From 9f988578a446c4fc244fbef94dc8fde469252506 Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Mon, 28 Apr 2025 00:20:27 -0400 Subject: [PATCH] feat(data): add challenge-browser-like.yaml This is a huge change to Anubis and will make it a lot more invisible at the cost of requiring additional server configuration to make it happen. If you add this bit of nginx config to your location block: ```nginx proxy_set_header X-Http-Version $server_protocol; ``` And then adjust the bottom bot rule to this: ```yaml - import: (data)/common/challenge-browser-like.yaml ``` Anubis will be way less aggressive than it was before. This will let through any traffic that comes from a browser that actually is a browser via some more advanced heuristics. I think that this rule alone is the key feature of v1.18.0. Signed-off-by: Xe Iaso --- data/botPolicies.yaml | 7 ++----- data/bots/cloudflare-workers.yaml | 5 ++--- data/common/challenge-browser-like.yaml | 16 ++++++++++++++++ data/common/legacy-challenge-everything.yaml | 5 +++++ 4 files changed, 25 insertions(+), 8 deletions(-) create mode 100644 data/common/challenge-browser-like.yaml create mode 100644 data/common/legacy-challenge-everything.yaml diff --git a/data/botPolicies.yaml b/data/botPolicies.yaml index 12319b39..ca688ef2 100644 --- a/data/botPolicies.yaml +++ b/data/botPolicies.yaml @@ -43,10 +43,7 @@ bots: # report_as: 4 # lie to the operator # algorithm: slow # intentionally waste CPU cycles and time -# Generic catchall rule -- name: generic-browser - user_agent_regex: >- - Mozilla|Opera - action: CHALLENGE +# Challenge things that claim to be a browser but are not +- import: (data)/common/challenge-browser-like.yaml dnsbl: false diff --git a/data/bots/cloudflare-workers.yaml b/data/bots/cloudflare-workers.yaml index 3fe051be..80718352 100644 --- a/data/bots/cloudflare-workers.yaml +++ b/data/bots/cloudflare-workers.yaml 
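Review bot: In `data/botPolicies.yaml` the default catch-all now fires only when the reverse proxy supplies `X-Http-Version`, whereas the removed `generic-browser` rule challenged unconditionally. A deployment that upgrades without adding the `proxy_set_header` line from the commit message therefore stops challenging through this rule; the same dependency is the first condition in the new `data/common/challenge-browser-like.yaml`. I would say so above the import, e.g. `# Requires the proxy to set X-Http-Version on every request; without it this rule never matches. Import (data)/common/legacy-challenge-everything.yaml instead if that is not possible.` The proxy must also set the header unconditionally, so that a value sent by the client is replaced and not passed through; this is inferred from how the expression reads the header, since the code that builds `headers` is not in this diff.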
@@ -1,4 +1,3 @@
 - name: cloudflare-workers
- headers_regex:
- CF-Worker: .*
- action: DENY
\ No newline at end of file
+ expression: '"Cf-Worker" in headers'
+ action: CHALLENGE
\ No newline at end of file
diff --git a/data/common/challenge-browser-like.yaml b/data/common/challenge-browser-like.yaml
new file mode 100644
index 00000000..afd4cc87
--- /dev/null
+++ b/data/common/challenge-browser-like.yaml
@@ -0,0 +1,16 @@
+ # Challenge anything with HTTP/1.1 that claims to be a browser
+ - name: challenge-lies-browser-but-http-1.1
+ action: CHALLENGE
+ expression:
+ all:
+ - '"X-Http-Version" in headers'
+ - headers["X-Http-Version"] == "HTTP/1.1"
+ - >-
+ ( userAgent.contains("Mozilla")
+ || userAgent.contains("Opera")
+ || userAgent.contains("Safari")
+ || userAgent.contains("Edge")
+ || userAgent.contains("Gecko")
+ || userAgent.contains("Windows")
+ || userAgent.contains("Linux")
+ )
\ No newline at end of file
diff --git a/data/common/legacy-challenge-everything.yaml b/data/common/legacy-challenge-everything.yaml
new file mode 100644
index 00000000..722d9cc6
--- /dev/null
+++ b/data/common/legacy-challenge-everything.yaml
@@ -0,0 +1,5 @@
+# Generic catchall rule
+- name: generic-browser
+ user_agent_regex: >-
+ Mozilla|Opera
+ action: CHALLENGE
\ No newline at end of file
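Review bot: In `data/bots/cloudflare-workers.yaml` the action goes from `DENY` to `CHALLENGE` in the same edit that converts the rule to an expression, and neither the commit message nor the file explains why Workers traffic may now pass by solving a challenge. The lookup key also changes from `CF-Worker` to `Cf-Worker`, which presumably relies on the `headers` map using canonical header casing; that is not visible in this diff. A comment above the rule would record both, e.g. `# Key is in canonical header form (Cf-Worker). Challenged rather than denied because <reason>.`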
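Review bot: The second condition in `data/common/challenge-browser-like.yaml`, `headers["X-Http-Version"] == "HTTP/1.1"`, is an exact match, so a request the proxy reports as `HTTP/1.0` with a browser-like User-Agent is not challenged by this rule. If the intent is every pre-HTTP/2 client that claims to be a browser, `- headers["X-Http-Version"].startsWith("HTTP/1.")` would cover both, assuming the expression language offers `startsWith` as it does `contains`. The file's opening comment could also state that the header is expected to come from the proxy (nginx `$server_protocol`, per the commit message) and never from the client.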