arian/anubis-mirror
1
0
Fork 0
mirror of https://github.com/TecharoHQ/anubis.git synced 2026-04-08 09:38:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: arian:Xe/document-meta-default-config
Branches Tags
arian:main arian:dependabot/github_actions/github-actions-899c058108 arian:dependabot/go_modules/gomod-93cd730d29 arian:dependabot/npm_and_yarn/npm-34965409cd arian:Xe/feat-main-challenge-uses-preact arian:Xe/faq-min-browser-version arian:Xe/ddwrt-logo arian:Xe/toggle-source arian:Xe/pprof-2 arian:Xe/ci-multiple-go-versions arian:Xe/experimental-windows-binary arian:Xe/go-sh-for-build-scripts arian:Xe/doc-disabling-jit arian:add-claude-github-actions-1773949601522 arian:json/fix-pow-deref arian:Xe/no-govulncheck arian:Xe/docs-systemd-logging-to-file arian:json/gofix arian:json/add-cel-iterator arian:Xe/haproxy-smoke-test arian:Xe/sponsor-logo-sync arian:Xe/agent-hints arian:Xe/contributing-commitlint-etc arian:json/add-back-comments arian:Xe/fix-preact-static-path arian:Xe/document-meta-default-config arian:Xe/bump-go arian:revert-1370-dependabot/go_modules/gomod-76b51a1623 arian:Xe/iplist2rule arian:Xe/fix-nginx-gha arian:fix/nginxsmoke arian:Xe/expose-pprof-in-metrics arian:Xe/serialize-memory arian:Xe/nginx-config-test arian:Xe/no-more-kindness arian:Xe/adjust-accept-rule arian:Xe/honeypot arian:Xe/demote-explicit-deny-logs arian:fix/pin-versions arian:Xe/deprecate-report_as arian:Xe/dependabot-cooldown arian:Xe/logrotate arian:Xe/go-mod-tidy-check arian:Xe/redis-sentinel arian:docs/fix-1080 arian:fix/ogtags-sni arian:fix/ci-go-mod arian:chore/gomodupdates arian:fix/CVE2025_24369-flakyness arian:fix/upgrade-playwright arian:fix/nilpointerpanic arian:Xe/metrics-for-weigh-matches arian:Xe/fix-docs-deploy arian:Xe/dont-cookie-host-implicitly arian:Xe/ensure-embed-folder-matches-embed-fs arian:Xe/more-docker-client-programs arian:Xe/add-asset-build-verification-workflow arian:Xe/gh-1252/docker-registry-client-fix arian:Xe/chrome-version-number-deweighing arian:Xe/blog/abuse-reports arian:Xe/unblock-tencent-cloud arian:Xe/fix-serve-robots-txt arian:Xe/analytics-so-i-can-get-grants arian:Xe/fix-open-redirect-subrequest arian:Xe/remove-copilot-instructions arian:Xe/checker.List-and-like arian:Xe/block-tencent-cloud arian:Xe/fix-bbolt-errors arian:Xe/get-started-environments arian:Xe/show-error-state arian:Xe/fix-webcrypto-detection arian:Xe/even-less-paranoid arian:Xe/unflake-lib-package arian:Xe/default-config-macro arian:Xe/preact-deprecate arian:Xe/less-paranoid arian:Xe/wasm3 arian:Xe/double-slash-xess arian:Xe/double-slash-try-3 arian:Xe/fix-cookie-prefix-stutter arian:Xe/metarefresh-randomly-refresh-header arian:Xe/contentLength-in-expressions arian:Xe/ssh-ci-no-uname-av arian:Xe/ssh-ci-arm64 arian:Xe/actorify arian:Xe/log-filters arian:Xe/decaymap-sync-map arian:Xe/use-typescript arian:Xe/containerbuild-support-commas arian:Xe/npmjs-secvuln-fix arian:json/signingnudge arian:Xe/embed-services-folder arian:Xe/demote-temporal-assurance arian:Xe/store-s3 arian:json/requireED25519 arian:fix/multibot arian:json/docs arian:Xe/redirect-domain-wildcard arian:Xe/fix-force-language arian:Xe/anti-assistant arian:Xe/fix-main