fix(web): address review feedback on PoW challenge component

- Guard j() helper against null/empty textContent before JSON.parse
- Use <button> instead of clickable <div> for "finished reading" control
  to support keyboard navigation and screen readers
- Make currentLang a local const inside initTranslations since it is
  not read elsewhere

Assisted-by: Claude Opus 4.6 via Claude Code
Signed-off-by: Xe Iaso <me@xeiaso.net>

.github/actions/spelling/allow.txt

@@ -31,16 +31,3 @@ Stargate
 FFXIV
 uvensys
 de
-resourced
-envoyproxy
-unipromos
-Samsung
-wenet
-qwertiko
-setuplistener
-mba
-xfu
-xou
-AWOO
-firewalls
-bindhosts

.github/actions/spelling/expect.txt

@@ -47,7 +47,6 @@ cachediptoasn
 Caddyfile
 caninetools
 Cardyb
-CAs
 celchecker
 celphase
 cerr
@@ -81,7 +80,6 @@ databento
 dayjob
 dco
 DDOS
-ddwrt
 Debian
 debrpm
 decaymap
@@ -104,7 +102,6 @@ duckduckbot
 eerror
 ellenjoe
 emacs
-embe
 enbyware
 etld
 everyones
@@ -120,9 +117,9 @@ fahedouch
 fastcgi
 FCr
 fcrdns
-fcvg
 fediverse
 ffprobe
+FFXIV
 fhdr
 financials
 finfos
@@ -205,10 +202,8 @@ kagi
 kagibot
 Keyfunc
 keypair
-keypairreloader
 KHTML
 kinda
-kpr
 KUBECONFIG
 lcj
 ldflags
@@ -226,6 +221,7 @@ LLU
 loadbalancer
 lol
 lominsa
+maintainership
 malware
 mcr
 memes
@@ -233,18 +229,17 @@ metarefresh
 metrix
 mimi
 Minfilia
-minica
 mistralai
 mnt
 Mojeek
 mojeekbot
 mozilla
-mqvh
 myclient
 mymaster
 mypass
 myuser
 nbf
+Necron
 nepeat
 netsurf
 nginx
@@ -319,7 +314,6 @@ searchbot
 searx
 sebest
 secretplans
-selfsigned
 Semrush
 Seo
 setsebool
@@ -340,6 +334,7 @@ spyderbot
 srcip
 srv
 stackoverflow
+Stargate
 startprecmd
 stoppostcmd
 storetest
@@ -389,7 +384,6 @@ vnd
 VPS
 Vultr
 WAIFU
-wcg
 weblate
 webmaster
 webpage

.github/workflows/asset-verification.yml

@@ -25,7 +25,7 @@ jobs:
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "1.25.7"
 

.github/workflows/docker-pr.yml

@@ -29,7 +29,7 @@ jobs:
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "stable"
 

.github/workflows/docker.yml

@@ -39,14 +39,14 @@ jobs:
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "stable"
 
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Log into registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.github/workflows/docs-deploy.yml

@@ -25,7 +25,7 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Log into registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: techarohq
@@ -53,14 +53,14 @@ jobs:
           push: true
 
       - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@934aaa4354bbbc3d2176ae8d7cae92d515032dff # v1.35.3
+        uses: actions-hub/kubectl@5ada4e2c02eacc03978c2437e95c8b0f979a9619 # v1.35.2
         env:
           KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
         with:
           args: apply -k docs/manifest
 
       - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@934aaa4354bbbc3d2176ae8d7cae92d515032dff # v1.35.3
+        uses: actions-hub/kubectl@5ada4e2c02eacc03978c2437e95c8b0f979a9619 # v1.35.2
         env:
           KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
         with:

.github/workflows/go-mod-tidy-check.yml

@@ -17,7 +17,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "stable"
 

.github/workflows/go.yml

@@ -27,12 +27,12 @@ jobs:
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "stable"
 
       - name: Cache playwright binaries
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         id: playwright-cache
         with:
           path: |

.github/workflows/package-builds-stable.yml

@@ -28,7 +28,7 @@ jobs:
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "stable"
 

.github/workflows/package-builds-unstable.yml

@@ -29,7 +29,7 @@ jobs:
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "stable"
 

.github/workflows/smoke-tests.yml

@@ -27,7 +27,6 @@ jobs:
           - palemoon/amd64
           #- palemoon/i386
           - robots_txt
-          - traefik
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -38,7 +37,7 @@ jobs:
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "stable"
 

.github/workflows/spelling.yml

@@ -89,7 +89,7 @@ jobs:
     steps:
       - name: check-spelling
         id: spelling
-        uses: check-spelling/check-spelling@cfb6f7e75bbfc89c71eaa30366d0c166f1bd9c8c # v0.0.26
+        uses: check-spelling/check-spelling@c635c2f3f714eec2fcf27b643a1919b9a811ef2e # v0.0.25
         with:
           suppress_push_for_open_pull_request: ${{ github.actor != 'dependabot[bot]' && 1 }}
           checkout: true

.github/workflows/ssh-ci-runner-cron.yml

@@ -24,7 +24,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
       - name: Log into registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.github/workflows/ssh-ci.yml

@@ -30,13 +30,13 @@ jobs:
           persist-credentials: false
 
       - name: Install CI target SSH key
-        uses: shimataro/ssh-key-action@87a8f067114a8ce263df83e9ed5c849953548bc3 # v2.8.1
+        uses: shimataro/ssh-key-action@6b84f2e793b32fa0b03a379cadadec75cc539391 # v2.8.0
         with:
           key: ${{ secrets.CI_SSH_KEY }}
           name: id_rsa
           known_hosts: ${{ secrets.CI_SSH_KNOWN_HOSTS }}
 
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "stable"
 

.github/workflows/zizmor.yml

@@ -21,7 +21,7 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
+        uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
 
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif . > results.sarif
@@ -29,7 +29,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           sarif_file: results.sarif
           category: zizmor

README.md

@@ -73,15 +73,6 @@ Anubis is brought to you by sponsors and donors like:
 <a href="https://www.anexia.com/">
   <img src="./docs/static/img/sponsors/anexia-cloudsolutions-logo.webp" alt="ANEXIA Cloud Solutions" height="64">
 </a>
-<a href="https://dd-wrt.com/">
-  <img src="./docs/static/img/sponsors/ddwrt-logo.webp" alt="embeDD GmbH" height="64">
-</a>
-<a href="https://www.qwertiko.de?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="./docs/static/img/sponsors/qwertiko-logo.webp" alt="Qwertiko" height="64">
-</a>
-<a href="https://wenet.pl/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="./docs/static/img/sponsors/wenet-logo.webp" alt="Wenet" height="64">
-</a>
 
 ## Overview
 

cmd/anubis/main.go

@@ -21,6 +21,7 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"sync"
 	"syscall"
@@ -31,12 +32,12 @@ import (
 	"github.com/TecharoHQ/anubis/internal"
 	libanubis "github.com/TecharoHQ/anubis/lib"
 	"github.com/TecharoHQ/anubis/lib/config"
-	"github.com/TecharoHQ/anubis/lib/metrics"
 	botPolicy "github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/thoth"
 	"github.com/TecharoHQ/anubis/web"
 	"github.com/facebookgo/flagenv"
 	_ "github.com/joho/godotenv/autoload"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
 	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
 )
 
@@ -117,6 +118,33 @@ func doHealthCheck() error {
 	return nil
 }
 
+// parseBindNetFromAddr determine bind network and address based on the given network and address.
+func parseBindNetFromAddr(address string) (string, string) {
+	defaultScheme := "http://"
+	if !strings.Contains(address, "://") {
+		if strings.HasPrefix(address, ":") {
+			address = defaultScheme + "localhost" + address
+		} else {
+			address = defaultScheme + address
+		}
+	}
+
+	bindUri, err := url.Parse(address)
+	if err != nil {
+		log.Fatal(fmt.Errorf("failed to parse bind URL: %w", err))
+	}
+
+	switch bindUri.Scheme {
+	case "unix":
+		return "unix", bindUri.Path
+	case "tcp", "http", "https":
+		return "tcp", bindUri.Host
+	default:
+		log.Fatal(fmt.Errorf("unsupported network scheme %s in address %s", bindUri.Scheme, address))
+	}
+	return "", address
+}
+
 func parseSameSite(s string) http.SameSite {
 	switch strings.ToLower(s) {
 	case "none":
@@ -133,6 +161,53 @@ func parseSameSite(s string) http.SameSite {
 	return http.SameSiteDefaultMode
 }
 
+func setupListener(network string, address string) (net.Listener, string) {
+	formattedAddress := ""
+
+	if network == "" {
+		// keep compatibility
+		network, address = parseBindNetFromAddr(address)
+	}
+
+	switch network {
+	case "unix":
+		formattedAddress = "unix:" + address
+	case "tcp":
+		if strings.HasPrefix(address, ":") { // assume it's just a port e.g. :4259
+			formattedAddress = "http://localhost" + address
+		} else {
+			formattedAddress = "http://" + address
+		}
+	default:
+		formattedAddress = fmt.Sprintf(`(%s) %s`, network, address)
+	}
+
+	listener, err := net.Listen(network, address)
+	if err != nil {
+		log.Fatal(fmt.Errorf("failed to bind to %s: %w", formattedAddress, err))
+	}
+
+	// additional permission handling for unix sockets
+	if network == "unix" {
+		mode, err := strconv.ParseUint(*socketMode, 8, 0)
+		if err != nil {
+			listener.Close()
+			log.Fatal(fmt.Errorf("could not parse socket mode %s: %w", *socketMode, err))
+		}
+
+		err = os.Chmod(address, os.FileMode(mode))
+		if err != nil {
+			err := listener.Close()
+			if err != nil {
+				log.Printf("failed to close listener: %v", err)
+			}
+			log.Fatal(fmt.Errorf("could not change socket mode: %w", err))
+		}
+	}
+
+	return listener, formattedAddress
+}
+
 func makeReverseProxy(target string, targetSNI string, targetHost string, insecureSkipVerify bool, targetDisableKeepAlive bool) (http.Handler, error) {
 	targetUri, err := url.Parse(target)
 	if err != nil {
@@ -228,6 +303,11 @@ func main() {
 
 	wg := new(sync.WaitGroup)
 
+	if *metricsBind != "" {
+		wg.Add(1)
+		go metricsServer(ctx, *lg.With("subsystem", "metrics"), wg.Done)
+	}
+
 	var rp http.Handler
 	// when using anubis via Systemd and environment variables, then it is not possible to set targe to an empty string but only to space
 	if strings.TrimSpace(*target) != "" {
@@ -259,7 +339,7 @@ func main() {
 	}
 
 	lg.Info("loading policy file", "fname", *policyFname)
-	policy, err := libanubis.LoadPoliciesOrDefault(ctx, *policyFname, *challengeDifficulty, *slogLevel, strings.TrimSpace(*target) == "")
+	policy, err := libanubis.LoadPoliciesOrDefault(ctx, *policyFname, *challengeDifficulty, *slogLevel)
 	if err != nil {
 		log.Fatalf("can't parse policy file: %v", err)
 	}
@@ -267,26 +347,6 @@ func main() {
 	lg.Debug("swapped to new logger")
 	slog.SetDefault(lg)
 
-	if *metricsBind != "" || policy.Metrics != nil {
-		wg.Add(1)
-
-		ms := &metrics.Server{
-			Config: policy.Metrics,
-			Log:    lg,
-		}
-
-		if policy.Metrics == nil {
-			lg.Debug("migrating flags to metrics config", "bind", *metricsBind, "network", *metricsBindNetwork, "socket-mode", *socketMode)
-			ms.Config = &config.Metrics{
-				Bind:       *metricsBind,
-				Network:    *metricsBindNetwork,
-				SocketMode: *socketMode,
-			}
-		}
-
-		go ms.Run(ctx, wg.Done)
-	}
-
 	// Warn if persistent storage is used without a configured signing key
 	if policy.Store.IsPersistent() {
 		if *hs512Secret == "" && *ed25519PrivateKeyHex == "" && *ed25519PrivateKeyHexFile == "" {
@@ -367,7 +427,7 @@ func main() {
 			redirectDomainsList = append(redirectDomainsList, strings.TrimSpace(domain))
 		}
 	} else {
-		lg.Warn("REDIRECT_DOMAINS is not set, Anubis will redirect to any domain, see https://anubis.techaro.lol/docs/admin/configuration/redirect-domains")
+		lg.Warn("REDIRECT_DOMAINS is not set, Anubis will only redirect to the same domain a request is coming from, see https://anubis.techaro.lol/docs/admin/configuration/redirect-domains")
 	}
 
 	anubis.CookieName = *cookiePrefix + "-auth"
@@ -423,11 +483,7 @@ func main() {
 	h = internal.JA4H(h)
 
 	srv := http.Server{Handler: h, ErrorLog: internal.GetFilteredHTTPLogger()}
-	listener, listenerUrl, err := internal.SetupListener(*bindNetwork, *bind, *socketMode)
+	listener, listenerUrl := setupListener(*bindNetwork, *bind)
-	if err != nil {
-		log.Fatalf("SetupListener(%q, %q, %q): %v", *bindNetwork, *bind, *socketMode, err)
-	}
-
 	lg.Info(
 		"listening",
 		"url", listenerUrl,
@@ -462,6 +518,48 @@ func main() {
 	wg.Wait()
 }
 
