chore: add comments back to Challenge struct.

See #1284
and https://github.com/TecharoHQ/anubis/pull/1284#issuecomment-3784096905

.github/actions/spelling/allow.txt

@@ -18,3 +18,9 @@ clampip
 pseudoprofound
 reimagining
 iocaine
+admins
+fout
+iplist
+NArg
+blocklists
+rififi

.github/actions/spelling/excludes.txt

@@ -87,10 +87,14 @@
 ^docs/docs/user/known-instances.md$
 ^docs/manifest/.*$
 ^docs/static/\.nojekyll$
-^lib/policy/config/testdata/bad/unparseable\.json$
 ^internal/glob/glob_test.go$
+^internal/honeypot/naive/affirmations\.txt$
+^internal/honeypot/naive/spintext\.txt$
+^internal/honeypot/naive/titles\.txt$
+^lib/config/testdata/bad/unparseable\.json$
+^lib/localization/.*_test.go$
+^lib/localization/locales/.*\.json$
+^lib/policy/config/testdata/bad/unparseable\.json$
+^test/.*$
 ignore$
 robots.txt
-^lib/localization/locales/.*\.json$
-^lib/localization/.*_test.go$
-^test/.*$

.github/actions/spelling/expect.txt

@@ -1,409 +1,406 @@
-acs
-Actorified
-actorifiedstore
-actorify
-Aibrew
-alibaba
-alrest
-amazonbot
-anthro
-anubis
-anubistest
-apnic
-APNICRANDNETAU
-Applebot
-archlinux
-arpa
-asnc
-asnchecker
-asns
-aspirational
-atuin
-azuretools
-badregexes
-bbolt
-bdba
-berr
-bezier
-bingbot
-Bitcoin
-bitrate
-Bluesky
-blueskybot
-boi
-Bokm
-botnet
-botstopper
-BPort
-Brightbot
-broked
-buildah
-byteslice
-Bytespider
-cachebuster
-cachediptoasn
-Caddyfile
-caninetools
-Cardyb
-celchecker
-celphase
-cerr
-certresolver
-cespare
-CGNAT
-cgr
-chainguard
-chall
-challengemozilla
-challengetest
-checkpath
-checkresult
-chibi
-cidranger
-ckie
-cloudflare
-Codespaces
-confd
-connnection
-containerbuild
-containerregistry
-coreutils
-Cotoyogi
-Cromite
-crt
-Cscript
-daemonizing
-dayjob
-DDOS
-Debian
-debrpm
-decaymap
-devcontainers
-Diffbot
-discordapp
-discordbot
-distros
-dnf
-dnsbl
-dnserr
-DNSTTL
-domainhere
-dracula
-dronebl
-droneblresponse
-dropin
-dsilence
-duckduckbot
-eerror
-ellenjoe
-emacs
-enbyware
-etld
-everyones
-evilbot
-evilsite
-expressionorlist
-externalagent
-externalfetcher
-extldflags
-facebookgo
-Factset
-fahedouch
-fastcgi
-FCr
-fcrdns
-fediverse
-ffprobe
-financials
-finfos
-Firecrawl
-flagenv
-Fordola
-forgejo
-forwardauth
-fsys
-fullchain
-gaissmai
-Galvus
-geoip
-geoipchecker
-gha
-GHSA
-Ghz
-gipc
-gitea
-godotenv
-goland
-gomod
-goodbot
-googlebot
-gopsutil
-govulncheck
-goyaml
-GPG
-GPT
-gptbot
-Graphene
-grpcprom
-grw
-gzw
-Hashcash
-hashrate
-headermap
-healthcheck
-healthz
-hec
-helpdesk
-Hetzner
-hmc
-homelab
-hostable
-htmlc
-htmx
-httpdebug
-huawei
-hypertext
-iaskspider
-iaso
-iat
-ifm
-Imagesift
-imgproxy
-impressum
-inbox
-ingressed
-inp
-internets
-IPTo
-iptoasn
-isp
-iss
-isset
-ivh
-Jenomis
-JGit
-jhjj
-joho
-journalctl
-jshelter
-JWTs
-kagi
-kagibot
-Keyfunc
-keypair
-KHTML
-kinda
-KUBECONFIG
-lcj
-ldflags
-letsencrypt
-Lexentale
-lfc
-lgbt
-licend
-licstart
-lightpanda
-limsa
-Linting
-listor
-LLU
-loadbalancer
-lol
-lominsa
-maintainership
-malware
-mcr
-memes
-metarefresh
-metrix
-mimi
-Minfilia
-mistralai
-mnt
-Mojeek
-mojeekbot
-mozilla
-myclient
-mymaster
-mypass
-myuser
-nbf
-nepeat
-netsurf
-nginx
-nicksnyder
-nobots
-NONINFRINGEMENT
-nosleep
-nullglob
-oci
-OCOB
-ogtag
-oklch
-omgili
-omgilibot
-openai
-opendns
-opengraph
-openrc
-oswald
-pag
-palemoon
-Pangu
-parseable
-passthrough
-Patreon
-pgrep
-phrik
-pidfile
-pids
-pipefail
-pki
-podkova
-podman
-Postgre
-poststart
-prebaked
-privkey
-promauto
-promhttp
-proofofwork
-publicsuffix
-purejs
-pwcmd
-pwuser
-qualys
-qwant
-qwantbot
-rac
-rawler
-rcvar
-redhat
-redir
-redirectscheme
-refactors
-remoteip
-reputational
-risc
-ruleset
-runlevels
-RUnlock
-runtimedir
-runtimedirectory
-Ryzen
-sas
-sasl
-screenshots
-searchbot
-searx
-sebest
-secretplans
-Semrush
-Seo
-setsebool
-shellcheck
-shirou
-shopt
-Sidetrade
-simprint
-sitemap
-sls
-sni
-snipster
-Spambot
-sparkline
-spyderbot
-srv
-stackoverflow
-startprecmd
-stoppostcmd
-storetest
-subgrid
-subr
-subrequest
-SVCNAME
-tagline
-tarballs
-tarrif
-taviso
-tbn
-tbr
-techaro
-techarohq
-telegrambot
-templ
-templruntime
-testarea
-Thancred
-thoth
-thothmock
-Tik
-Timpibot
-TLog
-traefik
-trunc
-uberspace
-Unbreak
-unbreakdocker
-unifiedjs
-unmarshal
-unparseable
-uvx
-UXP
-valkey
-Varis
-Velen
-vendored
-verify
-vhosts
-vkbot
-VKE
-vnd
-VPS
-Vultr
-weblate
-webmaster
-webpage
-websecure
-websites
-Webzio
-whois
-wildbase
-withthothmock
-wolfbeast
-wordpress
-workaround
-workdir
-wpbot
-XCircle
-xeiaso
-xeserv
-xesite
-xess
-xff
-XForwarded
-XNG
-XOB
-XOriginal
-XReal
-yae
-YAMLTo
-Yda
-yeet
-yeetfile
-yourdomain
-yyz
-Zenos
-zizmor
-zombocom
-zos
-GLM
-iocaine
-nikandfor
-pagegen
-pseudoprofound
-reimagining
-Rhul
-shoneypot
-spammer
-Y'shtola
+acs
+Actorified
+actorifiedstore
+actorify
+Aibrew
+alibaba
+alrest
+amazonbot
+anthro
+anubis
+anubistest
+apnic
+APNICRANDNETAU
+Applebot
+archlinux
+arpa
+asnc
+asnchecker
+asns
+aspirational
+atuin
+azuretools
+badregexes
+bbolt
+bdba
+berr
+bezier
+bingbot
+Bitcoin
+bitrate
+Bluesky
+blueskybot
+boi
+Bokm
+botnet
+botstopper
+BPort
+Brightbot
+broked
+buildah
+byteslice
+Bytespider
+cachebuster
+cachediptoasn
+Caddyfile
+caninetools
+Cardyb
+celchecker
+celphase
+cerr
+certresolver
+cespare
+CGNAT
+cgr
+chainguard
+chall
+challengemozilla
+challengetest
+checkpath
+checkresult
+chibi
+cidranger
+ckie
+cloudflare
+Codespaces
+confd
+connnection
+containerbuild
+containerregistry
+coreutils
+Cotoyogi
+Cromite
+crt
+Cscript
+daemonizing
+databento
+dayjob
+DDOS
+Debian
+debrpm
+decaymap
+devcontainers
+Diffbot
+discordapp
+discordbot
+distros
+dnf
+dnsbl
+dnserr
+DNSTTL
+domainhere
+dracula
+dronebl
+droneblresponse
+dropin
+dsilence
+duckduckbot
+eerror
+ellenjoe
+emacs
+enbyware
+etld
+everyones
+evilbot
+evilsite
+expressionorlist
+externalagent
+externalfetcher
+extldflags
+facebookgo
+Factset
+fahedouch
+fastcgi
+FCr
+fcrdns
+fediverse
+ffprobe
+financials
+finfos
+Firecrawl
+flagenv
+Fordola
+forgejo
+forwardauth
+fsys
+fullchain
+gaissmai
+Galvus
+geoip
+geoipchecker
+gha
+GHSA
+Ghz
+gipc
+gitea
+GLM
+godotenv
+goland
+gomod
+goodbot
+googlebot
+gopsutil
+govulncheck
+goyaml
+GPG
+GPT
+gptbot
+Graphene
+grpcprom
+grw
+gzw
+Hashcash
+hashrate
+headermap
+healthcheck
+healthz
+hec
+helpdesk
+Hetzner
+hmc
+homelab
+hostable
+htmlc
+htmx
+httpdebug
+huawei
+hypertext
+iaskspider
+iaso
+iat
+ifm
+Imagesift
+imgproxy
+impressum
+inbox
+ingressed
+inp
+internets
+IPTo
+iptoasn
+isp
+iss
+isset
+ivh
+Jenomis
+JGit
+jhjj
+joho
+journalctl
+jshelter
+JWTs
+kagi
+kagibot
+Keyfunc
+keypair
+KHTML
+kinda
+KUBECONFIG
+lcj
+ldflags
+letsencrypt
+Lexentale
+lfc
+lgbt
+licend
+licstart
+lightpanda
+limsa
+Linting
+listor
+LLU
+loadbalancer
+lol
+lominsa
+maintainership
+malware
+mcr
+memes
+metarefresh
+metrix
+mimi
+Minfilia
+mistralai
+mnt
+Mojeek
+mojeekbot
+mozilla
+myclient
+mymaster
+mypass
+myuser
+nbf
+nepeat
+netsurf
+nginx
+nicksnyder
+nikandfor
+nobots
+NONINFRINGEMENT
+nosleep
+nullglob
+oci
+OCOB
+ogtag
+oklch
+omgili
+omgilibot
+openai
+opendns
+opengraph
+openrc
+oswald
+pag
+pagegen
+palemoon
+Pangu
+parseable
+passthrough
+Patreon
+pgrep
+phrik
+pidfile
+pids
+pipefail
+pki
+podkova
+podman
+Postgre
+poststart
+prebaked
+privkey
+promauto
+promhttp
+proofofwork
+publicsuffix
+purejs
+pwcmd
+pwuser
+qualys
+qwant
+qwantbot
+rac
+rawler
+rcvar
+redhat
+redir
+redirectscheme
+refactors
+remoteip
+reputational
+Rhul
+risc
+ruleset
+runlevels
+RUnlock
+runtimedir
+runtimedirectory
+Ryzen
+sas
+sasl
+screenshots
+searchbot
+searx
+sebest
+secretplans
+Semrush
+Seo
+setsebool
+shellcheck
+shirou
+shoneypot
+shopt
+Sidetrade
+simprint
+sitemap
+sls
+sni
+snipster
+Spambot
+spammer
+sparkline
+spyderbot
+srv
+stackoverflow
+startprecmd
+stoppostcmd
+storetest
+subgrid
+subr
+subrequest
+SVCNAME
+tagline
+tarballs
+tarrif
+taviso
+tbn
+tbr
+techaro
+techarohq
+telegrambot
+templ
+templruntime
+testarea
+Thancred
+thoth
+thothmock
+Tik
+Timpibot
+TLog
+traefik
+trunc
+uberspace
+Unbreak
+unbreakdocker
+unifiedjs
+unmarshal
+unparseable
+uvx
+UXP
+valkey
+Varis
+Velen
+vendored
+vhosts
+vkbot
+VKE
+vnd
+VPS
+Vultr
+weblate
+webmaster
+webpage
+websecure
+websites
+Webzio
+whois
+wildbase
+withthothmock
+wolfbeast
+wordpress
+workaround
+workdir
+wpbot
+XCircle
+xeiaso
+xeserv
+xesite
+xess
+xff
+XForwarded
+XNG
+XOB
+XOriginal
+XReal
+Y'shtola
+yae
+YAMLTo
+Yda
+yeet
+yeetfile
+yourdomain
+yyz
+Zenos
+zizmor
+zombocom
+zos

