
c0nw0nk / nginx-lua-anti-ddos


An Anti-DDoS script to protect Nginx web servers using Lua, with an HTML / JavaScript based authentication puzzle inspired by Cloudflare's "I'm Under Attack" mode.

License: MIT License

Topics: cloudflare, anti-ddos, ddos, dos, denial-of-service, distributed-denial-of-service, javascript, html, anti-ddos-script, ddos-attack

nginx-lua-anti-ddos's Introduction


Cloudflare I am Under Attack Mode!

Nginx-Lua-Anti-DDoS

An Anti-DDoS script to protect Nginx web servers using Lua, with a JavaScript-based authentication puzzle inspired by Cloudflare's "I'm Under Attack" mode. I built my own Anti-DDoS authentication HTML page puzzle, integrating my Lua, JavaScript, HTML and HTTP knowledge.

Mitigate application-layer DDoS attacks using my free DDoS protection. Don't get DDoS attacked!

If you're under attack and use my script during the attack, visitors will receive an interstitial page for about five seconds while the script checks that the client can execute the JavaScript challenge, which filters out flood tools and simple bots that cannot.

This protects against many forms of application-layer DDoS and works with both HTTP and HTTPS / SSL traffic.

There is no limit on attack size built into the script; the practical ceiling is your server's own capacity to accept connections, so it complements rather than replaces network-layer filtering.

Features :

These are some of the features I built into the script so far.

Security

I am Under Attack Mode (DDoS Authentication HTML Page)

IP Address Whitelist

IP Subnet Ranges Whitelist

IP Address Blacklist

IP Subnet Ranges Blacklist

User-Agent Whitelist

User-Agent Blacklist

Protected area / restricted access: a username / password prompt to restrict access to sites / paths.

WAF (Web Application Firewall)

IPv4 and IPv6 blocking and whitelisting including subnet ranges.

User-Agent blocking and whitelisting to block bad bots and exploits / scanners (the User-Agent header is client-supplied and trivially forged, so whitelist entries for search crawlers should be paired with their published IP ranges).

Ability to inspect POST Data / Fields and block malicious POST requests / exploits.

Ability to inspect the URL for malicious content such as SQL injection and XSS attacks / exploits.

Ability to inspect query strings and arguments for malicious content / exploits.

Ability to inspect all Request Headers provided by the client connecting.

Ability to inspect cookies for exploits.
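How a subnet-range whitelist like the one listed above can be matched in Lua, as an added example that is not the project's own code: it parses IPv4 CIDR entries and tests the client address against them with plain arithmetic (no bit library), so it runs under LuaJIT / Lua 5.1 as used by OpenResty. The list entries are constructed for the example (two of them are ranges posted in an issue further down this page); IPv6 addresses are deliberately rejected rather than matched, and the helper names are my own.

```lua
-- Added example, not code from the Nginx-Lua-Anti-DDoS project.
-- IPv4 CIDR matching for an IP / subnet whitelist, in plain Lua 5.1 / LuaJIT.
-- Assumes whitelist entries are "a.b.c.d" or "a.b.c.d/prefix" strings.

local floor = math.floor

-- Dotted quad -> 32-bit unsigned value held in a Lua number (exact in a double).
-- Returns nil for anything that is not four octets in 0..255 (IPv6 included).
local function ipv4_to_number(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- "net/prefix" (a bare address counts as /32) -> network start and block size.
-- The start is normalised so "66.249.66.0/19" still means 66.249.64.0/19.
local function parse_cidr(cidr)
  local net, prefix = cidr:match("^([%d%.]+)/(%d+)$")
  if not net then net, prefix = cidr, "32" end
  prefix = tonumber(prefix)
  local n = ipv4_to_number(net)
  if not n or prefix < 0 or prefix > 32 then return nil end
  local block = 2 ^ (32 - prefix)
  return floor(n / block) * block, block
end

local function ip_in_cidr(ip, cidr)
  local n = ipv4_to_number(ip)
  local start, block = parse_cidr(cidr)
  if not n or not start then return false end
  return n >= start and n < start + block
end

-- Returns the first whitelist entry that matches the client, or nil.
local function ip_whitelisted(ip, whitelist)
  for _, entry in ipairs(whitelist) do
    if ip_in_cidr(ip, entry) then return entry end
  end
  return nil
end

-- Constructed sample list; the /20 and /19 are ranges quoted in an issue on this page.
local whitelist = { "66.102.0.0/20", "66.249.64.0/19", "203.0.113.7" }

-- In access_by_lua this would be:
--   if ip_whitelisted(ngx.var.remote_addr, whitelist) then return end  -- skip the challenge
-- Stand-alone demonstration:
assert(ip_whitelisted("66.249.66.1", whitelist) == "66.249.64.0/19")
assert(ip_whitelisted("66.249.96.1", whitelist) == nil)   -- /19 ends at 66.249.95.255
assert(ip_whitelisted("203.0.113.7", whitelist) == "203.0.113.7")
assert(ip_whitelisted("2001:db8::1", whitelist) == nil)   -- IPv6 is not handled here
assert(ip_in_cidr("66.249.66.1", "66.249.66.0/19"))       -- unaligned network is normalised

return { ip_in_cidr = ip_in_cidr, ip_whitelisted = ip_whitelisted }
```

The comparison is done on the numeric value of the address, so a whitelist entry never matches by string prefix (a list entry of "66.102.0.0/20" cannot accidentally admit 66.102.16.1). Behind a proxy, pass the real client address (for example from a trusted X-Forwarded-For value) rather than ngx.var.remote_addr.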

Caching Speed and Performance

Query String Sorting

Query String Whitelist

Query String Removal (It is a blacklist but it will just drop / remove the argument from the URL not block the request)

Minification / compression of files, removing whitespace and dead code / lines from JS JavaScript, CSS stylesheets, HTML etc.

Customization of error page responses and webpage outputs

Custom error page interception to replace them with your own error pages

Hide web application errors such as PHP errors and MySQL errors: it intercepts them and displays a custom error page instead of showing visitors sensitive information

Modify webpage outputs to replace contents on pages / files
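An added example (not the project's code) of the three query-string features above, Query String Sorting, Query String Whitelist and Query String Removal, in one function: arguments are sorted, optionally restricted to a whitelist, and a removal list is dropped without rejecting the request. The rules table shape, the function names and the sample query strings are assumptions; values are compared raw (no percent-decoding), which is enough to make a cache key order-independent.

```lua
-- Added example, not code from the Nginx-Lua-Anti-DDoS project.
-- Query-string sorting, whitelisting and removal in one pass, for plain Lua 5.1 / LuaJIT.
-- Assumes rules are passed as { allow = {...}, remove = {...} } (either key optional).

-- "a=1&b&c=x=y" -> { {key="a",value="1"}, {key="b",value=""}, {key="c",value="x=y"} }
local function split_args(query)
  local args = {}
  if not query or query == "" then return args end
  for pair in query:gmatch("[^&]+") do
    local k, v = pair:match("^([^=]*)=?(.*)$")
    if k ~= "" then
      args[#args + 1] = { key = k, value = v }
    end
  end
  return args
end

-- Returns the normalised query string: arguments sorted by name then value,
-- restricted to opts.allow when that list is given, minus anything in opts.remove.
-- Values are left percent-encoded; only the order and the set of names change.
local function normalize_query(query, opts)
  opts = opts or {}
  local allow, remove = nil, {}
  if opts.allow then
    allow = {}
    for _, k in ipairs(opts.allow) do allow[k] = true end
  end
  for _, k in ipairs(opts.remove or {}) do remove[k] = true end

  local kept = {}
  for _, arg in ipairs(split_args(query)) do
    local keep = not remove[arg.key]
    if allow and not allow[arg.key] then keep = false end
    if keep then kept[#kept + 1] = arg end
  end

  table.sort(kept, function(a, b)
    if a.key ~= b.key then return a.key < b.key end
    return a.value < b.value
  end)

  local out = {}
  for i, arg in ipairs(kept) do
    out[i] = (arg.value ~= "") and (arg.key .. "=" .. arg.value) or arg.key
  end
  return table.concat(out, "&")
end

-- In access_by_lua (or rewrite_by_lua) this rewrites the request in place:
--   ngx.req.set_uri_args(normalize_query(ngx.var.args, rules))
-- Stand-alone demonstration on constructed query strings:
assert(normalize_query("might=cat&utm_source=x&pa=myquery", { allow = { "pa", "might" } })
       == "might=cat&pa=myquery")
assert(normalize_query("b=2&a=1&fbclid=zzz", { remove = { "fbclid" } }) == "a=1&b=2")
assert(normalize_query("z&y=1") == "y=1&z")
assert(normalize_query(nil) == "")   -- ngx.var.args is nil when there is no query string

return { normalize_query = normalize_query, split_args = split_args }
```

Sorting happens after filtering, so a whitelist of two names always yields one of at most a handful of distinct cache keys regardless of what extra tracking parameters a client appends.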

Information :

If you have any bugs, issues or problems, just open an issue.

https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/issues

If you fork or make any changes to improve this or fix problems, please open a pull request for the community who also use this.

https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/pulls

Usage / Installation :

Edit the settings inside anti_ddos_challenge.lua to cater for your own unique needs, or improve my work. (Please share your solutions and additions.)

https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/blob/master/lua/anti_ddos_challenge.lua#L55

Copy the script into your Nginx configuration folder, for example:

nginx/conf/lua/

Once it is installed under your nginx/conf/ folder, add the directive below to your http block, or to a server or location block, depending on whether you want the script to run for every website on the server, for one server only, or for individual locations:

access_by_lua_file anti_ddos_challenge.lua;

ngx_lua resolves a relative path against the Nginx prefix directory (the -p path), not against the conf folder, so if the file sits in conf/lua/ write access_by_lua_file conf/lua/anti_ddos_challenge.lua; or give an absolute path; otherwise the handler will not find the file.

Example nginx.conf :

This will run for all websites on the nginx server

http {
#nginx config settings etc
access_by_lua_file anti_ddos_challenge.lua;
#more config settings and some server stuff
}

This will make it run for this website only

server {
#nginx config settings etc
access_by_lua_file anti_ddos_challenge.lua;
#more config settings and some server stuff
}

This will run in this location block only

location / {
#nginx config settings etc
access_by_lua_file anti_ddos_challenge.lua;
#more config settings and some server stuff
}
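As an added example that is not from the project's README or wiki, the three placements above combined: the script is enabled for a whole server block, and one more specific location under it is exempted. The server name, the shared-dict zone name antiddos and the /api/webhooks/ path (a machine-to-machine endpoint whose callers cannot solve a JavaScript challenge) are assumptions for illustration. The exemption works because ngx_lua uses the access_by_lua* handler of the most specific matching location, so an empty handler there replaces the one inherited from the server block; put such exemptions in their own location rather than in an if block.

```nginx
http {
    # Shared memory zone for any counters or state kept from Lua (zone name assumed).
    lua_shared_dict antiddos 10m;

    server {
        listen 80;
        server_name example.com;   # assumed vhost

        # Challenge every request to this vhost. Relative paths resolve against the
        # nginx prefix directory, so this expects the file under <prefix>/conf/lua/.
        access_by_lua_file conf/lua/anti_ddos_challenge.lua;

        location / {
            root  html;
            index index.html;
        }

        # Exempt path (assumed): a more specific location with an empty access
        # handler overrides the inherited one, so the challenge is never served
        # to webhook callers that cannot run JavaScript.
        location ^~ /api/webhooks/ {
            access_by_lua_block { return }
            proxy_pass http://127.0.0.1:8080;   # assumed upstream
        }
    }
}
```

Check the effect with two requests, curl -i http://example.com/ (expect the interstitial page) and curl -i http://example.com/api/webhooks/ping (expect the upstream's response), before relying on the exemption in production.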

Other setup options

https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/wiki

For running the script with Tor .onion services or behind Cloudflare's proxy, and for the script's configuration options, see the wiki.

Requirements :

NONE! :D You only need Nginx + Lua to use my scripts, i.e. an Nginx build that includes ngx_http_lua_module (this module provides the access_by_lua_file directive; stock distribution packages of Nginx usually do not include it).

Where can you download Nginx + Lua ?

OpenResty provides Nginx + Lua builds for Windows, Linux etc. here.

https://openresty.org/en/download.html

Nginx4windows has Windows-specific builds with Lua here.

http://nginx-win.ecsds.eu/

Or you can download the source code for Nginx here and compile Nginx yourself with Lua.

https://nginx.org/en/download.html

About :

I was inspired to create this by the Cloudflare feature "I'm Under Attack Mode" https://www.cloudflare.com/

There are similar sites and services like BitMitigate but I prefer my own script over their methods.

If you're under attack and have this feature enabled during the attack, visitors will receive an interstitial page for about five seconds while we analyze the traffic to make sure it is a legitimate human visitor.

Advanced DDoS Attack Protection

Unmetered DDoS mitigation to maintain performance and availability

Denial of Service attacks continue to grow in sophistication and force: more distributed, greater volumes of traffic, and encroaching on the application layer.

A successful attack increases unnecessary costs on your infrastructure and IT/security staff. More importantly, it hurts your revenue, customer satisfaction, and brand.

To combat attacks and stay online, you'll need a solution that's resilient, scalable and intelligent.

Mitigate a DDoS attack of any size or duration. Don't get DDoS attacked!

I love that feature so much that, on top of having it enabled on all my Cloudflare-proxied sites, I decided to build it as a feature on my own servers, so that traffic which reaches my servers without coming through Cloudflare's network is also kept in check and authenticated. (Every little helps, right?)

Thank you to @Cloudflare for the inspiration and to your community for all the love. A big thanks to the @openresty community: you guys rock, Lua rocks, you are all so awesome!

Let's build a better internet together, where speed, privacy, security and compression matter!

Here are links to my favorite communities :)

http://openresty.org/en/

https://community.cloudflare.com/

Protected attack types (the author's list; what the script itself does is challenge clients that cannot execute the JavaScript puzzle and apply the IP, User-Agent and WAF rules you configure) :

All Layer 7 Attacks
Mitigating Historic Attacks
DoS
DoS Implications
DDoS
All Brute Force Attacks
Zero day exploits
Social Engineering
Rainbow Tables
Password Cracking Tools
Password Lists
Dictionary Attacks
Time Delay
Any Hosting Provider
Any CMS or Custom Website
Unlimited Attempt Frequency
Search Attacks
HTTP Basic Authentication
HTTP Digest Authentication
HTML Form Based Authentication
Mask Attacks
Rule-Based Search Attacks
Combinator Attacks
Botnet Attacks
Unauthorized IPs
IP Whitelisting
Bruter
THC Hydra
John the Ripper
Brutus
Ophcrack
unauthorized logins
Injection
Broken Authentication and Session Management
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
And many others…

Features :

Advanced DDoS Attack Protection

My script gives you unmetered, application-layer DDoS mitigation for free, to maintain performance and availability (see the Cloudflare description quoted in the About section above).

Common Types of DDoS Attacks

Block Malicious Bot Abuse

Block abusive bots from damaging Internet properties through content scraping, fraudulent checkout, and account takeover.

Prevent Customer Data Breach

Prevent attackers from compromising sensitive customer data, such as user credentials, credit card information, and other personally identifiable information.

Layered Security Defense

A layered security approach combines multiple DDoS mitigation capabilities into one service. It prevents disruptions caused by bad traffic while allowing good traffic through, keeping websites, applications and APIs highly available and performant.

HTTP Flood (Layer 7)

HTTP flood attacks generate high volumes of HTTP GET or POST requests from multiple sources, targeting the application layer and causing service degradation or unavailability.

Defend against the largest attacks

Shared Network Intelligence / Collective Intelligence

With every new property, contributor and person using this script, your contributions make everyone's network safer: you are helping identify and block new and evolving threats across the internet.

No Performance Tradeoffs

Eliminate security-induced latency by integrating my script with your own servers. You no longer need to rely on third-party services such as Cloudflare, BitMitigate, Sucuri or other CDN / cloud distributed networks; I have given you the tool for free.

Web Application Firewall

An enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection, cross-site scripting and cross-site request forgery, and protects your existing infrastructure.

Rate Limiting

Control to block suspicious visitors

Rate Limiting protects against denial-of-service attacks, brute-force login attempts, and other types of abusive behavior targeting the application layer.

Rate Limiting provides the ability to configure thresholds, define responses, and gain valuable insights into specific URLs of websites, applications, or API endpoints. It adds granular HTTP/HTTPS traffic control. This also reduces bandwidth costs by eliminating unpredictable traffic spikes or attacks.
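An added example, not code from this project, of the threshold / response model described above implemented on top of the ngx.shared.DICT API: one counter per client IP per time window, a first overrun that lowers that IP's threshold for a period, and a second overrun while throttled that bans it. The shared-dict zone name, the thresholds in the policy table, the key names and the sample client address are assumptions; a tiny in-memory dict with the same incr / get / set semantics is included so the file also runs under plain Lua.

```lua
-- Added example, not code from the Nginx-Lua-Anti-DDoS project: a fixed-window
-- rate limiter with escalating actions (allow -> limited -> banned) on top of the
-- ngx.shared.DICT API (incr/get/set). The thresholds in `policy` are hypothetical.
-- A small in-memory dict with the same incr/get/set semantics is included so the
-- file also runs under plain Lua; in OpenResty pass ngx.shared.<zone> instead.

local floor = math.floor

-- Minimal stand-in for ngx.shared.DICT. `clock` returns the current time in seconds.
local function new_fake_dict(clock)
  local store, dict = {}, {}
  local function alive(key)
    local e = store[key]
    if e and (e.exp == 0 or e.exp > clock()) then return e end
    store[key] = nil
    return nil
  end
  -- Mirrors ngx.shared.DICT:incr(key, value, init, init_ttl) (init_ttl needs ngx_lua >= 0.10.12).
  function dict:incr(key, value, init, init_ttl)
    local e = alive(key)
    if not e then
      if init == nil then return nil, "not found" end
      e = { val = init + value, exp = (init_ttl and init_ttl > 0) and clock() + init_ttl or 0 }
      store[key] = e
      return e.val
    end
    e.val = e.val + value
    return e.val
  end
  function dict:get(key)
    local e = alive(key)
    return e and e.val or nil
  end
  function dict:set(key, value, ttl)
    store[key] = { val = value, exp = (ttl and ttl > 0) and clock() + ttl or 0 }
    return true
  end
  return dict
end

-- policy = { window, limit, limit_low, limited_ttl, ban_ttl } (seconds / requests)
-- Returns "allow", "limited" (just crossed the first threshold) or "banned".
local function check_rate(dict, ip, policy, now)
  if dict:get("ban:" .. ip) then
    return "banned"
  end
  local limited = dict:get("limited:" .. ip) ~= nil
  -- One counter per IP per window; the key's TTL lets the shared dict evict it.
  local bucket = "req:" .. ip .. ":" .. floor(now / policy.window)
  local count = dict:incr(bucket, 1, 0, policy.window)
  local limit = limited and policy.limit_low or policy.limit

  if count <= limit then
    return "allow", count
  end
  if limited then
    -- Second strike while already throttled: ban for ban_ttl seconds.
    dict:set("ban:" .. ip, 1, policy.ban_ttl)
    return "banned", count
  end
  -- First strike: lower this IP's threshold for limited_ttl seconds and restart
  -- its counter, otherwise the next request would exceed limit_low immediately.
  dict:set("limited:" .. ip, 1, policy.limited_ttl)
  dict:set(bucket, 0, policy.window)
  return "limited", count
end

-- In access_by_lua, with `lua_shared_dict antiddos 10m;` in the http block (zone name assumed):
--   local state = check_rate(ngx.shared.antiddos, ngx.var.remote_addr, policy, ngx.now())
--   if state == "banned" then return ngx.exit(ngx.HTTP_FORBIDDEN) end

-- Stand-alone demonstration with a constructed clock and client address.
local t = 1000
local dict = new_fake_dict(function() return t end)
local policy = { window = 1, limit = 5, limit_low = 2, limited_ttl = 3600, ban_ttl = 300 }
local ip, state = "198.51.100.9", nil
for _ = 1, 6 do state = check_rate(dict, ip, policy, t) end
assert(state == "limited")                 -- 6th request in one second: first strike
t = t + 1                                  -- new window, IP still throttled to 2/s
for _ = 1, 3 do state = check_rate(dict, ip, policy, t) end
assert(state == "banned")                  -- 3rd request exceeds limit_low
assert(check_rate(dict, ip, policy, t) == "banned")
t = t + policy.ban_ttl + 1                 -- ban expired, throttle still in force
assert(check_rate(dict, ip, policy, t) == "allow")

return { check_rate = check_rate, new_fake_dict = new_fake_dict }
```

Because all state lives in the shared dict, every Nginx worker sees the same counters, and the TTLs on the keys mean nothing has to be swept manually; a fixed window does allow up to 2x the limit across a window boundary, which is acceptable for a flood trigger but not for precise quota enforcement.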

Protect any Web Application

Because it runs in Nginx's access phase, this script can sit in front of any web application that Nginx serves or proxies, for example:

Drupal
WordPress
Joomla
Flash
Magento
PHP
Plone
WHMCS
Atlassian Products
Adult video script avs
KVS Kernel Video Sharing
Clip Bucket
Tube sites
Content Management Systems
Social networks
scripts
backends proxy proxies
PHP
Python
Porn sites xxx adult
gaming networks servers sites
forums
vbulletin
phpbb
mybb
smf simple machines forum
xenforo
web hosting
And many more...

Tor network / Project .onion :

You can also use this script to protect servers and sites on the Tor network, preventing DDoS on .onion links. It can help stop attacks on the deep web / dark web as well as on the mainline internet; for those who browse your site through the Tor Browser it makes sure they are legitimate users.

HTTP(S) / HTTP2 / HTTP3 / QUIC :

Yes, this script works with all of the modern internet protocols: because it runs per request inside Nginx it protects both encrypted and unencrypted connections, and traffic served over TCP as well as over UDP, the transport used by HTTP/3 / QUIC, provided your Nginx build terminates those connections.

Works with :

Nginx

Nginx + Lua

Openresty

Custom Nginx builds with Lua compiled

LiteSpeed / LiteSpeed Technologies, as can be seen here https://openlitespeed.org/kb/openlitespeed-lua-module/ ; the reason this works with LiteSpeed's Lua module is that they use the OpenResty Lua builds on their server, as explained here https://openlitespeed.org/kb/openlitespeed-lua-module/#Use

nginx-lua-anti-ddos's People

Contributors

c0nw0nk, profihost


nginx-lua-anti-ddos's Issues

Memory leak

Issue Description

Enabling the script makes nginx use 10 GB+ of RAM after a single HTTP request, making the whole system lock up.

Versions:

  • Browser(s): -
  • Nginx version: openresty/1.15.8.2
  • Operating system of web server running Nginx: Debian 4.9.168-1+deb9u5

Nginx config:

server {
    listen 443 ssl;

    access_by_lua_file /etc/openresty/anti_ddos_challenge.lua;
    location ~ /(.*)$ {
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:4090/$1?$args;
    }
}

Settings:

  • I only changed the local secret line

CPU usage

Now using the script for real DDoS mitigation. When I installed your script instead of my old code, CPU usage increased a lot.

Features Request List

Okay, I have fully tested your script. It works very well, however it is easy to bypass your script. Below I list features you should implement to provide better security.

  1. Sensor Mode (Requested Already)
  2. Reverse dns checkup on crawling bots (Google, Yahoo etc..)
  3. Random Delay in short range (Before javascript puzzle starts)
  4. Randomize more javascript puzzle
  5. Cookie validation with session (store session on server)
  6. Implement better javascript encryption (current one can be easily decoded)
  7. SpamHaus integration (Enable/Disable block user that is in spamhaus botnet database)

Optional Features:

  1. Implement a themes system so people can change the interstitial page design
  2. Config system, so people will not need to scroll over the entire file to make changes
  3. Partial Module so each module is loaded from other file it will make it easier for future changes.

404 not found error

Issue Description

After adding the Lua line to the server config the 404 occurred; as soon as I remove this line it loads index.html as usual. Is there a setting I missed?

Versions:

  • Browser(s):
  • Nginx version: openresty
  • Operating system of web server running Nginx:ubuntu

Nginx config:

http {
    include mime.types;
    default_type application/octet-stream;
    lua_shared_dict antiddos 10m; #Anti-DDoS shared memory zone

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  ***;
        #charset koi8-r;
        access_by_lua_file conf/lua/anti_ddos_challenge.lua;
        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        error_page  404              /50x.html;
    }  # closing braces added for readability; the rest of the file was not included in the report
}


add an activation protection options on a rate limiting

I think add Rate limiting options is very nice.

For example
A standard rate limit of 100 requests per second; if a user goes over that, set that user's IP address rate limit to a low value, e.g. 50 requests per second, for a time period like 3600 seconds. If that user still hits this low-value rate limit, then activate the protection (as global statistics or for a single vhost). If they don't hit the low-value rate limit, it will expire after the period in ngx.shared.DICT.
Requests more than X times in X seconds, then ban the IP in ngx.shared.DICT (403).
Requests more than X times in X seconds, then ban the IP using ipset & iptables (network-layer blocking).

In addition, for better control it should be divided into:
trigger
action

E.g
trigger: 100q/1s/ip
action: low-value-rate-limiting-50qps
period: 3600s

trigger: ip is low-value-rate-limiting and 50q/s
action: protection
period: 3600s

trigger: 10000q/3600s/ip
action: deny
period: 300s

trigger: 15000q/7200s/ip
action: deny-ipset
period: 1800s

trigger: 10q/1s/ip and uri=/api/*
action: api-delay
period: 30

trigger: 20q/1s/ip and uri=/api/*
action: api-low-value-rate-limiting-5qps
period: 3600

trigger: ip is api-low-value-rate-limiting-5qps and 5q/s
action: deny
period: 1800s

trigger: x..
action: x...
period: x....

trigger: x..
action: x...
period: x....

trigger: 20000q/86400s/ip
action: deny-ipset
period: 86400s

This looks more like a WAF.

Is it possible to disable it for specific scenario using if is evil ?

Issue Description

Lets say can i do this :

    if ($request_uri = /blabla/blabla) {
        set antiddos off;
    }

Or

    if ($request_uri = /blabla/blabla) {
        access_by_lua_file off;
    }

Something that can allow me to disable it when i need it for specific if !


local master_switch doesn't affect script execution

Master_switch doesn't seem to work

Issue Description

local master_switch = 2 does not disable the script

Versions:

  • Browser(s): chrome 87
  • Nginx version: ingress nginx helm chart 3.10.1 (NGINX 1.19.4)
  • Operating system of web server running Nginx: COS

Nginx config:

I use Kubernetes ingress-nginx.

local expire_time bug

Greetings.
Using script with tor browser 9.0.5 (based on Mozilla Firefox 68.5.0esr) (64-bit) and onion address.

local remote_addr = "tor" as settings

If I set "local expire_time" to any number less than 86400 (86399 or less), the auth page doesn't change to the website.

Contact

Sorry to ask here, but I need to talk with you!
May I have any contact?

Licence

What is this project's licence?

Md5 encryption

Will the md5 encryption method be replaced by sha256?
Since the sha256 method is considered more reliable.

Use with VESTACP

I am using VESTACP. NGINX is the reverse proxy and HTTPD is the web server.

How can I add this? I have tried adding it to nginx.conf but vestacp fails.

Bug with charset

When I translated to my Russian language, I ran into a problem with the charset, but I found a solution: setting the attribute charset="UTF-8" on line 616.

problem with install module

Hello, I'm using nginx 1.17.8 on Ubuntu Xenial and after putting in the script I get an error...

nginx: [emerg] unknown directive "access_by_lua_file" in /etc/nginx/conf.d/default.conf:11

How can I fix this?

IP whitelist for ranges doesn't work

The IP ranges I allowed below don't get whitelisted by the script!
I've tried many times but it's still not working!

Nginx config:

local ip_whitelist = {
    "66.102.0.0/20", "66.102.0.0/24", "66.102.1.0/24", "66.102.2.0/24", "66.102.3.0/24",
    "66.102.4.0/24", "66.102.8.0/23", "66.102.12.0/24", "66.249.64.0/19", "66.249.64.0/20",
    "66.249.80.0/22", "66.249.84.0/23", "66.249.88.0/24",
}


A way to check all the stuff in the background

It is actually not an issue, just a suggestion for a functionality expansion

Issue Description

Is there a way to do all the math and checks in the background without delaying the user's connection?
For example, connecting to some backend services from the frontend to minimize the noticeable connection delay for the user. And if the check fails after the connection, add this IP to the blacklist (and maybe drop the connection).

I am still exploring your beautiful work with that script and nginx capabilities.
Thank you!

hi

Tell me, how can I check JavaScript on a request through Lua, whether it is included or not?

Bandwidth and CPU drain

Any tip to reduce the CPU and bandwidth usage?

I'm currently using 2x KVM VPS in round robin with 20 and 8 cores, but with a simple attack, I reach 700 Mbit on both and 100% CPU usage.

Maybe a mitigation system that bans the hosts based on netflow could work?

If you have any suggestion please let me know

User Agent Whitelist Does Not Work

Issue Description

I've whitelisted Google but it is not working at all; Googlebot still receives a 503 error. Table code below:

local user_agent_whitelist_var = ngx.var.http_user_agent
local user_agent_whitelist_table = {
    {
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        2,
    },
    {
        "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        1,
    },
    {
        "Googlebot/2.1 (+http://www.google.com/bot.html)",
        1,
    },
    {
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3694.0 Safari/537.36 Chrome-Lighthouse",
        1,
    },
    {
        "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3694.0 Mobile Safari/537.36 Chrome-Lighthouse",
        1,
    },
    {
        "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko; Google Page Speed Insights) Chrome/27.0.1453 Mobile Safari/537.36",
        1,
    },
    {
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko; Google Page Speed Insights) Chrome/27.0.1453 Safari/537.36",
        1,
    },
    {
        "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/W.X.Y.Z‡ Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        1,
    },
    {
        "Mozilla/5.0 (compatible; Bingbot/2.0; +http://www.bing.com/bingbot.htm)",
        1,
    },
    {
        "APIs-Google (+https://developers.google.com/webmasters/APIs-Google.html)",
        1,
    },
}

Versions:

  • Browser(s):
  • Nginx version: Latest OpenResty
  • Operating system of web server running Nginx: Centos7


Settings:

Haven't changed anything.


What is the reason for the 404? All hosts are the same.

404 Not Found
openresty

server {
    listen 443 ssl;

    server_name  www.godo322.com;
    ssl on;
    ssl_certificate  /ssl/www.godo322.com.crt;
    ssl_certificate_key  /ssl/www.godo322.com.key;
    keepalive_timeout    60 ;
    access_by_lua_file anti_ddos_challenge.lua;
    location / {
        proxy_pass  https://netdisk462;
        include proxy.conf;
    }
}

How to use query_string_expected_args_only_table?

Hello,

My site has a URL style like this for the search function: http://localhost/search/?pa=myquery&might=myselectedcategory
Basically these are the only two parameters I have; how can I make the script filter out anything other than these two parameters?

currently my config looks like this:

local query_string_expected_args_only_table = {
    {
        ".*", --any site
        { --query strings to allow ONLY all others apart from those you list here will be removed from the URL
            "pa",
            "might",
        },
    },
}

which does not seem to do the trick if I just want pa and might to work.

TODO: List for myself

A TODO list of things I want to improve, and those I have already completed. 👊

Performance Optimizations

Anti-DDoS Features

  • Limit connections / max requests from an IP to a configurable number, let's say 1000 requests a second; custom paths, domains, URLs etc. can also be protected with this. Completed, to be pushed out with an update; I am going to finish the Auto feature before releasing this since it is all rolled up in one.

  • Finish building automated Anti-DDoS detection, 10% complete so far.
    Rather than manually having to turn the script on / off for certain sites, file paths etc., the script will have the intelligence to do it itself. This is something Cloudflare and similar companies also lack: by the time you notice you are under attack it is too late and your site has been down for some time; this feature will prevent that downtime.

Increase Web Application Firewall Features

  • IPv4 and IPv6 blocking and whitelisting including subnet ranges.

  • User-Agent blocking and whitelisting to block bad bots and exploits / scanners.

  • Add ability to inspect POST Data / Fields and block malicious POST requests / exploits.

  • Add ability to inspect URL for malicious content SQL/SQI Injections XSS attacks / exploits.

  • Add ability to inspect query strings and arguements for malicious content / exploits.

  • Add ability to inspect all Request Headers provided by the client connecting.

  • Add ability to inspect cookies for exploits.

Caching Speed and Performance Features

  • Query String Sorting. I was inspired by Cloudflare to build this feature and add it in; it is a really useful, cool and effective speed feature for all websites. Cloudflare charges people $3000 for it, which I think is a disgusting thing to do, so I give it to you all for free. https://blog.cloudflare.com/increasing-cache-hit-rates-with-query-string-sort/ Added ee2320e

  • Query String Whitelist Added ee2320e

  • Query String Removal (It is a blacklist but it will just drop / remove the argument from the URL not block the request) Added ee2320e

Problem integrating with tor hidden service

It is stuck in a continuous loop of the five-second countdown, then it auto-reloads and counts again

Issue Description

After setup on a whonix-nginx server, I tested on a PC. I checked the access and error logs; all is normal. But the script is stuck in a loop, please help. Thank you very much.

Versions:

  • Browser(s): Tor
  • Nginx version: 1.14.2
  • Operating system of web server running Nginx: whonix

Nginx config:

Only one line (the one in readme) is added, but the config doesn't seem to be the issue here


Doesn't work on iPhone devices

Issue Description

When accessing a protected website in the Google Chrome browser or Safari on iPhone devices, the "checking your browser" screen appears, but after 5 seconds pass it shows the same page again and again; it never lets you access the website!

Versions:

  • Browser(s): Google Chrome + safari ( i didn't try Firefox or android browsers )
  • Nginx version: 1.15.8
  • Operating system of web server running Nginx: centos 7

Nginx config:

defaults


Disable JavaScript

Hey,
is it possible to disable JavaScript?
If yes how?

Thanks for your answer in advance!

Directadmin

Hello,

Can this script run together with directadmin with nginx_apache mode?

WAF filters always end up on the default error 500 page

Hello,

First of all, thanks for your nice work, I really like this "tiny" script ;)
Anyway, I'm facing an issue I was not able to figure out myself.
I'm running this script on top of my Django application; the problem now is that every time a WAF-filtered path/file applies, or in other words gets blocked, openresty just returns the default error 500 page instead of my application's custom error page.
In my log I just see: 2020/07/25 21:32:19 [error] 69#69: *25 rewrite or internal redirection cycle while internally redirecting to "/403.html", client: 192.168.240.5, server: localhost, request: "GET /wsgi.py HTTP/1.1", host: "localhost"

nginx.conf (shortened):

```nginx
...
http {
    upstream backend {
        server 127.0.0.1:8000 max_fails=3 fail_timeout=60s;
    }
...
    server {
        listen 80;
        access_by_lua_file ddos_challenge.lua;
        aio threads=default;
...
        location @proxy_to_app {
            proxy_pass http://backend;
            aio threads;
            proxy_read_timeout     100s;
            proxy_connect_timeout  100s;
            proxy_http_version 1.1;
            proxy_redirect off;
            proxy_buffers 16 4k;
            proxy_buffer_size 2k;
            proxy_intercept_errors on;
            proxy_set_header Host $host;
            uwsgi_intercept_errors on;
            gzip on;
            gzip_min_length 1024;
            gzip_comp_level 3;
            gzip_vary on;
            gzip_disable msie6;
            gzip_proxied expired no-cache no-store private auth;
            gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
        }

        location / {
            try_files $uri @proxy_to_app;
        }
...
        error_page 412 414 416 444 495 496 497 500 501 502 504 507 /custom_error.html;
        location = /custom_error.html {
            root /app/templates/;
            internal;
        }
```

Any idea how I get my custom_error.html displayed if the WAF gets a hit?

Greetz

Nginx logging

Hi. How do I disable nginx logging for the authorisation page? I want to log requests only after authorisation.
Or how can I split the general nginx logging into 2 files: auth page and authorised requests?

Getting error 404 when loading module

Issue title

Issue Description

Hello, when I included the module I tried nginx.conf / website conf / location block.
Always the same error.

Okay, I found out I had to specify the location of the file, but now:
Strange issue: when the page loads it downloads the website content,
named "download". I think it's because I'm using a trick to rename my HTML file to have no extension.
Location block:

```nginx
location / {
    try_files $uri $uri/ @htmlext;
}

location ~ \.html$ {
    try_files $uri =404;
}

location @htmlext {
    rewrite ^(.*)$ $1.html last;
}
```

attempt to concatenate local 'tor_remote_addr' (a nil value)

```
stack traceback:
coroutine 0:
        /var/www/src/nginx_anti_ddos_challenge.lua: in function </var/www/src/nginx_anti_ddos_challenge.lua:1>
```

Versions:

  • Browser(s): doesn't matter
  • Nginx version: 1.14.2
  • Operating system of web server running Nginx: Debian 10

Nginx config:

```nginx
access_by_lua_file /var/www/src/nginx_anti_ddos_challenge.lua;
```

ip blacklist not working

Tried to ban myself as:

```lua
local ip_blacklist = {
"xx.99.0.0/18",
}
```

Logs:

```
2020/05/16 17:37:03 [warn] 1244#1244: *11 [lua] _G write guard:12: __newindex(): writing a global lua variable ('shuffle') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables
stack traceback:
        /etc/nginx/anti_ddos_challenge.lua:2454: in main chunk, client: xx.99.118.30, server: example.com, request: "GET /index.php HTTP/2.0", host: "example.com"
```

The same thing stands for ip_whitelist; it doesn't work either, as another user reported in #44.

Also, I have another question: can you provide a more friendly log output, or allow the user to somewhat log "functions" or create custom log formats, something similar to nginx?

```nginx
log_format raw 'FROM: $remote_addr  | STATUS: $status | TO: $request | CACHE: $upstream_cache_status';
```

?!

Thank you.

hello

How to add a subnet?

```lua
local ip_whitelist = {
--"127.0.0.1", --localhost
--"192.168.0.1", --localhost
}
```
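Subnet entries as asked about in the post above, and the CIDR blacklist entry that did not match in the earlier "ip blacklist not working" post: the following is an added example, not code from the nginx-lua-anti-ddos project (the script's own list matching may work differently). It parses and matches IPv4 entries in the same shape as the `ip_whitelist` / `ip_blacklist` tables, accepting both a single address and an `a.b.c.d/nn` block. The sample list is constructed from RFC 5737 documentation ranges, and the literal `"xx.99.0.0/18"` entry is kept in it to show that an entry which cannot be parsed is reported instead of silently matching nothing. It uses plain Lua 5.1 / LuaJIT arithmetic, so it runs both inside OpenResty and from the command line.

```lua
-- Added example, not code from the nginx-lua-anti-ddos project: IPv4 CIDR
-- matching for whitelist/blacklist tables written like
--   local ip_whitelist = { "198.51.100.7", "203.0.113.0/24" }
-- Pure Lua 5.1 / LuaJIT arithmetic, so it needs no bit library.

-- Convert dotted-quad IPv4 text to an integer, or nil if it is not an address.
local function ip_to_number(ip)
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- Parse "a.b.c.d" (treated as /32) or "a.b.c.d/nn" into the first address of
-- the block and the number of addresses it covers. Host bits are cleared, so
-- "203.0.113.77/24" denotes the same block as "203.0.113.0/24".
local function parse_entry(entry)
  local ip, bits = entry:match("^([%d%.]+)/(%d+)$")
  if not ip then
    ip, bits = entry, "32"
  end
  bits = tonumber(bits)
  local n = ip_to_number(ip)
  if not n or bits > 32 then return nil end
  local size = 2 ^ (32 - bits)
  return { base = n - (n % size), size = size, text = entry }
end

-- Pre-parse a list once (at module load, not per request). Returns the
-- compiled list plus the entries that were rejected: a misspelled entry
-- should be noticed, not silently match nothing.
local function compile_list(list)
  local compiled, rejected = {}, {}
  for _, entry in ipairs(list) do
    local block = parse_entry(entry)
    if block then
      compiled[#compiled + 1] = block
    else
      rejected[#rejected + 1] = entry
    end
  end
  return compiled, rejected
end

-- True (plus the matching entry) if ip falls inside any block of the list.
local function ip_in_list(ip, compiled)
  local n = ip_to_number(ip)
  if not n then return false end
  for _, block in ipairs(compiled) do
    if n >= block.base and n < block.base + block.size then
      return true, block.text
    end
  end
  return false
end

-- Constructed sample list (RFC 5737 documentation ranges); the "xx" entry
-- is deliberately unparsable so that it shows up in bad_entries.
local ip_blacklist = { "203.0.113.0/24", "198.51.100.7", "xx.99.0.0/18" }
local blacklist, bad_entries = compile_list(ip_blacklist)

-- The address to test is the one nginx saw on the socket (ngx.var.remote_addr,
-- or the realip module's result behind a trusted proxy), never a header the
-- client can set itself such as X-Forwarded-For.
local function is_blacklisted(client_ip)
  return ip_in_list(client_ip, blacklist)
end

if ngx then
  for _, entry in ipairs(bad_entries) do
    ngx.log(ngx.ERR, "ignoring unparsable ip list entry: ", entry)
  end
end

return {
  compile_list = compile_list,
  ip_in_list = ip_in_list,
  is_blacklisted = is_blacklisted,
  bad_entries = bad_entries,
}
```

With the sample list, `is_blacklisted("203.0.113.200")` and `is_blacklisted("198.51.100.7")` return true, `is_blacklisted("203.0.114.1")` and `is_blacklisted("198.51.100.8")` return false, and `bad_entries` contains only `"xx.99.0.0/18"`. Compiling the list once and comparing integers keeps the per-request cost to a short loop, which matters in an access handler that runs on every request during an attack.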