+func metricsServer(ctx context.Context, lg slog.Logger, done func()) {
+	defer done()
+
+	mux := http.NewServeMux()
+	mux.Handle("/metrics", promhttp.Handler())
+	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
+		st, ok := internal.GetHealth("anubis")
+		if !ok {
+			slog.Error("health service anubis does not exist, file a bug")
+		}
+
+		switch st {
+		case healthv1.HealthCheckResponse_NOT_SERVING:
+			http.Error(w, "NOT OK", http.StatusInternalServerError)
+			return
+		case healthv1.HealthCheckResponse_SERVING:
+			fmt.Fprintln(w, "OK")
+			return
+		default:
+			http.Error(w, "UNKNOWN", http.StatusFailedDependency)
+			return
+		}
+	})
+
+	srv := http.Server{Handler: mux, ErrorLog: internal.GetFilteredHTTPLogger()}
+	listener, metricsUrl := setupListener(*metricsBindNetwork, *metricsBind)
+	lg.Debug("listening for metrics", "url", metricsUrl)
+
+	go func() {
+		<-ctx.Done()
+		c, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		if err := srv.Shutdown(c); err != nil {
+			log.Printf("cannot shut down: %v", err)
+		}
+	}()
+
+	if err := srv.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
+		log.Fatal(err)
+	}
+}
+
 func extractEmbedFS(fsys embed.FS, root string, destDir string) error {
 	return fs.WalkDir(fsys, root, func(path string, d fs.DirEntry, err error) error {
 		if err != nil {

data/botPolicies.yaml

@@ -166,36 +166,6 @@ status_codes:
   CHALLENGE: 200
   DENY: 200
 
-# # Configuration for the metrics server. See the docs for more information:
-# #
-# # https://anubis.techaro.lol/docs/admin/policies#metrics-server
-# #
-# # This is commented out by default so that command line flags take precedence.
-# metrics:
-#   bind: ":9090"
-#   network: "tcp"
-#
-# # To protect your metrics server with basic auth, set credentials below:
-# #
-# # https://anubis.techaro.lol/docs/admin/policies#http-basic-authentication
-#   basicAuth:
-#     username: ""
-#     password: ""
-#
-# # To serve metrics over TLS, set the path to the right TLS certificate and key
-# # here. When the files change on disk, they will automatically be reloaded.
-# #
-# # https://anubis.techaro.lol/docs/admin/policies#tls
-#   tls:
-#     certificate: /path/to/tls.crt
-#     key: /path/to/tls.key
-#
-#     # If you want to secure your metrics endpoint using mutual TLS (mTLS), set
-#     # the path to a certificate authority public certificate here.
-#     #
-#     # https://anubis.techaro.lol/docs/admin/policies#mtls
-#     ca: /path/to/ca.crt
-
 # Anubis can store temporary data in one of a few backends. See the storage
 # backends section of the docs for more information:
 #

data/crawlers/_allow-good.yaml

@@ -8,5 +8,4 @@
 - import: (data)/crawlers/marginalia.yaml
 - import: (data)/crawlers/mojeekbot.yaml
 - import: (data)/crawlers/commoncrawl.yaml
-- import: (data)/crawlers/wikimedia-citoid.yaml
 - import: (data)/crawlers/yandexbot.yaml

data/crawlers/ai-search.yaml

@@ -4,5 +4,5 @@
 #  - Claude-SearchBot: No published IP allowlist
 - name: "ai-crawlers-search"
   user_agent_regex: >-
-    OAI-SearchBot|Claude-SearchBot|PerplexityBot|meta-webindexer
+    OAI-SearchBot|Claude-SearchBot|PerplexityBot
   action: DENY

data/crawlers/wikimedia-citoid.yaml

@@ -1,18 +0,0 @@
-# Wikimedia Foundation citation services
-# https://www.mediawiki.org/wiki/Citoid
-
-- name: wikimedia-citoid
-  user_agent_regex: "Citoid/WMF"
-  action: ALLOW
-  remote_addresses: [
-    "208.80.152.0/22",
-    "2620:0:860::/46",
-  ]
-
-- name: wikimedia-zotero-translation-server
-  user_agent_regex: "ZoteroTranslationServer/WMF"
-  action: ALLOW
-  remote_addresses: [
-    "208.80.152.0/22",
-    "2620:0:860::/46",
-  ]

docs/docs/CHANGELOG.md

@@ -11,34 +11,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-<!-- This changes the project to: -->
-
-- Patch [GHSA-6wcg-mqvh-fcvg](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-6wcg-mqvh-fcvg) by containing subrequest logic to Anubis instances in subrequest mode.
-- Implement robot9001 style delays on the honeypot feature so that the first hit takes 1 millisecond, the second takes 2, etc.
-- Move metrics server configuration to [the policy file](./admin/policies.mdx#metrics-server).
-- Expose [pprof endpoints](https://pkg.go.dev/net/http/pprof) on the metrics listener to enable profiling Anubis in production.
 - fix: prevent nil pointer panic in challenge validation when threshold rules match during PassChallenge (#1463)
 - Instruct reverse proxies to not cache error pages.
 - Fixed mixed tab/space indentation in Caddy documentation code block
-- Improve error messages and fix broken REDIRECT_DOMAINS link in docs ([#1193](https://github.com/TecharoHQ/anubis/issues/1193))
+- Rewrite main proof of work challenge to use Preact instead of Vanilla.js ([#1149](https://github.com/TecharoHQ/anubis/issues/1149))
-- Add Bulgarian locale ([#1394](https://github.com/TecharoHQ/anubis/pull/1394))
+
-- Fixed case-sensitivity mismatch in geoipchecker.go
+<!-- This changes the project to: -->
-- Fix CEL internal errors when iterating `headers`/`query` map wrappers by implementing map iterators for `HTTPHeaders` and `URLValues` ([#1465](https://github.com/TecharoHQ/anubis/pull/1465)).
-- Enable [metrics serving via TLS](./admin/policies.mdx#tls), including [mutual TLS (mTLS)](./admin/policies.mdx#mtls).
-- Enable [HTTP basic auth](./admin/policies.mdx#http-basic-authentication) for the metrics server.
-- Fix a bug in the dataset poisoning maze that could allow denial of service [#1580](https://github.com/TecharoHQ/anubis/issues/1580).
-- Add config option to add ASN to logs/metrics.
-- Log weight when issuing challenge.
-- Gate pprof endpoints behind `metrics.debug` in the policy file.
-- Limit naive honeypot r9k delay to one second.
-- Fix an obscure case where adding query values to a subrequest match could cause an invalid rule match when using path based matching for protected resources.
-- Fix an edge case where load average expression values could nil pointer dereference when Anubis just started up.
-- Fix an obscure case where Anubis in subrequest mode could allow redirects to invalid domains with strange instructions.
-- Fix `path_regex` and CEL `path` rules not matching when using Traefik `forwardAuth` middleware. Anubis now checks `X-Forwarded-Uri` (Traefik) in addition to `X-Original-URI` (nginx) when resolving the request path in subrequest mode ([#1628](https://github.com/TecharoHQ/anubis/issues/1628)).
-- Validate bounds in the CEL `randInt` helper so non-positive or platform-overflowing arguments surface a typed CEL error instead of an evaluator panic.
-- Fix a race in the bbolt store where the asynchronous cleanup scheduled by an expired read could delete a value that had just been refreshed; the delete now only fires when the key still carries the same expired generation it observed.
-- Marginally increase the performances of requests processing
-- Marginally improve the performances of PoW validation
 
 ## v1.25.0: Necron
 

docs/docs/admin/installation.mdx

@@ -87,15 +87,15 @@ Anubis uses these environment variables for configuration:
 | `ED25519_PRIVATE_KEY_HEX_FILE` | unset                   | Path to a file containing the hex-encoded ed25519 private key. Only one of this or its sister option may be set. **Required when using persistent storage backends** (like bbolt) to ensure challenges survive service restarts. When running multiple instances on the same base domain, the key must be the same across all instances.                                                                                                                                                                                                       |
 | `ERROR_TITLE`                  | unset                   | <EO /> If set, override the translation stack to show a custom title for error pages such as "Something went wrong!". See [Customizing messages](./botstopper.mdx#customizing-messages) for more details.                                                                                                                                                                                                                                                                                                                                      |
 | `JWT_RESTRICTION_HEADER`       | `X-Real-IP`             | If set, the JWT is only valid if the current value of this header matches the value when the JWT was created. You can use it e.g. to restrict a JWT to the source IP of the user using `X-Real-IP`.                                                                                                                                                                                                                                                                                                                                            |
-| `METRICS_BIND`                 | `:9090`                 | The legacy configuration value for the network address that Anubis serves Prometheus metrics on. Please migrate this to [the policy file](./policies.mdx#metrics-server) as soon as possible.                                                                                                                                                                                                                                                                                                                                                  |
+| `METRICS_BIND`                 | `:9090`                 | The network address that Anubis serves Prometheus metrics on. See `BIND` for more information.                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| `METRICS_BIND_NETWORK`         | `tcp`                   | The legacy configuration value for the address family that Anubis serves Prometheus metrics on. Please migrate this to [the policy file](./policies.mdx#metrics-server) as soon as possible.                                                                                                                                                                                                                                                                                                                                                   |
+| `METRICS_BIND_NETWORK`         | `tcp`                   | The address family that the Anubis metrics server listens on. See `BIND_NETWORK` for more information.                                                                                                                                                                                                                                                                                                                                                                                                                                         |
 | `OG_EXPIRY_TIME`               | `24h`                   | The expiration time for the Open Graph tag cache. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                                                                        |
 | `OG_PASSTHROUGH`               | `false`                 | If set to `true`, Anubis will enable Open Graph tag passthrough. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                                                         |
 | `OG_CACHE_CONSIDER_HOST`       | `false`                 | If set to `true`, Anubis will consider the host in the Open Graph tag cache key. Prefer using [the policy file](./configuration/open-graph.mdx) to configure the Open Graph subsystem.                                                                                                                                                                                                                                                                                                                                                         |
 | `OVERLAY_FOLDER`               | unset                   | <EO /> If set, treat the given path as an [overlay folder](./botstopper.mdx#custom-images-and-css), allowing you to customize CSS, fonts, images, and add other assets to BotStopper deployments.                                                                                                                                                                                                                                                                                                                                              |
 | `POLICY_FNAME`                 | unset                   | The file containing [bot policy configuration](./policies.mdx). See the bot policy documentation for more details. If unset, the default bot policy configuration is used.                                                                                                                                                                                                                                                                                                                                                                     |
 | `PUBLIC_URL`                   | unset                   | The externally accessible URL for this Anubis instance, used for constructing redirect URLs (e.g., for Traefik forwardAuth). Leave it unset when Anubis terminates traffic directly (sidecar/standalone deployments) or redirect building will fail with `redir=null`.                                                                                                                                                                                                                                                                         |
-| `REDIRECT_DOMAINS`             | unset                   | Comma-separated list of domain names that Anubis should allow redirects to when passing a challenge. See [Redirect Domain Configuration](./configuration/redirect-domains.mdx) for more details.                                                                                                                                                                                                                                                                                                                                               |
+| `REDIRECT_DOMAINS`             | unset                   | Comma-separated list of domain names that Anubis should allow redirects to when passing a challenge. See [Redirect Domain Configuration](./configuration/redirect-domains) for more details.                                                                                                                                                                                                                                                                                                                                                   |
 | `SERVE_ROBOTS_TXT`             | `false`                 | If set `true`, Anubis will serve a default `robots.txt` file that disallows all known AI scrapers by name and then additionally disallows every scraper. This is useful if facts and circumstances make it difficult to change the underlying service to serve such a `robots.txt` file.                                                                                                                                                                                                                                                       |
 | `SLOG_LEVEL`                   | `INFO`                  | The log level for structured logging. Valid values are `DEBUG`, `INFO`, `WARN`, and `ERROR`. Set to `DEBUG` to see all requests, evaluations, and detailed diagnostic information.                                                                                                                                                                                                                                                                                                                                                             |
 | `SOCKET_MODE`                  | `0770`                  | _Only used when at least one of the `*_BIND_NETWORK` variables are set to `unix`._ The socket mode (permissions) for Unix domain sockets.                                                                                                                                                                                                                                                                                                                                                                                                      |