.github/workflows/docker.yml

@@ -68,7 +68,7 @@ jobs:
           SLOG_LEVEL: debug
 
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
         with:
           subject-name: ${{ env.IMAGE }}
           subject-digest: ${{ steps.build.outputs.digest }}

.github/workflows/docs-deploy.yml

@@ -22,7 +22,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Log into registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0

.github/workflows/docs-test.yml

@@ -18,7 +18,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Docker meta
         id: meta

.github/workflows/smoke-tests.yml

@@ -23,6 +23,7 @@ jobs:
           - healthcheck
           - i18n
           - log-file
+          - nginx
           - palemoon/amd64
           #- palemoon/i386
           - robots_txt
@@ -35,10 +36,10 @@ jobs:
 
       - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
-          node-version: '24.11.0'
+          node-version: "24.11.0"
       - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
         with:
-          go-version: '1.25.4'
+          go-version: "1.25.4"
 
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 

.github/workflows/ssh-ci-runner-cron.yml

@@ -30,7 +30,7 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       - name: Build and push
         run: |
           cd ./test/ssh-ci

.github/workflows/zizmor.yml

@@ -29,7 +29,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           sarif_file: results.sarif
           category: zizmor

README.md

@@ -20,6 +20,9 @@ Anubis is brought to you by sponsors and donors like:
 <a href="https://www.raptorcs.com/content/base/products.html">
   <img src="./docs/static/img/sponsors/raptor-computing-logo.webp" alt="Raptor Computing Systems" height=64 />
 </a>
+<a href="https://databento.com/?utm_source=anubis&utm_medium=sponsor&utm_campaign=anubis">
+  <img src="./docs/static/img/sponsors/databento-logo.webp" alt="Databento" height="64" />
+</a>
 
 ### Gold Tier
 

data/apps/qualys-ssl-labs.yml

@@ -3,5 +3,6 @@
 - name: qualys-ssl-labs
   action: ALLOW
   remote_addresses:
-  - 64.41.200.0/24
-  - 2600:C02:1020:4202::/64
+  - 69.67.183.0/24
+  - 2600:C02:1020:4202::/64
+  - 2602:fdaa:c6:2::/64

data/clients/ai.yaml

@@ -4,5 +4,5 @@
 #  - Claude-User: No published IP allowlist
 - name: "ai-clients"
   user_agent_regex: >-
-    ChatGPT-User|Claude-User|MistralAI-User
+    ChatGPT-User|Claude-User|MistralAI-User|Perplexity-User
   action: DENY

data/clients/perplexity-user.yaml

@@ -0,0 +1,12 @@
+# Acts on behalf of user requests
+# https://docs.perplexity.ai/guides/bots
+- name: perplexity-user
+  user_agent_regex: Perplexity-User/.+; \+https\://perplexity\.ai/perplexity-user
+  action: ALLOW
+  # https://www.perplexity.com/perplexity-user.json
+  remote_addresses: [
+    "44.208.221.197/32",
+    "34.193.163.52/32",
+    "18.97.21.0/30",
+    "18.97.43.80/29",
+  ]

data/common/acts-like-browser.yaml

@@ -0,0 +1,55 @@
+# Assert behaviour that only genuine browsers display. This ensures that modern Chrome
+# or Firefox versions will get through without a challenge.
+#
+# These rules have been known to be bypassed by some of the worst automated scrapers.
+# Use at your own risk.
+
+- name: realistic-browser-catchall
+  expression:
+    all:
+      - '"User-Agent" in headers'
+      - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'
+      - '"Accept" in headers'
+      - '"Sec-Fetch-Dest" in headers'
+      - '"Sec-Fetch-Mode" in headers'
+      - '"Sec-Fetch-Site" in headers'
+      - '"Accept-Encoding" in headers'
+      - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
+      - '"Accept-Language" in headers'
+  action: WEIGH
+  weight:
+    adjust: -10
+
+# The Upgrade-Insecure-Requests header is typically sent by browsers, but not always
+- name: upgrade-insecure-requests
+  expression: '"Upgrade-Insecure-Requests" in headers'
+  action: WEIGH
+  weight:
+    adjust: -2
+
+# Chrome should behave like Chrome
+- name: chrome-is-proper
+  expression:
+    all:
+      - userAgent.contains("Chrome")
+      - '"Sec-Ch-Ua" in headers'
+      - 'headers["Sec-Ch-Ua"].contains("Chromium")'
+      - '"Sec-Ch-Ua-Mobile" in headers'
+      - '"Sec-Ch-Ua-Platform" in headers'
+  action: WEIGH
+  weight:
+    adjust: -5
+
+- name: should-have-accept
+  expression: '!("Accept" in headers)'
+  action: WEIGH
+  weight:
+    adjust: 5
+
+# Generic catchall rule
+- name: generic-browser
+  user_agent_regex: >-
+    Mozilla|Opera
+  action: WEIGH
+  weight:
+    adjust: 10

data/crawlers/ai-search.yaml

@@ -4,5 +4,5 @@
 #  - Claude-SearchBot: No published IP allowlist
 - name: "ai-crawlers-search"
   user_agent_regex: >-
-    OAI-SearchBot|Claude-SearchBot
+    OAI-SearchBot|Claude-SearchBot|PerplexityBot
   action: DENY

data/crawlers/perplexitybot.yaml

@@ -0,0 +1,16 @@
+# Indexing for search, does not collect training data
+# https://docs.perplexity.ai/guides/bots
+- name: perplexitybot
+  user_agent_regex: PerplexityBot/.+; \+https\://perplexity\.ai/perplexitybot
+  action: ALLOW
+  # https://www.perplexity.com/perplexitybot.json
+  remote_addresses: [
+    "107.20.236.150/32",
+    "3.224.62.45/32",
+    "18.210.92.235/32",
+    "3.222.232.239/32",
+    "3.211.124.183/32",
+    "3.231.139.107/32",
+    "18.97.1.228/30",
+    "18.97.9.96/29",
+  ]

data/meta/ai-block-moderate.yaml

@@ -3,5 +3,7 @@
 - import: (data)/bots/ai-catchall.yaml
 - import: (data)/crawlers/ai-training.yaml
 - import: (data)/crawlers/openai-searchbot.yaml
+- import: (data)/crawlers/perplexitybot.yaml
 - import: (data)/clients/openai-chatgpt-user.yaml
-- import: (data)/clients/mistral-mistralai-user.yaml
+- import: (data)/clients/mistral-mistralai-user.yaml
+- import: (data)/clients/perplexity-user.yaml

data/meta/ai-block-permissive.yaml

@@ -2,5 +2,7 @@
 - import: (data)/bots/ai-catchall.yaml
 - import: (data)/crawlers/openai-searchbot.yaml
 - import: (data)/crawlers/openai-gptbot.yaml
+- import: (data)/crawlers/perplexitybot.yaml
 - import: (data)/clients/openai-chatgpt-user.yaml
-- import: (data)/clients/mistral-mistralai-user.yaml
+- import: (data)/clients/mistral-mistralai-user.yaml
+- import: (data)/clients/perplexity-user.yaml

docs/blog/2025-06-27-release-1.20.0/index.mdx

@@ -226,7 +226,7 @@ So far Anubis supports the following languages:
 
 - English (Simplified and Traditional)
 - French
-- Portugese (Brazil)
+- Portuguese (Brazil)
 - Spanish
 
 If you want to contribute translations, please [file an issue](https://github.com/TecharoHQ/anubis/issues/new) with your language of choice or submit a pull request to [the `lib/localization/locales` folder](https://github.com/TecharoHQ/anubis/tree/main/lib/localization/locales). We are about to introduce features to the translation stack, so you may want to hold off a hot minute, but we welcome any and all contributions to making Anubis useful to a global audience.

docs/blog/2025-07-22-release-1.21.1/index.mdx

@@ -69,7 +69,7 @@ I am waiting to hear back from NLNet on if Anubis was selected for funding or no
 
 Anubis now supports localized responses. Locales can be added in [lib/localization/locales/](https://github.com/TecharoHQ/anubis/tree/main/lib/localization/locales). This release includes support for the following languages:
 
-- [Brazilian Portugese](https://github.com/TecharoHQ/anubis/pull/726)
+- [Brazilian Portuguese](https://github.com/TecharoHQ/anubis/pull/726)
 - [Chinese (Simplified)](https://github.com/TecharoHQ/anubis/pull/774)
 - [Chinese (Traditional)](https://github.com/TecharoHQ/anubis/pull/759)
 - [Czech](https://github.com/TecharoHQ/anubis/pull/849)

docs/docs/CHANGELOG.md

@@ -11,7 +11,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- Add iplist2rule tool that lets admins turn an IP address blocklist into an Anubis ruleset.
 - Add Polish locale ([#1292](https://github.com/TecharoHQ/anubis/pull/1309))
+- Fix honeypot and imprint links missing `BASE_PREFIX` when deployed behind a path prefix ([#1402](https://github.com/TecharoHQ/anubis/issues/1402))
 
 <!-- This changes the project to: -->
 

docs/docs/admin/botstopper.mdx

@@ -51,9 +51,8 @@ If you are using Kubernetes, you will need to create an image pull secret:
 kubectl create secret docker-registry \
   techarohq-botstopper \
   --docker-server ghcr.io \
-  --docker-username your-username \
-  --docker-password your-access-token \
-  --docker-email your@email.address
+  --docker-username any-username \
+  --docker-password <your-access-token> \
 ```
 
 Then attach it to your Deployment:
@@ -85,7 +84,7 @@ Follow [the upstream Docker compose directions](https://anubis.techaro.lol/docs/
        OG_EXPIRY_TIME: "24h"
 
 +      # botstopper config here
-+      CHALLENGE_TITLE: "Doing math for your connnection!"
++      CHALLENGE_TITLE: "Doing math for your connection!"
 +      ERROR_TITLE: "Something went wrong!"
 +      OVERLAY_FOLDER: /assets
 +    volumes:

docs/docs/admin/configuration/import.mdx

@@ -13,6 +13,8 @@ bots:
   - # This correlates to data/bots/ai-catchall.yaml in the source tree
     import: (data)/bots/ai-catchall.yaml
   - import: (data)/bots/cloudflare-workers.yaml
+  # Import all the rules in the default configuration
+  - import: (data)/meta/default-config.yaml
 ```
 
 Of note, a bot rule can either have inline bot configuration or import a bot config snippet. You cannot do both in a single bot rule.
@@ -35,6 +37,33 @@ config.BotOrImport: rule definition is invalid, you must set either bot rules or
 
 Paths can either be prefixed with `(data)` to import from the [the data folder in the Anubis source tree](https://github.com/TecharoHQ/anubis/tree/main/data) or anywhere on the filesystem. If you don't have access to the Anubis source tree, check /usr/share/docs/anubis/data or in the tarball you extracted Anubis from.
 