arian:Xe/enhanced-temporal-reassurance arian:Xe/docker-buildx-bake2 arian:Xe-patch-1 arian:Xe/proof-of-react arian:Xe/decimal-nonce-post arian:Xe/fix-decimal-nonce arian:json/fixspelling arian:copilot/fix-bac27955-bb79-4b41-8954-7463ba8a52db arian:Xe/block-alibaba arian:Xe/block-huawei arian:Xe/1002-challenge-spent-field arian:Xe/funding-update-august-2025 arian:Xe/remove-hack arian:revert-952-dependabot/github_actions/github-actions-246dc3e5c9 arian:Xe/embed-challenge-id-in-generated-pages arian:Xe/silence-http-pipelining-error arian:Xe/remove-json-docs arian:Xe/fix-purejs-and-make-faster arian:Xe/purge-slow arian:Xe/allow-opengraph-response-urls arian:Xe/anubis-custom-logger arian:Xe/default-rules/customasynchttpclient arian:Xe/store-challenge-method-with-challenge arian:Xe/checks-v2 arian:Xe/cel-segments arian:Xe/chore-expose-thoth arian:Xe/test-xff-no-double-comma arian:Xe/nerf-try-again-button arian:Xe/test-palemoon arian:Xe/xss-fix-2 arian:Xe/xss-fix arian:release/v1.21.1 arian:Xe/v1.21.1-blogpost arian:Xe/russian-translation-with-fixes arian:Xe/fix-unknown-challenge-throw-new-challenge arian:Xe/web-event-loop-thrashing arian:Xe/promise-leak arian:revert-873-dependabot/go_modules/gomod-adef35df73 arian:Xe/osiris arian:dependabot/go_modules/gomod-adef35df73 arian:Xe/missing-header-function arian:Xe/smoke-test/caddy-and-unix-socket arian:Xe/ssh-ci/deflake arian:Xe/smoke-test/translations arian:release/v1.21.0 arian:Xe/health-ready-endpoints arian:Xe/ja4h arian:Xe/test-cookie-fix arian:Xe/docs-image-per-commit arian:Xe/smoke-test/git-push arian:Xe/git-server-test arian:Xe/disable-system-load-by-default arian:release/v1.21.0-pre2 arian:Xe/double-slash-try-2 arian:Xe/status-page arian:Xe/double-slash arian:Xe/changelog-mention-migration-breakage arian:Xe/nginx-micro arian:Xe/TI-20250709-0001 arian:Xe/thoth-client-dont-block-on-healthchecks arian:Xe/load-average arian:Xe/docs-remove-proof-of-work-branding arian:Xe/bbolt-cleanup-every-hour arian:Xe/optimize-bbolt arian:Xe/ogtags-use-store arian:Xe/devcontainer-playwright arian:Xe/store-interface arian:Xe/allow-commoncrawl arian:Xe/docs-botstopper arian:Xe/fix-anubis-systemd-runtimedir-instances arian:Xe/checker-registry arian:vic/set-cookies-to-secure arian:json/dup arian:Xe/docker-buildx-bake arian:Xe/valkey-2 arian:Xe/thr1 arian:Xe/v1.19.0-pre1 arian:Xe/thoth arian:Xe/valkey arian:wasm arian:Xe/expressions arian:Xe/go-tool-yeet arian:Xe/pkgserver arian:Xe/yeet-as-tool arian:release/v1.15.x arian:Xe/minimize-logging arian:revert-134-revert-120-Xe/cookie-settings arian:Xe/allow-internet-archive arian:Xe/hyper-galaxy-brain
arian:v1.25.0 arian:v1.24.0 arian:v1.24.0-pre1 arian:v1.23.1 arian:v1.23.0 arian:v1.23.0-pre2 arian:v1.23.0-pre1 arian:v1.22.0 arian:v1.22.0-pre2 arian:v1.22.0-pre1 arian:v1.21.3 arian:v1.21.2 arian:v1.21.1 arian:v1.21.0 arian:v1.21.0-pre3 arian:v1.21.0-pre2 arian:v1.21.0-pre1 arian:v1.20.0 arian:v1.20.0-pre2 arian:v1.20.0-pre1 arian:v1.19.1 arian:v1.19.0 arian:v1.19.0-pre1 arian:v1.18.0 arian:v1.18.0-pre1 arian:v1.17.1 arian:v1.17.0 arian:v1.17.0.signed arian:v1.17.0-beta4 arian:1.17.0-beta2 arian:v1.17.0-beta3 arian:v1.17.0-beta1 arian:v1.16.0 arian:v1.15.2 arian:v1.15.1 arian:v1.15.0 arian:v1.14.2 arian:v1.14.1 arian:v1.14.0 arian:v1.13.0 arian:v1.12.1
