badbl0cks
f014330b14
All checks were successful
Build And Deploy / build-and-deploy (push) Successful in 1m16s
Replace single deploy/haproxy.cfg with deploy/haproxy/{haproxy.cfg,challenge.html}.
HAProxy now runs a WebCrypto-based proof-of-work challenge using a stick-table,
URI normalization and a challenge backend. docker-compose mounts the haproxy
directory, and also switches the site DB volume to ./db to be consistent. Update robots.txt.ts to
add a honeypot path for bad bot blocking.
85 lines
3 KiB
INI
85 lines
3 KiB
INI
global
|
|
daemon
|
|
log stdout format raw local0 info
|
|
maxconn 2000
|
|
# For normalize-uri
|
|
expose-experimental-directives
|
|
|
|
defaults
|
|
mode http
|
|
log global
|
|
timeout connect 5s
|
|
timeout client 30s
|
|
timeout server 30s
|
|
timeout check 5s
|
|
retries 3
|
|
option httplog
|
|
option dontlognull
|
|
option redispatch
|
|
|
|
frontend http
|
|
bind :80
|
|
mode http
|
|
|
|
http-request redirect scheme https unless { ssl_fc }
|
|
|
|
frontend www
|
|
bind :443 ssl crt /certs/fullcert.pem
|
|
|
|
# 2 general purpose tags in this stick-table (name defaults to frontend name, i.e. www)
|
|
stick-table type ipv6 size 1m expire 2d store gpt(2)
|
|
http-request track-sc0 src
|
|
http-request normalize-uri path-merge-slashes
|
|
http-request normalize-uri path-strip-dot
|
|
http-request normalize-uri path-strip-dotdot
|
|
|
|
# Drop the connection immediately if the requester previously requested the honeypot path)
|
|
http-request silent-drop if { sc_get_gpt(0,0) gt 0 }
|
|
|
|
# Protect all paths except /robots.txt, /.well-known/*, and /favicon.ico
|
|
acl unprotected_path path -m reg ^/(robots.txt|\.well-known/.*|favicon\.ico|_challenge)$
|
|
# Matches the default config of anubis of triggering on "Mozilla"
|
|
acl protected_ua hdr(User-Agent) -m beg Mozilla/
|
|
# Set stick table index 0 to 1 if request is for honeypot path
|
|
http-request sc-set-gpt(0,0) 1 if { path -m beg /blokmeplz/ }
|
|
http-request silent-drop if { path -m beg /blokmeplz/ }
|
|
|
|
acl accepted sc_get_gpt(1,0) gt 0
|
|
http-request return status 200 content-type "text/html; charset=UTF-8" hdr "Cache-control" "max-age=0, no-cache" lf-file /usr/local/etc/haproxy/challenge.html if !unprotected_path protected_ua !accepted
|
|
use_backend challenge if { path -m beg /_challenge }
|
|
|
|
http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
|
|
default_backend main
|
|
|
|
backend challenge
|
|
mode http
|
|
option http-buffer-request
|
|
# The parameter to table must match the stick table used in the frontend.
|
|
http-request track-sc0 src table www
|
|
acl challenge_req method POST
|
|
http-request set-var(txn.tries) req.body_param(tries)
|
|
http-request set-var(txn.ts) req.body_param(ts)
|
|
http-request set-var(txn.host) hdr(Host),host_only
|
|
http-request set-var(txn.hash) src,concat(;,txn.host,),concat(;,txn.ts,),concat(;,txn.tries),sha2,hex
|
|
acl ts_recent date,neg,add(txn.ts) ge -60
|
|
# 4 is the difficulty, should match "diff" in challenge.html.
|
|
acl hash_good var(txn.hash) -m reg 0{4}.*
|
|
http-request sc-set-gpt(1,0) 1 if challenge_req ts_recent hash_good
|
|
http-request return status 200 if challenge_req hash_good
|
|
http-request return status 400 content-type "text/html; charset=UTF-8" hdr "Cache-control" "max-age=0" string "Bad request" if !challenge_req OR !hash_good
|
|
|
|
backend main
|
|
mode http
|
|
balance leastconn
|
|
option httpchk GET /health
|
|
http-check expect status 200
|
|
|
|
server badblocks-personal-site badblocks-personal-site:4321 check resolvers docker resolve-prefer ipv4 init-addr none
|
|
|
|
resolvers docker
|
|
nameserver dns1 127.0.0.11:53
|
|
resolve_retries 3
|
|
timeout resolve 1s
|
|
timeout retry 1s
|
|
hold valid 10s
|
|
hold obsolete 30s
|