+## Importing the default configuration
+
+If you want to base your configuration off of the default configuration, import `(data)/meta/default-config.yaml`:
+
+```yaml
+bots:
+  - import: (data)/meta/default-config.yaml
+  # Write your rules here
+```
+
+This will keep your configuration up to date as Anubis adapts to emerging threats.
+
+## How do I exempt most modern browsers from Anubis challenges?
+
+If you want to exempt most modern browsers from Anubis challenges, import `(data)/common/acts-like-browser.yaml`:
+
+```yaml
+bots:
+  - import: (data)/meta/default-config.yaml
+  - import: (data)/common/acts-like-browser.yaml
+  # Write your rules here
+```
+
+These rules will allow traffic that "looks like" it's from a modern copy of Edge, Safari, Chrome, or Firefox. These rules used to be enabled by default, however user reports have suggested that AI scraper bots have adapted to conform to these rules to scrape without regard for the infrastructure they are attacking.
+
+Use these rules at your own risk.
+
 ## Importing from imports
 
 You can also import from an imported file in case you want to import an entire folder of rules at once.

docs/docs/admin/environments/nginx.mdx

@@ -1,5 +1,7 @@
 # Nginx
 
+import CodeBlock from "@theme/CodeBlock";
+
 Anubis is intended to be a filter proxy. The way to integrate this with nginx is to break your configuration up into two parts: TLS termination and then HTTP routing. Consider this diagram:
 
 ```mermaid
@@ -36,110 +38,26 @@ These examples assume that you are using a setup where your nginx configuration
 
 Assuming that we are protecting `anubistest.techaro.lol`, here's what the server configuration file would look like:
 
-```nginx
-# /etc/nginx/conf.d/server-anubistest-techaro-lol.conf
+import anubisTest from "!!raw-loader!./nginx/server-anubistest-techaro-lol.conf";
 
-# HTTP - Redirect all HTTP traffic to HTTPS
-server {
-  listen 80;
-  listen [::]:80;
-
-  server_name anubistest.techaro.lol;
-
-  location / {
-    return 301 https://$host$request_uri;
-  }
-}
-
-# TLS termination server, this will listen over TLS (https) and then
-# proxy all traffic to the target via Anubis.
-server {
-  # Listen on TCP port 443 with TLS (https) and HTTP/2
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  http2 on;
-
-  location / {
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Http-Version $server_protocol;
-    proxy_pass http://anubis;
-  }
-
-  server_name anubistest.techaro.lol;
-
-  ssl_certificate     /path/to/your/certs/anubistest.techaro.lol.crt;
-  ssl_certificate_key /path/to/your/certs/anubistest.techaro.lol.key;
-}
-
-# Backend server, this is where your webapp should actually live.
-server {
-  listen unix:/run/nginx/nginx.sock;
-
-  server_name anubistest.techaro.lol;
-  root "/srv/http/anubistest.techaro.lol";
-  index index.html;
-
-  # Get the visiting IP from the TLS termination server
-  set_real_ip_from unix:;
-  real_ip_header   X-Real-IP;
-  
-  # Your normal configuration can go here
-  # location .php { fastcgi...} etc.
-}
-```
+<CodeBlock language="nginx">{anubisTest}</CodeBlock>
 
 :::tip
 
 You can copy the `location /` block into a separate file named something like `conf-anubis.inc` and then include it inline to other `server` blocks:
 
-```nginx
-# /etc/nginx/conf.d/conf-anubis.inc
+import anubisInclude from "!!raw-loader!./nginx/conf-anubis.inc";
 
-# Forward to anubis
-location / {
-  proxy_set_header Host $host;
-  proxy_set_header X-Real-IP $remote_addr;
-  proxy_pass http://anubis;
-}
-```
+<CodeBlock language="nginx">{anubisInclude}</CodeBlock>
 
 Then in a server block:
 
 <details>
 <summary>Full nginx config</summary>
 
-```nginx
-# /etc/nginx/conf.d/server-mimi-techaro-lol.conf
+import mimiTecharoLol from "!!raw-loader!./nginx/server-mimi-techaro-lol.conf";
 
-server {
-  # Listen on 443 with SSL
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  http2 on;
-
-  # Slipstream via Anubis
-  include "conf-anubis.inc";
-
-  server_name mimi.techaro.lol;
-
-  ssl_certificate     /path/to/your/certs/mimi.techaro.lol.crt;
-  ssl_certificate_key /path/to/your/certs/mimi.techaro.lol.key;
-}
-
-server {
-  listen unix:/run/nginx/nginx.sock;
-
-  server_name mimi.techaro.lol;
-  
-  port_in_redirect off;
-  root "/srv/http/mimi.techaro.lol";
-  index index.html;
-
-  # Your normal configuration can go here
-  # location .php { fastcgi...} etc.
-}
-```
+<CodeBlock language="nginx">{mimiTecharoLol}</CodeBlock>
 
 </details>
 
@@ -147,24 +65,9 @@ server {
 
 Create an upstream for Anubis.
 
-```nginx
-# /etc/nginx/conf.d/upstream-anubis.conf
+import anubisUpstream from "!!raw-loader!./nginx/upstream-anubis.conf";
 
-upstream anubis {
-  # Make sure this matches the values you set for `BIND` and `BIND_NETWORK`.
-  # If this does not match, your services will not be protected by Anubis.
-
-  # Try anubis first over a UNIX socket
-  server unix:/run/anubis/nginx.sock;
-  #server 127.0.0.1:8923;
-
-  # Optional: fall back to serving the websites directly. This allows your
-  # websites to be resilient against Anubis failing, at the risk of exposing
-  # them to the raw internet without protection. This is a tradeoff and can
-  # be worth it in some edge cases.
-  #server unix:/run/nginx.sock backup;
-}
-```
+<CodeBlock language="nginx">{anubisUpstream}</CodeBlock>
 
 This can be repeated for multiple sites. Anubis does not care about the HTTP `Host` header and will happily cope with multiple websites via the same instance.
 

docs/docs/admin/environments/nginx/conf-anubis.inc

@@ -0,0 +1,8 @@
+# /etc/nginx/conf-anubis.inc
+
+# Forward to anubis
+location / {
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_pass http://anubis;
+}

docs/docs/admin/environments/nginx/server-anubistest-techaro-lol.conf

@@ -0,0 +1,50 @@
+# /etc/nginx/conf.d/server-anubistest-techaro-lol.conf
+
+# HTTP - Redirect all HTTP traffic to HTTPS
+server {
+  listen 80;
+  listen [::]:80;
+
+  server_name anubistest.techaro.lol;
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}
+
+# TLS termination server, this will listen over TLS (https) and then
+# proxy all traffic to the target via Anubis.
+server {
+  # Listen on TCP port 443 with TLS (https) and HTTP/2
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  http2 on;
+
+  location / {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Http-Version $server_protocol;
+    proxy_pass http://anubis;
+  }
+
+  server_name anubistest.techaro.lol;
+
+  ssl_certificate /path/to/your/certs/anubistest.techaro.lol.crt;
+  ssl_certificate_key /path/to/your/certs/anubistest.techaro.lol.key;
+}
+
+# Backend server, this is where your webapp should actually live.
+server {
+  listen unix:/run/nginx/nginx.sock;
+
+  server_name anubistest.techaro.lol;
+  root "/srv/http/anubistest.techaro.lol";
+  index index.html;
+
+  # Get the visiting IP from the TLS termination server
+  set_real_ip_from unix:;
+  real_ip_header X-Real-IP;
+
+  # Your normal configuration can go here
+  # location .php { fastcgi...} etc.
+}

docs/docs/admin/environments/nginx/server-mimi-techaro-lol.conf

@@ -0,0 +1,29 @@
+# /etc/nginx/conf.d/server-mimi-techaro-lol.conf
+
+server {
+  # Listen on 443 with SSL
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  http2 on;
+
+  # Slipstream via Anubis
+  include "conf-anubis.inc";
+
+  server_name mimi.techaro.lol;
+
+  ssl_certificate /path/to/your/certs/mimi.techaro.lol.crt;
+  ssl_certificate_key /path/to/your/certs/mimi.techaro.lol.key;
+}
+
+server {
+  listen unix:/run/nginx/nginx.sock;
+
+  server_name mimi.techaro.lol;
+
+  port_in_redirect off;
+  root "/srv/http/mimi.techaro.lol";
+  index index.html;
+
+  # Your normal configuration can go here
+  # location .php { fastcgi...} etc.
+}

docs/docs/admin/environments/nginx/upstream-anubis.conf

@@ -0,0 +1,16 @@
+# /etc/nginx/conf.d/upstream-anubis.conf
+
+upstream anubis {
+  # Make sure this matches the values you set for `BIND` and `BIND_NETWORK`.
+  # If this does not match, your services will not be protected by Anubis.
+
+  # Try anubis first over a UNIX socket
+  server unix:/run/anubis/nginx.sock;
+  #server 127.0.0.1:8923;
+
+  # Optional: fall back to serving the websites directly. This allows your
+  # websites to be resilient against Anubis failing, at the risk of exposing
+  # them to the raw internet without protection. This is a tradeoff and can
+  # be worth it in some edge cases.
+  #server unix:/run/nginx.sock backup;
+}

docs/docs/admin/iplist2rule.mdx

@@ -0,0 +1,50 @@
+---
+title: iplist2rule CLI tool
+---
+
+The `iplist2rule` tool converts IP blocklists into Anubis challenge policies. It reads common IP block list formats and generates the appropriate Anubis policy file for IP address filtering.
+
+## Installation
+
+Install directly with Go
+
+```bash
+go install github.com/TecharoHQ/anubis/utils/cmd/iplist2rule@latest
+```
+
+## Usage
+
+Basic conversion from URL:
+
+```bash
+iplist2rule https://raw.githubusercontent.com/7c/torfilter/refs/heads/main/lists/txt/torfilter-1m-flat.txt filter-tor.yaml
+```
+
+Explicitly allow every IP address on a list:
+
+```bash
+iplist2rule --action ALLOW https://raw.githubusercontent.com/7c/torfilter/refs/heads/main/lists/txt/torfilter-1m-flat.txt filter-tor.yaml
+```
+
+Add weight to requests matching IP addresses on a list:
+
+```bash
+iplist2rule --action WEIGH --weight 20 https://raw.githubusercontent.com/7c/torfilter/refs/heads/main/lists/txt/torfilter-1m-flat.txt filter-tor.yaml
+```
+
+## Options
+
+| Flag          | Description                                                                                      | Default                           |
+| :------------ | :----------------------------------------------------------------------------------------------- | :-------------------------------- |
+| `--action`    | The Anubis action to take for the IP address in question, must be in ALL CAPS.                   | `DENY` (forbids traffic)          |
+| `--rule-name` | The name for the generated Anubis rule, should be in kebab-case.                                 | (not set, inferred from filename) |
+| `--weight`    | When `--action=WEIGH`, how many weight points should be added or removed from matching requests? | 0 (not set)                       |
+
+## Using the Generated Policy
+
+Save the output and import it in your main policy file:
+
+```yaml
+bots:
+  - import: "./filter-tor.yaml"
+```

docs/docs/admin/robots2policy.mdx

@@ -12,6 +12,7 @@ Install directly with Go:
 ```bash
 go install github.com/TecharoHQ/anubis/cmd/robots2policy@latest
 ```
+
 ## Usage
 
 Basic conversion from URL:
@@ -35,8 +36,8 @@ robots2policy -input robots.txt -action DENY -format json
 ## Options
 
 | Flag                  | Description                                                        | Default             |
-|-----------------------|--------------------------------------------------------------------|---------------------|
-| `-input`              | robots.txt file path or URL (use `-` for stdin)                    | *required*          |
+| --------------------- | ------------------------------------------------------------------ | ------------------- |
+| `-input`              | robots.txt file path or URL (use `-` for stdin)                    | _required_          |
 | `-output`             | Output file (use `-` for stdout)                                   | stdout              |
 | `-format`             | Output format: `yaml` or `json`                                    | `yaml`              |
 | `-action`             | Action for disallowed paths: `ALLOW`, `DENY`, `CHALLENGE`, `WEIGH` | `CHALLENGE`         |
@@ -47,6 +48,7 @@ robots2policy -input robots.txt -action DENY -format json
 ## Example
 
 Input robots.txt:
+
 ```txt
 User-agent: *
 Disallow: /admin/
@@ -57,6 +59,7 @@ Disallow: /
 ```
 
 Generated policy:
+
 ```yaml
 - name: robots-txt-policy-disallow-1
   action: CHALLENGE
@@ -77,8 +80,8 @@ Generated policy:
 Save the output and import it in your main policy file:
 
 ```yaml
-import:
-  - path: "./robots-policy.yaml"
+bots:
+  - import: "./robots-policy.yaml"
 ```
 
 The tool handles wildcard patterns, user-agent specific rules, and blacklisted bots automatically.

docs/docs/index.mdx

@@ -29,6 +29,9 @@ Anubis is brought to you by sponsors and donors like:
     height="64"
   />
 </a>
+<a href="https://databento.com/?utm_source=anubis&utm_medium=sponsor&utm_campaign=anubis">
+  <img src="/img/sponsors/databento-logo.webp" alt="Databento" height="64" />
+</a>
 
 ### Gold Tier
 

docs/manifest/cfg/anubis/botPolicies.yaml

@@ -160,7 +160,7 @@ impressum:
 
