docs(challenge): fix panic when validating challenges in privacy-mode browsers

Signed-off-by: Xe Iaso <me@xeiaso.net>

.github/actions/spelling/allow.txt

@@ -8,3 +8,4 @@ msgbox
 xeact
 ABee
 tencent
+maintnotifications

.github/actions/spelling/expect.txt

@@ -36,6 +36,7 @@ botstopper
 BPort
 Brightbot
 broked
+buildah
 byteslice
 Bytespider
 cachebuster
@@ -64,6 +65,7 @@ Codespaces
 confd
 connnection
 containerbuild
+containerregistry
 coreutils
 Cotoyogi
 Cromite
@@ -198,7 +200,6 @@ licstart
 lightpanda
 limsa
 Linting
-linuxbrew
 LLU
 loadbalancer
 lol
@@ -225,6 +226,7 @@ nobots
 NONINFRINGEMENT
 nosleep
 nullglob
+oci
 OCOB
 ogtag
 oklch
@@ -341,6 +343,7 @@ Velen
 vendored
 vhosts
 VKE
+vnd
 VPS
 Vultr
 weblate

.github/workflows/asset-verification.yml

@@ -0,0 +1,73 @@
+name: Asset Build Verification
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  contents: read
+
+jobs:
+  asset_verification:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: build essential
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential
+
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version: latest
+
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
+
+      - name: install node deps
+        run: |
+          npm ci
+
+      - name: Check for uncommitted changes before asset build
+        id: check-changes-before
+        run: |
+          if [[ -n $(git status --porcelain) ]]; then
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Fail if there are uncommitted changes before build
+        if: steps.check-changes-before.outputs.has_changes == 'true'
+        run: |
+          echo "There are uncommitted changes before running npm run assets"
+          git status
+          exit 1
+
+      - name: Run asset build
+        run: |
+          npm run assets
+
+      - name: Check for uncommitted changes after asset build
+        id: check-changes-after
+        run: |
+          if [[ -n $(git status --porcelain) ]]; then
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Fail if assets generated changes
+        if: steps.check-changes-after.outputs.has_changes == 'true'
+        run: |
+          echo "npm run assets generated uncommitted changes. This indicates the repository has outdated generated files."
+          echo "Please run 'npm run assets' locally and commit the changes."
+          git status
+          git diff
+          exit 1

.github/workflows/docker-pr.yml

@@ -2,7 +2,7 @@ name: Docker image builds (pull requests)
 
 on:
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 env:
   DOCKER_METADATA_SET_OUTPUT_ENV: "true"
@@ -21,33 +21,24 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@main
-
-      - name: Setup Homebrew cellar cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-        with:
-          path: |
-            /home/linuxbrew/.linuxbrew/Cellar
-            /home/linuxbrew/.linuxbrew/bin
-            /home/linuxbrew/.linuxbrew/etc
-            /home/linuxbrew/.linuxbrew/include
-            /home/linuxbrew/.linuxbrew/lib
-            /home/linuxbrew/.linuxbrew/opt
-            /home/linuxbrew/.linuxbrew/sbin
-            /home/linuxbrew/.linuxbrew/share
-            /home/linuxbrew/.linuxbrew/var
-          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-homebrew-cellar-
-
-      - name: Install Brew dependencies
+      - name: build essential
         run: |
-          brew bundle
+          sudo apt-get update
+          sudo apt-get install -y build-essential
+
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version: latest
+
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
+
+      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ghcr.io/${{ github.repository }}
 

.github/workflows/docker.yml

@@ -27,33 +27,24 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
+      - name: build essential
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential
+
       - name: Set lowercase image name
         run: |
           echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
 
-      - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@main
-
-      - name: Setup Homebrew cellar cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          path: |
-            /home/linuxbrew/.linuxbrew/Cellar
-            /home/linuxbrew/.linuxbrew/bin
-            /home/linuxbrew/.linuxbrew/etc
-            /home/linuxbrew/.linuxbrew/include
-            /home/linuxbrew/.linuxbrew/lib
-            /home/linuxbrew/.linuxbrew/opt
-            /home/linuxbrew/.linuxbrew/sbin
-            /home/linuxbrew/.linuxbrew/share
-            /home/linuxbrew/.linuxbrew/var
-          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-homebrew-cellar-
+          node-version: latest
 
-      - name: Install Brew dependencies
-        run: |
-          brew bundle
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
+
+      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Log into registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -64,7 +55,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ${{ env.IMAGE }}
 

.github/workflows/docs-deploy.yml

@@ -33,7 +33,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ghcr.io/techarohq/anubis/docs
           tags: |

.github/workflows/docs-test.yml

@@ -22,7 +22,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
         with:
           images: ghcr.io/techarohq/anubis/docs
           tags: |

.github/workflows/go.yml

@@ -2,9 +2,9 @@ name: Go
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 permissions:
   contents: read
@@ -15,77 +15,51 @@ jobs:
     #runs-on: alrest-techarohq
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
-        persist-credentials: false
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
-    - name: build essential
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y build-essential
+      - name: build essential
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential
 
-    - name: Set up Homebrew
-      uses: Homebrew/actions/setup-homebrew@main
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version: latest
 
-    - name: Setup Homebrew cellar cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-      with:
-        path: |
-          /home/linuxbrew/.linuxbrew/Cellar
-          /home/linuxbrew/.linuxbrew/bin
-          /home/linuxbrew/.linuxbrew/etc
-          /home/linuxbrew/.linuxbrew/include
-          /home/linuxbrew/.linuxbrew/lib
-          /home/linuxbrew/.linuxbrew/opt
-          /home/linuxbrew/.linuxbrew/sbin
-          /home/linuxbrew/.linuxbrew/share
-          /home/linuxbrew/.linuxbrew/var
-        key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-homebrew-cellar-
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
 
-    - name: Install Brew dependencies
-      run: |
-        brew bundle
+      - name: Cache playwright binaries
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        id: playwright-cache
+        with:
+          path: |
+            ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('**/go.sum') }}
 
-    - name: Setup Golang caches
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-      with:
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-golang-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-golang-
+      - name: install node deps
+        run: |
+          npm ci
 
-    - name: Cache playwright binaries
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-      id: playwright-cache
-      with:
-        path: |
-          ~/.cache/ms-playwright
-        key: ${{ runner.os }}-playwright-${{ hashFiles('**/go.sum') }}
+      - name: install playwright browsers
+        run: |
+          npx --no-install playwright@1.52.0 install --with-deps
+          npx --no-install playwright@1.52.0 run-server --port 9001 &
 
-    - name: install node deps
-      run: |
-        npm ci
+      - name: Build
+        run: npm run build
 
-    - name: install playwright browsers
-      run: |
-        npx --no-install playwright@1.52.0 install --with-deps
-        npx --no-install playwright@1.52.0 run-server --port 9001 &
+      - name: Test
+        run: npm run test
 
-    - name: Build
-      run: npm run build
+      - name: Lint with staticcheck
+        uses: dominikh/staticcheck-action@024238d2898c874f26d723e7d0ff4308c35589a2 # v1.4.0
+        with:
+          version: "latest"
 
-    - name: Test
-      run: npm run test
-
-    - name: Lint with staticcheck
-      uses: dominikh/staticcheck-action@024238d2898c874f26d723e7d0ff4308c35589a2 # v1.4.0
-      with:
-        version: "latest"
-
-    - name: Govulncheck
-      run: |
-        go tool govulncheck ./...
+      - name: Govulncheck
+        run: |
+          go tool govulncheck ./...

