basic antibot feature through cookie

compile.sh

@@ -3,7 +3,7 @@
 NTASK=$(nproc)
 
 # install build dependencies
-apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev
+apk add --no-cache --virtual build autoconf libtool automake git geoip-dev yajl-dev g++ curl-dev libxml2-dev pcre-dev make linux-headers libmaxminddb-dev musl-dev lua-dev
 
 # compile and install ModSecurity library
 cd /tmp
@@ -45,6 +45,24 @@ git clone https://github.com/openresty/lua-resty-dns.git
 cd lua-resty-dns
 make install
 cd /tmp
+git clone https://github.com/bungle/lua-resty-session.git
+cd lua-resty-session
+cp -r lib/resty/* /usr/local/lib/lua/resty
+cd /tmp
+git clone https://github.com/bungle/lua-resty-random.git
+cd lua-resty-random
+make install
+cd /tmp
+git clone https://github.com/openresty/lua-resty-string.git
+cd lua-resty-string
+make install
+cd /tmp
+git clone https://github.com/openresty/lua-cjson.git
+cd lua-cjson
+make -j $NTASK
+make install
+make install-extra
+cd /tmp
 git clone https://github.com/openresty/lua-nginx-module.git
 export LUAJIT_LIB=/usr/local/lib
 export LUAJIT_INC=/usr/local/include/luajit-2.1

confs/main-lua.conf

@@ -5,11 +5,16 @@ local use_whitelist_reverse		= %USE_WHITELIST_REVERSE%
 local use_blacklist_ip			= %USE_BLACKLIST_IP%
 local use_blacklist_reverse		= %USE_BLACKLIST_REVERSE%
 local use_dnsbl				= %USE_DNSBL%
+local use_antibot_cookie		= %USE_ANTIBOT_COOKIE%
 
 -- include LUA code
 local whitelist = require "whitelist"
 local blacklist = require "blacklist"
 local dnsbl	= require "dnsbl"
+local cookie	= require "cookie"
+
+-- antibot
+local antibot_uri = "%ANTIBOT_URI%"
 
 -- check if already in whitelist cache
 if use_whitelist_ip and whitelist.ip_cached_ok() then
@@ -67,6 +72,21 @@ if use_dnsbl and not dnsbl.cached() then
 	end
 end
 
+-- cookie check
+if use_antibot_cookie then
+	if not cookie.is_set() then
+		if ngx.var.uri ~= antibot_uri then
+			cookie.set()
+			return ngx.redirect(antibot_uri)
+		end
+		return ngx.exit(ngx.HTTP_FORBIDDEN)
+	else
+		if ngx.var.uri == antibot_uri then
+			return ngx.redirect(cookie.get_uri())
+		end
+	end
+end
+
 ngx.exit(ngx.OK)
 
 }

entrypoint.sh

@@ -153,6 +153,8 @@ SELF_SIGNED_SSL_CITY="${SELF_SIGNED_SSL_CITY-Bern}"
 SELF_SIGNED_SSL_ORG="${SELF_SIGNED_SSL_ORG-AcmeInc}"
 SELF_SIGNED_SSL_OU="${SELF_SIGNED_SSL_OU-IT}"
 SELF_SIGNED_SSL_CN="${SELF_SIGNED_SSL_CN-bunkerity-nginx}"
+ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
+USE_ANTIBOT_COOKIE="${USE_ANTIBOT_COOKIE-yes}"
 
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -493,6 +495,16 @@ fi
 list=$(spaces_to_lua "$DNSBL_LIST")
 replace_in_file "/usr/local/lib/lua/dnsbl.lua" "%DNSBL_LIST%" "$list"
 
+# antibot uri
+replace_in_file "/etc/nginx/main-lua.conf" "%ANTIBOT_URI%" "$ANTIBOT_URI"
+
+# antibot via cookie
+if [ "$USE_ANTIBOT_COOKIE" = "yes" ] ; then
+	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "true"
+else
+	replace_in_file "/etc/nginx/main-lua.conf" "%USE_ANTIBOT_COOKIE%" "false"
+fi
+
 if [ "$USE_LIMIT_REQ" = "yes" ] ; then
 	replace_in_file "/etc/nginx/nginx.conf" "%LIMIT_REQ_ZONE%" "limit_req_zone \$binary_remote_addr zone=limit:${LIMIT_REQ_CACHE} rate=${LIMIT_REQ_RATE};"
 	replace_in_file "/etc/nginx/server.conf" "%LIMIT_REQ%" "include /etc/nginx/limit-req.conf;"

lua/cookie.lua

@@ -0,0 +1,22 @@
+local M         = {}
+local session   = require "resty.session"
+
+function M.is_set ()
+        local s = session.open()
+        if s and s.data.uri then
+                return true
+        end
+        return false
+end
+
+function M.set ()
+	local s = session.start()
+	s.data.uri = ngx.var.request_uri
+	s:save()
+end
+
+function M.get_uri ()
+	return session.open().data.uri
+end
+
+return M