Thomas Lynch
fa4c437725
|
2 years ago | |
|---|---|---|
| haproxy | 2 years ago | |
| img | 3 years ago | |
| nginx | 3 years ago | |
| src | 2 years ago | |
| tor | 3 years ago | |
| .gitignore | 2 years ago | |
| LICENSE.md | 3 years ago | |
| README.MD | 2 years ago | |
| docker-compose.yml | 2 years ago | |
README.MD
HAProxy DDoS protection system
A fork and further development of a proof of concept from https://github.com/mora9715/haproxy_ddos_protector, a HAProxy configuration and lua scripts allowing a challenge-response page where users solve a captcha and/or proof-of-work. Intended to stop bots, spam, ddos, etc.
Will soon™ be accompanied by a control panel allowing to manage clusters of servers with this installed. Allowing you to add/remove/edit domains, protection rules, blocked ips, backend server IPs, etc during runtime.
Improvements in this fork:
- Add a proof-of-work element, instead of only captcha.
- Add examples and support for .onion/tor using the HAProxy PROXY protocol to provide some kind of "ip" discrimination of tor users (circuit identifiers).
- Use HAProxy http-request return to improve performance/caching for the challenge page, without an extra backend http server.
- Improved the appearance of the challenge page.
- Remove hcaptcha dns resolution hack, use proper backend address.
- Fix multiple security issues that could result in bypassing the captcha.
- Add a bucket duration for cookie validity, so valid cookies don't last forever.
- Cluster toggle, for pow mode only.
- Choose protection modes "none", "pow" or "pow+captcha" per-domain or per-domain+path, with paths taking priority.
- Whitelist IPs/subnets.
- Maintenance mode page for selected domains.
- Include dataplaneapi, to sync map files to disk if edited during runtime.
- In POW only mode, provide instructions and an encoded script to find the solution.
- Many bugfixes.
How to test
Add some env vars to docker-compose file:
- HCAPTCHA_SITEKEY - your hcaptcha site key
- HCAPTCHA_SECRET - your hcaptcha secret key
- CAPTCHA_COOKIE_SECRET - random string, a salt for captcha cookies
- POW_COOKIE_SECRET - different random string, a salt for pow cookies
- RAY_ID - string to identify the HAProxy node by
- BUCKET_DURATION - how long between bucket changes, invalidating cookies
- BACKEND_NAME - name of backend to build from hosts.map
- SERVER_PREFIX - prefix of server names used in server-template
Add a domain name + backend IP to haproxy/hosts.map like:
localhost 127.0.0.1:81
Run docker compose:
docker compose up
Visit http://localhost
DDoS-protection mode is enabled by default.
Installation
Before installing the tool, ensure that HAProxy is built with Lua support and version >=2.5 for the native httpclient support. For Debian and Ubuntu (and -based) distros, see https://haproxy.debian.net/ for packages.
- Copy haproxy.cfg to /etc/haproxy
- Edit the
lua-loaddirective to be the absolute path to register.lua - Edit the paths of sha1.js and worker.js in the
http-request returndirective to the absolut path to the respective files in the haproxy/js folder
- Edit the
- Copy dataplaneapi.hcl to /etc/haproxy
- Copy or link scripts to /etc/haproxy/scripts
- Copy or link libs to /etc/haproxy/libs (or a path where Lua looks for modules).
- Copy the map files from the haproxy folder to /etc/haproxy
Screenshot