docs/docs/admin/policies.mdx

@@ -117,96 +117,6 @@ remote_addresses:
   - 100.64.0.0/10
 ```
 
-## Metrics server
-
-Anubis includes support for [Prometheus-style metrics](https://prometheus.io/docs/introduction/overview/), allowing systems administrators to monitor Anubis' performance and effectiveness. This is a separate HTTP server with metrics, health checking, and debug routes.
-
-Anubis' metrics server is configured with the `metrics` block in the configuration file:
-
-```yaml
-metrics:
-  bind: ":9090"
-  network: "tcp"
-```
-
-If you want to bind metrics to a Unix socket, make sure to set the network to `unix` and add a socket mode:
-
-```yaml
-metrics:
-  bind: "/tmp/anubis_metrics.sock"
-  network: unix
-  socketMode: "0700" # must be a string
-```
-
-### Debug routes
-
-Anubis' metrics server supports [pprof](https://pkg.go.dev/runtime/pprof), the Go standard library tool for profiling Go applications. This is very useful for debugging how Anubis works in the wild with regards to CPU, multicore, and RAM usage. pprof is very powerful and can expose command line arguments as part of the debugging setup (inside Google, everything is done with command line flags).
-
-Prior versions of Anubis exposed pprof endpoints on all TCP bindhosts by default. This means that machines with incorrectly configured firewalls can expose command line arguments to the public internet in the right conditions.
-
-In order to enable pprof profiling endpoints on the Metrics server, set the `debug` flag under the `metrics` block:
-
-```yaml
-metrics:
-  bind: ":9090"
-  network: "tcp"
-
-  debug: true
-```
-
-To err on the side of caution, this defaults to disabled. If this defaults migration breaks your configuration, please let us know in a ticket.
-
-### TLS
-
-If you want to serve the metrics server over TLS, use the `tls` block:
-
-```yaml
-metrics:
-  bind: ":9090"
-  network: "tcp"
-
-  tls:
-    certificate: /path/to/tls.crt
-    key: /path/to/tls.key
-```
-
-The certificate and key will automatically be reloaded when the respective files change.
-
-### mTLS
-
-If you want to validate requests to ensure that they use a client certificate signed by a certificate authority (mutual TLS or mTLS), set the `ca` value in the `tls` block:
-
-```yaml
-metrics:
-  bind: ":9090"
-  network: "tcp"
-
-  tls:
-    certificate: /path/to/tls.crt
-    key: /path/to/tls.key
-    ca: /path/to/ca.crt
-```
-
-As it is not expected for certificate authority certificates to change often, the CA certificate will NOT be automatically reloaded when the respective file changes.
-
-### HTTP basic authentication
-
-Anubis' metrics server also supports setting HTTP basic auth as a lightweight protection against unauthorized users viewing metrics data. As the basic auth credentials are hardcoded in the configuration file, administrators SHOULD use randomly generated credentials, such as type-4 UUIDs or other high entropy strings. These credentials MUST NOT be sensitive or used to protect other high value systems.
-
-Configure it with the `basicAuth` block under `metrics`:
-
-```yaml
-metrics:
-  bind: ":9090"
-  network: "tcp"
-
-  basicAuth:
-    username: azurediamond
-    password: hunter2
-```
-
-If you have Python installed, you can generate a high entropy password with `python -c 'import secrets; print(secrets.token_urlsafe(32))'`.
-
 ## Imprint / Impressum support
 
 Anubis has support for showing imprint / impressum information. This is defined in the `impressum` block of your configuration. See [Imprint / Impressum configuration](./configuration/impressum.mdx) for more information.
@@ -429,7 +339,6 @@ Anubis exposes the following logging settings in the policy file:
 | `level`      | [log level](#log-levels) | `info`          | The logging level threshold. Any logs that are at or above this threshold will be drained to the sink. Any other logs will be discarded. |
 | `sink`       | string                   | `stdio`, `file` | The sink where the logs drain to as they are being recorded in Anubis.                                                                   |
 | `parameters` | object                   |                 | Parameters for the given logging sink. This will vary based on the logging sink of choice. See below for more information.               |
-| `asn`        | bool                     | `true`, `false` | Add ASN information to logs/metrics. (Requires a Thoth client configured)                                                                |
 
 Anubis supports the following logging sinks:
 

docs/docs/index.mdx

@@ -87,15 +87,6 @@ Anubis is brought to you by sponsors and donors like:
     height="64"
   />
 </a>
-<a href="https://dd-wrt.com/">
-  <img src="/img/sponsors/ddwrt-logo.webp" alt="embeDD GmbH" height="64" />
-</a>
-<a href="https://www.qwertiko.de?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="/img/sponsors/qwertiko-logo.webp" alt="Qwertiko" height="64" />
-</a>
-<a href="https://wenet.pl/?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="/img/sponsors/wenet-logo.webp" alt="Wenet" height="64" />
-</a>
 
 ## Overview
 

docs/docs/user/frequently-asked-questions.mdx

@@ -22,24 +22,3 @@ If you use a browser extension such as [JShelter](https://jshelter.org/), you wi
 ## Does Anubis mine Bitcoin?
 
 No. Anubis does not mine Bitcoin or any other cryptocurrency.
-
-## I disabled Just-in-time compilation in my browser. Why is Anubis slow?
-
-Anubis proof-of-work checks run an open source JavaScript program in your browser. These checks do a lot of complicated math and aim to be done quickly, so the execution speed depends on [Just-in-time (JIT) compilation](https://en.wikipedia.org/wiki/Just-in-time_compilation). JIT compiles JavaScript from the Internet into native machine code at runtime. The code produced by the JIT engine is almost as good as if it was written in a native programming language and compiled for your computer in particular. Without JIT, all JavaScript programs on every website you visit run through a slow interpreter.
-
-This interpreter is much slower than native code because it has to translate each low level JavaScript operation into many dozens of calls to execute. This means that using the interpreter incurs a massive performance hit by its very nature; it takes longer to add numbers than if the CPU just added the numbers directly.
-
-Some users choose to disable JIT as a hardening measure against theoretical browser exploits. This is a reasonable choice if you face targeted attacks from well-resourced adversaries (such as nation-state actors), but it comes with real performance costs.
-
-If you've disabled JIT and find Anubis checks slow, re-enabling JIT is the fix. There is no way for Anubis to work around this on our end.
-
-## What versions of browsers does Anubis support?
-
-Anubis is written mainly by a single person in a basement in Canada. As such it is impossible for Anubis to support every version of every browser on the planet. As such, here's a few rules of thumb for the browsers that Anubis focuses on supporting:
-
-- At least the two (2) most recent LTS releases of Firefox and Chrome.
-- At least the version of Chromium as used by the Samsung Browser on Android.
-- At least the last version of Chromium and Firefox that are known to run on Windows 7.
-- At least the version of Safari that runs on the second-to-oldest iPhone model currently on the market.
-
-We cannot give more cohesive version bounds than this. If you run into problems, please file an issue. Sometimes you may just need to upgrade hardware though.

go.mod

@@ -106,7 +106,7 @@ require (
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-git/go-git/v5 v5.16.2 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.5 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect

go.sum

@@ -189,8 +189,8 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMj
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
 github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
 github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
-github.com/go-jose/go-jose/v3 v3.0.5 h1:BLLJWbC4nMZOfuPVxoZIxeYsn6Nl2r1fITaJ78UQlVQ=
+github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
-github.com/go-jose/go-jose/v3 v3.0.5/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=

internal/basicauth.go

@@ -1,52 +0,0 @@
-package internal
-
-import (
-	"crypto/sha256"
-	"crypto/subtle"
-	"fmt"
-	"log/slog"
-	"net/http"
-)
-
-// BasicAuth wraps next in HTTP Basic authentication using the provided
-// credentials. If either username or password is empty, next is returned
-// unchanged and a debug log line is emitted.
-//
-// Credentials are compared in constant time to avoid leaking information
-// through timing side channels.
-func BasicAuth(realm, username, password string, next http.Handler) http.Handler {
-	if username == "" || password == "" {
-		slog.Debug("skipping middleware, basic auth credentials are empty")
-		return next
-	}
-
-	expectedUser := sha256.Sum256([]byte(username))
-	expectedPass := sha256.Sum256([]byte(password))
-	challenge := fmt.Sprintf("Basic realm=%q, charset=\"UTF-8\"", realm)
-
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		user, pass, ok := r.BasicAuth()
-		if !ok {
-			unauthorized(w, challenge)
-			return
-		}
-
-		gotUser := sha256.Sum256([]byte(user))
-		gotPass := sha256.Sum256([]byte(pass))
-
-		userMatch := subtle.ConstantTimeCompare(gotUser[:], expectedUser[:])
-		passMatch := subtle.ConstantTimeCompare(gotPass[:], expectedPass[:])
-
-		if userMatch&passMatch != 1 {
-			unauthorized(w, challenge)
-			return
-		}
-
-		next.ServeHTTP(w, r)
-	})
-}
-
-func unauthorized(w http.ResponseWriter, challenge string) {
-	w.Header().Set("WWW-Authenticate", challenge)
-	http.Error(w, "Unauthorized", http.StatusUnauthorized)
-}

internal/basicauth_test.go

@@ -1,138 +0,0 @@
-package internal
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"strings"
-	"testing"
-)
-
-func okHandler() http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-		_, _ = w.Write([]byte("ok"))
-	})
-}
-
-func TestBasicAuth(t *testing.T) {
-	t.Parallel()
-
-	const (
-		realm    = "test-realm"
-		username = "admin"
-		password = "hunter2"
-	)
-
-	for _, tt := range []struct {
-		name       string
-		setAuth    bool
-		user       string
-		pass       string
-		wantStatus int
-		wantBody   string
-		wantChall  bool
-	}{
-		{
-			name:       "valid credentials",
-			setAuth:    true,
-			user:       username,
-			pass:       password,
-			wantStatus: http.StatusOK,
-			wantBody:   "ok",
-		},
-		{
-			name:       "missing credentials",
-			setAuth:    false,
-			wantStatus: http.StatusUnauthorized,
-			wantChall:  true,
-		},
-		{
-			name:       "wrong username",
-			setAuth:    true,
-			user:       "nobody",
-			pass:       password,
-			wantStatus: http.StatusUnauthorized,
-			wantChall:  true,
-		},
-		{
-			name:       "wrong password",
-			setAuth:    true,
-			user:       username,
-			pass:       "wrong",
-			wantStatus: http.StatusUnauthorized,
-			wantChall:  true,
-		},
-		{
-			name:       "empty supplied credentials",
-			setAuth:    true,
-			user:       "",
-			pass:       "",
-			wantStatus: http.StatusUnauthorized,
-			wantChall:  true,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			h := BasicAuth(realm, username, password, okHandler())
-
-			req := httptest.NewRequest(http.MethodGet, "/", nil)
-			if tt.setAuth {
-				req.SetBasicAuth(tt.user, tt.pass)
-			}
-			rec := httptest.NewRecorder()
-			h.ServeHTTP(rec, req)
-
-			if rec.Code != tt.wantStatus {
-				t.Errorf("status = %d, want %d", rec.Code, tt.wantStatus)
-			}
-
-			if tt.wantBody != "" && rec.Body.String() != tt.wantBody {
-				t.Errorf("body = %q, want %q", rec.Body.String(), tt.wantBody)
-			}
-
-			chall := rec.Header().Get("WWW-Authenticate")
-			if tt.wantChall {
-				if chall == "" {
-					t.Error("WWW-Authenticate header missing on 401")
-				}
-				if !strings.Contains(chall, realm) {
-					t.Errorf("WWW-Authenticate = %q, want realm %q", chall, realm)
-				}
-			} else if chall != "" {
-				t.Errorf("unexpected WWW-Authenticate header: %q", chall)
-			}
-		})
-	}
-}
-
-func TestBasicAuthPassthrough(t *testing.T) {
-	t.Parallel()
-
-	for _, tt := range []struct {
-		name     string
-		username string
-		password string
-	}{
-		{name: "empty username", username: "", password: "hunter2"},
-		{name: "empty password", username: "admin", password: ""},
-		{name: "both empty", username: "", password: ""},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
-			h := BasicAuth("realm", tt.username, tt.password, okHandler())
-
-			req := httptest.NewRequest(http.MethodGet, "/", nil)
-			rec := httptest.NewRecorder()
-			h.ServeHTTP(rec, req)
-
-			if rec.Code != http.StatusOK {
-				t.Errorf("status = %d, want %d (passthrough expected)", rec.Code, http.StatusOK)
-			}
-			if rec.Body.String() != "ok" {
-				t.Errorf("body = %q, want %q", rec.Body.String(), "ok")
-			}
-		})
-	}
-}

internal/hash.go

@@ -11,8 +11,9 @@ import (
 // SHA256sum computes a cryptographic hash. Still used for proof-of-work challenges
 // where we need the security properties of a cryptographic hash function.
 func SHA256sum(text string) string {
-	sum := sha256.Sum256([]byte(text))
+	hash := sha256.New()
-	return hex.EncodeToString(sum[:])
+	hash.Write([]byte(text))
+	return hex.EncodeToString(hash.Sum(nil))
 }
 
 // FastHash is a high-performance non-cryptographic hash function suitable for

internal/honeypot/naive/naive.go

@@ -5,7 +5,6 @@ import (
 	_ "embed"
 	"fmt"
 	"log/slog"
-	"math"
 	"math/rand/v2"
 	"net/http"
 	"net/netip"
@@ -77,6 +76,13 @@ type Impl struct {
 	affirmation, body, title spintax.Spintax
 }
 
+func (i *Impl) incrementUA(ctx context.Context, userAgent string) int {
+	result, _ := i.uaWeight.Get(ctx, internal.SHA256sum(userAgent))
+	result++
+	i.uaWeight.Set(ctx, internal.SHA256sum(userAgent), result, time.Hour)
+	return result
+}
+
 func (i *Impl) incrementNetwork(ctx context.Context, network string) int {
 	result, _ := i.networkWeight.Get(ctx, internal.SHA256sum(network))
 	result++
@@ -84,19 +90,20 @@ func (i *Impl) incrementNetwork(ctx context.Context, network string) int {
 	return result
 }
 
+func (i *Impl) CheckUA() checker.Impl {
+	return checker.Func(func(r *http.Request) (bool, error) {
+		result, _ := i.uaWeight.Get(r.Context(), internal.SHA256sum(r.UserAgent()))
+		if result >= 25 {
+			return true, nil
+		}
+
