feat(data): add challenge-browser-like.yaml

This is a huge change to Anubis and will make it a lot more invisible at the cost of requiring additional server configuration to make it happen. If you add this bit of nginx config to your location block: ```nginx proxy_set_header X-Http-Version $server_protocol; ``` And then adjust the bottom bot rule to this: ```yaml - import: (data)/common/challenge-browser-like.yaml ``` Anubis will be way less aggressive than it was before. This will let through any traffic that comes from a browser that actually is a browser via some more advanced heuristics. I think that this rule alone is the key feature of v1.18.0. Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-10 18:48:44 +00:00 · 2025-04-28 00:20:27 -04:00
parent ea4e5751ab
commit 9f988578a4
4 changed files with 25 additions and 8 deletions
--- a/data/botPolicies.yaml
+++ b/data/botPolicies.yaml
@@ -43,10 +43,7 @@ bots:
 #     report_as: 4    # lie to the operator
 #     algorithm: slow # intentionally waste CPU cycles and time

-# Generic catchall rule
- name: generic-browser
-  user_agent_regex: >-
-    Mozilla|Opera
-  action: CHALLENGE
+# Challenge things that claim to be a browser but are not
+- import: (data)/common/challenge-browser-like.yaml

 dnsbl: false
--- a/data/bots/cloudflare-workers.yaml
+++ b/data/bots/cloudflare-workers.yaml
@@ -1,4 +1,3 @@
 - name: cloudflare-workers
-  headers_regex:
-    CF-Worker: .*
-  action: DENY
+  expression: '"Cf-Worker" in headers'
+  action: CHALLENGE
--- a/data/common/challenge-browser-like.yaml
+++ b/data/common/challenge-browser-like.yaml
@@ -0,0 +1,16 @@
+  # Challenge anything with HTTP/1.1 that claims to be a browser
+  - name: challenge-lies-browser-but-http-1.1
+    action: CHALLENGE
+    expression:
+      all:
+      - '"X-Http-Version" in headers'
+      - headers["X-Http-Version"] == "HTTP/1.1"
+      - >-
+        (  userAgent.contains("Mozilla")
+        || userAgent.contains("Opera")
+        || userAgent.contains("Safari")
+        || userAgent.contains("Edge")
+        || userAgent.contains("Gecko")
+        || userAgent.contains("Windows")
+        || userAgent.contains("Linux")
+        )
--- a/data/common/legacy-challenge-everything.yaml
+++ b/data/common/legacy-challenge-everything.yaml
@@ -0,0 +1,5 @@
+# Generic catchall rule
+- name: generic-browser
+  user_agent_regex: >-
+    Mozilla|Opera
+  action: CHALLENGE