.github/workflows/package-builds-stable.yml

@@ -25,39 +25,13 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@main
-
-      - name: Setup Homebrew cellar cache
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          path: |
-            /home/linuxbrew/.linuxbrew/Cellar
-            /home/linuxbrew/.linuxbrew/bin
-            /home/linuxbrew/.linuxbrew/etc
-            /home/linuxbrew/.linuxbrew/include
-            /home/linuxbrew/.linuxbrew/lib
-            /home/linuxbrew/.linuxbrew/opt
-            /home/linuxbrew/.linuxbrew/sbin
-            /home/linuxbrew/.linuxbrew/share
-            /home/linuxbrew/.linuxbrew/var
-          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-homebrew-cellar-
+          node-version: latest
 
-      - name: Install Brew dependencies
-        run: |
-          brew bundle
-
-      - name: Setup Golang caches
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
-          path: |
-            ~/.cache/go-build
-            ~/go/pkg/mod
-          key: ${{ runner.os }}-golang-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-golang-
+          go-version: stable
 
       - name: install node deps
         run: |

.github/workflows/package-builds-unstable.yml

@@ -2,9 +2,9 @@ name: Package builds (unstable)
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 permissions:
   contents: read
@@ -15,60 +15,34 @@ jobs:
     #runs-on: alrest-techarohq
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
-        persist-credentials: false
-        fetch-tags: true
-        fetch-depth: 0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          fetch-tags: true
+          fetch-depth: 0
 
-    - name: build essential
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y build-essential
+      - name: build essential
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y build-essential
 
-    - name: Set up Homebrew
-      uses: Homebrew/actions/setup-homebrew@main
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          node-version: latest
 
-    - name: Setup Homebrew cellar cache
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-      with:
-        path: |
-          /home/linuxbrew/.linuxbrew/Cellar
-          /home/linuxbrew/.linuxbrew/bin
-          /home/linuxbrew/.linuxbrew/etc
-          /home/linuxbrew/.linuxbrew/include
-          /home/linuxbrew/.linuxbrew/lib
-          /home/linuxbrew/.linuxbrew/opt
-          /home/linuxbrew/.linuxbrew/sbin
-          /home/linuxbrew/.linuxbrew/share
-          /home/linuxbrew/.linuxbrew/var
-        key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-go-homebrew-cellar-
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version: stable
 
-    - name: Install Brew dependencies
-      run: |
-        brew bundle
+      - name: install node deps
+        run: |
+          npm ci
 
-    - name: Setup Golang caches
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-      with:
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod
-        key: ${{ runner.os }}-golang-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ runner.os }}-golang-
+      - name: Build Packages
+        run: |
+          go tool yeet
 
-    - name: install node deps
-      run: |
-        npm ci
-
-    - name: Build Packages
-      run: |
-        go tool yeet
-
-    - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
-      with:
-        name: packages
-        path: var/*
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        with:
+          name: packages
+          path: var/*

.github/workflows/smoke-tests.yml

@@ -15,6 +15,7 @@ jobs:
       matrix:
         test:
           - default-config-macro
+          - docker-registry
           - double_slash
           - forced-language
           - git-clone

VERSION

@@ -1 +1 @@
-1.23.0
+1.23.1

cmd/anubis/main.go

@@ -83,7 +83,7 @@ var (
 	versionFlag              = flag.Bool("version", false, "print Anubis version")
 	publicUrl                = flag.String("public-url", "", "the externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for forwardAuth).")
 	xffStripPrivate          = flag.Bool("xff-strip-private", true, "if set, strip private addresses from X-Forwarded-For")
-	customRealIPHeader      = flag.String("custom-real-ip-header", "", "if set, read remote IP from header of this name (in case your environment doesn't set X-Real-IP header)")
+	customRealIPHeader       = flag.String("custom-real-ip-header", "", "if set, read remote IP from header of this name (in case your environment doesn't set X-Real-IP header)")
 
 	thothInsecure        = flag.Bool("thoth-insecure", false, "if set, connect to Thoth over plain HTTP/2, don't enable this unless support told you to")
 	thothURL             = flag.String("thoth-url", "", "if set, URL for Thoth, the IP reputation database for Anubis")
@@ -145,19 +145,19 @@ func parseBindNetFromAddr(address string) (string, string) {
 	return "", address
 }
 
-func parseSameSite(s string) (http.SameSite) {
-    switch strings.ToLower(s) {
-    case "none":
-        return http.SameSiteNoneMode
-    case "lax":
-        return http.SameSiteLaxMode
-    case "strict":
-        return http.SameSiteStrictMode
+func parseSameSite(s string) http.SameSite {
+	switch strings.ToLower(s) {
+	case "none":
+		return http.SameSiteNoneMode
+	case "lax":
+		return http.SameSiteLaxMode
+	case "strict":
+		return http.SameSiteStrictMode
 	case "default":
 		return http.SameSiteDefaultMode
-    default:
-        log.Fatalf("invalid cookie same-site mode: %s, valid values are None, Lax, Strict, and Default", s)
-    }
+	default:
+		log.Fatalf("invalid cookie same-site mode: %s, valid values are None, Lax, Strict, and Default", s)
+	}
 	return http.SameSiteDefaultMode
 }
 

data/clients/docker-client.yaml

@@ -0,0 +1,60 @@
+- name: allow-docker-client
+  action: ALLOW
+  expression:
+    all:
+      - path.startsWith("/v2/")
+      - userAgent.contains("docker/")
+      - userAgent.contains("git-commit/")
+      - '"Accept" in headers'
+      - headers["Accept"].contains("vnd.docker.distribution")
+      - '"Baggage" in headers'
+      - headers["Baggage"].contains("trigger")
+
+- name: allow-crane-client
+  action: ALLOW
+  expression:
+    all:
+      - userAgent.contains("crane/")
+      - userAgent.contains("go-containerregistry/")
+
+- name: allow-docker-distribution-api-client
+  action: ALLOW
+  expression:
+    all:
+      - '"Docker-Distribution-Api-Version" in headers'
+      - '!(userAgent.contains("Mozilla"))'
+
+- name: allow-go-containerregistry-client
+  action: ALLOW
+  expression:
+    all:
+      - path.startsWith("/v2/")
+      - userAgent.contains("go-containerregistry/")
+
+- name: allow-buildah
+  action: ALLOW
+  expression:
+    all:
+      - path.startsWith("/v2/")
+      - userAgent.contains("Buildah/")
+
+- name: allow-podman
+  action: ALLOW
+  expression:
+    all:
+      - path.startsWith("/v2/")
+      - userAgent.contains("containers/")
+
+- name: allow-containerd
+  action: ALLOW
+  expression:
+    all:
+      - path.startsWith("/v2/")
+      - userAgent.contains("containerd/")
+
+- name: allow-renovate
+  action: ALLOW
+  expression:
+    all:
+      - path.startsWith("/v2/")
+      - userAgent.contains("Renovate/")

data/embed.go

@@ -3,6 +3,6 @@ package data
 import "embed"
 
 var (
-	//go:embed botPolicies.yaml all:apps all:bots all:clients all:common all:crawlers all:meta
+	//go:embed botPolicies.yaml all:apps all:bots all:clients all:common all:crawlers all:meta all:services
 	BotPolicies embed.FS
 )