+		return false, nil
+	})
+}
+
 func (i *Impl) CheckNetwork() checker.Impl {
 	return checker.Func(func(r *http.Request) (bool, error) {
-		realIP, _ := internal.RealIP(r)
+		result, _ := i.uaWeight.Get(r.Context(), internal.SHA256sum(r.UserAgent()))
-		if !realIP.IsValid() {
-			realIP = netip.MustParseAddr(r.Header.Get("X-Real-Ip"))
-		}
-
-		network, ok := internal.ClampIP(realIP)
-		if !ok {
-			return false, nil
-		}
-
-		result, _ := i.networkWeight.Get(r.Context(), internal.SHA256sum(network.String()))
 		if result >= 25 {
 			return true, nil
 		}
@@ -157,6 +164,7 @@ func (i *Impl) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	networkCount := i.incrementNetwork(r.Context(), network.String())
+	uaCount := i.incrementUA(r.Context(), r.UserAgent())
 
 	stage := r.PathValue("stage")
 
@@ -164,14 +172,11 @@ func (i *Impl) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		lg.Debug("found new entrance point", "id", id, "stage", stage, "userAgent", r.UserAgent(), "clampedIP", network)
 	} else {
 		switch {
-		case networkCount%256 == 0:
+		case networkCount%256 == 0, uaCount%256 == 0:
-			lg.Warn("found possible crawler", "id", id, "network", network, "userAgent", r.UserAgent())
+			lg.Warn("found possible crawler", "id", id, "network", network)
 		}
 	}
 
-	millisecondAmount := min(math.Pow(float64(networkCount), 2), 1000)
-	time.Sleep(time.Duration(millisecondAmount) * time.Millisecond)
-
 	spins := i.makeSpins()
 	affirmations := i.makeAffirmations()
 	title := i.makeTitle()

internal/setuplistener.go

@@ -1,92 +0,0 @@
-package internal
-
-import (
-	"errors"
-	"fmt"
-	"net"
-	"net/url"
-	"os"
-	"strconv"
-	"strings"
-)
-
-// parseBindNetFromAddr determine bind network and address based on the given network and address.
-func parseBindNetFromAddr(address string) (string, string, error) {
-	defaultScheme := "http://"
-	if !strings.Contains(address, "://") {
-		if strings.HasPrefix(address, ":") {
-			address = defaultScheme + "localhost" + address
-		} else {
-			address = defaultScheme + address
-		}
-	}
-
-	bindUri, err := url.Parse(address)
-	if err != nil {
-		return "", "", fmt.Errorf("failed to parse bind URL: %w", err)
-	}
-
-	switch bindUri.Scheme {
-	case "unix":
-		return "unix", bindUri.Path, nil
-	case "tcp", "http", "https":
-		return "tcp", bindUri.Host, nil
-	default:
-		return "", "", fmt.Errorf("unsupported network scheme %s in address %s", bindUri.Scheme, address)
-	}
-}
-
-// SetupListener sets up a network listener based on the input from configuration
-// envvars. It returns a network listener and the URL to that listener or an error.
-func SetupListener(network, address, socketMode string) (net.Listener, string, error) {
-	formattedAddress := ""
-	var err error
-
-	if network == "" {
-		// keep compatibility
-		network, address, err = parseBindNetFromAddr(address)
-	}
-
-	if err != nil {
-		return nil, "", fmt.Errorf("can't parse bind and network: %w", err)
-	}
-
-	switch network {
-	case "unix":
-		formattedAddress = "unix:" + address
-	case "tcp":
-		if strings.HasPrefix(address, ":") { // assume it's just a port e.g. :4259
-			formattedAddress = "http://localhost" + address
-		} else {
-			formattedAddress = "http://" + address
-		}
-	default:
-		formattedAddress = fmt.Sprintf(`(%s) %s`, network, address)
-	}
-
-	ln, err := net.Listen(network, address)
-	if err != nil {
-		return nil, "", fmt.Errorf("failed to bind to %s: %w", formattedAddress, err)
-	}
-
-	// additional permission handling for unix sockets
-	if network == "unix" {
-		mode, err := strconv.ParseUint(socketMode, 8, 0)
-		if err != nil {
-			ln.Close()
-			return nil, "", fmt.Errorf("could not parse socket mode %s: %w", socketMode, err)
-		}
-
-		err = os.Chmod(address, os.FileMode(mode))
-		if err != nil {
-			err := fmt.Errorf("could not change socket mode: %w", err)
-			clErr := ln.Close()
-			if clErr != nil {
-				return nil, "", errors.Join(err, clErr)
-			}
-			return nil, "", err
-		}
-	}
-
-	return ln, formattedAddress, nil
-}

internal/setuplistener_test.go

@@ -1,180 +0,0 @@
-package internal
-
-import (
-	"io/fs"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"testing"
-)
-
-func TestParseBindNetFromAddr(t *testing.T) {
-	for _, tt := range []struct {
-		name    string
-		address string
-		wantErr bool
-		network string
-		bind    string
-	}{
-		{
-			name:    "simple tcp",
-			address: "localhost:9090",
-			wantErr: false,
-			network: "tcp",
-			bind:    "localhost:9090",
-		},
-		{
-			name:    "simple unix",
-			address: "unix:///tmp/foo.sock",
-			wantErr: false,
-			network: "unix",
-			bind:    "/tmp/foo.sock",
-		},
-		{
-			name:    "invalid network",
-			address: "foo:///tmp/bar.sock",
-			wantErr: true,
-		},
-		{
-			name:    "tcp uri",
-			address: "tcp://[::]:9090",
-			wantErr: false,
-			network: "tcp",
-			bind:    "[::]:9090",
-		},
-		{
-			name:    "http uri",
-			address: "http://[::]:9090",
-			wantErr: false,
-			network: "tcp",
-			bind:    "[::]:9090",
-		},
-		{
-			name:    "https uri",
-			address: "https://[::]:9090",
-			wantErr: false,
-			network: "tcp",
-			bind:    "[::]:9090",
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			network, bind, err := parseBindNetFromAddr(tt.address)
-
-			switch {
-			case tt.wantErr && err == nil:
-				t.Errorf("parseBindNetFromAddr(%q) should have errored but did not", tt.address)
-			case !tt.wantErr && err != nil:
-				t.Errorf("parseBindNetFromAddr(%q) threw an error: %v", tt.address, err)
-			}
-
-			if network != tt.network {
-				t.Errorf("parseBindNetFromAddr(%q) wanted network: %q, got: %q", tt.address, tt.network, network)
-			}
-
-			if bind != tt.bind {
-				t.Errorf("parseBindNetFromAddr(%q) wanted bind: %q, got: %q", tt.address, tt.bind, bind)
-			}
-		})
-	}
-}
-
-func TestSetupListener(t *testing.T) {
-	td := t.TempDir()
-
-	for _, tt := range []struct {
-		name                         string
-		network, address, socketMode string
-		wantErr                      bool
-		socketURLPrefix              string
-	}{
-		{
-			name:            "simple tcp",
-			network:         "",
-			address:         ":0",
-			wantErr:         false,
-			socketURLPrefix: "http://localhost:",
-		},
-		{
-			name:            "simple unix",
-			network:         "",
-			address:         "unix://" + filepath.Join(td, "a"),
-			socketMode:      "0770",
-			wantErr:         false,
-			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
-		},
-		{
-			name:            "tcp",
-			network:         "tcp",
-			address:         ":0",
-			wantErr:         false,
-			socketURLPrefix: "http://localhost:",
-		},
-		{
-			name:            "udp",
-			network:         "udp",
-			address:         ":0",
-			wantErr:         true,
-			socketURLPrefix: "http://localhost:",
-		},
-		{
-			name:            "unix socket",
-			network:         "unix",
-			socketMode:      "0770",
-			address:         filepath.Join(td, "a"),
-			wantErr:         false,
-			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
-		},
-		{
-			name:            "invalid socket mode",
-			network:         "unix",
-			socketMode:      "taco bell",
-			address:         filepath.Join(td, "a"),
-			wantErr:         true,
-			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
-		},
-		{
-			name:            "empty socket mode",
-			network:         "unix",
-			socketMode:      "",
-			address:         filepath.Join(td, "a"),
-			wantErr:         true,
-			socketURLPrefix: "unix:" + filepath.Join(td, "a"),
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			ln, socketURL, err := SetupListener(tt.network, tt.address, tt.socketMode)
-			switch {
-			case tt.wantErr && err == nil:
-				t.Errorf("SetupListener(%q, %q, %q) should have errored but did not", tt.network, tt.address, tt.socketMode)
-			case !tt.wantErr && err != nil:
-				t.Fatalf("SetupListener(%q, %q, %q) threw an error: %v", tt.network, tt.address, tt.socketMode, err)
-			}
-
-			if ln != nil {
-				defer ln.Close()
-			}
-
-			if !tt.wantErr && !strings.HasPrefix(socketURL, tt.socketURLPrefix) {
-				t.Errorf("SetupListener(%q, %q, %q) should have returned a URL with prefix %q but got: %q", tt.network, tt.address, tt.socketMode, tt.socketURLPrefix, socketURL)
-			}
-
-			if tt.socketMode != "" {
-				mode, err := strconv.ParseUint(tt.socketMode, 8, 0)
-				if err != nil {
-					return
-				}
-
-				sockPath := strings.TrimPrefix(socketURL, "unix:")
-				st, err := os.Stat(sockPath)
-				if err != nil {
-					t.Fatalf("can't os.Stat(%q): %v", sockPath, err)
-				}
-
-				if st.Mode().Perm() != fs.FileMode(mode) {
-					t.Errorf("file mode of %q should be %s but is actually %s", sockPath, strconv.FormatUint(mode, 8), strconv.FormatUint(uint64(st.Mode()), 8))
-				}
-			}
-		})
-	}
-}

internal/test/playwright_test.go

@@ -595,7 +595,7 @@ func spawnAnubisWithOptions(t *testing.T, basePrefix string) string {
 		fmt.Fprintf(w, "<html><body><span id=anubis-test>%d</span></body></html>", time.Now().Unix())
 	})
 
-	policy, err := libanubis.LoadPoliciesOrDefault(t.Context(), "", anubis.DefaultDifficulty, "info", false)
+	policy, err := libanubis.LoadPoliciesOrDefault(t.Context(), "", anubis.DefaultDifficulty, "info")
 	if err != nil {
 		t.Fatal(err)
 	}

lib/anubis.go

@@ -11,7 +11,6 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"strconv"
 	"strings"
 	"time"
 
@@ -33,7 +32,6 @@ import (
 	"github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	"github.com/TecharoHQ/anubis/lib/store"
-	iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
 
 	// challenge implementations
 	_ "github.com/TecharoHQ/anubis/lib/challenge/metarefresh"
@@ -41,52 +39,31 @@ import (
 	_ "github.com/TecharoHQ/anubis/lib/challenge/proofofwork"
 )
 
-type contextKey int
-
-const asnContextKey contextKey = iota
-
-type asnInfo struct {
-	ASN         string
-	Description string
-}
-
-func asnFromContext(ctx context.Context) (string, string) {
-	if v, ok := ctx.Value(asnContextKey).(asnInfo); ok {
-		return v.ASN, v.Description
-	}
-	return "", ""
-}
-
 var (
 	challengesIssued = promauto.NewCounterVec(prometheus.CounterOpts{
 		Name: "anubis_challenges_issued",
 		Help: "The total number of challenges issued",
-	}, []string{"method", "asn", "asn_description"})
+	}, []string{"method"})
 
 	challengesValidated = promauto.NewCounterVec(prometheus.CounterOpts{
 		Name: "anubis_challenges_validated",
 		Help: "The total number of challenges validated",
-	}, []string{"method", "asn", "asn_description"})
+	}, []string{"method"})
 
 	droneBLHits = promauto.NewCounterVec(prometheus.CounterOpts{
 		Name: "anubis_dronebl_hits",
 		Help: "The total number of hits from DroneBL",
-	}, []string{"status", "asn", "asn_description"})
+	}, []string{"status"})
 
 	failedValidations = promauto.NewCounterVec(prometheus.CounterOpts{
 		Name: "anubis_failed_validations",
 		Help: "The total number of failed validations",
-	}, []string{"method", "asn", "asn_description"})
+	}, []string{"method"})
 
 	requestsProxied = promauto.NewCounterVec(prometheus.CounterOpts{
 		Name: "anubis_proxied_requests_total",
 		Help: "Number of requests proxied through Anubis to upstream targets",
-	}, []string{"host", "asn", "asn_description"})
+	}, []string{"host"})
-
-	requestsByASN = promauto.NewCounterVec(prometheus.CounterOpts{
-		Name: "anubis_requests_by_asn_total",
-		Help: "Number of requests by ASN",
-	}, []string{"asn", "asn_description"})
 )
 
 type Server struct {
@@ -101,28 +78,6 @@ type Server struct {
 	hs512Secret []byte
 }
 
-func (s *Server) getRequestLogger(r *http.Request) (*slog.Logger, *http.Request) {
-	lg := internal.GetRequestLogger(s.logger, r)
-
-	if s.policy.LogASN && s.policy.ThothClient != nil {
-		ctx, cancel := context.WithTimeout(r.Context(), 500*time.Millisecond)
-		defer cancel()
-
-		ip := r.Header.Get("X-Real-Ip")
-		if info, err := s.policy.ThothClient.IPToASN.Lookup(ctx, &iptoasnv1.LookupRequest{IpAddress: ip}); err == nil && info.GetAnnounced() {
-			asn := strconv.FormatUint(uint64(info.GetAsNumber()), 10)
-			lg = lg.With("asn", info.GetAsNumber(), "asn_description", info.GetDescription())
-			requestsByASN.WithLabelValues(asn, info.GetDescription()).Inc()
-			r = r.WithContext(context.WithValue(r.Context(), asnContextKey, asnInfo{
-				ASN:         asn,
-				Description: info.GetDescription(),
-			}))
-		}
-	}
-
-	return lg, r
-}
-
 func (s *Server) getTokenKeyfunc() jwt.Keyfunc {
 	// return ED25519 key if HS512 is not set
 	if len(s.hs512Secret) == 0 {
@@ -186,7 +141,7 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 		return nil, err
 	}
 
-	lg.Info("new challenge issued", "challenge", id.String(), "weight", cr.Weight)
+	lg.Info("new challenge issued", "challenge", id.String(), "method", chall.Method)
 
 	return &chall, err
 }
@@ -238,7 +193,7 @@ func (s *Server) maybeReverseProxyOrPage(w http.ResponseWriter, r *http.Request)
 }
 
 func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpStatusOnly bool) {
-	lg, r := s.getRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)
 
 	if val, _ := s.store.Get(r.Context(), fmt.Sprintf("ogtags:allow:%s%s", r.Host, r.URL.String())); val != nil {
 		lg.Debug("serving opengraph tag asset")
@@ -263,10 +218,7 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS
 	r.Header.Add("X-Anubis-Rule", cr.Name)
 	r.Header.Add("X-Anubis-Action", string(cr.Rule))
 	lg = lg.With("check_result", cr)
-	{
+	policy.Applications.WithLabelValues(cr.Name, string(cr.Rule)).Add(1)
-		asn, asnDesc := asnFromContext(r.Context())
-		policy.Applications.WithLabelValues(cr.Name, string(cr.Rule), asn, asnDesc).Add(1)
-	}
 
 	ip := r.Header.Get("X-Real-Ip")
 
@@ -396,8 +348,7 @@ func (s *Server) handleDNSBL(w http.ResponseWriter, r *http.Request, ip string,
 				lg.Error("can't look up ip in dnsbl", "err", err)
 			}
 			db.Set(r.Context(), ip, resp, 24*time.Hour)
-			asn, asnDesc := asnFromContext(r.Context())
+			droneBLHits.WithLabelValues(resp.String()).Inc()
-			droneBLHits.WithLabelValues(resp.String(), asn, asnDesc).Inc()
 		}
 
 		if resp != dnsbl.AllGood {
@@ -415,7 +366,7 @@ func (s *Server) handleDNSBL(w http.ResponseWriter, r *http.Request, ip string,
 }
 
 func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {
-	lg, r := s.getRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)
 	localizer := localization.GetLocalizer(r)
 
 	redir := r.FormValue("redir")
@@ -484,14 +435,11 @@ func (s *Server) MakeChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	lg.Debug("made challenge", "challenge", chall, "rules", rule.Challenge, "cr", cr)