       <h2>How the Information is used</h2>
 
-      <p>The information is used to enhance the vistor's experience when using the website to display personalised content and possibly advertising.</p>
+      <p>The information is used to enhance the visitor's experience when using the website to display personalised content and possibly advertising.</p>
 
       <p>E-mail addresses will not be sold, rented or leased to 3rd parties.</p>
 

docs/package-lock.json

@@ -14,6 +14,7 @@
         "@mdx-js/react": "^3.0.0",
         "clsx": "^2.0.0",
         "prism-react-renderer": "^2.3.0",
+        "raw-loader": "^4.0.2",
         "react": "^19.0.0",
         "react-dom": "^19.0.0"
       },
@@ -161,6 +162,7 @@
       "resolved": "https://registry.npmjs.org/@algolia/client-search/-/client-search-5.29.0.tgz",
       "integrity": "sha512-cZ0Iq3OzFUPpgszzDr1G1aJV5UMIZ4VygJ2Az252q4Rdf5cQMhYEIKArWY/oUjMhQmosM8ygOovNq7gvA9CdCg==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@algolia/client-common": "5.29.0",
         "@algolia/requester-browser-xhr": "5.29.0",
@@ -308,6 +310,7 @@
       "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.28.4.tgz",
       "integrity": "sha512-2BCOP7TN8M+gVDj7/ht3hsaO/B/n5oDbiAyyvnRlNOs+u1o+JWNYTQrmpuNp1/Wq2gcFrI01JAW+paEKDMx/CA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@babel/code-frame": "^7.27.1",
         "@babel/generator": "^7.28.3",
@@ -2145,6 +2148,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=18"
       },
@@ -2167,6 +2171,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=18"
       }
@@ -2247,6 +2252,7 @@
       "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz",
       "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "cssesc": "^3.0.0",
         "util-deprecate": "^1.0.2"
@@ -2610,6 +2616,7 @@
       "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz",
       "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "cssesc": "^3.0.0",
         "util-deprecate": "^1.0.2"
@@ -3523,6 +3530,7 @@
       "resolved": "https://registry.npmjs.org/@docusaurus/plugin-content-docs/-/plugin-content-docs-3.8.1.tgz",
       "integrity": "sha512-oByRkSZzeGNQByCMaX+kif5Nl2vmtj2IHQI2fWjCfCootsdKZDPFLonhIp5s3IGJO7PLUfe0POyw0Xh/RrGXJA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@docusaurus/core": "3.8.1",
         "@docusaurus/logger": "3.8.1",
@@ -4246,6 +4254,7 @@
       "resolved": "https://registry.npmjs.org/@mdx-js/react/-/react-3.1.0.tgz",
       "integrity": "sha512-QjHtSaoameoalGnKDT3FoIl4+9RwyTmo9ZJGBdLOks/YOiWHoRDI3PUwEzOE7kEmGcV3AFcp9K6dYu9rEuKLAQ==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@types/mdx": "^2.0.0"
       },
@@ -4558,6 +4567,7 @@
       "resolved": "https://registry.npmjs.org/@svgr/core/-/core-8.1.0.tgz",
       "integrity": "sha512-8QqtOQT5ACVlmsvKOJNEaWmRPmcojMOzCz4Hs2BGG/toAp/K38LcsMRyLp349glq5AzJbCEeimEoxaX6v/fLrA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@babel/core": "^7.21.3",
         "@svgr/babel-preset": "8.1.0",
@@ -5200,6 +5210,7 @@
       "resolved": "https://registry.npmjs.org/@types/react/-/react-19.0.12.tgz",
       "integrity": "sha512-V6Ar115dBDrjbtXSrS+/Oruobc+qVbbUxDFC1RSbRqLt5SYvxxyIDrSC85RWml54g+jfNeEMZhEj7wW07ONQhA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "csstype": "^3.0.2"
       }
@@ -5539,6 +5550,7 @@
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz",
       "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
       "license": "MIT",
+      "peer": true,
       "bin": {
         "acorn": "bin/acorn"
       },
@@ -5594,6 +5606,7 @@
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz",
       "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
         "fast-uri": "^3.0.1",
@@ -5639,6 +5652,7 @@
       "resolved": "https://registry.npmjs.org/algoliasearch/-/algoliasearch-5.29.0.tgz",
       "integrity": "sha512-E2l6AlTWGznM2e7vEE6T6hzObvEyXukxMOlBmVlMyixZyK1umuO/CiVc6sDBbzVH0oEviCE5IfVY1oZBmccYPQ==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@algolia/client-abtesting": "5.29.0",
         "@algolia/client-analytics": "5.29.0",
@@ -6092,6 +6106,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "caniuse-lite": "^1.0.30001737",
         "electron-to-chromium": "^1.5.211",
@@ -6375,6 +6390,7 @@
       "resolved": "https://registry.npmjs.org/chevrotain/-/chevrotain-11.0.3.tgz",
       "integrity": "sha512-ci2iJH6LeIkvP9eJW6gpueU8cnZhv85ELY8w8WiFtNjMHA5ad6pQLaJo9mEly/9qUyCpvqX8/POVUTf18/HFdw==",
       "license": "Apache-2.0",
+      "peer": true,
       "dependencies": {
         "@chevrotain/cst-dts-gen": "11.0.3",
         "@chevrotain/gast": "11.0.3",
@@ -7079,6 +7095,7 @@
       "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz",
       "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "cssesc": "^3.0.0",
         "util-deprecate": "^1.0.2"
@@ -7398,6 +7415,7 @@
       "resolved": "https://registry.npmjs.org/cytoscape/-/cytoscape-3.32.0.tgz",
       "integrity": "sha512-5JHBC9n75kz5851jeklCPmZWcg3hUe6sjqJvyk3+hVqFaKcHwHgxsjeN1yLmggoUc6STbtm9/NQyabQehfjvWQ==",
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=0.10"
       }
@@ -7819,6 +7837,7 @@
       "resolved": "https://registry.npmjs.org/d3-selection/-/d3-selection-3.0.0.tgz",
       "integrity": "sha512-fmTRWbNMmsmWq6xJV8D19U/gw/bwrHfNXxrIN+HfZgnzqTHp9jOmKMhsTUjXOJnZOdZY9Q28y4yebKzqDKlxlQ==",
       "license": "ISC",
+      "peer": true,
       "engines": {
         "node": ">=12"
       }
@@ -8977,6 +8996,7 @@
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
       "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "fast-deep-equal": "^3.1.1",
         "fast-json-stable-stringify": "^2.0.0",
@@ -13596,6 +13616,7 @@
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
       "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "fast-deep-equal": "^3.1.1",
         "fast-json-stable-stringify": "^2.0.0",
@@ -14170,6 +14191,7 @@
         }
       ],
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "nanoid": "^3.3.11",
         "picocolors": "^1.1.1",
@@ -15073,6 +15095,7 @@
       "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-7.1.0.tgz",
       "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "cssesc": "^3.0.0",
         "util-deprecate": "^1.0.2"
@@ -15845,6 +15868,76 @@
         "node": ">= 0.8"
       }
     },
+    "node_modules/raw-loader": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/raw-loader/-/raw-loader-4.0.2.tgz",
+      "integrity": "sha512-ZnScIV3ag9A4wPX/ZayxL/jZH+euYb6FcUinPcgiQW0+UBtEv0O6Q3lGd3cqJ+GHH+rksEv3Pj99oxJ3u3VIKA==",
+      "license": "MIT",
+      "dependencies": {
+        "loader-utils": "^2.0.0",
+        "schema-utils": "^3.0.0"
+      },
+      "engines": {
+        "node": ">= 10.13.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/webpack"
+      },
+      "peerDependencies": {
+        "webpack": "^4.0.0 || ^5.0.0"
+      }
+    },
+    "node_modules/raw-loader/node_modules/ajv": {
+      "version": "6.12.6",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
+      "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
+      "license": "MIT",
+      "peer": true,
+      "dependencies": {
+        "fast-deep-equal": "^3.1.1",
+        "fast-json-stable-stringify": "^2.0.0",
+        "json-schema-traverse": "^0.4.1",
+        "uri-js": "^4.2.2"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/epoberezkin"
+      }
+    },
+    "node_modules/raw-loader/node_modules/ajv-keywords": {
+      "version": "3.5.2",
+      "resolved": "https://registry.npmjs.org/ajv-keywords/-/ajv-keywords-3.5.2.tgz",
+      "integrity": "sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==",
+      "license": "MIT",
+      "peerDependencies": {
+        "ajv": "^6.9.1"
+      }
+    },
+    "node_modules/raw-loader/node_modules/json-schema-traverse": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz",
+      "integrity": "sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==",
+      "license": "MIT"
+    },
+    "node_modules/raw-loader/node_modules/schema-utils": {
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/schema-utils/-/schema-utils-3.3.0.tgz",
+      "integrity": "sha512-pN/yOAvcC+5rQ5nERGuwrjLlYvLTbCibnZ1I7B1LaiAz9BRBlE9GMgE/eqV30P7aJQUf7Ddimy/RsbYO/GrVGg==",
+      "license": "MIT",
+      "dependencies": {
+        "@types/json-schema": "^7.0.8",
+        "ajv": "^6.12.5",
+        "ajv-keywords": "^3.5.2"
+      },
+      "engines": {
+        "node": ">= 10.13.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/webpack"
+      }
+    },
     "node_modules/rc": {
       "version": "1.2.8",
       "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz",
@@ -15874,6 +15967,7 @@
       "resolved": "https://registry.npmjs.org/react/-/react-19.0.0.tgz",
       "integrity": "sha512-V8AVnmPIICiWpGfm6GLzCR/W5FXLchHop40W4nXBmdlEceh16rCN8O8LNWm5bh5XUX91fh7KpA+W0TgMKmgTpQ==",
       "license": "MIT",
+      "peer": true,
       "engines": {
         "node": ">=0.10.0"
       }
@@ -15883,6 +15977,7 @@
       "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.0.0.tgz",
       "integrity": "sha512-4GV5sHFG0e/0AD4X+ySy6UJd3jVl1iNsNHdpad0qhABJ11twS3TTBnseqsKurKcsNqCEFeGL3uLpVChpIO3QfQ==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "scheduler": "^0.25.0"
       },
@@ -15938,6 +16033,7 @@
       "resolved": "https://registry.npmjs.org/@docusaurus/react-loadable/-/react-loadable-6.0.0.tgz",
       "integrity": "sha512-YMMxTUQV/QFSnbgrP3tjDzLHRg7vsbMn8e9HAa8o/1iXoiomo48b7sk/kkmWEuWNDPJVlKSJRB6Y2fHqdJk+SQ==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@types/react": "*"
       },
@@ -15966,6 +16062,7 @@
       "resolved": "https://registry.npmjs.org/react-router/-/react-router-5.3.4.tgz",
       "integrity": "sha512-Ys9K+ppnJah3QuaRiLxk+jDWOR1MekYQrlytiXxC1RyfbdsZkS5pvKAzCCr031xHixZwpnsYNT5xysdFHQaYsA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@babel/runtime": "^7.12.13",
         "history": "^4.9.0",
@@ -17804,6 +17901,7 @@
       "integrity": "sha512-hjcS1mhfuyi4WW8IWtjP7brDrG2cuDZukyrYrSauoXGNgx0S7zceP07adYkJycEr56BOUTNPzbInooiN3fn1qw==",
       "devOptional": true,
       "license": "Apache-2.0",
+      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -18151,6 +18249,7 @@
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
       "integrity": "sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "fast-deep-equal": "^3.1.1",
         "fast-json-stable-stringify": "^2.0.0",
@@ -18398,6 +18497,7 @@
       "resolved": "https://registry.npmjs.org/webpack/-/webpack-5.98.0.tgz",
       "integrity": "sha512-UFynvx+gM44Gv9qFgj0acCQK2VE1CtdfwFdimkapco3hlPCJ/zeq73n2yVKimVbtm+TnApIugGhLJnkU6gjYXA==",
       "license": "MIT",
+      "peer": true,
       "dependencies": {
         "@types/eslint-scope": "^3.7.7",
         "@types/estree": "^1.0.6",

docs/package.json

@@ -21,6 +21,7 @@
     "@mdx-js/react": "^3.0.0",
     "clsx": "^2.0.0",
     "prism-react-renderer": "^2.3.0",
+    "raw-loader": "^4.0.2",
     "react": "^19.0.0",
     "react-dom": "^19.0.0"
   },

lib/challenge/challenge.go

@@ -4,12 +4,12 @@ import "time"
 