data/embed_test.go

@@ -0,0 +1,38 @@
+package data
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// TestBotPoliciesEmbed ensures all YAML files in the directory tree
+// are accessible in the embedded BotPolicies filesystem.
+func TestBotPoliciesEmbed(t *testing.T) {
+	yamlFiles, err := filepath.Glob("./**/*.yaml")
+	if err != nil {
+		t.Fatalf("Failed to glob YAML files: %v", err)
+	}
+
+	if len(yamlFiles) == 0 {
+		t.Fatal("No YAML files found in directory tree")
+	}
+
+	t.Logf("Found %d YAML files to verify", len(yamlFiles))
+
+	for _, filePath := range yamlFiles {
+		embeddedPath := strings.TrimPrefix(filePath, "./")
+
+		t.Run(embeddedPath, func(t *testing.T) {
+			content, err := BotPolicies.ReadFile(embeddedPath)
+			if err != nil {
+				t.Errorf("Failed to read %s from embedded filesystem: %v", embeddedPath, err)
+				return
+			}
+
+			if len(content) == 0 {
+				t.Errorf("File %s exists in embedded filesystem but is empty", embeddedPath)
+			}
+		})
+	}
+}

docs/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/node AS build
+FROM docker.io/library/node:lts AS build
 
 WORKDIR /app
 COPY . .

docs/docs/CHANGELOG.md

@@ -13,8 +13,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- This changes the project to: -->
 
-- Fix `SERVE_ROBOTS_TXT` setting file after the double slash fix broke it.
-- Remove the default configuration rule to block Tencent cloud. If users see abuse from Tencent cloud IP ranges, please contact abuse@tencent.com and mention that you are using Anubis to protect your services. Please include source IP address, source port, timestamp, target IP address, target port, request headers (including the User-Agent header), and target endpoints/patterns.
+- Fix panic when validating challenges after privacy-mode browsers strip headers and the follow-up request matches an `ALLOW` threshold.
+- Expose WEIGHT rule matches as Prometheus metrics.
+- Allow more OCI registry clients [based on feedback](https://github.com/TecharoHQ/anubis/pull/1253#issuecomment-3506744184).
+- Expose services directory in the embedded `(data)` filesystem.
+- Add Ukrainian locale ([#1044](https://github.com/TecharoHQ/anubis/pull/1044)).
+- Allow Renovate as an OCI registry client.
+- Properly handle 4in6 addresses so that IP matching works with those addresses.
+- Add support to simple Valkey/Redis cluster mode
+
+## v1.23.1: Lyse Hext - Echo 1
+
+- Fix `SERVE_ROBOTS_TXT` setting after the double slash fix broke it.
+
+### Potentially breaking changes
+
+#### Remove default Tencent Cloud block rule
+
+v1.23.0 added a default rule to block Tencent Cloud. After an email from their abuse team where they promised to take action to clean up their reputation, I have removed the default block rule. If this network causes you problems, please contact [abuse@tencent.com](mailto:abuse@tencent.com) and supply the following information:
+
+- Time of abusive requests.
+- IP address, User-Agent header, or other unique identifiers that can help the abuse team educate the customer about their misbehaving infrastructure.
+- Does the abusive IP address request robots.txt? If not, be sure to include that information.
+- A brief description of the impact to your system such as high system load, pages not rendering, or database system crashes. This helps the provider establish the fact that their customer is causing you measurable harm.
+- Context as to what your service is, what it does, and why they should care.
+
+Mention that you are using Anubis or BotStopper to protect your services. If they do not respond to you, please [contact me](https://xeiaso.net/contact) as soon as possible.
+
+#### Docker / OCI registry clients
+
+Anubis v1.23.0 accidentally blocked Docker / OCI registry clients. In order to explicitly allow them, add an import for `(data)/clients/docker-client.yaml`:
+
+```yaml
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/clients/docker-client.yaml
+```
+
+This is technically a regression as these clients used to work in Anubis v1.22.0, however it is allowable to make this opt-in as most websites do not expect to be serving Docker / OCI registry client traffic.
 
 ## v1.23.0: Lyse Hext
 

docs/docs/admin/roles/_category_.json

@@ -0,0 +1,8 @@
+{
+  "label": "Server Roles",
+  "position": 40,
+  "link": {
+    "type": "generated-index",
+    "description": "Various server roles you will need to keep in mind with Anubis."
+  }
+}

docs/docs/admin/roles/oci-registry.mdx

@@ -0,0 +1,10 @@
+# OCI Registries
+
+If you are serving an OCI registry behind Anubis, you will need to import the `(data)/clients/docker-client.yaml` file in order to make sure that OCI registry clients can download images:
+
+```yaml
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/clients/docker-client.yaml
+# ... the rest of your config
+```

lib/anubis.go

@@ -117,10 +117,12 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	}
 
 	chall := challenge.Challenge{
-		ID:         id.String(),
-		Method:     rule.Challenge.Algorithm,
-		RandomData: fmt.Sprintf("%x", randomData),
-		IssuedAt:   time.Now(),
+		ID:             id.String(),
+		Method:         rule.Challenge.Algorithm,
+		RandomData:     fmt.Sprintf("%x", randomData),
+		IssuedAt:       time.Now(),
+		Difficulty:     rule.Challenge.Difficulty,
+		PolicyRuleHash: rule.Hash(),
 		Metadata: map[string]string{
 			"User-Agent": r.Header.Get("User-Agent"),
 			"X-Real-Ip":  r.Header.Get("X-Real-Ip"),
@@ -137,6 +139,44 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	return &chall, err
 }
 
+func (s *Server) hydrateChallengeRule(rule *policy.Bot, chall *challenge.Challenge, lg *slog.Logger) *policy.Bot {
+	if chall == nil {
+		return rule
+	}
+
+	if rule == nil {
+		rule = &policy.Bot{
+			Rules: &checker.List{},
+		}
+	}
+
+	if chall.Difficulty == 0 {
+		// fall back to whatever the policy currently says or the global default
+		if rule.Challenge != nil && rule.Challenge.Difficulty != 0 {
+			chall.Difficulty = rule.Challenge.Difficulty
+		} else {
+			chall.Difficulty = s.policy.DefaultDifficulty
+		}
+	}
+
+	if rule.Challenge == nil {
+		lg.Warn("rule missing challenge configuration; using stored challenge metadata", "rule", rule.Name)
+		rule.Challenge = &config.ChallengeRules{}
+	}
+
+	if rule.Challenge.Difficulty == 0 {
+		rule.Challenge.Difficulty = chall.Difficulty
+	}
+	if rule.Challenge.ReportAs == 0 {
+		rule.Challenge.ReportAs = chall.Difficulty
+	}
+	if rule.Challenge.Algorithm == "" {
+		rule.Challenge.Algorithm = chall.Method
+	}
+
+	return rule
+}
+
 func (s *Server) maybeReverseProxyHttpStatusOnly(w http.ResponseWriter, r *http.Request) {
 	s.maybeReverseProxy(w, r, true)
 }
@@ -461,6 +501,8 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	rule = s.hydrateChallengeRule(rule, chall, lg)
+
 	impl, ok := challenge.Get(chall.Method)
 	if !ok {
 		lg.Error("check failed", "err", err)
@@ -576,6 +618,7 @@ func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *p
 				return cr("bot/"+b.Name, b.Action, weight), &b, nil
 			case config.RuleWeigh:
 				lg.Debug("adjusting weight", "name", b.Name, "delta", b.Weight.Adjust)
+				policy.Applications.WithLabelValues("bot/"+b.Name, "WEIGH").Add(1)
 				weight += b.Weight.Adjust
 			}
 		}

lib/anubis_test.go

@@ -2,6 +2,7 @@ package lib
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -18,8 +19,10 @@ import (
 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
 	"github.com/TecharoHQ/anubis/internal"
+	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
+	"github.com/TecharoHQ/anubis/lib/store"
 	"github.com/TecharoHQ/anubis/lib/thoth/thothmock"
 )
 