-	{
+	challengesIssued.WithLabelValues("api").Inc()
-		asn, asnDesc := asnFromContext(r.Context())
-		challengesIssued.WithLabelValues("api", asn, asnDesc).Inc()
-	}
 }
 
 func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
-	lg, r := s.getRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)
 	localizer := localization.GetLocalizer(r)
 
 	redir := r.FormValue("redir")
@@ -582,8 +530,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err := impl.Validate(r, lg, in); err != nil {
-		asn, asnDesc := asnFromContext(r.Context())
+		failedValidations.WithLabelValues(rule.Challenge.Algorithm).Inc()
-		failedValidations.WithLabelValues(rule.Challenge.Algorithm, asn, asnDesc).Inc()
 		var cerr *challenge.Error
 		s.ClearCookie(w, CookieOpts{Path: cookiePath, Host: r.Host})
 		lg.Debug("challenge validate call failed", "err", err)
@@ -643,10 +590,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		lg.Debug("can't update information about challenge", "err", err)
 	}
 
-	{
+	challengesValidated.WithLabelValues(rule.Challenge.Algorithm).Inc()
-		asn, asnDesc := asnFromContext(r.Context())
-		challengesValidated.WithLabelValues(rule.Challenge.Algorithm, asn, asnDesc).Inc()
-	}
 	lg.Debug("challenge passed, redirecting to app")
 	http.Redirect(w, r, redir, http.StatusFound)
 }
@@ -685,8 +629,7 @@ func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *p
 				return cr("bot/"+b.Name, b.Action, weight), &b, nil
 			case config.RuleWeigh:
 				lg.Debug("adjusting weight", "name", b.Name, "delta", b.Weight.Adjust)
-				asn, asnDesc := asnFromContext(r.Context())
+				policy.Applications.WithLabelValues("bot/"+b.Name, "WEIGH").Add(1)
-				policy.Applications.WithLabelValues("bot/"+b.Name, "WEIGH", asn, asnDesc).Add(1)
 				weight += b.Weight.Adjust
 			}
 		}

lib/anubis_test.go

@@ -58,7 +58,7 @@ func loadPolicies(t *testing.T, fname string, difficulty int) *policy.ParsedConf
 
 	t.Logf("loading policy file: %s", fname)
 
-	anubisPolicy, err := LoadPoliciesOrDefault(ctx, fname, difficulty, "info", false)
+	anubisPolicy, err := LoadPoliciesOrDefault(ctx, fname, difficulty, "info")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -250,7 +250,7 @@ func TestLoadPolicies(t *testing.T) {
 			}
 			defer fin.Close()
 
-			if _, err := policy.ParseConfig(t.Context(), fin, fname, 4, "info", false); err != nil {
+			if _, err := policy.ParseConfig(t.Context(), fin, fname, 4, "info"); err != nil {
 				t.Fatal(err)
 			}
 		})

lib/challenge/proofofwork/proofofwork.go

@@ -45,7 +45,7 @@ func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInpu
 		return chall.NewError("validate", "invalid response", fmt.Errorf("%w nonce", chall.ErrMissingField))
 	}
 
-	_, err := strconv.Atoi(nonceStr)
+	nonce, err := strconv.Atoi(nonceStr)
 	if err != nil {
 		return chall.NewError("validate", "invalid response", fmt.Errorf("%w: nonce: %w", chall.ErrInvalidFormat, err))
 
@@ -66,7 +66,7 @@ func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInpu
 		return chall.NewError("validate", "invalid response", fmt.Errorf("%w response", chall.ErrMissingField))
 	}
 
-	calcString := challenge + nonceStr
+	calcString := fmt.Sprintf("%s%d", challenge, nonce)
 	calculated := internal.SHA256sum(calcString)
 
 	if subtle.ConstantTimeCompare([]byte(response), []byte(calculated)) != 1 {

lib/challenge/proofofwork/proofofwork.templ

@@ -7,13 +7,12 @@ import (
 
 templ page(localizer *localization.SimpleLocalizer) {
 	<div class="centered-div">
-		<img id="image" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
+		<img style="display:none;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
-		<img style="display:none;" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
+		<div id="app">
-		<p id="status">{ localizer.T("loading") }</p>
+			<img style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
-		<script async type="module" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version }></script>
+			<p id="status">{ localizer.T("loading") }</p>
-		<div id="progress" role="progressbar" aria-labelledby="status">
-			<div class="bar-inner"></div>
 		</div>
+		<script async type="module" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version }></script>
 		<details>
 			if anubis.UseSimplifiedExplanation {
 				<p>

lib/challenge/proofofwork/proofofwork_templ.go

@@ -34,27 +34,27 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			templ_7745c5c3_Var1 = templ.NopComponent
 		}
 		ctx = templ.ClearChildren(ctx)
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 1, "<div class=\"centered-div\"><img id=\"image\" style=\"width:100%;max-width:256px;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 1, "<div class=\"centered-div\"><img style=\"display:none;\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var2 string
-		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 10, Col: 165}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 10, Col: 138}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var2))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 2, "\"> <img style=\"display:none;\" style=\"width:100%;max-width:256px;\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 2, "\"><div id=\"app\"><img style=\"width:100%;max-width:256px;\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var3 string
-		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 11, Col: 174}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 12, Col: 155}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var3))
 		if templ_7745c5c3_Err != nil {
@@ -67,26 +67,26 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 		var templ_7745c5c3_Var4 string
 		templ_7745c5c3_Var4, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("loading"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 12, Col: 41}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 13, Col: 42}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var4))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 4, "</p><script async type=\"module\" src=\"")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 4, "</p></div><script async type=\"module\" src=\"")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var5 string
 		templ_7745c5c3_Var5, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 13, Col: 136}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 15, Col: 136}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var5))
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 5, "\"></script><div id=\"progress\" role=\"progressbar\" aria-labelledby=\"status\"><div class=\"bar-inner\"></div></div><details>")
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 5, "\"></script><details>")
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -98,7 +98,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			var templ_7745c5c3_Var6 string
 			templ_7745c5c3_Var6, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("simplified_explanation"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 20, Col: 44}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 19, Col: 44}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var6))
 			if templ_7745c5c3_Err != nil {
@@ -116,7 +116,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			var templ_7745c5c3_Var7 string
 			templ_7745c5c3_Var7, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("ai_companies_explanation"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 24, Col: 46}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 23, Col: 46}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var7))
 			if templ_7745c5c3_Err != nil {
@@ -129,7 +129,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			var templ_7745c5c3_Var8 string
 			templ_7745c5c3_Var8, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("anubis_compromise"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 27, Col: 39}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 26, Col: 39}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var8))
 			if templ_7745c5c3_Err != nil {
@@ -142,7 +142,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			var templ_7745c5c3_Var9 string
 			templ_7745c5c3_Var9, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("hack_purpose"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 30, Col: 34}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 29, Col: 34}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var9))
 			if templ_7745c5c3_Err != nil {
@@ -155,7 +155,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			var templ_7745c5c3_Var10 string
 			templ_7745c5c3_Var10, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("jshelter_note"))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 33, Col: 35}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 32, Col: 35}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var10))
 			if templ_7745c5c3_Err != nil {
@@ -173,7 +173,7 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 		var templ_7745c5c3_Var11 string
 		templ_7745c5c3_Var11, templ_7745c5c3_Err = templ.JoinStringErrs(localizer.T("javascript_required"))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 39, Col: 40}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 38, Col: 40}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var11))
 		if templ_7745c5c3_Err != nil {

lib/config.go

@@ -55,7 +55,7 @@ type Options struct {
 	DifficultyInJWT          bool
 }
 
-func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int, logLevel string, subrequestMode bool) (*policy.ParsedConfig, error) {
+func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int, logLevel string) (*policy.ParsedConfig, error) {
 	var fin io.ReadCloser
 	var err error
 
@@ -79,7 +79,7 @@ func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty
 		}
 	}(fin)
 
-	anubisPolicy, err := policy.ParseConfig(ctx, fin, fname, defaultDifficulty, logLevel, subrequestMode)
+	anubisPolicy, err := policy.ParseConfig(ctx, fin, fname, defaultDifficulty, logLevel)
 	if err != nil {
 		return nil, fmt.Errorf("can't parse policy file %s: %w", fname, err)
 	}
@@ -190,6 +190,14 @@ func New(opts Options) (*Server, error) {
 				},
 				Name: "honeypot/network",
 			},
+			policy.Bot{
+				Rules:  mazeGen.CheckUA(),
+				Action: config.RuleWeigh,
+				Weight: &config.Weight{
+					Adjust: 30,
+				},
+				Name: "honeypot/user-agent",
+			},
 		)
 	} else {
 		result.logger.Error("can't init honeypot subsystem", "err", err)

lib/config/config.go

@@ -19,7 +19,7 @@ import (
 var (
 	ErrNoBotRulesDefined                 = errors.New("config: must define at least one (1) bot rule")
 	ErrBotMustHaveName                   = errors.New("config.Bot: must set name")
-	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set one of user_agent_regex, path_regex, headers_regex, remote_addresses, expression, or Thoth keyword")
+	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set either user_agent_regex, path_regex, headers_regex, or remote_addresses")
 	ErrBotMustHaveUserAgentOrPathNotBoth = errors.New("config.Bot: must set either user_agent_regex, path_regex, and not both")
 	ErrUnknownAction                     = errors.New("config.Bot: unknown action")
 	ErrInvalidUserAgentRegex             = errors.New("config.Bot: invalid user agent regex")
@@ -334,7 +334,6 @@ type fileConfig struct {
 	DNSBL       bool                `json:"dnsbl"`
 	DNSTTL      DnsTTL              `json:"dns_ttl"`
 	Logging     *Logging            `json:"logging"`
-	Metrics     *Metrics            `json:"metrics,omitempty"`
 }
 
 func (c *fileConfig) Valid() error {
@@ -376,12 +375,6 @@ func (c *fileConfig) Valid() error {
 		}
 	}
 
-	if c.Metrics != nil {
-		if err := c.Metrics.Valid(); err != nil {
-			errs = append(errs, err)
-		}
-	}
-
 	if len(errs) != 0 {
 		return fmt.Errorf("config is not valid:\n%w", errors.Join(errs...))
 	}
@@ -424,7 +417,6 @@ func Load(fin io.Reader, fname string) (*Config, error) {
 		StatusCodes: c.StatusCodes,
 		Store:       c.Store,
 		Logging:     c.Logging,
-		Metrics:     c.Metrics,
 	}
 
 	if c.OpenGraph.TimeToLive != "" {
@@ -516,7 +508,6 @@ type Config struct {
 	Logging     *Logging
 	DNSBL       bool
 	DNSTTL      DnsTTL
-	Metrics     *Metrics
 }
 
 func (c Config) Valid() error {

lib/config/logging.go

@@ -17,7 +17,6 @@ type Logging struct {
 	Sink       string             `json:"sink"`       // Logging sink, either "stdio" or "file"
 	Level      *slog.Level        `json:"level"`      // Log level, if set supersedes the level in flags
 	Parameters *LoggingFileConfig `json:"parameters"` // Logging parameters, to be dynamic in the future
-	LogASN     bool               `json:"asn" yaml:"asn"`
 }
 
 const (

lib/config/metrics.go

@@ -1,167 +0,0 @@
-package config
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"os"
-	"strconv"
-)
-
-var (
-	ErrInvalidMetricsConfig          = errors.New("config: invalid metrics configuration")
-	ErrInvalidMetricsTLSConfig       = errors.New("config: invalid metrics TLS configuration")
-	ErrInvalidMetricsBasicAuthConfig = errors.New("config: invalid metrics basic auth configuration")
-	ErrNoMetricsBind                 = errors.New("config.Metrics: must define bind")
-	ErrNoMetricsNetwork              = errors.New("config.Metrics: must define network")
-	ErrNoMetricsSocketMode           = errors.New("config.Metrics: must define socket mode when using unix sockets")
-	ErrInvalidMetricsSocketMode      = errors.New("config.Metrics: invalid unix socket mode")
-	ErrInvalidMetricsNetwork         = errors.New("config.Metrics: invalid metrics network")
-	ErrNoMetricsTLSCertificate       = errors.New("config.Metrics.TLS: must define certificate file")
-	ErrNoMetricsTLSKey               = errors.New("config.Metrics.TLS: must define key file")
-	ErrInvalidMetricsTLSKeypair      = errors.New("config.Metrics.TLS: keypair is invalid")
-	ErrInvalidMetricsCACertificate   = errors.New("config.Metrics.TLS: invalid CA certificate")
-	ErrCantReadFile                  = errors.New("config: can't read required file")
-	ErrNoMetricsBasicAuthUsername    = errors.New("config.Metrics.BasicAuth: must define username")
-	ErrNoMetricsBasicAuthPassword    = errors.New("config.Metrics.BasicAuth: must define password")
-)
-
-type Metrics struct {
-	Bind       string            `json:"bind" yaml:"bind"`
-	Network    string            `json:"network" yaml:"network"`
-	SocketMode string            `json:"socketMode" yaml:"socketMode"`
-	TLS        *MetricsTLS       `json:"tls" yaml:"tls"`