 // Challenge is the metadata about a single challenge issuance.
 type Challenge struct {
-	IssuedAt       time.Time         `json:"issuedAt"`
-	Metadata       map[string]string `json:"metadata"`
-	ID             string            `json:"id"`
-	Method         string            `json:"method"`
-	RandomData     string            `json:"randomData"`
-	PolicyRuleHash string            `json:"policyRuleHash,omitempty"`
-	Difficulty     int               `json:"difficulty,omitempty"`
-	Spent          bool              `json:"spent"`
+	IssuedAt       time.Time         `json:"issuedAt"`                 // When the challenge was issued
+	Metadata       map[string]string `json:"metadata"`                 // Challenge metadata such as IP address and user agent
+	ID             string            `json:"id"`                       // UUID identifying the challenge
+	Method         string            `json:"method"`                   // Challenge method
+	RandomData     string            `json:"randomData"`               // The random data the client processes
+	PolicyRuleHash string            `json:"policyRuleHash,omitempty"` // Hash of the policy rule that issued this challenge
+	Difficulty     int               `json:"difficulty,omitempty"`     // Difficulty that was in effect when issued
+	Spent          bool              `json:"spent"`                    // Has the challenge already been solved?
 }

lib/challenge/metarefresh/metarefresh.go

@@ -52,7 +52,7 @@ func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.Validate
 	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 800 * time.Millisecond)
 
 	if time.Now().Before(wantTime) {
-		return challenge.NewError("validate", "insufficent time", fmt.Errorf("%w: wanted user to wait until at least %s", challenge.ErrFailed, wantTime.Format(time.RFC3339)))
+		return challenge.NewError("validate", "insufficient time", fmt.Errorf("%w: wanted user to wait until at least %s", challenge.ErrFailed, wantTime.Format(time.RFC3339)))
 	}
 
 	gotChallenge := r.FormValue("challenge")

lib/challenge/preact/preact.go

@@ -60,7 +60,7 @@ func (i *impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.Validate
 	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 80 * time.Millisecond)
 
 	if time.Now().Before(wantTime) {
-		return challenge.NewError("validate", "insufficent time", fmt.Errorf("%w: wanted user to wait until at least %s", challenge.ErrFailed, wantTime.Format(time.RFC3339)))
+		return challenge.NewError("validate", "insufficient time", fmt.Errorf("%w: wanted user to wait until at least %s", challenge.ErrFailed, wantTime.Format(time.RFC3339)))
 	}
 
 	got := r.FormValue("result")

lib/config/logging.go

@@ -15,7 +15,7 @@ var (
 
 type Logging struct {
 	Sink       string             `json:"sink"`       // Logging sink, either "stdio" or "file"
-	Level      *slog.Level        `json:"level"`      // Log level, if set supercedes the level in flags
+	Level      *slog.Level        `json:"level"`      // Log level, if set supersedes the level in flags
 	Parameters *LoggingFileConfig `json:"parameters"` // Logging parameters, to be dynamic in the future
 }
 

lib/localization/localization.go

@@ -81,7 +81,28 @@ func (ls *LocalizationService) GetLocalizerFromRequest(r *http.Request) *i18n.Lo
 		return i18n.NewLocalizer(bundle, "en")
 	}
 	acceptLanguage := r.Header.Get("Accept-Language")
-	return i18n.NewLocalizer(ls.bundle, acceptLanguage, "en")
+
+	// Parse Accept-Language header to properly handle quality factors
+	// The language.ParseAcceptLanguage function returns tags sorted by quality
+	tags, _, err := language.ParseAcceptLanguage(acceptLanguage)
+	if err != nil || len(tags) == 0 {
+		return i18n.NewLocalizer(ls.bundle, "en")
+	}
+
+	// Convert parsed tags to strings for the localizer
+	// We include both the full tag and base language to ensure proper matching
+	langs := make([]string, 0, len(tags)*2+1)
+	for _, tag := range tags {
+		langs = append(langs, tag.String())
+		// Also add base language (e.g., "en" for "en-GB") to help matching
+		base, _ := tag.Base()
+		if base.String() != tag.String() {
+			langs = append(langs, base.String())
+		}
+	}
+	langs = append(langs, "en") // Always include English as fallback
+
+	return i18n.NewLocalizer(ls.bundle, langs...)
 }
 
 // SimpleLocalizer wraps i18n.Localizer with a more convenient API

lib/localization/localization_test.go

@@ -3,6 +3,7 @@ package localization
 import (
 	"encoding/json"
 	"fmt"
+	"net/http/httptest"
 	"sort"
 	"testing"
 
@@ -138,3 +139,40 @@ func TestComprehensiveTranslations(t *testing.T) {
 		})
 	}
 }
+
+func TestAcceptLanguageQualityFactors(t *testing.T) {
+	service := NewLocalizationService()
+
+	testCases := []struct {
+		name           string
+		acceptLanguage string
+		expectedLang   string
+	}{
+		{"simple_en", "en", "en"},
+		{"simple_de", "de", "de"},
+		{"en_GB_with_lower_priority_de", "en-GB,de-DE;q=0.5", "en"},
+		{"en_GB_only", "en-GB", "en"},
+		{"de_with_lower_priority_en", "de,en;q=0.5", "de"},
+		{"de_DE_with_lower_priority_en", "de-DE,en;q=0.5", "de"},
+		{"fr_with_lower_priority_de", "fr,de;q=0.5", "fr"},
+		{"zh_CN_regional", "zh-CN", "zh-CN"},
+		{"zh_TW_regional", "zh-TW", "zh-TW"},
+		{"pt_BR_regional", "pt-BR", "pt-BR"},
+		{"complex_header", "fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,de;q=0.5", "fr"},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			req := httptest.NewRequest("GET", "/", nil)
+			req.Header.Set("Accept-Language", tc.acceptLanguage)
+
+			localizer := service.GetLocalizerFromRequest(req)
+			sl := &SimpleLocalizer{Localizer: localizer}
+
+			gotLang := sl.GetLang()
+			if gotLang != tc.expectedLang {
+				t.Errorf("Accept-Language %q: expected %s, got %s", tc.acceptLanguage, tc.expectedLang, gotLang)
+			}
+		})
+	}
+}