@@ -1027,6 +1030,59 @@ func TestPassChallengeXSS(t *testing.T) {
 	})
 }
 
+func TestPassChallengeNilRuleChallengeFallback(t *testing.T) {
+	pol := loadPolicies(t, "testdata/zero_difficulty.yaml", 0)
+
+	srv := spawnAnubis(t, Options{
+		Next:   http.NewServeMux(),
+		Policy: pol,
+	})
+
+	allowThreshold, err := policy.ParsedThresholdFromConfig(config.Threshold{
+		Name: "allow-all",
+		Expression: &config.ExpressionOrList{
+			Expression: "true",
+		},
+		Action: config.RuleAllow,
+	})
+	if err != nil {
+		t.Fatalf("can't compile test threshold: %v", err)
+	}
+	srv.policy.Thresholds = []*policy.Threshold{allowThreshold}
+	srv.policy.Bots = nil
+
+	chall := challenge.Challenge{
+		ID:         "test-challenge",
+		Method:     "metarefresh",
+		RandomData: "apple cider",
+		IssuedAt:   time.Now().Add(-5 * time.Second),
+		Difficulty: 1,
+	}
+
+	j := store.JSON[challenge.Challenge]{Underlying: srv.store}
+	if err := j.Set(context.Background(), "challenge:"+chall.ID, chall, time.Minute); err != nil {
+		t.Fatalf("can't insert challenge into store: %v", err)
+	}
+
+	req := httptest.NewRequest(http.MethodGet, "https://example.com"+anubis.APIPrefix+"pass-challenge", nil)
+	q := req.URL.Query()
+	q.Set("redir", "/")
+	q.Set("id", chall.ID)
+	q.Set("challenge", chall.RandomData)
+	req.URL.RawQuery = q.Encode()
+	req.Header.Set("X-Real-Ip", "203.0.113.4")
+	req.Header.Set("User-Agent", "NilChallengeTester/1.0")
+	req.AddCookie(&http.Cookie{Name: anubis.TestCookieName, Value: chall.ID})
+
+	rr := httptest.NewRecorder()
+
+	srv.PassChallenge(rr, req)
+
+	if rr.Code != http.StatusFound {
+		t.Fatalf("expected redirect when validating challenge, got %d", rr.Code)
+	}
+}
+
 func TestXForwardedForNoDoubleComma(t *testing.T) {
 	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))

lib/challenge/challenge.go

@@ -4,10 +4,12 @@ import "time"
 
 // Challenge is the metadata about a single challenge issuance.
 type Challenge struct {
-	ID         string            `json:"id"`         // UUID identifying the challenge
-	Method     string            `json:"method"`     // Challenge method
-	RandomData string            `json:"randomData"` // The random data the client processes
-	IssuedAt   time.Time         `json:"issuedAt"`   // When the challenge was issued
-	Metadata   map[string]string `json:"metadata"`   // Challenge metadata such as IP address and user agent
-	Spent      bool              `json:"spent"`      // Has the challenge already been solved?
+	ID             string            `json:"id"`                       // UUID identifying the challenge
+	Method         string            `json:"method"`                   // Challenge method
+	RandomData     string            `json:"randomData"`               // The random data the client processes
+	IssuedAt       time.Time         `json:"issuedAt"`                 // When the challenge was issued
+	Metadata       map[string]string `json:"metadata"`                 // Challenge metadata such as IP address and user agent
+	Spent          bool              `json:"spent"`                    // Has the challenge already been solved?
+	Difficulty     int               `json:"difficulty,omitempty"`     // Difficulty that was in effect when issued
+	PolicyRuleHash string            `json:"policyRuleHash,omitempty"` // Hash of the policy rule that issued this challenge
 }

lib/challenge/challengetest/challengetest.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/internal"
 	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/google/uuid"
@@ -19,5 +20,6 @@ func New(t *testing.T) *challenge.Challenge {
 		ID:         id.String(),
 		RandomData: randomData,
 		IssuedAt:   time.Now(),
+		Difficulty: anubis.DefaultDifficulty,
 	}
 }

lib/challenge/metarefresh/metarefresh_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.924
+// templ: version: v0.3.960
 package metarefresh
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.

lib/challenge/preact/preact_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.924
+// templ: version: v0.3.960
 package preact
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.

lib/challenge/proofofwork/proofofwork_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.924
+// templ: version: v0.3.960
 package proofofwork
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.

lib/localization/locales/is.json

@@ -8,7 +8,7 @@
   "ai_companies_explanation": "Þú ert að sjá þetta vegna þess að kerfisstjóri þessa vefsvæðis hefur sett upp Anubis til að vernda vefþjóninn fyrir holskeflu beiðna frá svokölluðum gervigreindarfyrirtækjum sem samviskulaust eru að skrapa upplýsingar af vefsvæðum annarra. Þetta getur valdið og veldur töfum og truflunum á þessum vefsvæðum, sem aftur veldur því að efni þeirra verður öllum óaðgengilegt.",
   "anubis_compromise": "Anubis er millivegur. Anubis notar sönnun-á-vinnu (Proof-of-Work) skema í líkingu við Hashcash, sem er viðlíka skema til að minnka ruslpóst. Hugmyndin er að fyrir almennar heimsóknir verði viðbótarálagið vegna þessa ásættanlegt og valdi litlum truflunum, en við massaskröpun verði samlegðaráhrifin veruleg og geri slíka skröpun upplýsinga of dýra hvað varðar afköst og reiknigetu.",
   "hack_purpose": "Að lokum er þetta staðgengilslausn svo hægt sé að eyða meiri tíma í fingraför og auðkenningu höfuðlausra vafra (t.d. með því hvernig þeir birta leturgerðir) svo að áskorunarprófunarsíðan þurfi ekki að birtast notendum sem eru mun líklegri til að vera lögmætir.",
-  "jshelter_note": "Athugaðu að Anubis krefst notkunar á ýmsum nútímalegum eiginleikum JavaScript sem viðbætur á borð við JShelter munu gera ávirka. Endilega gerðu JShelter eða álíka viðbætur óvirkar fyrir þetta lén.",
+  "jshelter_note": "Athugaðu að Anubis krefst notkunar á ýmsum nútímalegum eiginleikum JavaScript sem viðbætur á borð við JShelter munu gera óvirka. Endilega gerðu JShelter eða álíka viðbætur óvirkar fyrir þetta lén.",
   "version_info": "Þetta vefsvæði er að keyra Anubis útgáfu",
   "try_again": "Prófaðu aftur",
   "go_home": "Farðu aftur heim til þín",
@@ -62,5 +62,5 @@
   "js_calculation_error": "Reiknivilla!",
   "js_calculation_error_msg": "Mistókst að reikna áskorun:",
   "missing_required_forwarded_headers": "Vantar nauðsynleg X-Forwarded-* hausar",
-  "simplified_explanation": "Þetta er ráðstöfun gegn vélmennum og illgjarnum beiðnum svipað og CAPTCHA. Hins vegar, í stað þess að þurfa að vinna sjálfur, fær vafrinn þinn útreikningsverkefni sem hann þarf að leysa til að tryggja að hann sé gildur biðlari. Þetta hugtak er kallað <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Sönnun-á-vinnu</a>. Verkefnið er reiknað á nokkrum sekúndum og þú færð aðgang að vefsíðunni. Takk fyrir skilninginn og þolinmæðina."
+  "simplified_explanation": "Þetta er ráðstöfun gegn vélmennum og illa meinandi beiðnum, sem virkar svipað og CAPTCHA-mennskupróf. Hins vegar; í stað þess að þurfa að vinna sjálfur, fær vafrinn þinn útreikningsverkefni sem hann þarf að leysa til að tryggja að hann sé gildur biðlari. Þetta hugtak er kallað <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Sönnun-á-vinnu</a>. Verkefnið er reiknað á nokkrum sekúndum og þú færð aðgang að vefsíðunni. Takk fyrir skilninginn og þolinmæðina."
 }