-	Debug      bool              `json:"debug" yaml:"debug"`
-	BasicAuth  *MetricsBasicAuth `json:"basicAuth" yaml:"basicAuth"`
-}
-
-func (m *Metrics) Valid() error {
-	var errs []error
-
-	if m.Bind == "" {
-		errs = append(errs, ErrNoMetricsBind)
-	}
-
-	if m.Network == "" {
-		errs = append(errs, ErrNoMetricsNetwork)
-	}
-
-	switch m.Network {
-	case "tcp", "tcp4", "tcp6": // https://pkg.go.dev/net#Listen
-	case "unix":
-		if m.SocketMode == "" {
-			errs = append(errs, ErrNoMetricsSocketMode)
-		}
-
-		if _, err := strconv.ParseUint(m.SocketMode, 8, 0); err != nil {
-			errs = append(errs, fmt.Errorf("%w: %w", ErrInvalidMetricsSocketMode, err))
-		}
-	default:
-		errs = append(errs, ErrInvalidMetricsNetwork)
-	}
-
-	if m.TLS != nil {
-		if err := m.TLS.Valid(); err != nil {
-			errs = append(errs, err)
-		}
-	}
-
-	if m.BasicAuth != nil {
-		if err := m.BasicAuth.Valid(); err != nil {
-			errs = append(errs, err)
-		}
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(ErrInvalidMetricsConfig, errors.Join(errs...))
-	}
-
-	return nil
-}
-
-type MetricsTLS struct {
-	Certificate string `json:"certificate" yaml:"certificate"`
-	Key         string `json:"key" yaml:"key"`
-	CA          string `json:"ca" yaml:"ca"`
-}
-
-func (mt *MetricsTLS) Valid() error {
-	var errs []error
-
-	if mt.Certificate == "" {
-		errs = append(errs, ErrNoMetricsTLSCertificate)
-	}
-
-	if err := canReadFile(mt.Certificate); err != nil {
-		errs = append(errs, fmt.Errorf("%w %s: %w", ErrCantReadFile, mt.Certificate, err))
-	}
-
-	if mt.Key == "" {
-		errs = append(errs, ErrNoMetricsTLSKey)
-	}
-
-	if err := canReadFile(mt.Key); err != nil {
-		errs = append(errs, fmt.Errorf("%w %s: %w", ErrCantReadFile, mt.Key, err))
-	}
-
-	if _, err := tls.LoadX509KeyPair(mt.Certificate, mt.Key); err != nil {
-		errs = append(errs, fmt.Errorf("%w: %w", ErrInvalidMetricsTLSKeypair, err))
-	}
-
-	if mt.CA != "" {
-		caCert, err := os.ReadFile(mt.CA)
-		if err != nil {
-			errs = append(errs, fmt.Errorf("%w %s: %w", ErrCantReadFile, mt.CA, err))
-		}
-
-		certPool := x509.NewCertPool()
-		if !certPool.AppendCertsFromPEM(caCert) {
-			errs = append(errs, fmt.Errorf("%w %s", ErrInvalidMetricsCACertificate, mt.CA))
-		}
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(ErrInvalidMetricsTLSConfig, errors.Join(errs...))
-	}
-
-	return nil
-}
-
-func canReadFile(fname string) error {
-	fin, err := os.Open(fname)
-	if err != nil {
-		return err
-	}
-	defer fin.Close()
-
-	data := make([]byte, 64)
-	if _, err := fin.Read(data); err != nil {
-		return fmt.Errorf("can't read %s: %w", fname, err)
-	}
-
-	return nil
-}
-
-type MetricsBasicAuth struct {
-	Username string `json:"username" yaml:"username"`
-	Password string `json:"password" yaml:"password"`
-}
-
-func (mba *MetricsBasicAuth) Valid() error {
-	var errs []error
-
-	if mba.Username == "" {
-		errs = append(errs, ErrNoMetricsBasicAuthUsername)
-	}
-
-	if mba.Password == "" {
-		errs = append(errs, ErrNoMetricsBasicAuthPassword)
-	}
-
-	if len(errs) != 0 {
-		return errors.Join(ErrInvalidMetricsBasicAuthConfig, errors.Join(errs...))
-	}
-
-	return nil
-}

lib/config/metrics_test.go

@@ -1,242 +0,0 @@
-package config
-
-import (
-	"errors"
-	"testing"
-)
-
-func TestMetricsValid(t *testing.T) {
-	for _, tt := range []struct {
-		name  string
-		input *Metrics
-		err   error
-	}{
-		{
-			name: "basic TCP",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp",
-			},
-		},
-		{
-			name: "basic TCP4",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp4",
-			},
-		},
-		{
-			name: "basic TCP6",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp6",
-			},
-		},
-		{
-			name: "basic unix",
-			input: &Metrics{
-				Bind:       "/tmp/anubis-metrics.sock",
-				Network:    "unix",
-				SocketMode: "0770",
-			},
-		},
-		{
-			name:  "no bind",
-			input: &Metrics{},
-			err:   ErrNoMetricsBind,
-		},
-		{
-			name:  "no network",
-			input: &Metrics{},
-			err:   ErrNoMetricsNetwork,
-		},
-		{
-			name: "no unix socket mode",
-			input: &Metrics{
-				Bind:    "/tmp/anubis-metrics.sock",
-				Network: "unix",
-			},
-			err: ErrNoMetricsSocketMode,
-		},
-		{
-			name: "invalid unix socket mode",
-			input: &Metrics{
-				Bind:       "/tmp/anubis-metrics.sock",
-				Network:    "unix",
-				SocketMode: "taco bell",
-			},
-			err: ErrInvalidMetricsSocketMode,
-		},
-		{
-			name: "invalid network",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "taco",
-			},
-			err: ErrInvalidMetricsNetwork,
-		},
-		{
-			name: "invalid TLS config",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp",
-				TLS:     &MetricsTLS{},
-			},
-			err: ErrInvalidMetricsTLSConfig,
-		},
-		{
-			name: "selfsigned TLS cert",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp",
-				TLS: &MetricsTLS{
-					Certificate: "./testdata/tls/selfsigned.crt",
-					Key:         "./testdata/tls/selfsigned.key",
-				},
-			},
-		},
-		{
-			name: "wrong path to selfsigned TLS cert",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp",
-				TLS: &MetricsTLS{
-					Certificate: "./testdata/tls2/selfsigned.crt",
-					Key:         "./testdata/tls2/selfsigned.key",
-				},
-			},
-			err: ErrCantReadFile,
-		},
-		{
-			name: "unparseable TLS cert",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp",
-				TLS: &MetricsTLS{
-					Certificate: "./testdata/tls/invalid.crt",
-					Key:         "./testdata/tls/invalid.key",
-				},
-			},
-			err: ErrInvalidMetricsTLSKeypair,
-		},
-		{
-			name: "mTLS with CA",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp",
-				TLS: &MetricsTLS{
-					Certificate: "./testdata/tls/selfsigned.crt",
-					Key:         "./testdata/tls/selfsigned.key",
-					CA:          "./testdata/tls/minica.pem",
-				},
-			},
-		},
-		{
-			name: "mTLS with nonexistent CA",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp",
-				TLS: &MetricsTLS{
-					Certificate: "./testdata/tls/selfsigned.crt",
-					Key:         "./testdata/tls/selfsigned.key",
-					CA:          "./testdata/tls/nonexistent.crt",
-				},
-			},
-			err: ErrCantReadFile,
-		},
-		{
-			name: "mTLS with invalid CA",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp",
-				TLS: &MetricsTLS{
-					Certificate: "./testdata/tls/selfsigned.crt",
-					Key:         "./testdata/tls/selfsigned.key",
-					CA:          "./testdata/tls/invalid.crt",
-				},
-			},
-			err: ErrInvalidMetricsCACertificate,
-		},
-		{
-			name: "basic auth credentials set",
-			input: &Metrics{
-				Bind:    ":9090",
-				Network: "tcp",
-				BasicAuth: &MetricsBasicAuth{
-					Username: "admin",
-					Password: "hunter2",
-				},
-			},
-		},
-		{
-			name: "invalid basic auth config",
-			input: &Metrics{
-				Bind:      ":9090",
-				Network:   "tcp",
-				BasicAuth: &MetricsBasicAuth{},
-			},
-			err: ErrInvalidMetricsBasicAuthConfig,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
-				t.Logf("wanted error: %v", tt.err)
-				t.Logf("got error:    %v", err)
-				t.Error("validation failed")
-			}
-		})
-	}
-}
-
-func TestMetricsBasicAuthValid(t *testing.T) {
-	for _, tt := range []struct {
-		name  string
-		input *MetricsBasicAuth
-		err   error
-	}{
-		{
-			name: "both set",
-			input: &MetricsBasicAuth{
-				Username: "admin",
-				Password: "hunter2",
-			},
-		},
-		{
-			name:  "empty username and password",
-			input: &MetricsBasicAuth{},
-			err:   ErrInvalidMetricsBasicAuthConfig,
-		},
-		{
-			name: "missing username",
-			input: &MetricsBasicAuth{
-				Password: "hunter2",
-			},
-			err: ErrNoMetricsBasicAuthUsername,
-		},
-		{
-			name: "missing password",
-			input: &MetricsBasicAuth{
-				Username: "admin",
-			},
-			err: ErrNoMetricsBasicAuthPassword,
-		},
-		{
-			name:  "missing both surfaces wrapper error",
-			input: &MetricsBasicAuth{},
-			err:   ErrNoMetricsBasicAuthUsername,
-		},
-		{
-			name:  "missing both surfaces password error",
-			input: &MetricsBasicAuth{},
-			err:   ErrNoMetricsBasicAuthPassword,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := tt.input.Valid(); !errors.Is(err, tt.err) {
-				t.Logf("wanted error: %v", tt.err)
-				t.Logf("got error:    %v", err)
-				t.Error("validation failed")
-			}
-		})
-	}
-}

lib/config/testdata/bad/metrics-invalid-net.yaml

@@ -1,3 +0,0 @@
-metrics:
-  bind: ":9090"
-  network: taco

lib/config/testdata/good/allow_everyone.json

@@ -5,9 +5,5 @@
       "remote_addresses": ["0.0.0.0/0", "::/0"],
       "action": "ALLOW"
     }
-  ],
+  ]
-  "metrics": {
-    "bind": ":9090",
-    "network": "tcp"
-  }
 }

lib/config/testdata/good/allow_everyone.yaml

@@ -4,7 +4,3 @@ bots:
       - "0.0.0.0/0"
       - "::/0"
     action: ALLOW
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/block_cf_workers.json

@@ -8,9 +8,5 @@
       "action": "DENY"
     }
   ],
-  "dnsbl": false,
+  "dnsbl": false
-  "metrics": {
-    "bind": ":9090",
-    "network": "tcp"
-  }
 }

lib/config/testdata/good/block_cf_workers.yaml

@@ -3,7 +3,3 @@ bots:
     headers_regex:
       CF-Worker: .*
     action: DENY
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/challenge_cloudflare.yaml

@@ -4,7 +4,3 @@ bots:
     asns:
       match:
         - 13335 # Cloudflare
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/challengemozilla.json

@@ -5,9 +5,5 @@
       "user_agent_regex": "Mozilla",
       "action": "CHALLENGE"
     }
-  ],
+  ]
-  "metrics": {
-    "bind": ":9090",
-    "network": "tcp"
-  }
 }

lib/config/testdata/good/challengemozilla.yaml

@@ -2,7 +2,3 @@ bots:
   - name: generic-browser
     user_agent_regex: Mozilla
     action: CHALLENGE
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/dns-ttl-custom.yaml

@@ -6,7 +6,3 @@ bots:
   - name: "test"
     user_agent_regex: ".*"
     action: "DENY"
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/entropy.yaml

@@ -6,7 +6,3 @@ bots:
         - '"Accept" in headers'
         - headers["Accept"].contains("text/html")
         - randInt(1) == 0
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/everything_blocked.json

@@ -6,9 +6,5 @@
       "action": "DENY"
     }
   ],
-  "dnsbl": false,
+  "dnsbl": false
-  "metrics": {
-    "bind": ":9090",
-    "network": "tcp"
-  }
 }

lib/config/testdata/good/everything_blocked.yaml

@@ -2,7 +2,3 @@ bots:
   - name: everything
     user_agent_regex: .*
     action: DENY
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/geoip_us.yaml

@@ -4,7 +4,3 @@ bots:
     geoip:
       countries:
         - US
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/git_client.json

@@ -10,9 +10,5 @@
         ]
       }
     }
-  ],
+  ]
-  "metrics": {
-    "bind": ":9090",
-    "network": "tcp"
-  }
 }

lib/config/testdata/good/git_client.yaml

@@ -6,7 +6,3 @@ bots:
         - userAgent.startsWith("git/") || userAgent.contains("libgit")
         - >
           "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/import_filesystem.json

@@ -3,9 +3,5 @@
     {
       "import": "./testdata/hack-test.json"
     }
-  ],
+  ]
-  "metrics": {
-    "bind": ":9090",
-    "network": "tcp"
-  }
 }

lib/config/testdata/good/import_filesystem.yaml

@@ -1,6 +1,2 @@
 bots:
   - import: ./testdata/hack-test.yaml
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/import_keep_internet_working.json

@@ -3,9 +3,5 @@
     {
       "import": "(data)/common/keep-internet-working.yaml"
     }
-  ],
+  ]
-  "metrics": {
-    "bind": ":9090",
-    "network": "tcp"
-  }
 }

lib/config/testdata/good/import_keep_internet_working.yaml

@@ -1,6 +1,2 @@
 bots:
   - import: (data)/common/keep-internet-working.yaml
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/impressum.yaml

@@ -8,7 +8,3 @@ impressum:
   page:
     title: Test
     body: <p>This is a test</p>
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/logging-file.yaml

@@ -13,7 +13,3 @@ logs:
     oldFileTimeFormat: 2006-01-02T15-04-05 # RFC 3339-ish
     compress: true
     useLocalTime: false # timezone for rotated files is UTC
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/logging-stdio.yaml

@@ -5,7 +5,3 @@ bots:
 
 logging:
   sink: "stdio"
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/no-thresholds.yaml

@@ -6,7 +6,3 @@ bots:
       adjust: 5
 
 thresholds: []
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/old_xesite.json

@@ -75,9 +75,5 @@
       "user_agent_regex": "Mozilla",
       "action": "CHALLENGE"
     }
-  ],
+  ]
-  "metrics": {
-    "bind": ":9090",
-    "network": "tcp"
-  }
 }

lib/config/testdata/good/opengraph_all_good.yaml

@@ -10,7 +10,3 @@ openGraph:
   default:
     "og:title": "Xe's magic land of fun"
     "og:description": "We're no strangers to love, you know the rules and so do I"
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/simple-weight.yaml

@@ -4,7 +4,3 @@ bots:
     user_agent_regex: Mozilla
     weight:
       adjust: 5
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/status-codes-paranoid.json

@@ -9,9 +9,5 @@
   "status_codes": {
     "CHALLENGE": 200,
     "DENY": 200
-  },
-  "metrics": {
-    "bind": ":9090",
-    "network": "tcp"
   }
 }

lib/config/testdata/good/status-codes-paranoid.yaml

@@ -6,7 +6,3 @@ bots:
 status_codes:
   CHALLENGE: 200
   DENY: 200
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/status-codes-rfc.json

@@ -9,9 +9,5 @@
   "status_codes": {
     "CHALLENGE": 403,
     "DENY": 403
-  },
-  "metrics": {
-    "bind": ":9090",
-    "network": "tcp"
   }
 }

lib/config/testdata/good/status-codes-rfc.yaml

@@ -6,7 +6,3 @@ bots:
 status_codes:
   CHALLENGE: 403
   DENY: 403
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/thresholds.yaml

@@ -33,7 +33,3 @@ thresholds:
     challenge:
       algorithm: fast
       difficulty: 4
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/good/weight-no-weight.yaml

@@ -2,7 +2,3 @@ bots:
   - name: weight
     action: WEIGH
     user_agent_regex: Mozilla
-
-metrics:
-  bind: ":9090"
-  network: "tcp"

lib/config/testdata/tls/1.1.1.1/cert.pem

@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB1zCCAVygAwIBAgIIYO0SAFtXlVgwCgYIKoZIzj0EAwMwIDEeMBwGA1UEAxMV
-bWluaWNhIHJvb3QgY2EgNDE2MmMwMB4XDTI2MDQyMjIzMjUwMVoXDTI4MDUyMjIz
-MjUwMVowEjEQMA4GA1UEAxMHMS4xLjEuMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
-BLsuA2LKGbEBuSA4LTm1KaKc7/QCkUOsipXR4+D5/3sWBZiAH7iWUgHwpx5YZf2q
-kZn6oRda+ks0JLTQ6VhteQedmb7l86bMeDMR8p4Lg2b38l/xEr7S25UfUDKudXrO
-AqNxMG8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
-BQcDAjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFE/7VDxF2+cUs9bu0pJM3xoC