..
compare: arian:Xe/dependabot-cooldown
Branches Tags
arian:dependabot/github_actions/github-actions-899c058108 arian:dependabot/go_modules/gomod-93cd730d29 arian:dependabot/npm_and_yarn/npm-34965409cd arian:Xe/feat-main-challenge-uses-preact arian:main arian:Xe/faq-min-browser-version arian:Xe/ddwrt-logo arian:Xe/toggle-source arian:Xe/pprof-2 arian:Xe/ci-multiple-go-versions arian:Xe/experimental-windows-binary arian:Xe/go-sh-for-build-scripts arian:Xe/doc-disabling-jit arian:add-claude-github-actions-1773949601522 arian:json/fix-pow-deref arian:Xe/no-govulncheck arian:Xe/docs-systemd-logging-to-file arian:json/gofix arian:json/add-cel-iterator arian:Xe/haproxy-smoke-test arian:Xe/sponsor-logo-sync arian:Xe/agent-hints arian:Xe/contributing-commitlint-etc arian:json/add-back-comments arian:Xe/fix-preact-static-path arian:Xe/document-meta-default-config arian:Xe/bump-go arian:revert-1370-dependabot/go_modules/gomod-76b51a1623 arian:Xe/iplist2rule arian:Xe/fix-nginx-gha arian:fix/nginxsmoke arian:Xe/expose-pprof-in-metrics arian:Xe/serialize-memory arian:Xe/nginx-config-test arian:Xe/no-more-kindness arian:Xe/adjust-accept-rule arian:Xe/honeypot arian:Xe/demote-explicit-deny-logs arian:fix/pin-versions arian:Xe/deprecate-report_as arian:Xe/dependabot-cooldown arian:Xe/logrotate arian:Xe/go-mod-tidy-check arian:Xe/redis-sentinel arian:docs/fix-1080 arian:fix/ogtags-sni arian:fix/ci-go-mod arian:chore/gomodupdates arian:fix/CVE2025_24369-flakyness arian:fix/upgrade-playwright arian:fix/nilpointerpanic arian:Xe/metrics-for-weigh-matches arian:Xe/fix-docs-deploy arian:Xe/dont-cookie-host-implicitly arian:Xe/ensure-embed-folder-matches-embed-fs arian:Xe/more-docker-client-programs arian:Xe/add-asset-build-verification-workflow arian:Xe/gh-1252/docker-registry-client-fix arian:Xe/chrome-version-number-deweighing arian:Xe/blog/abuse-reports arian:Xe/unblock-tencent-cloud arian:Xe/fix-serve-robots-txt arian:Xe/analytics-so-i-can-get-grants arian:Xe/fix-open-redirect-subrequest arian:Xe/remove-copilot-instructions arian:Xe/checker.List-and-like arian:Xe/block-tencent-cloud arian:Xe/fix-bbolt-errors arian:Xe/get-started-environments arian:Xe/show-error-state arian:Xe/fix-webcrypto-detection arian:Xe/even-less-paranoid arian:Xe/unflake-lib-package arian:Xe/default-config-macro arian:Xe/preact-deprecate arian:Xe/less-paranoid arian:Xe/wasm3 arian:Xe/double-slash-xess arian:Xe/double-slash-try-3 arian:Xe/fix-cookie-prefix-stutter arian:Xe/metarefresh-randomly-refresh-header arian:Xe/contentLength-in-expressions arian:Xe/ssh-ci-no-uname-av arian:Xe/ssh-ci-arm64 arian:Xe/actorify arian:Xe/log-filters arian:Xe/decaymap-sync-map arian:Xe/use-typescript arian:Xe/containerbuild-support-commas arian:Xe/npmjs-secvuln-fix arian:json/signingnudge arian:Xe/embed-services-folder arian:Xe/demote-temporal-assurance arian:Xe/store-s3 arian:json/requireED25519 arian:fix/multibot arian:json/docs arian:Xe/redirect-domain-wildcard arian:Xe/fix-force-language arian:Xe/anti-assistant arian:Xe/fix-main arian:Xe/enhanced-temporal-reassurance arian:Xe/docker-buildx-bake2 arian:Xe-patch-1 