lib/localization/locales/manifest.json

@@ -18,6 +18,7 @@
     "pt-BR",
     "ru",
     "tr",
+    "uk",
     "vi",
     "zh-CN",
     "zh-TW",

lib/localization/locales/th.json

@@ -0,0 +1,64 @@
+{
+  "loading": "กำลังโหลด...",
+  "why_am_i_seeing": "ทำไมถึงเห็นสิ่งนี้?",
+  "protected_by": "ปกป้องโดย",
+  "protected_from": "จาก",
+  "made_with": "สร้างด้วย ❤️ ใน 🇨🇦",
+  "mascot_design": "ออกแบบมาสค็อตโดย",
+  "ai_companies_explanation": "คุณเห็นสิ่งนี้เพราะผู้ดูแลเว็บไซต์ได้ตั้งค่า Anubis เพื่อป้องกันเซิร์ฟเวอร์จากบริษัท AI ที่ทำการขูดข้อมูลเว็บไซต์อย่างก้าวร้าว ซึ่งสามารถทำให้เว็บไซต์ล่ม และทำให้ทรัพยากรของเว็บไซต์ไม่สามารถเข้าถึงได้สำหรับทุกคน",
+  "anubis_compromise": "Anubis คือการประนีประนอม โดยใช้ระบบ Proof-of-Work คล้ายกับ Hashcash ซึ่งเป็นแนวคิดสำหรับลดสแปมอีเมล แนวคิดคือ การโหลดเพิ่มเติมในระดับผู้ใช้รายบุคคลสามารถละเลยได้ แต่ในระดับการขูดข้อมูลจำนวนมาก มันจะสะสมและทำให้การขูดแพงขึ้น",
+  "hack_purpose": "ท้ายที่สุดแล้ว นี่คือการแฮ็กที่มีวัตถุประสงค์หลักเพื่อเป็นโซลูชันชั่วคราวที่ 'เพียงพอ' เพื่อให้มีเวลาในการสร้างการตรวจจับตัวตนของเบราว์เซอร์แบบไม่มีกล่องข้อความ (เช่น ผ่านการเรนเดอร์ฟอนต์) เพื่อไม่ต้องแสดงหน้า Proof-of-Work แก่ผู้ใช้ที่มีแนวโน้มว่าจะเป็นผู้ใช้จริง",
+  "jshelter_note": "โปรดทราบว่า Anubis ต้องการใช้คุณสมบัติ JavaScript สมัยใหม่ที่ปลั๊กอินอย่าง JShelter จะปิดใช้งาน กรุณาปิด JShelter หรือปลั๊กอินลักษณะคล้ายกันสำหรับโดเมนนี้",
+  "version_info": "เว็บไซต์นี้กำลังใช้ Anubis เวอร์ชัน",
+  "try_again": "ลองอีกครั้ง",
+  "go_home": "กลับหน้าหลัก",
+  "contact_webmaster": "หากคุณเชื่อว่าไม่ควรถูกบล็อก กรุณาติดต่อผู้ดูแลเว็บไซต์ที่",
+  "connection_security": "กรุณารอสักครู่ในขณะที่เราตรวจสอบความปลอดภัยของการเชื่อมต่อของคุณ",
+  "javascript_required": "น่าเสียดายที่คุณต้องเปิดใช้ JavaScript เพื่อผ่านการทดสอบนี้ เนื่องจากบริษัท AI ได้เปลี่ยนข้อตกลงทางสังคมเกี่ยวกับการโฮสต์เว็บไซต์ ทางเลือกแบบ 'ไม่มี JS' กำลังอยู่ระหว่างการพัฒนา",
+  "benchmark_requires_js": "เครื่องมือวัดประสิทธิภาพต้องใช้ JavaScript",
+  "difficulty": "ความยาก:",
+  "algorithm": "อัลกอริธึม:",
+  "compare": "เปรียบเทียบ:",
+  "time": "เวลา",
+  "iters": "จำนวนรอบ",
+  "time_a": "เวลา A",
+  "iters_a": "รอบ A",
+  "time_b": "เวลา B",
+  "iters_b": "รอบ B",
+  "static_check_endpoint": "นี่เป็นเพียง endpoint ตรวจสอบสำหรับ reverse proxy ของคุณ",
+  "authorization_required": "ต้องมีการยืนยันตัวตน",
+  "cookies_disabled": "เบราว์เซอร์ของคุณปิดการใช้งานคุกกี้ Anubis ต้องใช้คุกกี้เพื่อตรวจสอบว่าเป็นผู้ใช้ที่แท้จริง กรุณาเปิดใช้งานคุกกี้สำหรับโดเมนนี้",
+  "access_denied": "การเข้าถึงถูกปฏิเสธ: รหัสข้อผิดพลาด",
+  "dronebl_entry": "DroneBL รายงานรายการนี้",
+  "see_dronebl_lookup": "ดู",
+  "internal_server_error": "เกิดข้อผิดพลาดในเซิร์ฟเวอร์: ผู้ดูแลระบบได้กำหนดค่า Anubis อย่างไม่ถูกต้อง กรุณาติดต่อผู้ดูแลระบบและให้เขาตรวจสอบบันทึกใกล้กับ",
+  "invalid_redirect": "การเปลี่ยนเส้นทางไม่ถูกต้อง",
+  "redirect_not_parseable": "ไม่สามารถแยกวิเคราะห์ URL สำหรับเปลี่ยนเส้นทาง",
+  "redirect_domain_not_allowed": "ไม่อนุญาตให้เปลี่ยนเส้นทางไปยังโดเมนนี้",
+  "failed_to_sign_jwt": "ไม่สามารถเซ็น JWT ได้",
+  "invalid_invocation": "เรียกใช้ MakeChallenge อย่างไม่ถูกต้อง",
+  "client_error_browser": "ข้อผิดพลาดของไคลเอนต์: กรุณาตรวจสอบว่าเบราว์เซอร์ของคุณเป็นเวอร์ชันล่าสุด และลองใหม่ในภายหลัง",
+  "oh_noes": "โอ้ ไม่!",
+  "benchmarking_anubis": "กำลังวัดประสิทธิภาพ Anubis!",
+  "you_are_not_a_bot": "คุณไม่ใช่บอท!",
+  "making_sure_not_bot": "ตรวจสอบให้แน่ใจว่าคุณไม่ใช่บอท!",
+  "celphase": "CELPHASE",
+  "js_web_crypto_error": "เบราว์เซอร์ของคุณไม่มีฟีเจอร์ web.crypto ที่ใช้งานได้ คุณกำลังดูผ่านบริบทที่ปลอดภัยหรือไม่?",
+  "js_web_workers_error": "เบราว์เซอร์ของคุณไม่รองรับ web workers (Anubis ใช้เพื่อลดการค้างของเบราว์เซอร์) คุณใช้ปลั๊กอินเช่น JShelter หรือไม่?",
+  "js_cookies_error": "เบราว์เซอร์ของคุณไม่เก็บคุกกี้ Anubis ใช้คุกกี้เพื่อเก็บโทเค็นที่เซ็นแล้วสำหรับไคลเอนต์ที่ผ่านการท้าทาย กรุณาเปิดใช้งานการเก็บคุกกี้สำหรับโดเมนนี้ ชื่อคุกกี้อาจเปลี่ยนแปลงได้โดยไม่แจ้งล่วงหน้า",
+  "js_context_not_secure": "บริบทของคุณไม่ปลอดภัย!",
+  "js_context_not_secure_msg": "ลองเชื่อมต่อผ่าน HTTPS หรือแจ้งผู้ดูแลระบบให้ตั้งค่า HTTPS สำหรับข้อมูลเพิ่มเติมดูที่ <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>",
+  "js_calculating": "กำลังคำนวณ...",
+  "js_missing_feature": "ไม่มีคุณลักษณะนี้",
+  "js_challenge_error": "เกิดข้อผิดพลาดในการท้าทาย!",
+  "js_challenge_error_msg": "ไม่สามารถแก้ไขอัลกอริธึมการตรวจสอบ อาจต้องโหลดหน้าใหม่",
+  "js_calculating_difficulty": "กำลังคำนวณ...<br/>ความยาก:",
+  "js_speed": "ความเร็ว:",
+  "js_verification_longer": "การตรวจสอบใช้เวลานานกว่าที่คาดไว้ กรุณาอย่ารีเฟรชหน้านี้",
+  "js_success": "สำเร็จ!",
+  "js_done_took": "เสร็จแล้ว! ใช้เวลา",
+  "js_iterations": "รอบ",
+  "js_finished_reading": "อ่านจบแล้ว ดำเนินการต่อ →",
+  "js_calculation_error": "เกิดข้อผิดพลาดในการคำนวณ!",
+  "js_calculation_error_msg": "ไม่สามารถคำนวณการท้าทายได้:"
+}