-L1TSMA8GA1UdEQQIMAaHBAEBAQEwCgYIKoZIzj0EAwMDaQAwZgIxAPLXds9MMH4K
-F5FxTf9i0PKPsLQARsABVTgwB94hMR70rqW8Pwbjl7ZGNaYlaeRHUwIxAPMQ8zoF
-nim+YS1xLqQek/LXuJto8jxcfkQQBsboVzcTa5uaNRhNd5YwrpomGl3lKA==
------END CERTIFICATE-----

lib/config/testdata/tls/1.1.1.1/key.pem

@@ -1,6 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDBN8QsHxxHGJpStu8K7
-D/FmaBBNo6c514KGFSIfqGFuREF5aOL3gN/W11yk2OIibdWhZANiAAS7LgNiyhmx
-AbkgOC05tSminO/0ApFDrIqV0ePg+f97FgWYgB+4llIB8KceWGX9qpGZ+qEXWvpL
-NCS00OlYbXkHnZm+5fOmzHgzEfKeC4Nm9/Jf8RK+0tuVH1AyrnV6zgI=
------END PRIVATE KEY-----

lib/config/testdata/tls/minica-key.pem

@@ -1,6 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDDr9QQo7ZaTgUL6d73G
-2BG7+YRTFJHAZa0FogRglfc+jYttL1J4/xTig3RmHoqSgrehZANiAASDhijM9Xe0
-G9Vam6AJMeKC6aWDNSLwrxNVmPxemsY/yJ1urBgnxRd9GFH6YW1ki/B8rS+Xl1UX
-NnhBrukLaXvgAQQq782/5IUYGsvK5jw8+dSscYVMCQJwGfmQuaNeczQ=
------END PRIVATE KEY-----

lib/config/testdata/tls/minica.pem

@@ -1,13 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB+zCCAYKgAwIBAgIIQWLAtv4ijQ0wCgYIKoZIzj0EAwMwIDEeMBwGA1UEAxMV
-bWluaWNhIHJvb3QgY2EgNDE2MmMwMCAXDTI2MDQyMjIzMjUwMVoYDzIxMjYwNDIy
-MjMyNTAxWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA0MTYyYzAwdjAQBgcq
-hkjOPQIBBgUrgQQAIgNiAASDhijM9Xe0G9Vam6AJMeKC6aWDNSLwrxNVmPxemsY/
-yJ1urBgnxRd9GFH6YW1ki/B8rS+Xl1UXNnhBrukLaXvgAQQq782/5IUYGsvK5jw8
-+dSscYVMCQJwGfmQuaNeczSjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQW
-MBQGCCsGAQUFBwMBBggrBgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
-DgQWBBRP+1Q8RdvnFLPW7tKSTN8aAi9U0jAfBgNVHSMEGDAWgBRP+1Q8RdvnFLPW
-7tKSTN8aAi9U0jAKBggqhkjOPQQDAwNnADBkAjBfY7vb7cuLTjg7uoe+kl07FMYT
-BGMSnWdhN3yXqMUS3A6XZxD/LntXT6V7yFOlAJYCMH7w8/ATYaTqbk2jBRyQt9/x
-ajN+kZ6ZK+fKttqE8CD62mbHg09xoNxRq+K2I3PVyQ==
------END CERTIFICATE-----

lib/config/testdata/tls/selfsigned.crt

@@ -1,11 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIBnzCCAVGgAwIBAgIUK39B3Ft+kU5o81IuISs79O4u1ncwBQYDK2VwMEUxCzAJ
-BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
-dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjYwNDIyMTQyNjE4WhcNMjYwNTIyMTQyNjE4
-WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
-SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMCowBQYDK2VwAyEAfgpAUpp8MIOOdQpH
-fxaw3R7mFKQRMR6Kmxzk1Xn/2VujUzBRMB0GA1UdDgQWBBSmkBmzo0RiZ2iocMR8
-uIIpz9cZyTAfBgNVHSMEGDAWgBSmkBmzo0RiZ2iocMR8uIIpz9cZyTAPBgNVHRMB
-Af8EBTADAQH/MAUGAytlcANBAG37XXZrVUUzGyy3T9qsPIzvJQAGpGhdjJ7bt9O6
-sBhzrliTONPrudYuyUggWsHgFb0JlN2xs4/2HhKU+PY7AAQ=
------END CERTIFICATE-----

lib/config/testdata/tls/selfsigned.key

@@ -1,3 +0,0 @@
------BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIL0HxjjfVlg6zQPB9/zTLq0IBzfp8gEoifEYzQZYIj+T
------END PRIVATE KEY-----

lib/config_test.go

@@ -12,7 +12,7 @@ import (
 )
 
 func TestInvalidChallengeMethod(t *testing.T) {
-	if _, err := LoadPoliciesOrDefault(t.Context(), "testdata/invalid-challenge-method.yaml", 4, "info", false); !errors.Is(err, policy.ErrChallengeRuleHasWrongAlgorithm) {
+	if _, err := LoadPoliciesOrDefault(t.Context(), "testdata/invalid-challenge-method.yaml", 4, "info"); !errors.Is(err, policy.ErrChallengeRuleHasWrongAlgorithm) {
 		t.Fatalf("wanted error %v but got %v", policy.ErrChallengeRuleHasWrongAlgorithm, err)
 	}
 }
@@ -25,7 +25,7 @@ func TestBadConfigs(t *testing.T) {
 
 	for _, st := range finfos {
 		t.Run(st.Name(), func(t *testing.T) {
-			if _, err := LoadPoliciesOrDefault(t.Context(), filepath.Join("config", "testdata", "bad", st.Name()), anubis.DefaultDifficulty, "info", false); err == nil {
+			if _, err := LoadPoliciesOrDefault(t.Context(), filepath.Join("config", "testdata", "bad", st.Name()), anubis.DefaultDifficulty, "info"); err == nil {
 				t.Fatal(err)
 			} else {
 				t.Log(err)
@@ -44,13 +44,13 @@ func TestGoodConfigs(t *testing.T) {
 		t.Run(st.Name(), func(t *testing.T) {
 			t.Run("with-thoth", func(t *testing.T) {
 				ctx := thothmock.WithMockThoth(t)
-				if _, err := LoadPoliciesOrDefault(ctx, filepath.Join("config", "testdata", "good", st.Name()), anubis.DefaultDifficulty, "info", false); err != nil {
+				if _, err := LoadPoliciesOrDefault(ctx, filepath.Join("config", "testdata", "good", st.Name()), anubis.DefaultDifficulty, "info"); err != nil {
 					t.Fatal(err)
 				}
 			})
 
 			t.Run("without-thoth", func(t *testing.T) {
-				if _, err := LoadPoliciesOrDefault(t.Context(), filepath.Join("config", "testdata", "good", st.Name()), anubis.DefaultDifficulty, "info", false); err != nil {
+				if _, err := LoadPoliciesOrDefault(t.Context(), filepath.Join("config", "testdata", "good", st.Name()), anubis.DefaultDifficulty, "info"); err != nil {
 					t.Fatal(err)
 				}
 			})

lib/http.go

@@ -207,7 +207,7 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 		return
 	}
 
-	lg, r := s.getRequestLogger(r)
+	lg := internal.GetRequestLogger(s.logger, r)
 
 	if !strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") && randomChance(64) {
 		lg.Error("client was given a challenge but does not in fact support gzip compression")
@@ -215,10 +215,7 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 		return
 	}
 
-	{
+	challengesIssued.WithLabelValues("embedded").Add(1)
-		asn, asnDesc := asnFromContext(r.Context())
-		challengesIssued.WithLabelValues("embedded", asn, asnDesc).Add(1)
-	}
 	chall, err := s.issueChallenge(r.Context(), r, lg, cr, rule)
 	if err != nil {
 		lg.Error("can't get challenge", "err", err)
@@ -309,14 +306,14 @@ func (s *Server) constructRedirectURL(r *http.Request) (string, error) {
 	case "http", "https":
 		// allowed
 	default:
-		lg, _ := s.getRequestLogger(r)
+		lg := internal.GetRequestLogger(s.logger, r)
 		lg.Warn("invalid protocol in X-Forwarded-Proto", "proto", proto)
 		return "", errors.New(localizer.T("invalid_redirect"))
 	}
 
 	// Check if host is allowed in RedirectDomains (supports '*' via glob)
 	if len(s.opts.RedirectDomains) > 0 && !matchRedirectDomain(s.opts.RedirectDomains, host) {
-		lg, _ := s.getRequestLogger(r)
+		lg := internal.GetRequestLogger(s.logger, r)
 		lg.Debug("domain not allowed", "domain", host)
 		return "", errors.New(localizer.T("redirect_domain_not_allowed"))
 	}
@@ -403,15 +400,14 @@ func (s *Server) ServeHTTPNext(w http.ResponseWriter, r *http.Request) {
 		localizer := localization.GetLocalizer(r)
 
 		redir := r.FormValue("redir")
-		urlParsed, err := url.Parse(redir)
+		urlParsed, err := url.ParseRequestURI(redir)
 		if err != nil {
-			s.respondWithStatus(w, r, localizer.T("redirect_not_parseable"), makeCode(err), http.StatusBadRequest)
+			// if ParseRequestURI fails, try as relative URL
-			return
+			urlParsed, err = r.URL.Parse(redir)
-		}
+			if err != nil {
-
+				s.respondWithStatus(w, r, localizer.T("redirect_not_parseable"), makeCode(err), http.StatusBadRequest)
-		if urlParsed.Opaque != "" || (urlParsed.Scheme == "" && strings.HasPrefix(redir, "//")) {
+				return
-			s.respondWithStatus(w, r, localizer.T("invalid_redirect"), "", http.StatusBadRequest)
+			}
-			return
 		}
 
 		// validate URL scheme to prevent javascript:, data:, file:, tel:, etc.
@@ -419,7 +415,7 @@ func (s *Server) ServeHTTPNext(w http.ResponseWriter, r *http.Request) {
 		case "", "http", "https":
 			// allowed: empty scheme means relative URL
 		default:
-			lg, _ := s.getRequestLogger(r)
+			lg := internal.GetRequestLogger(s.logger, r)
 			lg.Warn("XSS attempt blocked, invalid redirect scheme", "scheme", urlParsed.Scheme, "redir", redir)
 			s.respondWithStatus(w, r, localizer.T("invalid_redirect"), "", http.StatusBadRequest)
 			return
@@ -431,7 +427,7 @@ func (s *Server) ServeHTTPNext(w http.ResponseWriter, r *http.Request) {
 		hostMismatch := r.URL.Host != "" && urlParsed.Host != "" && urlParsed.Host != r.URL.Host
 
 		if hostNotAllowed || hostMismatch {
-			lg, _ := s.getRequestLogger(r)
+			lg := internal.GetRequestLogger(s.logger, r)
 			lg.Debug("domain not allowed", "domain", urlParsed.Host)
 			s.respondWithStatus(w, r, localizer.T("redirect_domain_not_allowed"), makeCode(err), http.StatusBadRequest)
 			return
@@ -446,8 +442,7 @@ func (s *Server) ServeHTTPNext(w http.ResponseWriter, r *http.Request) {
 			web.Base(localizer.T("you_are_not_a_bot"), web.StaticHappy(localizer), s.policy.Impressum, localizer),
 		).ServeHTTP(w, r)
 	} else {
-		asn, asnDesc := asnFromContext(r.Context())
+		requestsProxied.WithLabelValues(r.Host).Inc()
-		requestsProxied.WithLabelValues(r.Host, asn, asnDesc).Inc()
 		r = s.stripBasePrefixFromRequest(r)
 		s.next.ServeHTTP(w, r)
 	}

lib/http_test.go

@@ -223,17 +223,3 @@ func TestNoCacheOnError(t *testing.T) {
 		})
 	}
 }
-
-func TestRejectsHostlessRedirect(t *testing.T) {
-	pol := loadPolicies(t, "testdata/useragent.yaml", 0)
-	srv := spawnAnubis(t, Options{Policy: pol, RedirectDomains: []string{"allowed.example"}})
-	req := httptest.NewRequest(http.MethodGet, "https://anubis.example/.within.website/?redir=%2f%2fevil.example%2fphish", nil)
-	rr := httptest.NewRecorder()
-	srv.ServeHTTPNext(rr, req)
-	if rr.Code != http.StatusBadRequest {
-		t.Fatalf("expected hostless redirect to be rejected, got HTTP %d body %q", rr.Code, rr.Body.String())
-	}
-	if got := rr.Header().Get("Location"); got != "" {
-		t.Fatalf("expected no Location header on rejected redirect, got %q", got)
-	}
-}

lib/localization/locales/bg.json

@@ -1,66 +0,0 @@
-{
-  "loading": "Зареждане...",
-  "why_am_i_seeing": "Защо виждам това?",
-  "protected_by": "Защитено от",
-  "protected_from": "От",
-  "made_with": "Направено с ❤️ в 🇨🇦",
-  "mascot_design": "Дизайн на талисмана от",
-  "ai_companies_explanation": "Виждате това, защото администраторът на този уебсайт е kонфигурирал Anubis, за да защити сървъра от агресивното събиране на данни от компании, занимаващи се с изкуствен интелект. Това може и причинява прекъсвания на уебсайтовете, което прави техните ресурси недостъпни за всички.",
-  "anubis_compromise": "Anubis е компромис. Anubis използва схема за ддоказателство-за-работа по подобие на Hashcash, предложена схема за доказателство-за-работа за намаляване на спама в имейлите. Идеята е, че при индивидуални мащаби допълнителното натоварване е пренебрежимо, но при масов ниво на събиране на данни то се натрупва и прави събирането на данни много по-скъпо.",
-  "hack_purpose": "В крайна сметка, това е временно решение, за да се отдели повече време за идентифициране и разпознаване на безглави браузъри (например чрез това как те рендират шрифтовете), така че страницата за доказателство-за-работа да не се налага да се показва на потребители, които е по-вероятно да са легитимни.",
-  "simplified_explanation": "Това е мярка срещу ботове и злонамерени заявки, подобна на CAPTCHA. Вместо да трябва да правите нещо сами, браузърът ви получава задача за изчисление, която трябва да реши, за да се увери, че е валиден клиент. Тази концепция се нарича схема доказателство-за-работа. Задачата се изчислява за няколко секунди и ви се дава достъп до уебсайта. Благодаря ви за разбирането и търпението.",
-  "jshelter_note": "Моля, имайте предвид, че Anubis изисква използването на модерни функции на JavaScript, сред които и като JShelter ще деактивират. Моля, деактивирайте JShelter или други подобни добавки за този домейн.",
-  "version_info": "Този уебсайт използва версия на Anubis",
-  "try_again": "Опитайте отново",
-  "go_home": "Отидете на началната страница",
-  "contact_webmaster": "или ако смятате, че не трябва да бъдете блокирани, моля свържете се с уебмастъра на",
-  "connection_security": "Моля, изчакайте, докато се уверим в сигурността на връзката ви",
-  "javascript_required": "За съжаление, трябва да включите JavaScript, за да минете през това предизвикателство. Това е необходимо, защото компаниите за изкуствен интелект промениха социалния договор около начина на хостинг на уебсайтове. Решение без JavaScript е в процес на разработка.",
-  "benchmark_requires_js": "За да използвате инструмента за тестване, е необходимо да включите JavaScript.",
-  "difficulty": "Трудност:",
-  "algorithm": "Алгоритъм:",
-  "compare": "Сравни:",
-  "time": "Време",
-  "iters": "Итерации",
-  "time_a": "Време А",
-  "iters_a": "Итерации А",
-  "time_b": "Време Б",
-  "iters_b": "Итерации Б",
-  "static_check_endpoint": "Това е просто краен пункт за проверка, който да използва обратният ви прокси.",
-  "authorization_required": "Изисква се авторизация",
-  "cookies_disabled": "Браузърът ви е настроен да деактивира бисквитките. Anubis изисква бисквитки за законния интерес да се увери, че сте валиден клиент. Моля, включете бисквитките за този домейн",
-  "access_denied": "Достъпът е отказан: код на грешка",
-  "dronebl_entry": "DroneBL докладва запис",
-  "see_dronebl_lookup": "вижте",
-  "internal_server_error": "Вътрешна сървърна грешка: администраторът е грешно конфигурирал Anubis. Моля, свържете се с администратора и ги помолете да проверят логовете около",
-  "invalid_redirect": "Невалидно пренасочване",
-  "redirect_not_parseable": "URL адресът за пренасочване не може да бъде разпознат",
-  "redirect_domain_not_allowed": "Домейнът за пренасочване не е позволен",
-  "missing_required_forwarded_headers": "Липсват необходимите X-Forwarded-* заглавни части",
-  "failed_to_sign_jwt": "неуспешно подписване на JWT",
-  "invalid_invocation": "Невалидно извикване на MakeChallenge",
-  "client_error_browser": "Крешка в клиента: Моля, уверете се, че браузърът ви е актуализиран и опитайте отново по-късно.",
-  "oh_noes": "О, не!",
-  "benchmarking_anubis": "Тестване на Anubis!",
-  "you_are_not_a_bot": "Ти не си бот!",
-  "making_sure_not_bot": "Уверяваме се, че не си бот!",
-  "celphase": "CELPHASE",
-  "js_web_crypto_error": "Браузърът ви няма функциониращ web.crypto елемент. Гледате ли това през сигурен контекст?",
-  "js_web_workers_error": "Браузърът ви не поддържа уеб работници (Anubis използва това, за да избегне замръзване на браузъра ви). Имате ли инсталирана добавка като JShelter?",
-  "js_cookies_error": "Браузърът ви не съхранява бисквитки. Anubis използва бисквитки, за да определи които клиенти са преминали задачите, като съхранява подписан токен в бисквитка. Моля, включете съхраняването на бисквитки за този домейн. Имената на бисквитките, съхранени от Anubis, могат да се променят без предварително уведомление. Имената и стойностите на бисквитките не са част от публичния API.",
-  "js_context_not_secure": "Вашият контекст не е сигурен!",
-  "js_context_not_secure_msg": "Опитайте да се свържете чрез HTTPS или уведомете администратора да kонфигурира HTTPS. За повече информация вижте MDN.",
