basic antibot using javascript
This commit is contained in:
parent
6e1c43c4cd
commit
446ee3761b
|
@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
|
|||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
|
|||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -19,7 +19,7 @@ COPY fail2ban/ /opt/fail2ban
|
|||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -19,7 +19,7 @@ COPY fail2ban/ /opt/fail2ban
|
|||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -12,7 +12,7 @@ COPY fail2ban/ /opt/fail2ban
|
|||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl && \
|
||||
RUN apk --no-cache add php7-fpm certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
adduser -h /dev/null -g '' -s /sbin/nologin -D -H nginx
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
location = %ANTIBOT_URI% {
|
||||
|
||||
default_type 'text/html';
|
||||
|
||||
if ($request_method = GET) {
|
||||
content_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local javascript = require "javascript"
|
||||
if not cookie.is_set("challenge") then
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local challenge = cookie.get("challenge")
|
||||
local code = javascript.get_code(challenge, "%ANTIBOT_URI%", cookie.get("uri"))
|
||||
ngx.say(code)
|
||||
}
|
||||
}
|
||||
|
||||
if ($request_method = POST) {
|
||||
content_by_lua_block {
|
||||
local cookie = require "cookie"
|
||||
local javascript = require "javascript"
|
||||
if not cookie.is_set("challenge") then
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
ngx.req.read_body()
|
||||
local args, err = ngx.req.get_post_args(1)
|
||||
if err == "truncated" or not args or not args["challenge"] then
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
local challenge = args["challenge"]
|
||||
local check = javascript.check(cookie.get("challenge"), challenge)
|
||||
if not check then
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
cookie.set("javascript", "ok")
|
||||
cookie.save()
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,17 +1,19 @@
|
|||
access_by_lua_block {
|
||||
|
||||
local use_whitelist_ip = %USE_WHITELIST_IP%
|
||||
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
||||
local use_blacklist_ip = %USE_BLACKLIST_IP%
|
||||
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
|
||||
local use_dnsbl = %USE_DNSBL%
|
||||
local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
|
||||
local use_whitelist_ip = %USE_WHITELIST_IP%
|
||||
local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
||||
local use_blacklist_ip = %USE_BLACKLIST_IP%
|
||||
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
|
||||
local use_dnsbl = %USE_DNSBL%
|
||||
local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
|
||||
local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT%
|
||||
|
||||
-- include LUA code
|
||||
local whitelist = require "whitelist"
|
||||
local blacklist = require "blacklist"
|
||||
local dnsbl = require "dnsbl"
|
||||
local cookie = require "cookie"
|
||||
local whitelist = require "whitelist"
|
||||
local blacklist = require "blacklist"
|
||||
local dnsbl = require "dnsbl"
|
||||
local cookie = require "cookie"
|
||||
local javascript = require "javascript"
|
||||
|
||||
-- antibot
|
||||
local antibot_uri = "%ANTIBOT_URI%"
|
||||
|
@ -74,15 +76,28 @@ end
|
|||
|
||||
-- cookie check
|
||||
if use_antibot_cookie then
|
||||
if not cookie.is_set() then
|
||||
if ngx.var.uri ~= antibot_uri then
|
||||
cookie.set()
|
||||
if not cookie.is_set("uri") then
|
||||
if ngx.var.request_uri ~= antibot_uri then
|
||||
cookie.set("uri", ngx.var.request_uri)
|
||||
cookie.save()
|
||||
return ngx.redirect(antibot_uri)
|
||||
end
|
||||
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
else
|
||||
if ngx.var.uri == antibot_uri then
|
||||
return ngx.redirect(cookie.get_uri())
|
||||
if ngx.var.request_uri == antibot_uri then
|
||||
return ngx.redirect(cookie.get("uri"))
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
-- javascript check
|
||||
if use_antibot_javascript then
|
||||
if not cookie.is_set("javascript") then
|
||||
if ngx.var.request_uri ~= antibot_uri then
|
||||
cookie.set("uri", ngx.var.request_uri)
|
||||
cookie.set("challenge", javascript.get_challenge())
|
||||
cookie.save()
|
||||