lib/localization/locales/uk.json

@@ -0,0 +1,66 @@
+{
+  "loading": "Завантаження...",
+  "why_am_i_seeing": "Чому я це бачу?",
+  "protected_by": "Захищено засобами",
+  "protected_from": "за авторством",
+  "made_with": "Зроблено з ❤️ у 🇨🇦",
+  "mascot_design": "Дизайн персонажа від",
+  "ai_companies_explanation": "Ви це бачите, оскільки адміністрація сайту налаштувала Anubis, щоб захистити сервер від тиску ШІ-компаній, які агресивно сканують вебсайти. Їхня діяльність спричиняє перебої в роботі вебсайтів, що робить матеріали недоступними для всіх.",
+  "anubis_compromise": "Anubis — це компроміс. Anubis втілює схему доказу виконаної роботи подібно до Hashcash — засобу боротьби зі спамом. По ідеї, додаткове навантаження не обтяжує справжню людину, котра робить небагато запитів, а от масове сканування таким чином стає суттєво дорожчим.",
+  "hack_purpose": "Це тимчасове рішення, котре дозволяє приділити більше часу розпізнанню й виокремленню автоматизованих браузерів (наприклад, за тим, як вони промальовують шрифти), щоб сторінку перевірки доказу виконаної роботи не доводилося показувати ймовірно справжнім користувачам.",
+  "simplified_explanation": "Це засіб боротьби з ботами й зловмисними запитами, подібний до капчі. Проте замість того, щоб просити вас щось зробити, він пропонує вашому браузеру розв'язати обчислювальне завдання. Ця концепція називається <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">доказом виконаної роботи</a>. Завдання обчислюється кілька секунд, після чого вам надається доступ до сайту. Дякуємо за розуміння й терплячість.",
+  "jshelter_note": "Зауважте, Anubis потребує сучасного JavaScript-функціоналу, котрий може бути недоступним при використанні розширень на зразок JShelter. Будь ласка, вимкніть JShelter чи інші подібні розширення для цього домену.",
+  "version_info": "Цей вебсайт застосовує Anubis версії",
+  "try_again": "Повторіть спробу",
+  "go_home": "Перейдіть на головну сторінку",
+  "contact_webmaster": "або, якщо ви певні в помилковості блокування, сконтактуйте з адміністрацією за адресою",
+  "connection_security": "Зачекайте хвилинку, поки ми перевіримо безпеку вашого з'єднання.",
+  "javascript_required": "На жаль, вам потрібно ввімкнути JavaScript, щоб пройти цю перевірку. Це необхідно, оскільки ШІ-компанії нехтують суспільним договором, завдяки якому можливо утримувати вебсайти. Робота над рішенням без використання JS триває.",
+  "benchmark_requires_js": "Щоб запустити тестування продуктивності, ввімкніть JavaScript.",
+  "difficulty": "Складність:",
+  "algorithm": "Алгоритм:",
+  "compare": "Порівняти:",
+  "time": "Час",
+  "iters": "Ітерації",
+  "time_a": "Час A",
+  "iters_a": "Ітерації A",
+  "time_b": "Час B",
+  "iters_b": "Ітерації B",
+  "static_check_endpoint": "Це просто сторінка перевірки для вашого зворотного проксі.",
+  "authorization_required": "Необхідно авторизуватися",
+  "cookies_disabled": "У вашому браузері вимкнено кукі. Anubis використовує кукі, щоб упевнитись, що ви дійсно людина. Це законний інтерес. Будь ласка, ввімкніть кукі для цього домену",
+  "access_denied": "Доступ заборонено: код помилки",
+  "dronebl_entry": "DroneBL містить пункт",
+  "see_dronebl_lookup": "див.",
+  "internal_server_error": "Внутрішня помилка сервера: адміністрація хибно налаштувала Anubis. Будь ласка, сконтактуйте з адміністрацією й попросіть глянути логи довкола",
+  "invalid_redirect": "Хибне переспрямування",
+  "redirect_not_parseable": "Не вдається розпізнати URL-адресу переспрямування",
+  "redirect_domain_not_allowed": "Заборонений домен переспрямування",
+  "missing_required_forwarded_headers": "Бракує обов'язкових заголовків X-Forwarded-*",
+  "failed_to_sign_jwt": "не вдається підписати JWT",
+  "invalid_invocation": "Хибний виклик MakeChallenge",
+  "client_error_browser": "Помилка клієнта: переконайтесь, що використовуєте браузер актуальної версії, й повторіть спробу.",
+  "oh_noes": "Йой!",
+  "benchmarking_anubis": "Тестування продуктивності Anubis!",
+  "you_are_not_a_bot": "Ви не бот!",
+  "making_sure_not_bot": "Перевірка, чи ви не бот!",
+  "celphase": "CELPHASE",
+  "js_web_crypto_error": "Ваш браузер не надає web.crypto. Ви певні, що дивитесь це через захищений контекст?",
+  "js_web_workers_error": "Ваш браузер не підтримує Web Workers (Anubis використовує їх, щоб ваш браузер не зависав на час перевірки). Можливо, у вас встановлено розширення на зразок JShelter?",
+  "js_cookies_error": "Ваш браузер не зберігає кукі. Anubis записує підписаний токен до кукі, щоб занотувати, що клієнт пройшов перевірку. Будь ласка, ввімкніть збереження кукі для цього домену. Назви кукі, які записує Anubis, можуть змінюватися без попередження. Назви й значення кукі не є частиною публічного API.",
+  "js_context_not_secure": "Ваш контекст незахищений!",
+  "js_context_not_secure_msg": "Спробуйте з'єднатися через HTTPS або попросіть адміністрацію налаштувати HTTPS. Докладніше — в <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
+  "js_calculating": "Обчислення...",
+  "js_missing_feature": "Бракує функціоналу",
+  "js_challenge_error": "Помилка перевірки!",
+  "js_challenge_error_msg": "Не вдалося визначити алгоритм перевірки. Спробуйте оновити сторінку.",
+  "js_calculating_difficulty": "Обчислення...<br/>Складність:",
+  "js_speed": "Швидкість:",
+  "js_verification_longer": "Перевірка триває довше, ніж очікувалося. Будь ласка, не оновлюйте сторінку.",
+  "js_success": "Успіх!",
+  "js_done_took": "Готово! Знадобилося",
+  "js_iterations": "ітерацій",
+  "js_finished_reading": "Читання завершено, продовжити →",
+  "js_calculation_error": "Помилка обчислення!",
+  "js_calculation_error_msg": "Не вдалося обчислити перевірку:"
+}