arian:Xe/proof-of-react arian:Xe/decimal-nonce-post arian:Xe/fix-decimal-nonce arian:json/fixspelling arian:copilot/fix-bac27955-bb79-4b41-8954-7463ba8a52db arian:Xe/block-alibaba arian:Xe/block-huawei arian:Xe/1002-challenge-spent-field arian:Xe/funding-update-august-2025 arian:Xe/remove-hack arian:revert-952-dependabot/github_actions/github-actions-246dc3e5c9 arian:Xe/embed-challenge-id-in-generated-pages arian:Xe/silence-http-pipelining-error arian:Xe/remove-json-docs arian:Xe/fix-purejs-and-make-faster arian:Xe/purge-slow arian:Xe/allow-opengraph-response-urls arian:Xe/anubis-custom-logger arian:Xe/default-rules/customasynchttpclient arian:Xe/store-challenge-method-with-challenge arian:Xe/checks-v2 arian:Xe/cel-segments arian:Xe/chore-expose-thoth arian:Xe/test-xff-no-double-comma arian:Xe/nerf-try-again-button arian:Xe/test-palemoon arian:Xe/xss-fix-2 arian:Xe/xss-fix arian:release/v1.21.1 arian:Xe/v1.21.1-blogpost arian:Xe/russian-translation-with-fixes arian:Xe/fix-unknown-challenge-throw-new-challenge arian:Xe/web-event-loop-thrashing arian:Xe/promise-leak arian:revert-873-dependabot/go_modules/gomod-adef35df73 arian:Xe/osiris arian:dependabot/go_modules/gomod-adef35df73 arian:Xe/missing-header-function arian:Xe/smoke-test/caddy-and-unix-socket arian:Xe/ssh-ci/deflake arian:Xe/smoke-test/translations arian:release/v1.21.0 arian:Xe/health-ready-endpoints arian:Xe/ja4h arian:Xe/test-cookie-fix arian:Xe/docs-image-per-commit arian:Xe/smoke-test/git-push arian:Xe/git-server-test arian:Xe/disable-system-load-by-default arian:release/v1.21.0-pre2 arian:Xe/double-slash-try-2 arian:Xe/status-page arian:Xe/double-slash arian:Xe/changelog-mention-migration-breakage arian:Xe/nginx-micro arian:Xe/TI-20250709-0001 arian:Xe/thoth-client-dont-block-on-healthchecks arian:Xe/load-average arian:Xe/docs-remove-proof-of-work-branding arian:Xe/bbolt-cleanup-every-hour arian:Xe/optimize-bbolt arian:Xe/ogtags-use-store arian:Xe/devcontainer-playwright arian:Xe/store-interface arian:Xe/allow-commoncrawl arian:Xe/docs-botstopper arian:Xe/fix-anubis-systemd-runtimedir-instances arian:Xe/checker-registry arian:vic/set-cookies-to-secure arian:json/dup arian:Xe/docker-buildx-bake arian:Xe/valkey-2 arian:Xe/thr1 arian:Xe/v1.19.0-pre1 arian:Xe/thoth arian:Xe/valkey arian:wasm arian:Xe/expressions arian:Xe/go-tool-yeet arian:Xe/pkgserver arian:Xe/yeet-as-tool arian:release/v1.15.x arian:Xe/minimize-logging arian:revert-134-revert-120-Xe/cookie-settings arian:Xe/allow-internet-archive arian:Xe/hyper-galaxy-brain
arian:v1.25.0 arian:v1.24.0 arian:v1.24.0-pre1 arian:v1.23.1 arian:v1.23.0 arian:v1.23.0-pre2 arian:v1.23.0-pre1 arian:v1.22.0 arian:v1.22.0-pre2 arian:v1.22.0-pre1 arian:v1.21.3 arian:v1.21.2 arian:v1.21.1 arian:v1.21.0 arian:v1.21.0-pre3 arian:v1.21.0-pre2 arian:v1.21.0-pre1 arian:v1.20.0 arian:v1.20.0-pre2 arian:v1.20.0-pre1 arian:v1.19.1 arian:v1.19.0 arian:v1.19.0-pre1 arian:v1.18.0 arian:v1.18.0-pre1 arian:v1.17.1 arian:v1.17.0 arian:v1.17.0.signed arian:v1.17.0-beta4 arian:1.17.0-beta2 arian:v1.17.0-beta3 arian:v1.17.0-beta1 arian:v1.16.0 arian:v1.15.2 arian:v1.15.1 arian:v1.15.0 arian:v1.14.2 arian:v1.14.1 arian:v1.14.0 arian:v1.13.0 arian:v1.12.1

