";
+    progressBar.innerText = "🌀";
+    progressBar.className = "animate";
+    for (; tries < 10_000_000; tries++) {
+      let hash = await crypto.subtle.digest(
+        "SHA-256",
+        te.encode([ip, location.hostname, ts, tries].join(";")),
+      );
+      let y = new Uint8Array(hash);
+      let i = 0;
+      while (i < diff / 2) {
+        if (y[i] > 0x0f) break;
+        if (i * 2 + 1 >= diff) return tries;
+        if (y[i++] > 0) break;
+        if (i * 2 >= diff) return tries;
+      }
+    }
+  }
+
+  async function startChallenge(form) {
+    if (!("subtle" in window.crypto)) {
+      if (location.protocol !== "https:") {
+        progress.innerText =
+          "No WebCrypto support. This must be served over a HTTPS connection.";
+      } else {
+        progress.innerText =
+          "No WebCrypto support in your browser. " +
+          "This is required to pass the challenge.";
+      }
+      return;
+    }
+
+    let backoff = 0;
+    let tryOnce = (_) => {
+      if (backoff > 8) {
+        progressText.innerText =
+          "Failed to submit after several tries. Try reloading.";
+        return;
+      }
+      setTimeout(
+        async (_) => submitAnswer(form),
+        1000 * (Math.pow(2, backoff++) - 1),
+      );
+    };
+    form.addEventListener("error", tryOnce);
+    let iframe = document.querySelector("iframe");
+    iframe.addEventListener("load", (_) =>
+      location.hash.length ? location.reload() : location.replace(location),
+    );
+    tryOnce();
+  }
+
+  async function submitAnswer(form) {
+    let start = new Date();
+    let tries = await challenge(form.diff.value, form.ip.value, form.ts.value);
+    if (tries === undefined) {
+      progressText.innerText =
+        "Unable to calculate challenge. Try reloading or a different browser.";
+      progressBar.innerText = "🤯";
+      progressBar.className = "error";
+      return;
+    }
+    form.tries.value = tries;
+    progressText.innerText = "Took " + (new Date() - start) + "ms";
+    console.log(`${tries} tries.\n${progressText.innerText}`);
+    progressBar.className = "done";
+    progressBar.innerText = "✅";
+    form.submit();
+  }
+
+  window.addEventListener("load", (_) =>
+    startChallenge(document.forms.challenge),
+  );
+</script>
+<noscript
+  >Malicious scrapers break the web. To continue, you'll need JavaScript
+  enabled.</noscript
+>

deploy/haproxy/haproxy.cfg

@@ -0,0 +1,85 @@
+global
+  daemon
+  log stdout format raw local0 info
+  maxconn 2000
+  # For normalize-uri
+  expose-experimental-directives
+
+defaults
+  mode http
+  log global
+  timeout connect 5s
+  timeout client 30s
+  timeout server 30s
+  timeout check 5s
+  retries 3
+  option httplog
+  option dontlognull
+  option redispatch
+
+frontend http
+  bind :80
+  mode http
+  
+  http-request redirect scheme https unless { ssl_fc }
+
+frontend www
+  bind :443 ssl crt /certs/fullcert.pem
+  
+  # 2 general purpose tags in this stick-table (name defaults to frontend name, i.e. www)
+  stick-table type ipv6 size 1m expire 2d store gpt(2)
+  http-request track-sc0 src
+  http-request normalize-uri path-merge-slashes
+  http-request normalize-uri path-strip-dot
+  http-request normalize-uri path-strip-dotdot
+  
+  # Drop the connection immediately if the requester previously requested the honeypot path)
+  http-request silent-drop if { sc_get_gpt(0,0) gt 0 }
+  
+  # Protect all paths except /robots.txt, /.well-known/*, and /favicon.ico
+  acl unprotected_path path -m reg ^/(robots.txt|\.well-known/.*|favicon\.ico|_challenge)$
+  # Matches the default config of anubis of triggering on "Mozilla"
+  acl protected_ua hdr(User-Agent) -m beg Mozilla/
+  # Set stick table index 0 to 1 if request is for honeypot path
+  http-request sc-set-gpt(0,0) 1 if { path -m beg /blokmeplz/ }
+  http-request silent-drop if { path -m beg /blokmeplz/ }
+  
+  acl accepted sc_get_gpt(1,0) gt 0
+  http-request return status 200 content-type "text/html; charset=UTF-8" hdr "Cache-control" "max-age=0, no-cache" lf-file /usr/local/etc/haproxy/challenge.html if !unprotected_path protected_ua !accepted
+  use_backend challenge if { path -m beg /_challenge }
+  
+  http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+  default_backend main
+
+backend challenge
+  mode http
+  option http-buffer-request
+  # The parameter to table must match the stick table used in the frontend.
+  http-request track-sc0 src table www
+  acl challenge_req method POST
+  http-request set-var(txn.tries) req.body_param(tries)
+  http-request set-var(txn.ts) req.body_param(ts)
+  http-request set-var(txn.host) hdr(Host),host_only
+  http-request set-var(txn.hash) src,concat(;,txn.host,),concat(;,txn.ts,),concat(;,txn.tries),sha2,hex
+  acl ts_recent date,neg,add(txn.ts) ge -60
+  # 4 is the difficulty, should match "diff" in challenge.html.
+  acl hash_good var(txn.hash) -m reg 0{4}.*
+  http-request sc-set-gpt(1,0) 1 if challenge_req ts_recent hash_good
+  http-request return status 200 if challenge_req hash_good
+  http-request return status 400 content-type "text/html; charset=UTF-8" hdr "Cache-control" "max-age=0" string "Bad request" if !challenge_req OR !hash_good
+  
+backend main
+  mode http
+  balance leastconn
+  option httpchk GET /health
+  http-check expect status 200
+
+  server badblocks-personal-site badblocks-personal-site:4321 check resolvers docker resolve-prefer ipv4 init-addr none
+  
+resolvers docker
+  nameserver dns1 127.0.0.11:53
+  resolve_retries 3
+  timeout resolve 1s
+  timeout retry 1s
+  hold valid	  10s
+  hold obsolete   30s

src/pages/robots.txt.ts

@@ -69,6 +69,9 @@ DisallowAITraining: /
 Content-Usage: ai=n
 Allow: /
 
+User-Agent: *
+Disallow: /blokmeplz/
+
 Sitemap: ${sitemapURL.href}
 `;