lib/localization/localization_test.go

@@ -27,10 +27,11 @@ func TestLocalizationService(t *testing.T) {
 		"pt-BR": "Carregando...",
 		"tr":    "Yükleniyor...",
 		"ru":    "Загрузка...",
+		"uk":    "Завантаження...",
 		"vi":    "Đang nạp...",
 		"zh-CN": "加载中...",
 		"zh-TW": "載入中...",
-		"sv" : "Laddar...",
+		"sv":    "Laddar...",
 	}
 
 	var keys []string

lib/policy/checker.go

@@ -51,6 +51,11 @@ func (rac *RemoteAddrChecker) Check(r *http.Request) (bool, error) {
 		return false, fmt.Errorf("%w: %s is not an IP address: %w", ErrMisconfiguration, host, err)
 	}
 
+	// Convert IPv4-mapped IPv6 addresses to IPv4
+	if addr.Is6() && addr.Is4In6() {
+		addr = addr.Unmap()
+	}
+
 	return rac.prefixTable.Contains(addr), nil
 }
 

lib/policy/checker_test.go

@@ -21,6 +21,20 @@ func TestRemoteAddrChecker(t *testing.T) {
 			ok:    true,
 			err:   nil,
 		},
+		{
+			name:  "match_ipv4_in_ipv6",
+			cidrs: []string{"0.0.0.0/0"},
+			ip:    "::ffff:1.1.1.1",
+			ok:    true,
+			err:   nil,
+		},
+		{
+			name:  "match_ipv4_in_ipv6_hex",
+			cidrs: []string{"0.0.0.0/0"},
+			ip:    "::ffff:101:101",
+			ok:    true,
+			err:   nil,
+		},
 		{
 			name:  "match_ipv6",
 			cidrs: []string{"::/0"},

lib/store/valkey/factory.go

@@ -5,80 +5,98 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"time"
 
 	"github.com/TecharoHQ/anubis/lib/store"
 	valkey "github.com/redis/go-redis/v9"
-)
-
-var (
-	ErrNoURL  = errors.New("valkey.Config: no URL defined")
-	ErrBadURL = errors.New("valkey.Config: URL is invalid")
+	"github.com/redis/go-redis/v9/maintnotifications"
 )
 
 func init() {
 	store.Register("valkey", Factory{})
 }
 
-type Factory struct{}
-
-func (Factory) Build(ctx context.Context, data json.RawMessage) (store.Interface, error) {
-	var config Config
-
-	if err := json.Unmarshal([]byte(data), &config); err != nil {
-		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
-	}
-
-	if err := config.Valid(); err != nil {
-		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
-	}
-
-	opts, err := valkey.ParseURL(config.URL)
-	if err != nil {
-		return nil, fmt.Errorf("%w: %w", store.ErrBadConfig, err)
-	}
-
-	rdb := valkey.NewClient(opts)
-
-	if _, err := rdb.Ping(ctx).Result(); err != nil {
-		return nil, fmt.Errorf("can't ping valkey instance: %w", err)
-	}
-
-	return &Store{
-		rdb: rdb,
-	}, nil
-}
-
-func (Factory) Valid(data json.RawMessage) error {
-	var config Config
-	if err := json.Unmarshal([]byte(data), &config); err != nil {
-		return fmt.Errorf("%w: %w", store.ErrBadConfig, err)
-	}
-
-	if err := config.Valid(); err != nil {
-		return fmt.Errorf("%w: %w", store.ErrBadConfig, err)
-	}
-
-	return nil
-}
+// Errors kept as-is so other code/tests still pass.
+var (
+	ErrNoURL  = errors.New("valkey.Config: no URL defined")
+	ErrBadURL = errors.New("valkey.Config: URL is invalid")
+)
 
+// Config is what Anubis unmarshals from the "parameters" JSON.
 type Config struct {
-	URL string `json:"url"`
+	URL     string `json:"url"`
+	Cluster bool   `json:"cluster,omitempty"`
 }
 
 func (c Config) Valid() error {
-	var errs []error
-
 	if c.URL == "" {
-		errs = append(errs, ErrNoURL)
+		return ErrNoURL
 	}
 
+	// Just validate that it's a valid Redis URL.
 	if _, err := valkey.ParseURL(c.URL); err != nil {
-		errs = append(errs, ErrBadURL)
-	}
-
-	if len(errs) != 0 {
-		return fmt.Errorf("valkey.Config: invalid config: %w", errors.Join(errs...))
+		return fmt.Errorf("%w: %v", ErrBadURL, err)
 	}
 