2 Commits
Xe/documen ... Xe/dependa

Author SHA1 Message Date
Xe Iaso
cff364920a chore: update spelling 
Signed-off-by: Xe Iaso <me@xeiaso.net>
 2025-11-21 14:00:55 -05:00
Xe Iaso
09917dbf1b chore: add dependabot cooldown 
One of the things I need to worry about with Anubis is the idea that
could pwn a dependency and then get malicious code into prod without
realizing it, a-la Jia Tan. Given that Anubis relies on tools like
Dependabot to manage updating dependencies (good for other reasons),
it makes sense to have Dependabot have a 7 day cooldown for new
versions of dependencies.

This follows the advice from Yossarian on their blog at [1]. Thanks
for the post and easy to copy/paste snippets!

[1]: https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns

Signed-off-by: Xe Iaso <me@xeiaso.net>
 2025-11-21 13:57:00 -05:00
4 changed files with 7 additions and 84 deletions
Expand all files Collapse all files

1
.github/actions/spelling/allow.txt vendored
View File

@@ -10,3 +10,4 @@ ABee
tencent
maintnotifications
azurediamond
cooldown

6
.github/dependabot.yml vendored
View File

@@ -8,6 +8,8 @@ updates:
github-actions:
patterns:
- "*"
cooldown:
default-days: 7
- package-ecosystem: gomod
directory: /
@@ -17,6 +19,8 @@ updates:
gomod:
patterns:
- "*"
cooldown:
default-days: 7
- package-ecosystem: npm
directory: /
@@ -26,3 +30,5 @@ updates:
npm:
patterns:
- "*"
cooldown:
default-days: 7

55
data/common/acts-like-browser.yaml
View File

@@ -1,55 +0,0 @@
# Assert behaviour that only genuine browsers display. This ensures that modern Chrome
# or Firefox versions will get through without a challenge.
#
# These rules have been known to be bypassed by some of the worst automated scrapers.
# Use at your own risk.
- name: realistic-browser-catchall
expression:
all:
- '"User-Agent" in headers'
- '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'
- '"Accept" in headers'
- '"Sec-Fetch-Dest" in headers'
- '"Sec-Fetch-Mode" in headers'
- '"Sec-Fetch-Site" in headers'
- '"Accept-Encoding" in headers'
- '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
- '"Accept-Language" in headers'
action: WEIGH
weight:
adjust: -10
# The Upgrade-Insecure-Requests header is typically sent by browsers, but not always
- name: upgrade-insecure-requests
expression: '"Upgrade-Insecure-Requests" in headers'
action: WEIGH
weight:
adjust: -2
# Chrome should behave like Chrome
- name: chrome-is-proper
expression:
all:
- userAgent.contains("Chrome")
- '"Sec-Ch-Ua" in headers'
- 'headers["Sec-Ch-Ua"].contains("Chromium")'
- '"Sec-Ch-Ua-Mobile" in headers'
- '"Sec-Ch-Ua-Platform" in headers'
action: WEIGH
weight:
adjust: -5
- name: should-have-accept
expression: '!("Accept" in headers)'
action: WEIGH
weight:
adjust: 5
# Generic catchall rule
- name: generic-browser
user_agent_regex: >-
Mozilla|Opera
action: WEIGH
weight:
adjust: 10

29
docs/docs/admin/configuration/import.mdx
View File

@@ -13,8 +13,6 @@ bots:
- # This correlates to data/bots/ai-catchall.yaml in the source tree
import: (data)/bots/ai-catchall.yaml
- import: (data)/bots/cloudflare-workers.yaml
# Import all the rules in the default configuration
- import: (data)/meta/default-config.yaml
```
Of note, a bot rule can either have inline bot configuration or import a bot config snippet. You cannot do both in a single bot rule.
@@ -37,33 +35,6 @@ config.BotOrImport: rule definition is invalid, you must set either bot rules or
Paths can either be prefixed with `(data)` to import from the [the data folder in the Anubis source tree](https://github.com/TecharoHQ/anubis/tree/main/data) or anywhere on the filesystem. If you don't have access to the Anubis source tree, check /usr/share/docs/anubis/data or in the tarball you extracted Anubis from.
## Importing the default configuration
If you want to base your configuration off of the default configuration, import `(data)/meta/default-config.yaml`:
```yaml
bots:
- import: (data)/meta/default-config.yaml
# Write your rules here
```
This will keep your configuration up to date as Anubis adapts to emerging threats.
## How do I exempt most modern browsers from Anubis challenges?
If you want to exempt most modern browsers from Anubis challenges, import `(data)/common/acts-like-browser.yaml`:
```yaml
bots:
- import: (data)/meta/default-config.yaml
- import: (data)/common/acts-like-browser.yaml
# Write your rules here
```
These rules will allow traffic that "looks like" it's from a modern copy of Edge, Safari, Chrome, or Firefox. These rules used to be enabled by default, however user reports have suggested that AI scraper bots have adapted to conform to these rules to scrape without regard for the infrastructure they are attacking.
Use these rules at your own risk.
## Importing from imports
You can also import from an imported file in case you want to import an entire folder of rules at once.