package-lock.json

@@ -1,21 +1,21 @@
 {
   "name": "@techaro/anubis",
-  "version": "1.24.0-pre1",
+  "version": "1.24.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@techaro/anubis",
-      "version": "1.24.0-pre1",
+      "version": "1.24.0",
       "license": "ISC",
       "dependencies": {
         "@aws-crypto/sha256-js": "^5.2.0",
-        "preact": "^10.28.0"
+        "preact": "^10.28.1"
       },
       "devDependencies": {
         "cssnano": "^7.1.2",
         "cssnano-preset-advanced": "^7.0.10",
-        "esbuild": "^0.27.1",
+        "esbuild": "^0.27.2",
         "playwright": "^1.52.0",
         "postcss-cli": "^11.0.1",
         "postcss-import": "^16.1.1",
@@ -62,9 +62,9 @@
       }
     },
     "node_modules/@esbuild/aix-ppc64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.1.tgz",
-      "integrity": "sha512-HHB50pdsBX6k47S4u5g/CaLjqS3qwaOVE5ILsq64jyzgMhLuCuZ8rGzM9yhsAjfjkbgUPMzZEPa7DAp7yz6vuA==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.2.tgz",
+      "integrity": "sha512-GZMB+a0mOMZs4MpDbj8RJp4cw+w1WV5NYD6xzgvzUJ5Ek2jerwfO2eADyI6ExDSUED+1X8aMbegahsJi+8mgpw==",
       "cpu": [
         "ppc64"
       ],
@@ -79,9 +79,9 @@
       }
     },
     "node_modules/@esbuild/android-arm": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.1.tgz",
-      "integrity": "sha512-kFqa6/UcaTbGm/NncN9kzVOODjhZW8e+FRdSeypWe6j33gzclHtwlANs26JrupOntlcWmB0u8+8HZo8s7thHvg==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.2.tgz",
+      "integrity": "sha512-DVNI8jlPa7Ujbr1yjU2PfUSRtAUZPG9I1RwW4F4xFB1Imiu2on0ADiI/c3td+KmDtVKNbi+nffGDQMfcIMkwIA==",
       "cpu": [
         "arm"
       ],
@@ -96,9 +96,9 @@
       }
     },
     "node_modules/@esbuild/android-arm64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.1.tgz",
-      "integrity": "sha512-45fuKmAJpxnQWixOGCrS+ro4Uvb4Re9+UTieUY2f8AEc+t7d4AaZ6eUJ3Hva7dtrxAAWHtlEFsXFMAgNnGU9uQ==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.2.tgz",
+      "integrity": "sha512-pvz8ZZ7ot/RBphf8fv60ljmaoydPU12VuXHImtAs0XhLLw+EXBi2BLe3OYSBslR4rryHvweW5gmkKFwTiFy6KA==",
       "cpu": [
         "arm64"
       ],
@@ -113,9 +113,9 @@
       }
     },
     "node_modules/@esbuild/android-x64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.1.tgz",
-      "integrity": "sha512-LBEpOz0BsgMEeHgenf5aqmn/lLNTFXVfoWMUox8CtWWYK9X4jmQzWjoGoNb8lmAYml/tQ/Ysvm8q7szu7BoxRQ==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.2.tgz",
+      "integrity": "sha512-z8Ank4Byh4TJJOh4wpz8g2vDy75zFL0TlZlkUkEwYXuPSgX8yzep596n6mT7905kA9uHZsf/o2OJZubl2l3M7A==",
       "cpu": [
         "x64"
       ],
@@ -130,9 +130,9 @@
       }
     },
     "node_modules/@esbuild/darwin-arm64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.1.tgz",
-      "integrity": "sha512-veg7fL8eMSCVKL7IW4pxb54QERtedFDfY/ASrumK/SbFsXnRazxY4YykN/THYqFnFwJ0aVjiUrVG2PwcdAEqQQ==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.2.tgz",
+      "integrity": "sha512-davCD2Zc80nzDVRwXTcQP/28fiJbcOwvdolL0sOiOsbwBa72kegmVU0Wrh1MYrbuCL98Omp5dVhQFWRKR2ZAlg==",
       "cpu": [
         "arm64"
       ],
@@ -147,9 +147,9 @@
       }
     },
     "node_modules/@esbuild/darwin-x64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.1.tgz",
-      "integrity": "sha512-+3ELd+nTzhfWb07Vol7EZ+5PTbJ/u74nC6iv4/lwIU99Ip5uuY6QoIf0Hn4m2HoV0qcnRivN3KSqc+FyCHjoVQ==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.2.tgz",
+      "integrity": "sha512-ZxtijOmlQCBWGwbVmwOF/UCzuGIbUkqB1faQRf5akQmxRJ1ujusWsb3CVfk/9iZKr2L5SMU5wPBi1UWbvL+VQA==",
       "cpu": [
         "x64"
       ],
@@ -164,9 +164,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.1.tgz",
-      "integrity": "sha512-/8Rfgns4XD9XOSXlzUDepG8PX+AVWHliYlUkFI3K3GB6tqbdjYqdhcb4BKRd7C0BhZSoaCxhv8kTcBrcZWP+xg==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.2.tgz",
+      "integrity": "sha512-lS/9CN+rgqQ9czogxlMcBMGd+l8Q3Nj1MFQwBZJyoEKI50XGxwuzznYdwcav6lpOGv5BqaZXqvBSiB/kJ5op+g==",
       "cpu": [
         "arm64"
       ],
@@ -181,9 +181,9 @@
       }
     },
     "node_modules/@esbuild/freebsd-x64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.1.tgz",
-      "integrity": "sha512-GITpD8dK9C+r+5yRT/UKVT36h/DQLOHdwGVwwoHidlnA168oD3uxA878XloXebK4Ul3gDBBIvEdL7go9gCUFzQ==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.2.tgz",
+      "integrity": "sha512-tAfqtNYb4YgPnJlEFu4c212HYjQWSO/w/h/lQaBK7RbwGIkBOuNKQI9tqWzx7Wtp7bTPaGC6MJvWI608P3wXYA==",
       "cpu": [
         "x64"
       ],
@@ -198,9 +198,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.1.tgz",
-      "integrity": "sha512-ieMID0JRZY/ZeCrsFQ3Y3NlHNCqIhTprJfDgSB3/lv5jJZ8FX3hqPyXWhe+gvS5ARMBJ242PM+VNz/ctNj//eA==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.2.tgz",
+      "integrity": "sha512-vWfq4GaIMP9AIe4yj1ZUW18RDhx6EPQKjwe7n8BbIecFtCQG4CfHGaHuh7fdfq+y3LIA2vGS/o9ZBGVxIDi9hw==",
       "cpu": [
         "arm"
       ],
@@ -215,9 +215,9 @@
       }
     },
     "node_modules/@esbuild/linux-arm64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.1.tgz",
-      "integrity": "sha512-W9//kCrh/6in9rWIBdKaMtuTTzNj6jSeG/haWBADqLLa9P8O5YSRDzgD5y9QBok4AYlzS6ARHifAb75V6G670Q==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.2.tgz",
+      "integrity": "sha512-hYxN8pr66NsCCiRFkHUAsxylNOcAQaxSSkHMMjcpx0si13t1LHFphxJZUiGwojB1a/Hd5OiPIqDdXONia6bhTw==",
       "cpu": [
         "arm64"
       ],
@@ -232,9 +232,9 @@
       }
     },
     "node_modules/@esbuild/linux-ia32": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.1.tgz",
-      "integrity": "sha512-VIUV4z8GD8rtSVMfAj1aXFahsi/+tcoXXNYmXgzISL+KB381vbSTNdeZHHHIYqFyXcoEhu9n5cT+05tRv13rlw==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.2.tgz",
+      "integrity": "sha512-MJt5BRRSScPDwG2hLelYhAAKh9imjHK5+NE/tvnRLbIqUWa+0E9N4WNMjmp/kXXPHZGqPLxggwVhz7QP8CTR8w==",
       "cpu": [
         "ia32"
       ],
@@ -249,9 +249,9 @@
       }
     },
     "node_modules/@esbuild/linux-loong64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.1.tgz",
-      "integrity": "sha512-l4rfiiJRN7sTNI//ff65zJ9z8U+k6zcCg0LALU5iEWzY+a1mVZ8iWC1k5EsNKThZ7XCQ6YWtsZ8EWYm7r1UEsg==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.2.tgz",
+      "integrity": "sha512-lugyF1atnAT463aO6KPshVCJK5NgRnU4yb3FUumyVz+cGvZbontBgzeGFO1nF+dPueHD367a2ZXe1NtUkAjOtg==",
       "cpu": [
         "loong64"
       ],
@@ -266,9 +266,9 @@
       }
     },
     "node_modules/@esbuild/linux-mips64el": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.1.tgz",
-      "integrity": "sha512-U0bEuAOLvO/DWFdygTHWY8C067FXz+UbzKgxYhXC0fDieFa0kDIra1FAhsAARRJbvEyso8aAqvPdNxzWuStBnA==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.2.tgz",
+      "integrity": "sha512-nlP2I6ArEBewvJ2gjrrkESEZkB5mIoaTswuqNFRv/WYd+ATtUpe9Y09RnJvgvdag7he0OWgEZWhviS1OTOKixw==",
       "cpu": [
         "mips64el"
       ],
@@ -283,9 +283,9 @@
       }
     },
     "node_modules/@esbuild/linux-ppc64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.1.tgz",
-      "integrity": "sha512-NzdQ/Xwu6vPSf/GkdmRNsOfIeSGnh7muundsWItmBsVpMoNPVpM61qNzAVY3pZ1glzzAxLR40UyYM23eaDDbYQ==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.2.tgz",
+      "integrity": "sha512-C92gnpey7tUQONqg1n6dKVbx3vphKtTHJaNG2Ok9lGwbZil6DrfyecMsp9CrmXGQJmZ7iiVXvvZH6Ml5hL6XdQ==",
       "cpu": [
         "ppc64"
       ],
@@ -300,9 +300,9 @@
       }
     },
     "node_modules/@esbuild/linux-riscv64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.1.tgz",
-      "integrity": "sha512-7zlw8p3IApcsN7mFw0O1Z1PyEk6PlKMu18roImfl3iQHTnr/yAfYv6s4hXPidbDoI2Q0pW+5xeoM4eTCC0UdrQ==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.2.tgz",
+      "integrity": "sha512-B5BOmojNtUyN8AXlK0QJyvjEZkWwy/FKvakkTDCziX95AowLZKR6aCDhG7LeF7uMCXEJqwa8Bejz5LTPYm8AvA==",
       "cpu": [
         "riscv64"
       ],
@@ -317,9 +317,9 @@
       }
     },
     "node_modules/@esbuild/linux-s390x": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.1.tgz",
-      "integrity": "sha512-cGj5wli+G+nkVQdZo3+7FDKC25Uh4ZVwOAK6A06Hsvgr8WqBBuOy/1s+PUEd/6Je+vjfm6stX0kmib5b/O2Ykw==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.2.tgz",
+      "integrity": "sha512-p4bm9+wsPwup5Z8f4EpfN63qNagQ47Ua2znaqGH6bqLlmJ4bx97Y9JdqxgGZ6Y8xVTixUnEkoKSHcpRlDnNr5w==",
       "cpu": [
         "s390x"
       ],
@@ -334,9 +334,9 @@
       }
     },
     "node_modules/@esbuild/linux-x64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.1.tgz",
-      "integrity": "sha512-z3H/HYI9MM0HTv3hQZ81f+AKb+yEoCRlUby1F80vbQ5XdzEMyY/9iNlAmhqiBKw4MJXwfgsh7ERGEOhrM1niMA==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.2.tgz",
+      "integrity": "sha512-uwp2Tip5aPmH+NRUwTcfLb+W32WXjpFejTIOWZFw/v7/KnpCDKG66u4DLcurQpiYTiYwQ9B7KOeMJvLCu/OvbA==",
       "cpu": [
         "x64"
       ],
@@ -351,9 +351,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.1.tgz",
-      "integrity": "sha512-wzC24DxAvk8Em01YmVXyjl96Mr+ecTPyOuADAvjGg+fyBpGmxmcr2E5ttf7Im8D0sXZihpxzO1isus8MdjMCXQ==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.2.tgz",
+      "integrity": "sha512-Kj6DiBlwXrPsCRDeRvGAUb/LNrBASrfqAIok+xB0LxK8CHqxZ037viF13ugfsIpePH93mX7xfJp97cyDuTZ3cw==",
       "cpu": [
         "arm64"
       ],
@@ -368,9 +368,9 @@
       }
     },
     "node_modules/@esbuild/netbsd-x64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.1.tgz",
-      "integrity": "sha512-1YQ8ybGi2yIXswu6eNzJsrYIGFpnlzEWRl6iR5gMgmsrR0FcNoV1m9k9sc3PuP5rUBLshOZylc9nqSgymI+TYg==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.2.tgz",
+      "integrity": "sha512-HwGDZ0VLVBY3Y+Nw0JexZy9o/nUAWq9MlV7cahpaXKW6TOzfVno3y3/M8Ga8u8Yr7GldLOov27xiCnqRZf0tCA==",
       "cpu": [
         "x64"
       ],
@@ -385,9 +385,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.1.tgz",
-      "integrity": "sha512-5Z+DzLCrq5wmU7RDaMDe2DVXMRm2tTDvX2KU14JJVBN2CT/qov7XVix85QoJqHltpvAOZUAc3ndU56HSMWrv8g==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.2.tgz",
+      "integrity": "sha512-DNIHH2BPQ5551A7oSHD0CKbwIA/Ox7+78/AWkbS5QoRzaqlev2uFayfSxq68EkonB+IKjiuxBFoV8ESJy8bOHA==",
       "cpu": [
         "arm64"
       ],
@@ -402,9 +402,9 @@
       }
     },
     "node_modules/@esbuild/openbsd-x64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.1.tgz",
-      "integrity": "sha512-Q73ENzIdPF5jap4wqLtsfh8YbYSZ8Q0wnxplOlZUOyZy7B4ZKW8DXGWgTCZmF8VWD7Tciwv5F4NsRf6vYlZtqg==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.2.tgz",
+      "integrity": "sha512-/it7w9Nb7+0KFIzjalNJVR5bOzA9Vay+yIPLVHfIQYG/j+j9VTH84aNB8ExGKPU4AzfaEvN9/V4HV+F+vo8OEg==",
       "cpu": [
         "x64"
       ],
@@ -419,9 +419,9 @@
       }
     },
     "node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.1.tgz",
-      "integrity": "sha512-ajbHrGM/XiK+sXM0JzEbJAen+0E+JMQZ2l4RR4VFwvV9JEERx+oxtgkpoKv1SevhjavK2z2ReHk32pjzktWbGg==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.2.tgz",
+      "integrity": "sha512-LRBbCmiU51IXfeXk59csuX/aSaToeG7w48nMwA6049Y4J4+VbWALAuXcs+qcD04rHDuSCSRKdmY63sruDS5qag==",
       "cpu": [
         "arm64"
       ],
@@ -436,9 +436,9 @@
       }
     },
     "node_modules/@esbuild/sunos-x64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.1.tgz",
-      "integrity": "sha512-IPUW+y4VIjuDVn+OMzHc5FV4GubIwPnsz6ubkvN8cuhEqH81NovB53IUlrlBkPMEPxvNnf79MGBoz8rZ2iW8HA==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.2.tgz",
+      "integrity": "sha512-kMtx1yqJHTmqaqHPAzKCAkDaKsffmXkPHThSfRwZGyuqyIeBvf08KSsYXl+abf5HDAPMJIPnbBfXvP2ZC2TfHg==",
       "cpu": [
         "x64"
       ],
@@ -453,9 +453,9 @@
       }
     },
     "node_modules/@esbuild/win32-arm64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.1.tgz",
-      "integrity": "sha512-RIVRWiljWA6CdVu8zkWcRmGP7iRRIIwvhDKem8UMBjPql2TXM5PkDVvvrzMtj1V+WFPB4K7zkIGM7VzRtFkjdg==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.2.tgz",
+      "integrity": "sha512-Yaf78O/B3Kkh+nKABUF++bvJv5Ijoy9AN1ww904rOXZFLWVc5OLOfL56W+C8F9xn5JQZa3UX6m+IktJnIb1Jjg==",
       "cpu": [
         "arm64"
       ],
@@ -470,9 +470,9 @@
       }
     },
     "node_modules/@esbuild/win32-ia32": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.1.tgz",
-      "integrity": "sha512-2BR5M8CPbptC1AK5JbJT1fWrHLvejwZidKx3UMSF0ecHMa+smhi16drIrCEggkgviBwLYd5nwrFLSl5Kho96RQ==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.2.tgz",
+      "integrity": "sha512-Iuws0kxo4yusk7sw70Xa2E2imZU5HoixzxfGCdxwBdhiDgt9vX9VUCBhqcwY7/uh//78A1hMkkROMJq9l27oLQ==",
       "cpu": [
         "ia32"
       ],
@@ -487,9 +487,9 @@
       }
     },
     "node_modules/@esbuild/win32-x64": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.1.tgz",
-      "integrity": "sha512-d5X6RMYv6taIymSk8JBP+nxv8DQAMY6A51GPgusqLdK9wBz5wWIXy1KjTck6HnjE9hqJzJRdk+1p/t5soSbCtw==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.2.tgz",
+      "integrity": "sha512-sRdU18mcKf7F+YgheI/zGf5alZatMUTKj/jNS6l744f9u3WFu4v7twcUI9vu4mknF4Y9aDlblIie0IM+5xxaqQ==",
       "cpu": [
         "x64"
       ],
@@ -1156,9 +1156,9 @@
       }
     },
     "node_modules/esbuild": {
-      "version": "0.27.1",
-      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.1.tgz",
-      "integrity": "sha512-yY35KZckJJuVVPXpvjgxiCuVEJT67F6zDeVTv4rizyPrfGBUpZQsvmxnN+C371c2esD/hNMjj4tpBhuueLN7aA==",
+      "version": "0.27.2",
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.2.tgz",
+      "integrity": "sha512-HyNQImnsOC7X9PMNaCIeAm4ISCQXs5a5YasTXVliKv4uuBo1dKrG0A+uQS8M5eXjVMnLg3WgXaKvprHlFJQffw==",
       "dev": true,
       "hasInstallScript": true,
       "license": "MIT",
@@ -1169,32 +1169,32 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.27.1",
-        "@esbuild/android-arm": "0.27.1",
-        "@esbuild/android-arm64": "0.27.1",
-        "@esbuild/android-x64": "0.27.1",
-        "@esbuild/darwin-arm64": "0.27.1",
-        "@esbuild/darwin-x64": "0.27.1",
-        "@esbuild/freebsd-arm64": "0.27.1",
-        "@esbuild/freebsd-x64": "0.27.1",
-        "@esbuild/linux-arm": "0.27.1",
-        "@esbuild/linux-arm64": "0.27.1",
-        "@esbuild/linux-ia32": "0.27.1",
-        "@esbuild/linux-loong64": "0.27.1",
-        "@esbuild/linux-mips64el": "0.27.1",
-        "@esbuild/linux-ppc64": "0.27.1",
-        "@esbuild/linux-riscv64": "0.27.1",
-        "@esbuild/linux-s390x": "0.27.1",
-        "@esbuild/linux-x64": "0.27.1",
-        "@esbuild/netbsd-arm64": "0.27.1",
-        "@esbuild/netbsd-x64": "0.27.1",
-        "@esbuild/openbsd-arm64": "0.27.1",
-        "@esbuild/openbsd-x64": "0.27.1",
-        "@esbuild/openharmony-arm64": "0.27.1",
-        "@esbuild/sunos-x64": "0.27.1",
-        "@esbuild/win32-arm64": "0.27.1",
-        "@esbuild/win32-ia32": "0.27.1",
-        "@esbuild/win32-x64": "0.27.1"
+        "@esbuild/aix-ppc64": "0.27.2",
+        "@esbuild/android-arm": "0.27.2",
+        "@esbuild/android-arm64": "0.27.2",
+        "@esbuild/android-x64": "0.27.2",
+        "@esbuild/darwin-arm64": "0.27.2",
+        "@esbuild/darwin-x64": "0.27.2",
+        "@esbuild/freebsd-arm64": "0.27.2",
+        "@esbuild/freebsd-x64": "0.27.2",
+        "@esbuild/linux-arm": "0.27.2",
+        "@esbuild/linux-arm64": "0.27.2",
+        "@esbuild/linux-ia32": "0.27.2",
+        "@esbuild/linux-loong64": "0.27.2",
+        "@esbuild/linux-mips64el": "0.27.2",
+        "@esbuild/linux-ppc64": "0.27.2",
+        "@esbuild/linux-riscv64": "0.27.2",
+        "@esbuild/linux-s390x": "0.27.2",
+        "@esbuild/linux-x64": "0.27.2",
+        "@esbuild/netbsd-arm64": "0.27.2",
+        "@esbuild/netbsd-x64": "0.27.2",
+        "@esbuild/openbsd-arm64": "0.27.2",
+        "@esbuild/openbsd-x64": "0.27.2",
+        "@esbuild/openharmony-arm64": "0.27.2",
+        "@esbuild/sunos-x64": "0.27.2",
+        "@esbuild/win32-arm64": "0.27.2",
+        "@esbuild/win32-ia32": "0.27.2",
+        "@esbuild/win32-x64": "0.27.2"
       }
     },
     "node_modules/escalade": {
@@ -2339,9 +2339,9 @@
       }
     },
     "node_modules/preact": {
-      "version": "10.28.0",
-      "resolved": "https://registry.npmjs.org/preact/-/preact-10.28.0.tgz",
-      "integrity": "sha512-rytDAoiXr3+t6OIP3WGlDd0ouCUG1iCWzkcY3++Nreuoi17y6T5i/zRhe6uYfoVcxq6YU+sBtJouuRDsq8vvqA==",
+      "version": "10.28.1",
+      "resolved": "https://registry.npmjs.org/preact/-/preact-10.28.1.tgz",
+      "integrity": "sha512-u1/ixq/lVQI0CakKNvLDEcW5zfCjUQfZdK9qqWuIJtsezuyG6pk9TWj75GMuI/EzRSZB/VAE43sNWWZfiy8psw==",
       "license": "MIT",
       "funding": {
         "type": "opencollective",

