testcookie-nginx-module's People

Contributors

0xfe0, cryptofuture, danteg41, kyprizel, tejblum, vvvllll


testcookie-nginx-module's Issues

Add cache-control: private

Hi

Would it be possible to add an option that adds a "cache-control: private" header to the testcookie responses? Or maybe even make it the default?

GET arg string for cookie validation

Hello,

I saw you have a setting for cookie validation which uses an argument string that is sent back to the server in order to count how many times it attempted to set the cookie.

Can't you make a mod so this works in a POST way? So we add the hidden field to the HTML?

This would be great!!!

Thank you and great work!!

Page open attempts

I use testcookie with JavaScript processing.

I noticed interesting behaviour in the logs on servers with this module. When Firefox version 44 is opened, it happens that no page is open at all, yet there are attempts to open sites in the logs. Later I found that this is caused by the "frequently visited pages" list.

According to my analysis, on such request attempts the JavaScript runs but the cookie is not accepted, and the result is an infinite loop, which can make people doubt the module.

It would be good to add a note about this. I also suggest letting the request bypass the module after a certain number of attempts.

Redirect loop.

Hello.
We use your module, many thanks for it.
But the following problem occurs:
For no apparent reason, some users get an endless redirect loop.
It looks like this:

217.118.79.39 - - [19/Feb/2018:05:28:43 +0100] "GET / HTTP/1.1" 200 990 domain.ru "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0 Mobile/15C153 Safari/604.1" "-"
217.118.79.39 - - [19/Feb/2018:05:28:43 +0100] "GET /?test_42=1 HTTP/1.1" 301 178 domain.ru "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0 Mobile/15C153 Safari/604.1" "-"
217.118.79.39 - - [19/Feb/2018:05:28:43 +0100] "GET / HTTP/1.1" 200 990 domain.ru "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0 Mobile/15C153 Safari/604.1" "-"
217.118.79.39 - - [19/Feb/2018:05:28:44 +0100] "GET /?test_42=1 HTTP/1.1" 301 178 domain "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_1 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Version/11.0 Mobile/15C153 Safari/604.1" "-"

And so on forever.
Everything has been checked on the user's side, all is fine.
On the same device, if the IP is changed, everything is fine.
If the problem IP is given to another device, the problem remains.
Apparently it is tied to the IP.

Config:

testcookie off;
testcookie_name FOR;
testcookie_secret secret;
testcookie_session $remote_addr;
testcookie_arg test_42;
testcookie_max_attempts 2;

#setting fallback url
testcookie_fallback http://$host/cookies.html;

testcookie_get_only on;

testcookie_redirect_via_refresh on;
testcookie_refresh_encrypt_cookie on;
testcookie_refresh_encrypt_cookie_key random;
testcookie_refresh_encrypt_cookie_iv random2;
testcookie_refresh_template '<html><head><meta charset="utf-8"></head><noscript><center>You need to enable <a href="https://yandex.ru/support/common/browsers-settings/browsers-java-js-settings.html">js</a> support in your browser to visit this site.</center></noscript><body><script type=\"text/javascript\" src=\"/aes.min.js\" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("$testcookie_enc_key"),b=toNumbers("$testcookie_enc_iv"),c=toNumbers("$testcookie_enc_set");document.cookie="FOR="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";location.href="$testcookie_nexturl";</script></body></html>';

location = /aes.min.js {
    gzip on;
    gzip_min_length 1000;
    gzip_types text/plain;
    root /usr/share/nginx/html;
}

location = /cookies.html {
    root /usr/share/nginx/html;
}

Please help, we have been unable to figure it out ourselves for a week.
CentOS Linux release 7.3.1611

testcookie on/off does not work inside if

Task:
disable testcookie for the YandexBot user agent

Solution:
if the user agent matches, set the variable goodbot to 1
If goodbot = 1, disable testcookie

The documentation says testcookie can be configured in the if context, but this does not work and it stays enabled anyway.

We definitely enter the if block; this was checked both by logging the variable and by adding, for example, return 200 inside the if.

What is wrong?

Configuration:

http {
    ..
    map $http_user_agent $goodbot {
        default 0;
        ~*(YandexBot) 1;
    }

}

server {
    ...

    testcookie off;
    testcookie_name BPC;
    testcookie_secret secret;
    testcookie_session $remote_addr;
    testcookie_arg attempt;
    testcookie_max_attempts 3;
    testcookie_fallback /cookies.html?backurl=http://$host$uri?$query_string;
    testcookie_get_only on;
    testcookie_redirect_via_refresh on;
    testcookie_refresh_template '<script>document.cookie="BPC=$testcookie_set";location.href="$testcookie_nexturl";</script>';

    testcookie_whitelist {
        8.8.8.8/32;
    }

    location / {
        testcookie on;
        if ( $goodbot = 1 ) {
            testcookie off;
        }
    }
    location = /cookies.html {
        root /home/nginx/html;
    }
}

Bad content-type header length on custom redirect

Hi,
I've found a problem with the content-type length on custom redirections.
Because of this problem, custom redirects are broken: web browsers can't receive the text/html content type (so the file is displayed/downloaded as an octet-stream binary file).

r->headers_out.content_type_len = sizeof("text/html") - 1;

instead of :

r->headers_out.content_type.len = sizeof("text/html") - 1;

Fork/Commit with the correct content_type.len : LoadLow@bc81456

Error while make on debian 7.6 nginx 1.2.1

Does the module support nginx 1.2.x?
On my Debian 7.6:
-o objs/addon/src/ngx_http_testcookie_filter_module.o
/home/anubis/downloads/testcookie-nginx-module-master/src/ngx_http_testcookie_filter_module.c
/home/anubis/downloads/testcookie-nginx-module-master/src/ngx_http_testcookie_filter_module.c: In function ‘ngx_http_testcookie_get_uid’:
/home/anubis/downloads/testcookie-nginx-module-master/src/ngx_http_testcookie_filter_module.c:1218:17: error: implicit declaration of function ‘ngx_radix128tree_find’ [-Werror=implicit-function-declaration]
/home/anubis/downloads/testcookie-nginx-module-master/src/ngx_http_testcookie_filter_module.c:1218:22: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
/home/anubis/downloads/testcookie-nginx-module-master/src/ngx_http_testcookie_filter_module.c: In function ‘ngx_http_testcookie_whitelist_block’:
/home/anubis/downloads/testcookie-nginx-module-master/src/ngx_http_testcookie_filter_module.c:1988:5: error: implicit declaration of function ‘ngx_radix128tree_insert’ [-Werror=implicit-function-declaration]
/home/anubis/downloads/testcookie-nginx-module-master/src/ngx_http_testcookie_filter_module.c: In function ‘ngx_http_testcookie_whitelist’:
/home/anubis/downloads/testcookie-nginx-module-master/src/ngx_http_testcookie_filter_module.c:2063:19: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
/home/anubis/downloads/testcookie-nginx-module-master/src/ngx_http_testcookie_filter_module.c:2070:13: error: implicit declaration of function ‘ngx_radix128tree_delete’ [-Werror=implicit-function-declaration]
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/src/ngx_http_testcookie_filter_module.o] Error 1
make[1]: Leaving directory `/home/anubis/src/nginx-1.2.1'
make: *** [build] Error 2

Ability to specify custom http code code for testcookie_redirect_via_refresh enabled mode

Hello!

Thanks for nice toolkit!

We are using testcookie_redirect_via_refresh mode and we want to tell search engines to try later (with a 503 code) while the test cookie is enabled. We are a huge site and search engines are very important for us.

We know about the whitelist, but it's not a unified way: we could miss some subnet of SE bots and they would index broken content (the page with the redirection code) instead of the real content.

We use the test cookie mitigation only when an attack arrives and switch it off when it finishes. So we want some way to specify a custom HTTP code and ask SE bots to check us later (when the attack finishes).

What do you think about this idea?

Whitelisting huge IP list with "map" problematic

I have tried to whitelist a huge IP list (Google, Yandex, etc.) using map and it doesn't work if you have "100.43.64.0/20", for example.

However, if you use

testcookie_whitelist {
100.43.64.0/20;
}

it works, but even so problems appear when you have over 500 IPs in there...

What solution is there? Google+Bing+Yandex = over 1000 IPs and a whitelist is really necessary...

Maybe "map" would work faster and better if subnets worked?

a small question

two sites (1.com, 2.com) both use testcookie
1.com/1.htm
<html>
<script src=2.com/1.js></script>
</html>

I request 1.com/1.htm

so 2.com will not get the cookie and 2.com is sealed off

This seems to be where something is wrong

testcookie fails for certain IP addresses

I have been trying out this module for a little while now, and just yesterday noticed some rather strange behavior. When I enable testcookie for a particular location there are certain clients that always fail the test no matter what. It appears to be based on the session identifier, because I am able to get it working by either changing the client's IP address or by changing testcookie_session to something other than $remote_addr (in this case, I used $remote_addr$http_user_agent as suggested in the docs). My concern is that while I may have gotten those particular clients to work, I don't have a good way to tell if I just shifted the problem somewhere else. Is it possible there is a certain cookie value that fails every time?

At the time we noticed this, there were 3 distinct IPs that experienced the problem, but of course there were likely more since the odds of us having the only three addresses that do not work is pretty slim. Unfortunately I don't have a simple way to test every address/useragent combination to see what works and what does not. Any ideas what might be going on?

Ability to set a status for a custom response template

For a configuration with a custom HTML template it would be nice to be able to set the HTTP response status. Currently the default status is 200. Potentially this can lead to search bots that are not included in testcookie_whitelist caching the custom page.

Testcookie strips headers

With the testcookie module enabled at the server level, outgoing headers from the backend are stripped

header("x-my-custom-header: OK");

The client does not receive this header. When the testcookie parameter is set to off, the application starts working correctly.

Compilation error on Debian 6

-o objs/addon/src/ngx_http_testcookie_filter_module.o
/usr/src/kyprizel-testcookie-nginx-module-3ab5a4c/src/ngx_http_testcookie_filter_module.c
cc1: warnings being treated as errors
/usr/src/kyprizel-testcookie-nginx-module-3ab5a4c/src/ngx_http_testcookie_filter_module.c: In function ‘ngx_http_testcookie_get_uid’:
/usr/src/kyprizel-testcookie-nginx-module-3ab5a4c/src/ngx_http_testcookie_filter_module.c:1094: error: unused variable ‘sin6’
make[1]: *** [objs/addon/src/ngx_http_testcookie_filter_module.o] Error 1
make[1]: Leaving directory `/usr/src/custom/nginx-1.1.0'
make: *** [install] Error 2

**** Installation failed. Aborting package creation.

Please help me - can I use this on CentOS 6

Hi, thanks for your work

I want to use this great anti-DDoS module
but it is not working on my system
My system is CentOS 6 + nginx 1.4.4
The error message is this:

$ /etc/init.d/nginx start
Starting nginx: /bin/bash: line 1: 2903 Segmentation fault (core dumped) /usr/sbin/nginx -c /etc/nginx/nginx.conf
[FAILED]

nginx configure option

./configure --user=nobody --group=nobody --prefix=/usr/share --sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log \
--pid-path=/var/log/run/nginx.pid --lock-path=/var/log/lock/subsys/nginx --with-http_ssl_module --with-http_realip_module \
--with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_gzip_static_module \
--with-http_stub_status_module --with-http_perl_module --with-mail_ssl_module --with-http_mp4_module --with-mail \
--with-openssl=/usr/local/src/openssl-0.9.8y --with-openssl-opt=enable-tlsext --add-module=/usr/local/src/nginx-sflow-module-0.9.8 \
--add-module=/usr/local/src/modsecurity-2.8.0/nginx/modsecurity/ \
--add-module=/usr/local/src/testcookie-nginx-module

thanks for your Help

User sometimes gets the page cookies.html, despite the fact that cookies are enabled.

If the user opens the page and refreshes it from time to time, then in the end he will get the page cookies.html, despite the fact that cookies are enabled.

Example:
5.76.194.133 - [11/Jul/2015:13:01:23 +0600] "GET /page.php?lng=1 HTTP/1.1" 307 186
5.76.194.133 - [11/Jul/2015:13:01:25 +0600] "GET /page.php?lng=1&attempt=1 HTTP/1.1" 200 12740
5.76.194.133 - [11/Jul/2015:14:33:38 +0600] "GET /page.php?lng=1&attempt=1 HTTP/1.1" 307 186
5.76.194.133 - [11/Jul/2015:14:33:41 +0600] "GET /page.php?lng=1&attempt=2 HTTP/1.1" 200 12740
5.76.194.133 - [11/Jul/2015:20:30:31 +0600] "GET /page.php?lng=1&attempt=2 HTTP/1.1" 307 186
5.76.194.133 - [11/Jul/2015:20:30:32 +0600] "GET /page.php?lng=1&attempt=3 HTTP/1.1" 200 12740
5.76.194.133 - [11/Jul/2015:20:38:17 +0600] "GET /page.php?lng=1&attempt=3 HTTP/1.1" 307 186
5.76.194.133 - [11/Jul/2015:20:38:17 +0600] "GET /cookies.html?backurl=http://***.com/page.php?lng=1&attempt=3 HTTP/1.1" 200 289

How to fix this issue?

max_attempts config value is initialized incorrectly

max_attempts, according to the docs, should have a default value of 5.
However, it is being initialized to NGX_CONF_UNSET:
(line 1402)
conf->max_attempts = NGX_CONF_UNSET;
(line 1443)
ngx_conf_merge_value(conf->max_attempts, prev->max_attempts, NGX_CONF_UNSET);

This can cause unexpected behavior (redirecting all users to the fallback URL, or 403) when no explicit testcookie_max_attempts is stated in the config (my case :)):
(lines 540-557)
if (attempt >= conf->max_attempts) {
    r->keepalive = 0;
    if (conf->fallback.len == 0) {
        return NGX_HTTP_FORBIDDEN;
    }
    if (conf->fallback_lengths != NULL && conf->fallback_values != NULL) {
        if (ngx_http_script_run(r, &compiled_fallback, conf->fallback_lengths->elts, 0,
                                conf->fallback_values->elts) == NULL) {
            return NGX_ERROR;
        }
        buf = compiled_fallback.data;
        len = compiled_fallback.len;
    } else {
        buf = conf->fallback.data;
        len = conf->fallback.len;
    }
    goto redirect;
}

one time 307,then 200 OK

New install, nginx 1.10.2 + CentOS 6.5

curl -IL http://47.91.179.176 -H "host:www.655644633.com"

HTTP/1.1 307 Temporary Redirect
Server: TFCDN-1.10.2
Date: Tue, 14 Feb 2017 12:34:59 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 187
Connection: keep-alive
Keep-Alive: timeout=120
Set-Cookie: toffscdn_48c61463-8526-4877-85da-8bd34c06882a=d8818df614d5a2ae479c78731ab15d4b; path=/
Location: http://www.655644633.com/?_tfcdnCCID=1
Expires: Tue, 14 Feb 2017 12:34:58 GMT
Cache-Control: no-cache
ACDN-Toffstech-Version: 2017
X-Remote-Addr: 220.255.95.68

HTTP/1.1 200 OK
Server: TFCDN-1.10.2
Date: Tue, 14 Feb 2017 12:34:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 176
Connection: keep-alive
Keep-Alive: timeout=120
Last-Modified: Mon, 30 May 2016 19:31:44 GMT
ETag: "20e071f-b0-534144e79c528"
Accept-Ranges: bytes
Expires: Tue, 14 Feb 2017 12:34:58 GMT
Cache-Control: no-cache
ACDN-Toffstech-Version: 2017
X-Remote-Addr: 220.255.95.68

conf:

server
{
    listen 80;
    listen 443 ssl;
    ................

    testcookie on;
    testcookie_name TFCDNCK_48c61463-8526-4877-85da-8bd34c06882a;
    testcookie_arg tfcdnCCID;
    testcookie_secret 48c61463-8526-4877-85da-8bd34c06882a;
    testcookie_session $remote_addr$http_user_agent;

    ..............
    location /
    {
        include /ALSvrMrg/SoftProgram/nginx/conf/_c_proxy.conf;

        proxy_no_cache 1;
        expires -1;
        proxy_pass http://a_23d961d4-0c42-454f-a36b-ff753ba8a7d8;
        break;
    }
    location ~* /purge(/.*)
    {
    ..................

Double GET parameters in Location

Hello!

It seems that there are double GET parameters in Location after setting the cookie, example:
telnet www.example.com 80

Trying XX.XX.XX.XX...
Connected to www.example.com.
Escape character is '^]'.
GET /?w=1 HTTP/1.1
Host: www.example.com

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.7.6
Date: Mon, 24 Nov 2014 16:13:08 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: testcookie_cookie=a4f54fe30b2b540198a947af9861a34a; path=/
Location: http://www.example.com/?w=1?w=1

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>

testcookie_refresh_template named location

Would it be possible to request a feature?

It would be great if testcookie_refresh_template could be set from a subrequest to a named location.

Use Case: Subrequest can take variables and supply them to an external script via fastcgi / proxy_pass to produce a heavily encoded version of the script.

testcookie_path

Question withdrawn, I figured it out ;) Many thanks for this module, together with caching it is a very powerful thing ;)

Statistics

Please implement statistics of blocked bots, i.e. IP address, user-agent and which page the bot tried to reach.
More precisely, log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                                '$status $body_bytes_sent "$http_referer" '
                                '"$http_user_agent" "$http_x_forwarded_for"';

I am thinking of creating a separate log file with such a list.
If the bot could not reach the page, the error the system returns to it also needs to be logged. By default the bot seems to be given a 302 error.

Question about the testcookie_internal parameter

https://github.com/kyprizel/testcookie-nginx-module#testcookie_internal

The description says "POST requests will be bypassed". Most likely this is a typo.
But what exactly does it mean that internal redirects are disabled by default for optimization? Is the cookie check invoked on every internal redirect, so that instead of once the cookie is checked as many times as there are redirects, plus one? And is the symmetric encryption performed on every check? Or is the encrypted value cached?

testcookie_internal
syntax: testcookie_internal (on|off);
default: off
context: http, server, location
Process only GET requests, POST requests will be bypassed. Enable testcookie check for internal redirects (disabled by default for optimization purposes!), useful for this type of configs:
rewrite ^/(.*)$ /index.php?$1 last;

Thanks in advance for the answer. And thank you for your contribution to open source.

$testcookie_ok - Log Load

Hello,

Is there a way for you to add a variable that can be used inside vhost settings, to avoid logging to access_log all the entries which have $testcookie_ok != 'yes'?

It would help with log load, this way the log entries generated by bots are not recorded.

Thank You !

Looking for some way to know when user passed testcookie validation correctly

Hello!

I'm looking for some way to check if a user passed testcookie validation. With this knowledge I want to build a static banlist from testcookie output, deploy it with the iptables ipset module and move malicious traffic away from nginx.

I've found debug log messages about validation progress, but they only work when nginx is compiled in debug mode.

Could you offer an nginx variable with the validation result for the request? I'm interested in both positive and negative results.

TestCookie whitelist still not working.

When I try to install it I use this:
./configure --with-http_realip_module --add-module=/root/testing/testcookie-nginx-module-master

on nginx 1.5.2, and when I do make and make install and then run
nginx -V
it doesn't show the module, nor does it work. testcookie still works after that.

You told me to install the http_realip module but it isn't installing correctly and there really aren't any tutorials, could you please help?

Fail2ban

I love this module, it's just awesome, I really love it, but I also need fail2ban to block the tons of IP addresses which are sending tons of requests. Before, I did it with fail2ban and req-limit in nginx; that worked fine, but now I'm facing an issue. My website loads tons of different files when a legit user views my board, so I placed the req limit in the php location, since each request only loaded 1 php file. Now I can't find any way to use the req-limit properly with the cookie check. As an example:

I'm requesting domain.com/index.php and the cookie check page shows up instead of index.php, but the access log logs the index.php request. Now the req-limit module would still work, but for example if they request just domain.com, the cookie page will also show up and the req-limit won't work, since it's only in the php location. I'm unable to place it in the / location, because it would block legit users later on. Is there any way to send them, for example, to domain.com/cookie.html while the cookie is being checked & set?

nginx 1.10.3 with openssl-1.1.0e compilation issues

When compiling subj with testcookie-nginx-module, cc failed with this error:

cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g '-D FD_SETSIZE=32768' -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/src/openssl-1.1.0e/.openssl/include -I objs -I src/http -I src/http/modules -I src/http/v2
-o objs/addon/src/ngx_http_testcookie_access_module.o
/usr/src/testcookie-nginx-module/src/ngx_http_testcookie_access_module.c
cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g '-D FD_SETSIZE=32768' -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/local/src/openssl-1.1.0e/.openssl/include -I objs
-o objs/ngx_modules.o
objs/ngx_modules.c
/usr/src/testcookie-nginx-module/src/ngx_http_testcookie_access_module.c: In function 'ngx_http_testcookie_enc_set_variable':
/usr/src/testcookie-nginx-module/src/ngx_http_testcookie_access_module.c:929:33: error: storage size of 'evp_ctx' isn't known
EVP_CIPHER_CTX evp_ctx;
^
/usr/src/testcookie-nginx-module/src/ngx_http_testcookie_access_module.c:929:33: error: unused variable 'evp_ctx' [-Werror=unused-variable]
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/src/ngx_http_testcookie_access_module.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory `/usr/local/directadmin/custombuild/nginx-1.10.3'
make: *** [build] Error 2

TestCookie Whitelist

So by default the TestCookie whitelist whitelists IPs from $remote_addr; however, I need to set it up so that it whitelists $http_x_forwarded_for IPs. Could you tell me how to modify it, before or after (preferably after) installation, to do this?

not log info

We tested this module, everything is normal, many thanks to the contributors.

Only it does not log info: I cannot find any 302/307 in the log files. This is my log config:

http{
    ..........
    log_format test '{S;}$remote_addr{S;}$remote_user{S;}$time_local{S;}'
                    '$request{S;}$status{S;}$body_bytes_sent{S;}$bytes_sent{S;}'
                    '$http_referer{S;}$http_user_agent{S;}$gzip_ratio{S;}'
                    '$upstream_connect_time{S;}$upstream_response_time{S;}$host';

    access_log syslog:server=52.76.xx.xx:5569,facility=local7,tag=nginx,severity=debug test;
    ..........
..........

rewrite + internal on causes duplicate query string

If I have rewrite ^/blog/([0-9]+)$ /blog.php?post_id=$1 last;, enabling internal will make the redirected URL /blog/1?post_id=1&attempt=1, which internally turns into /blog.php?post_id=1&post_id=1&attempt=1.

Is it possible to add an option to not append anything to the request URI other than the attempt testcookie arg?
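Added example, not code from testcookie-nginx-module or from nginx, covering this report and the earlier "Double GET parameters in Location" one: it builds the redirect target that carries the attempt counter without duplicating the query string. `buggyRedirect` is a hypothetical reconstruction of the 302 symptom, not the module's source; `simulateBlogRewrite` assumes nginx's documented rewrite behaviour of appending the request's original args after a replacement that already carries a query; all inputs are constructed.

```javascript
// Added example (not code from testcookie-nginx-module or nginx): building the
// redirect target that carries the attempt counter without duplicating the
// query string. Inputs below are constructed to match the two reports above.

// "/a?b=1" -> { path: "/a", query: "b=1" }
function splitTarget(target) {
  const i = target.indexOf("?");
  return i === -1
    ? { path: target, query: "" }
    : { path: target.slice(0, i), query: target.slice(i + 1) };
}

// Hypothetical reconstruction of the 302 symptom, not the module's source:
// re-appending the args to a target that still contains "?args".
function buggyRedirect(target) {
  const { query } = splitTarget(target);
  return query === "" ? target : `${target}?${query}`;
}

// Correct form: parse the query once, set (not append) the attempt arg, then
// re-serialize. URLSearchParams.set replaces an existing key, so "attempt=2"
// becomes "attempt=3" rather than "attempt=2&attempt=3".
function redirectWithAttempt(target, argName, attempt) {
  const { path, query } = splitTarget(target);
  const params = new URLSearchParams(query);
  params.set(argName, String(attempt));
  return `${path}?${params.toString()}`;
}

// Simulates `rewrite ^/blog/([0-9]+)$ /blog.php?post_id=$1 last;`. nginx
// appends the request's original args after the replacement's own args when
// the replacement carries a query (documented rewrite behaviour unless the
// replacement ends in "?").
function simulateBlogRewrite(target) {
  const { path, query } = splitTarget(target);
  const m = /^\/blog\/([0-9]+)$/.exec(path);
  if (m === null) return target;
  const rewritten = `/blog.php?post_id=${m[1]}`;
  return query === "" ? rewritten : `${rewritten}&${query}`;
}

// Each case pairs the observed symptom with the target a correct build gives.
function redirectDemo() {
  return {
    // "Double GET parameters in Location": GET /?w=1 -> Location .../?w=1?w=1
    buggy302: buggyRedirect("/?w=1"),
    fixed302: redirectWithAttempt("/?w=1", "attempt", 1),
    // access-log sample on this page: attempt=2 is bumped to attempt=3, not appended twice
    bumped: redirectWithAttempt("/page.php?lng=1&attempt=2", "attempt", 3),
    // "rewrite + internal": building from the post-rewrite args (post_id=1) and
    // then passing through the rewrite again duplicates post_id
    internalBug: simulateBlogRewrite(redirectWithAttempt("/blog/1?post_id=1", "attempt", 1)),
    // building from the client's original target (/blog/1, no args) does not
    internalFixed: simulateBlogRewrite(redirectWithAttempt("/blog/1", "attempt", 1)),
  };
}

console.log(redirectDemo());
```

The point of the last two cases is which query string the redirect is built from: once a `rewrite ... last` has run, the request's args are the rewrite's args, so a redirect built from them and then re-rewritten carries `post_id` twice; building from the target the client actually sent keeps only the attempt counter.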

Subdomains

Hi, why do subdomains result in a different cookie hash? (You can't access resources from different domains, e.g. test.com/index.php trying to access content from subdomain.test.com/test2.php.)

Head

Does it work for HEAD requests? It seems not...

Cookie doesn't get set

Hi!

For some users it happens in every browser that no cookie gets set.

It looks like the plugin doesn't add the iv and key to the source code. Any idea how to fix it?

patch aes.min.js & aes.patch

Hi, thanks for your module, it's perfect!

I tried to patch my file 'aes.min.js' on CentOS 7 64-bit

# ls -l
78a66859739b0c9e18bc5b4538c03bf9  aes.min.js
31f62873d818bc2cdc89be85d0e5f649  aes.patch
# yum install -y patch
# patch -l aes.min.js < aes.patch
patching file aes.min.js
Hunk #1 FAILED at 767 (different line endings).
Hunk #2 FAILED at 783 (different line endings).
2 out of 2 hunks FAILED -- saving rejects to file aes.min.js.rej
# ls -l
78a66859739b0c9e18bc5b4538c03bf9  aes.min.js
78a66859739b0c9e18bc5b4538c03bf9  aes.min.js.orig
31f62873d818bc2cdc89be85d0e5f649  aes.min.js.rej
31f62873d818bc2cdc89be85d0e5f649  aes.patch

I use your configs 1-2-3-4 and they all work, but not 5: https://github.com/kyprizel/testcookie-nginx-module/blob/master/doc/usecases.txt
5. HTTP GET flood, bots accept HTTP response headers, and can parse HTML, then decrypt cookies client-side, but w/o JS emulation

testcookie_refresh_template '<html><body>setting cookie...<script type=\"text/javascript\" src=\"/aes.min.js\" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers({use your favorite JS obfuscator to hide key value here}),b=toNumbers({use your favorite JS obfuscator to hide key value here}),c=toNumbers("$testcookie_enc_set");document.cookie="BPC="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";location.href="$testcookie_nexturl";</script></body></html>';
seems not to be working
It only shows in Chrome:
setting cookie...

?? Can you give advice? Thanks!

End of file aes.min.js

    unpadBytesOut: function(data) {
        var padCount = 0;
        var padByte = -1;
        var blockSize = 16;
        if (data.length > 16) {
        for (var i = data.length - 1; i >= data.length-1 - blockSize; i--) {
            if (data[i] <= blockSize) {
                if (padByte == -1)
                    padByte = data[i];
                if (data[i] != padByte) {
                    padCount = 0;
                    break;
                }
                padCount++;
            } else
                break;
            if (padCount == padByte)
                break;
        }
        if (padCount > 0)
            data.splice(data.length - padCount, padCount);
        }
    }
    /*
     * END MODE OF OPERATION SECTION
     */
};

End of file aes.patch:

--- aes.min.js  2012-05-05 22:03:32.000000000 +0400
+++ aes.min.new.js  2012-05-05 22:15:46.000000000 +0400
@@ -767,6 +767,7 @@
        var padCount = 0;
        var padByte = -1;
        var blockSize = 16;
+        if (data.length > 16) {
        for (var i = data.length - 1; i >= data.length-1 - blockSize; i--) {
            if (data[i] <= blockSize) {
                if (padByte == -1)
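Review bot: the added `if (data.length > 16) {` exempts a one-block result from unpadding entirely, which is what a cookie decrypted as a single AES block needs (the refresh templates on this page hex-encode the decrypted bytes into a 32-character cookie, so stripping a trailing 0x01 as "padding" would hand the server a 30-character value), but it also means a genuinely padded one-block plaintext keeps its pad bytes, so the patched aes.min.js is no longer a general PKCS#7 decoder. Put that assumption on the inserted line, e.g. `if (data.length > 16) { // testcookie: single unpadded block, never strip`, so nobody reuses the patched file for padded data.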
@@ -783,6 +784,7 @@
        }
        if (padCount > 0)
            data.splice(data.length - padCount, padCount);
+        }
    }
    /*
     * END MODE OF OPERATION SECTION
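Review bot: this hunk only supplies the closing brace for the block opened in hunk 1, so the two hunks must apply together; the `Hunk #1 FAILED ... (different line endings)` / `Hunk #2 FAILED` output in the transcript above shows neither did, and since `aes.min.js.rej` has the same checksum as `aes.patch` and `aes.min.js` the same as its `.orig`, the file was left untouched. `patch -l` did not help because it relaxes whitespace within lines, not the line terminator; normalise one side first (for example `dos2unix aes.min.js`, or regenerate the patch against the CRLF file) and re-apply.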
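As an added example, not code from testcookie-nginx-module or from slowAES itself, the unpadBytesOut routine listed above is run with and without the `data.length > 16` guard that aes.patch adds, on constructed byte arrays. The tie to the "Cookie doesn't get set" and "testcookie fails for certain IP addresses" reports is an inference, not something those posts state: the cookie the module sets is 32 hex characters (16 bytes, as in the Set-Cookie header quoted earlier on this page) and the refresh templates hex-encode whatever `slowAES.decrypt` returns, so an unpatched unpad would shorten any cookie whose trailing bytes happen to look like PKCS#7 padding, and that depends only on the cookie value, i.e. on the session identifier.

```javascript
// Added example (not code from testcookie-nginx-module or from slowAES): the
// unpadBytesOut routine listed above, run with and without the
// `data.length > 16` guard that aes.patch adds, on constructed byte arrays.
const BLOCK = 16;

// Port of slowAES's unpadBytesOut as shown above. Works on a copy of `data`
// (the original mutates in place) and returns the unpadded bytes.
// guard === true is the patched form: a single block is never unpadded.
function unpadBytesOut(data, guard) {
  const out = data.slice();
  let padCount = 0;
  let padByte = -1;
  if (!guard || out.length > BLOCK) {
    for (let i = out.length - 1; i >= out.length - 1 - BLOCK; i--) {
      if (out[i] <= BLOCK) {
        if (padByte === -1) padByte = out[i];
        if (out[i] !== padByte) {
          padCount = 0;
          break;
        }
        padCount++;
      } else {
        break;
      }
      if (padCount === padByte) break;
    }
    if (padCount > 0) out.splice(out.length - padCount, padCount);
  }
  return out;
}

// PKCS#7 padding, to build inputs that a general-purpose decoder must still handle.
function pkcs7Pad(bytes) {
  const n = BLOCK - (bytes.length % BLOCK);
  return bytes.concat(new Array(n).fill(n));
}

// Same lowercase hex encoding the refresh templates on this page apply to the
// decrypted cookie before writing document.cookie.
function toHex(bytes) {
  return bytes.map((b) => (b < 16 ? "0" : "") + b.toString(16)).join("");
}

function unpadDemo() {
  // Constructed 16-byte cookie value (the module's cookie is 32 hex chars, i.e.
  // 16 bytes, decrypted client-side as one block); its last byte happens to be
  // 0x01, which the unpatched routine reads as one byte of padding.
  const cookie = [0xd8, 0x81, 0x8d, 0xf6, 0x14, 0xd5, 0xa2, 0xae,
                  0x47, 0x9c, 0x78, 0x73, 0x1a, 0xb1, 0x5d, 0x01];
  const short = [1, 2, 3, 4, 5];                               // pads to one block
  const long = Array.from({ length: 20 }, (_, i) => 0x20 + i); // pads to two blocks
  return {
    unpatchedCookie: toHex(unpadBytesOut(cookie, false)), // 30 hex chars: cookie truncated
    patchedCookie: toHex(unpadBytesOut(cookie, true)),    // 32 hex chars: intact
    twoBlocks: unpadBytesOut(pkcs7Pad(long), true).length,           // 20: still unpadded
    oneBlockPadded: unpadBytesOut(pkcs7Pad(short), true).length,     // 16: guard keeps the pad
    oneBlockUnpatched: unpadBytesOut(pkcs7Pad(short), false).length, // 5
  };
}

console.log(unpadDemo());
```

The last two results show the trade-off the patch makes: multi-block padded data is still unpadded correctly, but a padded plaintext shorter than one block comes back with its pad bytes attached, which is acceptable only because the cookie path never produces such input.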

testcookie_redirect_via_refresh on;

Hi:
I tested the module and I have a problem: it does not redirect when I use "testcookie_redirect_via_refresh on;".
My nginx.conf:
http {
    include mime.types;
    default_type application/octet-stream;
    client_max_body_size 10m;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" "$host" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /web/nginx/logs/access.log  main;

    server_names_hash_bucket_size 128;
    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    server_tokens off;

    #gzip  on;
    gzip on;
    gzip_vary        on;
    gzip_min_length  1k;
    gzip_buffers     4 8k;
    gzip_http_version 1.0;
    gzip_comp_level  9;
    gzip_proxied     any;
    #gzip_types       text/plain text/html text/css application/x-javascript application/xml application/xml+rss text/javascript application/json;

    testcookie off;
    testcookie_name BPC;
    testcookie_secret keepmescret;
    testcookie_session $remote_addr;
    testcookie_arg attempt;
    testcookie_max_attempts 3;
    testcookie_get_only on;
    testcookie_redirect_via_refresh on;
    testcookie_refresh_template '<html><body><script>document.cookie="BPC=$testcookie_set";document.location.href="$testcookie_nexturl";</script></body></html>';

    testcookie_whitelist {
        10.3.254.96;
    }
}

and vhosts:

upstream passport.zongheng.com {
    server 10.3.254.96:8087;
}

server {
    listen 80;
    server_name passport.zongheng.com;
    location / {
        include proxy_params;
        proxy_pass http://passport.zongheng.com;
    }
    location ~ /simpleLogin.do {
        testcookie on;
        include proxy_params;
        proxy_pass http://passport.zongheng.com;
    }
    location = /aes.min.js {
        gzip on;
        gzip_min_length 1000;
        gzip_types text/plain;
        root /var/www;
    }

    error_page  500 502 503 504  /_x.html;

    location = /_x.html {
        root html;
    }
}

README

you have typo:

ngx_http_testcookie_filter_module.so

must be:

ngx_http_testcookie_access_module.so

Does the whitelist only support IPs?

2 problems:

no. 1:

#10

and where is the whitelist for search engine spiders?

no. 2:

we have some APIs (tens of thousands of different hosts) that use python scripts; how do we set up the whitelist for them?

Threshold / Banning

Hello,

Is there a way for you to add a threshold check (on the number of invalid hits/attempts) and a way to temporarily ban the offending IP based on $remote_addr or $proxy_add_x_forwarded_for?

It would be good to offload the resources during a botnet attack!

Thank You!