 	return nil
 }
+
+// redisClient is satisfied by *valkey.Client and *valkey.ClusterClient.
+type redisClient interface {
+	Get(ctx context.Context, key string) *valkey.StringCmd
+	Set(ctx context.Context, key string, value interface{}, expiration time.Duration) *valkey.StatusCmd
+	Del(ctx context.Context, keys ...string) *valkey.IntCmd
+	Ping(ctx context.Context) *valkey.StatusCmd
+}
+
+type Factory struct{}
+
+func (Factory) Valid(data json.RawMessage) error {
+	var cfg Config
+	if err := json.Unmarshal(data, &cfg); err != nil {
+		return err
+	}
+	return cfg.Valid()
+}
+
+func (Factory) Build(ctx context.Context, data json.RawMessage) (store.Interface, error) {
+	var cfg Config
+	if err := json.Unmarshal(data, &cfg); err != nil {
+		return nil, err
+	}
+	if err := cfg.Valid(); err != nil {
+		return nil, err
+	}
+
+	opts, err := valkey.ParseURL(cfg.URL)
+	if err != nil {
+		return nil, fmt.Errorf("valkey.Factory: %w", err)
+	}
+
+	var client redisClient
+
+	if cfg.Cluster {
+		// Cluster mode: use the parsed Addr as the seed node.
+		clusterOpts := &valkey.ClusterOptions{
+			Addrs: []string{opts.Addr},
+			// Explicitly disable maintenance notifications
+			// This prevents the client from sending CLIENT MAINT_NOTIFICATIONS ON
+			MaintNotificationsConfig: &maintnotifications.Config{
+				Mode: maintnotifications.ModeDisabled,
+			},
+		}
+		client = valkey.NewClusterClient(clusterOpts)
+	} else {
+		opts.MaintNotificationsConfig = &maintnotifications.Config{
+			Mode: maintnotifications.ModeDisabled,
+		}
+		client = valkey.NewClient(opts)
+	}
+
+	// Optional but nice: fail fast if the cluster/single node is unreachable.
+	if err := client.Ping(ctx).Err(); err != nil {
+		return nil, fmt.Errorf("valkey.Factory: ping failed: %w", err)
+	}
+
+	return &Store{client: client}, nil
+}

lib/store/valkey/valkey.go

@@ -2,52 +2,46 @@ package valkey
 
 import (
 	"context"
-	"fmt"
 	"time"
 
 	"github.com/TecharoHQ/anubis/lib/store"
 	valkey "github.com/redis/go-redis/v9"
 )
 
+// Store implements store.Interface on top of Redis/Valkey.
 type Store struct {
-	rdb *valkey.Client
+	client redisClient
 }
 
-func (s *Store) Delete(ctx context.Context, key string) error {
-	n, err := s.rdb.Del(ctx, key).Result()
-	if err != nil {
-		return fmt.Errorf("can't delete from valkey: %w", err)
-	}
-
-	switch n {
-	case 0:
-		return fmt.Errorf("%w: %d key(s) deleted", store.ErrNotFound, n)
-	default:
-		return nil
-	}
-}
+var _ store.Interface = (*Store)(nil)
 
 func (s *Store) Get(ctx context.Context, key string) ([]byte, error) {
-	result, err := s.rdb.Get(ctx, key).Result()
-	if err != nil {
-		if valkey.HasErrorPrefix(err, "redis: nil") {
-			return nil, fmt.Errorf("%w: %w", store.ErrNotFound, err)
+	cmd := s.client.Get(ctx, key)
+	if err := cmd.Err(); err != nil {
+		if err == valkey.Nil {
+			return nil, store.ErrNotFound
 		}
-
-		return nil, fmt.Errorf("can't fetch from valkey: %w", err)
+		return nil, err
 	}
-
-	return []byte(result), nil
+	return cmd.Bytes()
 }
 
 func (s *Store) Set(ctx context.Context, key string, value []byte, expiry time.Duration) error {
-	if _, err := s.rdb.Set(ctx, key, string(value), expiry).Result(); err != nil {
-		return fmt.Errorf("can't set %q in valkey: %w", key, err)
-	}
+	return s.client.Set(ctx, key, value, expiry).Err()
+}
 
+func (s *Store) Delete(ctx context.Context, key string) error {
+	res := s.client.Del(ctx, key)
+	if err := res.Err(); err != nil {
+		return err
+	}
+	if n, _ := res.Result(); n == 0 {
+		return store.ErrNotFound
+	}
 	return nil
 }
 
+// IsPersistent tells Anubis this backend is “real” storage, not in-memory.
 func (s *Store) IsPersistent() bool {
 	return true
 }

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "@techaro/anubis",
-  "version": "1.23.0",
+  "version": "1.23.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@techaro/anubis",
-      "version": "1.23.0",
+      "version": "1.23.1",
       "license": "ISC",
       "dependencies": {
         "@aws-crypto/sha256-js": "^5.2.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@techaro/anubis",
-  "version": "1.23.0",
+  "version": "1.23.1",
   "description": "",
   "main": "index.js",
   "scripts": {

test/docker-registry/anubis.yaml

@@ -0,0 +1,7 @@
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/clients/docker-client.yaml
+
+status_codes:
+  CHALLENGE: 200
+  DENY: 403

test/docker-registry/docker-compose.yaml

@@ -0,0 +1,30 @@
+services:
+  registry:
+    image: distribution/distribution:edge
+    restart: always
+
+  relayd:
+    image: ghcr.io/xe/x/relayd
+    pull_policy: always
+    environment:
+      CERT_DIR: /etc/techaro/pki/registry.local.cetacean.club
+      CERT_FNAME: cert.pem
+      KEY_FNAME: key.pem
+      PROXY_TO: http://anubis:3000
+    ports:
+      - 3004:3004
+    volumes:
+      - ../pki/registry.local.cetacean.club:/etc/techaro/pki/registry.local.cetacean.club
+
+  anubis:
+    image: ko.local/anubis
+    restart: always
+    environment:
+      BIND: ":3000"
+      TARGET: http://registry:5000
+      POLICY_FNAME: /etc/techaro/anubis.yaml
+      USE_REMOTE_ADDRESS: "true"
+    ports:
+      - 3000
+    volumes:
+      - ./anubis.yaml:/etc/techaro/anubis.yaml

test/docker-registry/test.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+export VERSION=${GITHUB_SHA}-test
+export KO_DOCKER_REPO=ko.local
+
+set -u
+
+source ../lib/lib.sh
+
+build_anubis_ko
+
+function cleanup() {
+	docker compose down
+}
+
+trap cleanup EXIT SIGINT
+
+mint_cert registry.local.cetacean.club
+
+docker compose up -d
+
+backoff-retry skopeo \
+	--insecure-policy \
+	copy \
+	--dest-tls-verify=false \
+	docker://hello-world \
+	docker://registry.local.cetacean.club:3004/hello-world

test/docker-registry/var/.gitignore

@@ -0,0 +1,2 @@
+*
+!.gitignore

test/git-push/test.sh

@@ -2,7 +2,7 @@
 
 set -eo pipefail
 
-export VERSION=$GITHUB_COMMIT-test
+export VERSION=${GITHUB_SHA}-test
 export KO_DOCKER_REPO=ko.local
 
 set -u
@@ -21,16 +21,16 @@ docker compose up -d
 sleep 2
 
 (
-  cd var && \
-  mkdir foo && \
-  cd foo && \
-  git init && \
-  touch README && \
-  git add . && \
-  git config user.name "Anubis CI" && \
-  git config user.email "social+anubis-ci@techaro.lol" && \
-  git commit -sm "initial commit" && \
-  git push -u http://localhost:3000/git/foo.git master
+	cd var &&
+		mkdir foo &&
+		cd foo &&
+		git init &&
+		touch README &&
+		git add . &&
+		git config user.name "Anubis CI" &&
+		git config user.email "social+anubis-ci@techaro.lol" &&
+		git commit -sm "initial commit" &&
+		git push -u http://localhost:3000/git/foo.git master
 )
 
-exit 0
+exit 0

web/index_templ.go

@@ -1,6 +1,6 @@
 // Code generated by templ - DO NOT EDIT.
 
-// templ: version: v0.3.924
+// templ: version: v0.3.960
 package web
 
 //lint:file-ignore SA4006 This context is only used if a nested component is present.