package.json

@@ -20,7 +20,7 @@
   "devDependencies": {
     "cssnano": "^7.1.2",
     "cssnano-preset-advanced": "^7.0.10",
-    "esbuild": "^0.27.1",
+    "esbuild": "^0.27.2",
     "playwright": "^1.52.0",
     "postcss-cli": "^11.0.1",
     "postcss-import": "^16.1.1",
@@ -29,6 +29,6 @@
   },
   "dependencies": {
     "@aws-crypto/sha256-js": "^5.2.0",
-    "preact": "^10.28.0"
+    "preact": "^10.28.1"
   }
 }

test/docker-registry/docker-compose.yaml

@@ -14,7 +14,7 @@ services:
     ports:
       - 3004:3004
     volumes:
-      - ../pki/registry.local.cetacean.club:/etc/techaro/pki/registry.local.cetacean.club
+      - ./pki/registry.local.cetacean.club:/etc/techaro/pki/registry.local.cetacean.club
 
   anubis:
     image: ko.local/anubis

test/lib/lib.sh

@@ -1,53 +1,56 @@
 REPO_ROOT=$(git rev-parse --show-toplevel)
 (cd $REPO_ROOT && go install ./utils/cmd/...)
 
+mkdir -p pki
+echo '*' >>./pki/.gitignore
+
 function cleanup() {
-  set +e
+	set +e
 
-  pkill -P $$
+	pkill -P $$
 
-  if [ -f "docker-compose.yaml" ]; then
-    docker compose down -t 1 || :
-    docker compose rm -f || :
-  fi
+	if [ -f "docker-compose.yaml" ]; then
+		docker compose down -t 1 || :
+		docker compose rm -f || :
+	fi
 }
 
 trap cleanup EXIT SIGINT
 
 function build_anubis_ko() {
-  (
-    cd $REPO_ROOT && npm ci && npm run assets
-  )
-  (
-    cd $REPO_ROOT &&
-      VERSION=devel ko build \
-        --platform=all \
-        --base-import-paths \
-        --tags="latest" \
-        --image-user=1000 \
-        --image-annotation="" \
-        --image-label="" \
-        ./cmd/anubis \
-        --local
-  )
+	(
+		cd $REPO_ROOT && npm ci && npm run assets
+	)
+	(
+		cd $REPO_ROOT &&
+			VERSION=devel ko build \
+				--platform=all \
+				--base-import-paths \
+				--tags="latest" \
+				--image-user=1000 \
+				--image-annotation="" \
+				--image-label="" \
+				./cmd/anubis \
+				--local
+	)
 }
 
 function mint_cert() {
-  if [ "$#" -ne 1 ]; then
-    echo "Usage: mint_cert <domain.name>"
-  fi
+	if [ "$#" -ne 1 ]; then
+		echo "Usage: mint_cert <domain.name>"
+	fi
 
-  domainName="$1"
+	domainName="$1"
 
-  # If the transient local TLS certificate doesn't exist, mint a new one
-  if [ ! -f "${REPO_ROOT}/test/pki/${domainName}/cert.pem" ]; then
-    # Subshell to contain the directory change
-    (
-      cd ${REPO_ROOT}/test/pki &&
-        mkdir -p "${domainName}" &&
-        go tool minica -domains "${domainName}" &&
-        cd "${domainName}" &&
-        chmod 666 *
-    )
-  fi
+	# If the transient local TLS certificate doesn't exist, mint a new one
+	if [ ! -f "./pki/${domainName}/cert.pem" ]; then
+		# Subshell to contain the directory change
+		(
+			cd ./pki &&
+				mkdir -p "${domainName}" &&
+				go tool minica -domains "${domainName}" &&
+				cd "${domainName}" &&
+				chmod 666 *
+		)
+	fi
 }

test/nginx/conf/nginx/conf-anubis.inc

@@ -0,0 +1,8 @@
+# /etc/nginx/conf-anubis.inc
+
+# Forward to anubis
+location / {
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_pass http://anubis;
+}

test/nginx/conf/nginx/conf.d/server-mimi-techaro-lol.conf

@@ -0,0 +1,29 @@
+# /etc/nginx/conf.d/server-mimi-techaro-lol.conf
+
+server {
+  # Listen on 443 with SSL
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  http2 on;
+
+  # Slipstream via Anubis
+  include "conf-anubis.inc";
+
+  server_name mimi.techaro.lol;
+
+  ssl_certificate /techaro/pki/mimi.techaro.lol/cert.pem;
+  ssl_certificate_key /techaro/pki/mimi.techaro.lol/key.pem;
+}
+
+server {
+  listen unix:/tmp/nginx.sock;
+
+  server_name mimi.techaro.lol;
+
+  port_in_redirect off;
+  root "/srv/http/mimi.techaro.lol";
+  index index.html;
+
+  # Your normal configuration can go here
+  # location .php { fastcgi...} etc.
+}

test/nginx/conf/nginx/conf.d/upstream-anubis.conf

@@ -0,0 +1,17 @@
+# /etc/nginx/conf.d/upstream-anubis.conf
+
+upstream anubis {
+  zone anubis_zone 64k;
+  # Make sure this matches the values you set for `BIND` and `BIND_NETWORK`.
+  # If this does not match, your services will not be protected by Anubis.
+
+  # Try anubis first over a UNIX socket
+  #server unix:/run/anubis/nginx.sock;
+  server anubis:3000 resolve;
+
+  # Optional: fall back to serving the websites directly. This allows your
+  # websites to be resilient against Anubis failing, at the risk of exposing
+  # them to the raw internet without protection. This is a tradeoff and can
+  # be worth it in some edge cases.
+  #server unix:/run/nginx.sock backup;
+}

test/nginx/conf/nginx/mime.types

@@ -0,0 +1,99 @@
+
+types {
+    text/html                                        html htm shtml;
+    text/css                                         css;
+    text/xml                                         xml;
+    image/gif                                        gif;
+    image/jpeg                                       jpeg jpg;
+    application/javascript                           js;
+    application/atom+xml                             atom;
+    application/rss+xml                              rss;
+
+    text/mathml                                      mml;
+    text/plain                                       txt;
+    text/vnd.sun.j2me.app-descriptor                 jad;
+    text/vnd.wap.wml                                 wml;
+    text/x-component                                 htc;
+
+    image/avif                                       avif;
+    image/png                                        png;
+    image/svg+xml                                    svg svgz;
+    image/tiff                                       tif tiff;
+    image/vnd.wap.wbmp                               wbmp;
+    image/webp                                       webp;
+    image/x-icon                                     ico;
+    image/x-jng                                      jng;
+    image/x-ms-bmp                                   bmp;
+
+    font/woff                                        woff;
+    font/woff2                                       woff2;
+
+    application/java-archive                         jar war ear;
+    application/json                                 json;
+    application/mac-binhex40                         hqx;
+    application/msword                               doc;
+    application/pdf                                  pdf;
+    application/postscript                           ps eps ai;
+    application/rtf                                  rtf;
+    application/vnd.apple.mpegurl                    m3u8;
+    application/vnd.google-earth.kml+xml             kml;
+    application/vnd.google-earth.kmz                 kmz;
+    application/vnd.ms-excel                         xls;
+    application/vnd.ms-fontobject                    eot;
+    application/vnd.ms-powerpoint                    ppt;
+    application/vnd.oasis.opendocument.graphics      odg;
+    application/vnd.oasis.opendocument.presentation  odp;
+    application/vnd.oasis.opendocument.spreadsheet   ods;
+    application/vnd.oasis.opendocument.text          odt;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation
+                                                     pptx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+                                                     xlsx;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document
+                                                     docx;
+    application/vnd.wap.wmlc                         wmlc;
+    application/wasm                                 wasm;
+    application/x-7z-compressed                      7z;
+    application/x-cocoa                              cco;
+    application/x-java-archive-diff                  jardiff;
+    application/x-java-jnlp-file                     jnlp;
+    application/x-makeself                           run;
+    application/x-perl                               pl pm;
+    application/x-pilot                              prc pdb;
+    application/x-rar-compressed                     rar;
+    application/x-redhat-package-manager             rpm;
+    application/x-sea                                sea;
+    application/x-shockwave-flash                    swf;
+    application/x-stuffit                            sit;
+    application/x-tcl                                tcl tk;
+    application/x-x509-ca-cert                       der pem crt;
+    application/x-xpinstall                          xpi;
+    application/xhtml+xml                            xhtml;
+    application/xspf+xml                             xspf;
+    application/zip                                  zip;
+
+    application/octet-stream                         bin exe dll;
+    application/octet-stream                         deb;
+    application/octet-stream                         dmg;
+    application/octet-stream                         iso img;
+    application/octet-stream                         msi msp msm;
+
+    audio/midi                                       mid midi kar;
+    audio/mpeg                                       mp3;
+    audio/ogg                                        ogg;
+    audio/x-m4a                                      m4a;
+    audio/x-realaudio                                ra;
+
+    video/3gpp                                       3gpp 3gp;
+    video/mp2t                                       ts;
+    video/mp4                                        mp4;
+    video/mpeg                                       mpeg mpg;
+    video/quicktime                                  mov;
+    video/webm                                       webm;
+    video/x-flv                                      flv;
+    video/x-m4v                                      m4v;
+    video/x-mng                                      mng;
+    video/x-ms-asf                                   asx asf;
+    video/x-ms-wmv                                   wmv;
+    video/x-msvideo                                  avi;
+}