return ngx.redirect(antibot_uri)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -90,3 +105,5 @@ end
|
|||
ngx.exit(ngx.OK)
|
||||
|
||||
}
|
||||
|
||||
%INCLUDE_ANTIBOT_JAVASCRIPT%
|
||||
|
|
|
@ -154,7 +154,7 @@ SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
|
|||
SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
|
||||
SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-bunkerity-nginx}"
|
||||
ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
|
||||
USE_ANTIBOT_COOKIE="${USE_ANTIBOT_COOKIE-yes}"
|
||||
USE_ANTIBOT="${USE_ANTIBOT-cookie}"
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
|
@ -499,10 +499,20 @@ replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
|
|||
replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
|
||||
# antibot via cookie
|
||||
if [ "$USE_ANTIBOT_COOKIE" = "yes" ] ; then
|
||||
if [ "$USE_ANTIBOT" = "cookie" ] ; then
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
|
||||
# antibot via javascript
|
||||
elif [ "$USE_ANTIBOT" = "javascript" ] ; then
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "true"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" "include /etc/nginx/antibot-javascript.conf;"
|
||||
replace_in_file "/etc/nginx/antibot-javascript.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
|
||||
else
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_JAVASCRIPT%" "false"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%INCLUDE_ANTIBOT_JAVASCRIPT%" ""
|
||||
fi
|
||||
|
||||
if [ "$USE_LIMIT_REQ" = "yes" ] ; then
|
||||
|
|
|
@ -1,22 +1,29 @@
|
|||
|
||||
local M = {}
|
||||
local session = require "resty.session"
|
||||
|
||||
function M.is_set ()
|
||||
local s = session.open()
|
||||
if s and s.data.uri then
|
||||
return true
|
||||
end
|
||||
return false
|
||||
local s = session.open()
|
||||
if not s then
|
||||
s = session.start()
|
||||
end
|
||||
|
||||
function M.set ()
|
||||
local s = session.start()
|
||||
s.data.uri = ngx.var.request_uri
|
||||
function M.is_set (key)
|
||||
if s.data[key] then
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
function M.set (key, value)
|
||||
s.data[key] = value
|
||||
end
|
||||
|
||||
function M.get (key)
|
||||
return s.data[key]
|
||||
end
|
||||
|
||||
function M.save ()
|
||||
s:save()
|
||||
end
|
||||
|
||||
function M.get_uri ()
|
||||
return session.open().data.uri
|
||||
end
|
||||
|
||||
return M
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
local M = {}
|
||||
local session = require "resty.session"
|
||||
|
||||
function M.get_challenge ()
|
||||
local charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIKLMNOPQRSTUVWXYZ0123456789"
|
||||
math.randomseed(os.clock()*os.time())
|
||||
local random = ""
|
||||
local rand = 0
|
||||
for i = 1, 20 do
|
||||
rand = math.random(1, #charset)
|
||||
random = random .. charset:sub(rand, rand)
|
||||
end
|
||||
return random
|
||||
end
|
||||
|
||||
function M.get_code (challenge, antibot_uri, original_uri)
|
||||
return string.format([[
|
||||
<html>
|
||||
<head>
|
||||
</head>
|
||||
<body>
|
||||
<script>
|
||||
async function digestMessage(message) {
|
||||
const msgUint8 = new TextEncoder().encode(message);
|
||||
const hashBuffer = await crypto.subtle.digest('SHA-256', msgUint8);
|
||||
const hashArray = Array.from(new Uint8Array(hashBuffer));
|
||||
const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
|
||||
return hashHex;
|
||||
}
|
||||
(async () => {
|
||||
const digestHex = await digestMessage('%s');
|
||||
xhr = new XMLHttpRequest();
|
||||
xhr.open('POST', '%s');
|
||||
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
|
||||
xhr.onload = function() {
|
||||
if (xhr.status === 200) {
|
||||
window.location.replace('%s');
|
||||
}
|
||||
};
|
||||
xhr.send(encodeURI('challenge=' + digestHex));
|
||||
})();
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
]], challenge, antibot_uri, original_uri)
|
||||
end
|
||||
|
||||
function M.check (challenge, user)
|
||||
local resty_sha256 = require "resty.sha256"
|
||||
local str = require "resty.string"
|
||||
local sha256 = resty_sha256:new()
|
||||
sha256:update(challenge)
|
||||
local digest = sha256:final()
|
||||
return str.to_hex(digest) == user
|
||||
end
|
||||
|
||||
return M
|
Loading…
Reference in New Issue