Merge branch 'main' into Xe/less-paranoid

Signed-off-by: Xe Iaso <xe.iaso@techaro.lol>
docs: update CHANGELOG
2026-04-27 10:32:42 +00:00 · 2025-10-09 16:45:02 -04:00 · 2025-10-09 14:50:59 +00:00 · 2025-10-09 14:49:20 +00:00 · 2025-10-09 14:49:00 +00:00 · 2025-10-09 14:48:33 +00:00
3 changed files with 68 additions and 19 deletions
@@ -93,6 +93,44 @@ bots:
  #   weight:
  #     adjust: -10
  # Assert behaviour that only genuine browsers display. This ensures that Chrome
  # or Firefox versions
  - name: realistic-browser-catchall
    expression:
      all:
        - '"User-Agent" in headers'
        - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'
        - '"Accept" in headers'
        - '"Sec-Fetch-Dest" in headers'
        - '"Sec-Fetch-Mode" in headers'
        - '"Sec-Fetch-Site" in headers'
        - '"Upgrade-Insecure-Requests" in headers'
        - '"Accept-Encoding" in headers'
        - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
        - '"Accept-Language" in headers'
    action: WEIGH
    weight:
      adjust: -10
  # Chrome should behave like Chrome
  - name: chrome-is-proper
    expression:
      all:
        - userAgent.contains("Chrome")
        - '"Sec-Ch-Ua" in headers'
        - 'headers["Sec-Ch-Ua"].contains("Chromium")'
        - '"Sec-Ch-Ua-Mobile" in headers'
        - '"Sec-Ch-Ua-Platform" in headers'
    action: WEIGH
    weight:
      adjust: -5
  - name: should-have-accept
    expression: '!("Accept" in headers)'
    action: WEIGH
    weight:
      adjust: 5
  # Generic catchall rule
  - name: generic-browser
    user_agent_regex: >-
@@ -212,10 +250,14 @@ thresholds:
        - weight < 20
    action: CHALLENGE
    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
+      # https://anubis.techaro.lol/docs/admin/configuration/challenges/preact
-      algorithm: fast
+      #
-      difficulty: 2 # two leading zeros, very fast for most clients
+      # This challenge proves the client can run a webapp written with Preact.
-      report_as: 2
+      # The preact webapp simply loads, calculates the SHA-256 checksum of the
      # challenge data, and forwards that to the client.
      algorithm: preact
      difficulty: 1
      report_as: 1
  - name: mild-proof-of-work
    expression:
      all:
@@ -225,8 +267,8 @@ thresholds:
    challenge:
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
      algorithm: fast
-      difficulty: 4
+      difficulty: 2 # two leading zeros, very fast for most clients
-      report_as: 4
+      report_as: 2
  # For clients that are browser like and have gained many points from custom rules
  - name: extreme-suspicion
    expression: weight >= 30
@@ -234,5 +276,5 @@ thresholds:
    challenge:
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
      algorithm: fast
-      difficulty: 6
+      difficulty: 4
-      report_as: 6
+      report_as: 4
@@ -10,5 +10,11 @@
          userAgent.startsWith("JGit/") ||
          userAgent.startsWith("JGit-")
        )
-    - '"Git-Protocol" in headers'
+      - '"Accept" in headers'
-    - headers["Git-Protocol"] == "version=2"
+      - headers["Accept"] == "*/*"
      - '"Cache-Control" in headers'
      - headers["Cache-Control"] == "no-cache"
      - '"Pragma" in headers'
      - headers["Pragma"] == "no-cache"
      - '"Accept-Encoding" in headers'
      - headers["Accept-Encoding"].contains("gzip")
@@ -29,9 +29,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixes concurrency problems with very old browsers ([#1082](https://github.com/TecharoHQ/anubis/issues/1082)).
 - Randomly use the Refresh header instead of the meta refresh tag in the metarefresh challenge.
 - Update OpenRC service to truncate the runtime directory before starting Anubis.
 - Make the git client profile more strictly match how the git client behaves.
 - Make the default configuration reward users using normal browsers.
 - Allow multiple consecutive slashes in a row in application paths ([#754](https://github.com/TecharoHQ/anubis/issues/754)).
 - Add option to set `targetSNI` to special keyword 'auto' to indicate that it should be automatically set to the request Host name ([424](https://github.com/TecharoHQ/anubis/issues/424)).
 - The Preact challenge has been removed from the default configuration. It will be deprecated in the future.
 ### Bug Fixes
Author	SHA1	Message	Date
Xe Iaso	b6887850b0	Merge branch 'main' into Xe/less-paranoid Signed-off-by: Xe Iaso <xe.iaso@techaro.lol>	2025-10-09 16:45:02 -04:00
Xe Iaso	74b8f6065d	docs: update CHANGELOG Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-10-09 14:50:59 +00:00
Xe Iaso	206007a364	fix(default-config): make the default config far less paranoid This uses a variety of heuristics to make sure that clients that claim to be browsers are more likely to behave like browsers. Most of these are based on the results of a lot of reverse engineering and data collection from honeypot servers. Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-10-09 14:49:20 +00:00
Xe Iaso	40ab7da7ed	fix(data/clients/git): more strictly match the git client Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-10-09 14:49:00 +00:00
Xe Iaso	9599cb8ea9	test: add httpdebug tool Signed-off-by: Xe Iaso <me@xeiaso.net>	2025-10-09 14:48:33 +00:00