test/nginx/conf/nginx/nginx.conf

@@ -0,0 +1,32 @@
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /run/nginx.pid;
+
+
+events {
+    worker_connections 1024;
+}
+
+
+http {
+    resolver 169.254.42.1 valid=300s ipv6=on;
+    resolver_timeout 10s;
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+    '$status $body_bytes_sent "$http_referer" '
+    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+
+    sendfile on;
+    #tcp_nopush     on;
+
+    keepalive_timeout 65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}

test/nginx/test.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+source ../lib/lib.sh
+
+export KO_DOCKER_REPO=ko.local
+
+set -euo pipefail
+
+mint_cert mimi.techaro.lol
+
+docker run --rm \
+	-v $PWD/conf/nginx:/etc/nginx:ro \
+	-v $PWD/pki:/techaro/pki:ro \
+	nginx \
+	nginx -t
+
+exit 0

test/palemoon/amd64/docker-compose.yml

@@ -26,7 +26,7 @@ services:
       KEY_FNAME: key.pem
       PROXY_TO: http://anubis:3000
     volumes:
-      - ../../pki/relayd:/techaro/pki:ro
+      - ./pki/relayd:/techaro/pki:ro
 
   # novnc:
   #   image: geek1011/easy-novnc
@@ -42,7 +42,7 @@ services:
     environment:
       DISPLAY: display:0
     volumes:
-      - ../../pki:/usr/local/share/ca-certificates/minica:ro
+      - ./pki:/usr/local/share/ca-certificates/minica:ro
       - ../scripts:/hack/scripts:ro
     depends_on:
       - anubis

test/palemoon/i386/docker-compose.yml

@@ -24,7 +24,7 @@ services:
       KEY_FNAME: key.pem
       PROXY_TO: http://anubis:3000
     volumes:
-      - ../../pki/relayd:/techaro/pki:ro
+      - ./pki/relayd:/techaro/pki:ro
 
   # novnc:
   #   image: geek1011/easy-novnc
@@ -40,5 +40,5 @@ services:
     environment:
       DISPLAY: display:0
     volumes:
-      - ../../pki:/usr/local/share/ca-certificates/minica:ro
+      - ./pki:/usr/local/share/ca-certificates/minica:ro
       - ../scripts:/hack/scripts:ro

utils/cmd/iplist2rule/blocklist.go

@@ -0,0 +1,57 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"net/http"
+	"net/netip"
+	"strings"
+)
+
+// FetchBlocklist reads the blocklist over HTTP and returns every non-commented
+// line parsed as an IP address in CIDR notation. IPv4 addresses are returned as
+// /32, IPv6 addresses as /128.
+//
+// This function was generated with GLM 4.7.
+func FetchBlocklist(url string) ([]string, error) {
+	resp, err := http.Get(url)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("HTTP request failed with status: %s", resp.Status)
+	}
+
+	var lines []string
+	scanner := bufio.NewScanner(resp.Body)
+	for scanner.Scan() {
+		line := scanner.Text()
+		// Skip empty lines and comments (lines starting with #)
+		if line == "" || strings.HasPrefix(line, "#") {
+			continue
+		}
+
+		addr, err := netip.ParseAddr(line)
+		if err != nil {
+			// Skip lines that aren't valid IP addresses
+			continue
+		}
+
+		var cidr string
+		if addr.Is4() {
+			cidr = fmt.Sprintf("%s/32", addr.String())
+		} else {
+			cidr = fmt.Sprintf("%s/128", addr.String())
+		}
+		lines = append(lines, cidr)
+	}
+
+	if err := scanner.Err(); err != nil && err != io.EOF {
+		return nil, err
+	}
+
+	return lines, nil
+}

utils/cmd/iplist2rule/main.go

@@ -0,0 +1,103 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/TecharoHQ/anubis/lib/config"
+	"github.com/facebookgo/flagenv"
+	"sigs.k8s.io/yaml"
+)
+
+type Rule struct {
+	Name       string         `yaml:"name" json:"name"`
+	Action     config.Rule    `yaml:"action" json:"action"`
+	RemoteAddr []string       `json:"remote_addresses,omitempty" yaml:"remote_addresses,omitempty"`
+	Weight     *config.Weight `json:"weight,omitempty" yaml:"weight,omitempty"`
+}
+
+func init() {
+	flag.Usage = func() {
+		fmt.Printf(`Usage of %[1]s:
+
+	%[1]s [flags] <blocklist-url> <filename>
+
+Grabs the contents of the blocklist, converts it to an Anubis ruleset, and writes it to filename.
+
+Flags:
+`, filepath.Base(os.Args[0]))
+
+		flag.PrintDefaults()
+	}
+}
+
+var (
+	action         = flag.String("action", "DENY", "Anubis action to take (ALLOW / DENY / WEIGH)")
+	manualRuleName = flag.String("rule-name", "", "If set, prefer this name over inferring from filename")
+	weight         = flag.Int("weight", 0, "If set to any number, add/subtract this many weight points when --action=WEIGH")
+)
+
+func main() {
+	flagenv.Parse()
+	flag.Parse()
+
+	if flag.NArg() != 2 {
+		flag.Usage()
+		os.Exit(2)
+	}
+
+	blocklistURL := flag.Arg(0)
+	foutName := flag.Arg(1)
+	ruleName := strings.TrimSuffix(foutName, filepath.Ext(foutName))
+
+	if *manualRuleName != "" {
+		ruleName = *manualRuleName
+	}
+
+	ruleAction := config.Rule(*action)
+	if err := ruleAction.Valid(); err != nil {
+		log.Fatalf("--action=%q is invalid: %v", *action, err)
+	}
+
+	result := &Rule{
+		Name:   ruleName,
+		Action: ruleAction,
+	}
+
+	if *weight != 0 {
+		if ruleAction != config.RuleWeigh {
+			log.Fatalf("used --weight=%d but --action=%s", *weight, *action)
+		}
+
+		result.Weight = &config.Weight{
+			Adjust: *weight,
+		}
+	}
+
+	ips, err := FetchBlocklist(blocklistURL)
+	if err != nil {
+		log.Fatalf("can't fetch blocklist %s: %v", blocklistURL, err)
+	}
+
+	result.RemoteAddr = ips
+
+	fout, err := os.Create(foutName)
+	if err != nil {
+		log.Fatalf("can't create output file %q: %v", foutName, err)
+	}
+	defer fout.Close()
+
+	fmt.Fprintf(fout, "# Generated by %s on %s from %s\n\n", filepath.Base(os.Args[0]), time.Now().Format(time.RFC3339), blocklistURL)
+
+	data, err := yaml.Marshal([]*Rule{result})
+	if err != nil {
+		log.Fatalf("can't marshal yaml")
+	}
+
+	fout.Write(data)
+}

web/index.templ

@@ -64,7 +64,7 @@ templ base(title string, body templ.Component, impressum *config.Impressum, chal
 			@templ.JSONScript("anubis_public_url", anubis.PublicUrl)
 		</head>
 		<body id="top">
-			@honeypotLink(fmt.Sprintf("%shoneypot/%s/init", anubis.APIPrefix, uuid.NewString()))
+			@honeypotLink(anubis.BasePrefix + fmt.Sprintf("%shoneypot/%s/init", anubis.APIPrefix, uuid.NewString()))
 			<main>
 				<h1 id="title" class="centered-div">{ title }</h1>
 				@body
@@ -79,7 +79,7 @@ templ base(title string, body templ.Component, impressum *config.Impressum, chal
 						if impressum != nil {
 							<p>
 								@templ.Raw(impressum.Footer)
-								-- <a href={ templ.SafeURL(fmt.Sprintf("%simprint", anubis.APIPrefix)) }>Imprint</a>
+								-- <a href={ templ.SafeURL(anubis.BasePrefix + fmt.Sprintf("%simprint", anubis.APIPrefix)) }>Imprint</a>
 							</p>
 						}
 						<p>{ localizer.T("version_info") } <code>{ anubis.Version }</code>.</p>

web/index_templ.go

@@ -137,7 +137,7 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = honeypotLink(fmt.Sprintf("%shoneypot/%s/init", anubis.APIPrefix, uuid.NewString())).Render(ctx, templ_7745c5c3_Buffer)
+		templ_7745c5c3_Err = honeypotLink(anubis.BasePrefix+fmt.Sprintf("%shoneypot/%s/init", anubis.APIPrefix, uuid.NewString())).Render(ctx, templ_7745c5c3_Buffer)
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -245,9 +245,9 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 				return templ_7745c5c3_Err
 			}
 			var templ_7745c5c3_Var13 templ.SafeURL
-			templ_7745c5c3_Var13, templ_7745c5c3_Err = templ.JoinURLErrs(templ.SafeURL(fmt.Sprintf("%simprint", anubis.APIPrefix)))
+			templ_7745c5c3_Var13, templ_7745c5c3_Err = templ.JoinURLErrs(templ.SafeURL(anubis.BasePrefix + fmt.Sprintf("%simprint", anubis.APIPrefix)))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 82, Col: 78}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 82, Col: 98}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var13))
 			if templ_7745c5c3_Err != nil {

web/index_test.go

@@ -0,0 +1,81 @@
+package web
+
+import (
+	"context"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/lib/config"
+	"github.com/TecharoHQ/anubis/lib/localization"
+	"github.com/a-h/templ"
+)
+
+func TestBasePrefixInLinks(t *testing.T) {
+	tests := []struct {
+		name       string
+		basePrefix string
+		wantInLink string
+	}{
+		{
+			name:       "no prefix",
+			basePrefix: "",
+			wantInLink: "/.within.website/x/cmd/anubis/api/",
+		},
+		{
+			name:       "with rififi prefix",
+			basePrefix: "/rififi",
+			wantInLink: "/rififi/.within.website/x/cmd/anubis/api/",
+		},
+		{
+			name:       "with myapp prefix",
+			basePrefix: "/myapp",
+			wantInLink: "/myapp/.within.website/x/cmd/anubis/api/",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Save original BasePrefix and restore after test
+			origPrefix := anubis.BasePrefix
+			defer func() { anubis.BasePrefix = origPrefix }()
+
+			anubis.BasePrefix = tt.basePrefix
+
+			// Create test impressum
+			impressum := &config.Impressum{
+				Footer: "<p>Test footer</p>",
+				Page: config.ImpressumPage{
+					Title: "Test Imprint",
+					Body:  "<p>Test imprint body</p>",
+				},
+			}
+
+			// Create localizer using a dummy request
+			req := httptest.NewRequest("GET", "/", nil)
+			localizer := &localization.SimpleLocalizer{}
+			localizer.Localizer = localization.NewLocalizationService().GetLocalizerFromRequest(req)
+
+			// Render the base template to a buffer
+			var buf strings.Builder
+			component := base(tt.name, templ.NopComponent, impressum, nil, nil, localizer)
+			err := component.Render(context.Background(), &buf)
+			if err != nil {
+				t.Fatalf("failed to render template: %v", err)
+			}
+
+			output := buf.String()
+
+			// Check that honeypot link includes the base prefix
+			if !strings.Contains(output, `href="`+tt.wantInLink+`honeypot/`) {
+				t.Errorf("honeypot link does not contain base prefix %q\noutput: %s", tt.wantInLink, output)
+			}
+
+			// Check that imprint link includes the base prefix
+			if !strings.Contains(output, `href="`+tt.wantInLink+`imprint`) {
+				t.Errorf("imprint link does not contain base prefix %q\noutput: %s", tt.wantInLink, output)
+			}
+		})
+	}
+}