-  "js_calculating": "Изчисляване...",
-  "js_missing_feature": "Липсваща функция",
-  "js_challenge_error": "Грешка при задачата!",
-  "js_challenge_error_msg": "Неуспешно разрешаване на алгоритъма за проверка. Може би искате да презаредите страницата.",
-  "js_calculating_difficulty": "Изчисляване... Трудност:",
-  "js_speed": "Скорост:",
-  "js_verification_longer": "Проверката отнема повече време от очакваното. Моля, не презареждайте страницата.",
-  "js_success": "Успех!",
-  "js_done_took": "Готово! Отне",
-  "js_iterations": "итерации",
-  "js_finished_reading": "Приключих с четенето, продължете →",
-  "js_calculation_error": "Грешка при изчислението!",
-  "js_calculation_error_msg": "Неуспешно изчисление на задачата:"
-}

lib/localization/locales/cs.json

@@ -62,5 +62,6 @@
   "js_finished_reading": "Čtení dokončeno, pokračovat →",
   "js_calculation_error": "Chyba výpočtu!",
   "js_calculation_error_msg": "Nepodařilo se vypočítat výzvu:",
-  "missing_required_forwarded_headers": "Chybějící požadované hlavičky X-Forwarded-*"
+  "missing_required_forwarded_headers": "Chybějící požadované hlavičky X-Forwarded-*",
+  "js_challenge_data_missing": "Data pro ověření chybí. Načtěte prosím stránku znovu."
 }

lib/localization/locales/de.json

@@ -1,38 +1,38 @@
 {
-  "loading": "Wird geladen …",
+  "loading": "Ladevorgang...",
   "why_am_i_seeing": "Warum sehe ich diese Seite?",
   "protected_by": "Geschützt durch",
   "protected_from": "Von",
   "made_with": "Mit ❤️ entwickelt in 🇨🇦",
-  "mascot_design": "Maskottchen entworfen von",
+  "mascot_design": "Maskottchen erstellt von",
-  "ai_companies_explanation": "Diese Seite wird angezeigt, weil der Betreiber dieser Website Anubis eingerichtet hat, um den Server vor aggressivem Scraping durch KI-Unternehmen zu schützen. Dieses Scraping kann Ausfälle verursachen, wodurch die Website für niemanden erreichbar ist.",
+  "ai_companies_explanation": "Diese Seite wird angezeigt, da der Betreiber der Website Anubis eingerichtet hat, um sie vor aggressiven Webcrawlern von KI-Unternehmen zu schützen. Diese können Ausfälle verursachen, wodurch die Website für niemanden erreichbar ist.",
-  "anubis_compromise": "Anubis ist ein Kompromiss. Es verwendet ein Proof-of-Work-Verfahren nach dem Vorbild von Hashcash, das ursprünglich zur Reduzierung von E-Mail-Spam entwickelt wurde. Die Idee dahinter ist, dass die zusätzliche Last für einzelne Nutzer vernachlässigbar ist, sich aber auf der Ebene von Massen-Scrapern summiert und das Scraping deutlich teurer macht.",
+  "anubis_compromise": "Anubis stellt einen Kompromiss dar. Es verwendet eine Proof-of-Work-Methode nach dem Hashcash-Prinzip, das ursprünglich zur Bekämpfung von E-Mail-Spam entwickelt wurde. Die Idee dahinter: Für einen einzelnen Besucher ist die Verzögerung vernachlässigbar, aber massenhaftes Scraping wird dadurch aufwändig und teuer.",
-  "hack_purpose": "Letztlich ist dies eine Übergangslösung, damit mehr Zeit in das Fingerprinting und die Erkennung von Headless-Browsern investiert werden kann (z. B. anhand ihrer Schriftart-Darstellung), sodass die Proof-of-Work-Seite Nutzern, die mit hoher Wahrscheinlichkeit legitim sind, nicht mehr angezeigt werden muss.",
+  "hack_purpose": "Letztendlich ist dies eine Übergangslösung, um mehr Zeit für Browser-Fingerprinting und die Identifizierung von Headless-Browsern (z. B. anhand ihrer Schriftwiedergabe) zu gewinnen. So muss die Proof-of-Work-Seite nicht Nutzern angezeigt werden, die sehr wahrscheinlich legitim sind.",
-  "simplified_explanation": "Dies ist eine Schutzmaßnahme gegen Bots und schädliche Anfragen, ähnlich einem CAPTCHA. Anstatt selbst eine Aufgabe lösen zu müssen, bekommt dein Browser eine Rechenaufgabe, die er lösen muss, um sicherzustellen, dass es sich um einen gültigen Client handelt. Dieses Konzept nennt sich <a href=\"https://de.wikipedia.org/wiki/Proof_of_Work\">Proof of Work</a>. Die Aufgabe wird innerhalb weniger Sekunden berechnet und du erhältst Zugang zur Website. Danke für dein Verständnis und deine Geduld.",
+  "simplified_explanation": "Dies ist eine Maßnahme gegen Bots und bösartige Anfragen, ähnlich einem CAPTCHA. Anstatt jedoch selbst arbeiten zu müssen, erhält dein Browser eine Rechenaufgabe, um sicherzustellen, dass es sich um einen gültigen Client handelt. Dieses Konzept nennt sich <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Die Aufgabe wird in wenigen Sekunden berechnet und du erhältst Zugriff auf die Website. Danke für deine Geduld.",
-  "jshelter_note": "Anubis benötigt moderne JavaScript-Funktionen, die von Plugins wie JShelter deaktiviert werden. Bitte deaktiviere JShelter oder ähnliche Plugins für diese Domain.",
+  "jshelter_note": "Anubis benötigt moderne JavaScript-Features, die von Plugins wie JShelter deaktiviert werden. Bitte deaktiviere JShelter oder ähnliche Plugins für diese Domain.",
-  "version_info": "Diese Website nutzt Anubis Version",
+  "version_info": "Diese Website läuft mit Anubis-Version",
   "try_again": "Erneut versuchen",
   "go_home": "Zur Startseite",
-  "contact_webmaster": "oder kontaktiere den Webmaster unter, falls du glaubst, dass du nicht blockiert werden solltest:",
+  "contact_webmaster": "Falls du glaubst, dass es sich um einen Fehler handelt, kontaktiere bitte den Administrator unter",
-  "connection_security": "Bitte warte einen Moment, während wir die Sicherheit deiner Verbindung überprüfen.",
+  "connection_security": "Bitte warte einen Moment, während wir die Sicherheit deiner Verbindung prüfen.",
-  "javascript_required": "Du musst JavaScript aktivieren, um diese Prüfung zu bestehen. Dies ist notwendig, da KI-Unternehmen den Gesellschaftsvertrag rund um Webhosting verändert haben. Eine Lösung ohne JavaScript ist in Arbeit.",
+  "javascript_required": "Du musst JavaScript aktivieren, um diese Prüfung durchführen zu können. Dies ist notwendig, da KI-Unternehmen die bisherigen Regeln für das Hosting von Websites nicht mehr respektieren. Eine Lösung ohne JavaScript ist in Entwicklung.",
-  "benchmark_requires_js": "Für das Benchmark-Tool muss JavaScript aktiviert sein.",
+  "benchmark_requires_js": "Für die Nutzung des Benchmark-Tools muss JavaScript aktiviert sein.",
   "difficulty": "Schwierigkeit:",
   "algorithm": "Algorithmus:",
-  "compare": "Vergleichen:",
+  "compare": "Vergleich:",
   "time": "Zeit",
   "iters": "Iterationen",
   "time_a": "Zeit A",
   "iters_a": "Iterationen A",
   "time_b": "Zeit B",
   "iters_b": "Iterationen B",
-  "static_check_endpoint": "Dies ist nur ein Prüf-Endpunkt für deinen Reverse-Proxy.",
+  "static_check_endpoint": "Dies ist ein Endpunkt zur Prüfung durch einen Reverse-Proxy.",
   "authorization_required": "Autorisierung erforderlich",
-  "cookies_disabled": "Cookies sind in deinem Browser deaktiviert. Anubis benötigt Cookies im berechtigten Interesse, sicherzustellen, dass es sich um einen gültigen Client handelt. Bitte aktiviere Cookies für diese Domain.",
+  "cookies_disabled": "Cookies sind in deinem Browser deaktiviert. Anubis benötigt Cookies, um sicherzustellen, dass es sich um einen legitimen Zugriff handelt. Bitte aktiviere Cookies für diese Domain.",
-  "access_denied": "Zugriff verweigert: Fehlercode",
+  "access_denied": "Zugriff verweigert – Fehlercode",
-  "dronebl_entry": "DroneBL hat einen Eintrag gemeldet",
+  "dronebl_entry": "Eintrag in DroneBL",
   "see_dronebl_lookup": "anzeigen",
-  "internal_server_error": "Interner Serverfehler: Der Administrator hat Anubis fehlerhaft konfiguriert. Bitte kontaktiere den Administrator und bitte ihn, die Logs im Zeitraum um folgenden Zeitpunkt zu prüfen:",
+  "internal_server_error": "Interner Serverfehler: Der Administrator hat Anubis fehlerhaft konfiguriert. Bitte kontaktiere den Administrator und bitte ihn, die Logs zu prüfen.",
   "invalid_redirect": "Ungültige Weiterleitung",
   "redirect_not_parseable": "Weiterleitungs-URL kann nicht verarbeitet werden",
   "redirect_domain_not_allowed": "Weiterleitungs-Domain nicht erlaubt",
@@ -41,26 +41,27 @@
   "invalid_invocation": "Ungültiger Aufruf von MakeChallenge",
   "client_error_browser": "Client-Fehler: Bitte stelle sicher, dass dein Browser aktuell ist, und versuche es später erneut.",
   "oh_noes": "Oh nein!",
-  "benchmarking_anubis": "Anubis-Benchmark wird durchgeführt!",
+  "benchmarking_anubis": "Benchmark wird durchgeführt!",
   "you_are_not_a_bot": "Du bist kein Bot!",
   "making_sure_not_bot": "Dein Browser wird geprüft!",
   "celphase": "CELPHASE",
-  "js_web_crypto_error": "Dein Browser verfügt nicht über ein funktionierendes web.crypto-Element. Wird diese Seite in einem sicheren Kontext angezeigt?",
+  "js_web_crypto_error": "Dein Browser verfügt nicht über ein funktionierendes web.crypto-Element. Wird eine sichere Verbindung verwendet?",
-  "js_web_workers_error": "Dein Browser unterstützt keine Web Workers (Anubis verwendet diese, damit dein Browser nicht einfriert). Hast du ein Plugin wie JShelter installiert?",
+  "js_web_workers_error": "Dein Browser unterstützt keine Web-Worker (Anubis verwendet diese, damit der Browser nicht einfriert). Ist ein Plugin wie JShelter installiert?",
-  "js_cookies_error": "Dein Browser speichert keine Cookies. Anubis verwendet Cookies, um nach bestandener Prüfung ein signiertes Token abzulegen. Bitte aktiviere Cookies für diese Domain. Die Cookie-Namen von Anubis können sich jederzeit ohne Vorankündigung ändern. Cookie-Namen und -Werte sind nicht Teil der öffentlichen API.",
+  "js_cookies_error": "Dein Browser speichert keine Cookies. Anubis verwendet Cookies, um nach bestandener Prüfung ein signiertes Token abzulegen. Bitte aktiviere Cookies für diese Domain. Die Cookie-Namen von Anubis können sich jederzeit ändern. Cookie-Namen und gespeicherte Werte sind nicht Teil der öffentlichen API.",
   "js_context_not_secure": "Diese Verbindung ist nicht sicher!",
-  "js_context_not_secure_msg": "Versuche, dich über HTTPS zu verbinden, oder informiere den Administrator, HTTPS einzurichten. Weitere Informationen unter <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
+  "js_context_not_secure_msg": "Bitte versuche, dich über HTTPS zu verbinden, oder weise den Administrator darauf hin, HTTPS einzurichten. Mehr Informationen: <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts#when_is_a_context_considered_secure\">MDN</a>.",
-  "js_calculating": "Berechnung läuft …",
+  "js_calculating": "Berechnung läuft...",
   "js_missing_feature": "Fehlendes Feature",
   "js_challenge_error": "Prüfung fehlgeschlagen!",
-  "js_challenge_error_msg": "Der Prüfalgorithmus konnte nicht aufgelöst werden. Bitte lade die Seite neu.",
+  "js_challenge_error_msg": "Der Prüf-Algorithmus konnte nicht geladen werden. Bitte lade die Seite neu.",
-  "js_calculating_difficulty": "Berechnung läuft …<br/>Schwierigkeit:",
+  "js_calculating_difficulty": "Berechnung läuft...<br/>Schwierigkeit:",
   "js_speed": "Geschwindigkeit:",
-  "js_verification_longer": "Die Verifizierung dauert länger als erwartet. Bitte bleibe auf der Seite und lade sie nicht neu.",
+  "js_verification_longer": "Die Prüfung dauert länger als erwartet. Bitte warte und lade die Seite nicht neu.",
-  "js_success": "Geschafft!",
+  "js_success": "Erfolgreich!",
   "js_done_took": "Fertig! Dauer:",
   "js_iterations": "Iterationen",
-  "js_finished_reading": "Fertig gelesen, weiter zur Seite →",
+  "js_finished_reading": "Fertig gelesen – weiter zur Seite →",
   "js_calculation_error": "Berechnungsfehler!",
-  "js_calculation_error_msg": "Fehler bei der Berechnung der Prüfung:"
+  "js_calculation_error_msg": "Fehler bei der Berechnung der Prüfung:",
+  "js_challenge_data_missing": "Die Prüfungsdaten fehlen. Bitte laden Sie die Seite neu."
 }

lib/localization/locales/en.json

@@ -62,5 +62,6 @@
   "js_iterations": "iterations",
   "js_finished_reading": "I've finished reading, continue →",
   "js_calculation_error": "Calculation error!",
-  "js_calculation_error_msg": "Failed to calculate challenge:"
+  "js_calculation_error_msg": "Failed to calculate challenge:",
+  "js_challenge_data_missing": "Challenge data is missing. Please reload the page."
 }

lib/localization/locales/es.json

@@ -62,5 +62,6 @@
   "js_calculation_error": "¡Error de cálculo!",
   "js_calculation_error_msg": "Falló al calcular el desafío:",
   "missing_required_forwarded_headers": "Faltan los encabezados X-Forwarded-* requeridos",
-  "simplified_explanation": "Esta es una medida contra bots y solicitudes maliciosas similar a un CAPTCHA. Sin embargo, en lugar de tener que hacer el trabajo usted mismo, a su navegador se le asigna una tarea de cálculo que debe resolver para garantizar que es un cliente válido. Este concepto se llama <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Prueba de trabajo</a>. La tarea se calcula en unos segundos y se le concede acceso al sitio web. Gracias por su comprensión y paciencia."
+  "simplified_explanation": "Esta es una medida contra bots y solicitudes maliciosas similar a un CAPTCHA. Sin embargo, en lugar de tener que hacer el trabajo usted mismo, a su navegador se le asigna una tarea de cálculo que debe resolver para garantizar que es un cliente válido. Este concepto se llama <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Prueba de trabajo</a>. La tarea se calcula en unos segundos y se le concede acceso al sitio web. Gracias por su comprensión y paciencia.",
+  "js_challenge_data_missing": "Faltan los datos del desafío. Por favor, recargue la página."
 }

lib/localization/locales/et.json

@@ -62,5 +62,6 @@
   "js_calculation_error": "Arvutamise viga!",
   "js_calculation_error_msg": "Ei suutnud kontrolli arvutada:",
   "missing_required_forwarded_headers": "Puuduvad nõutud X-Forwarded-* päised",
-  "simplified_explanation": "See on meede robotite ja pahatahtlike päringute vastu, mis sarnaneb CAPTCHA-le. Kuid selle asemel, et peaksite ise tööd tegema, antakse teie brauserile arvutusülesanne, mille see peab lahendama, et tagada selle kehtivus kliendina. Seda kontseptsiooni nimetatakse <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Töötõendiks</a>. Ülesanne arvutatakse mõne sekundiga ja teile antakse juurdepääs veebisaidile. Täname teid mõistva suhtumise ja kannatlikkuse eest."
+  "simplified_explanation": "See on meede robotite ja pahatahtlike päringute vastu, mis sarnaneb CAPTCHA-le. Kuid selle asemel, et peaksite ise tööd tegema, antakse teie brauserile arvutusülesanne, mille see peab lahendama, et tagada selle kehtivus kliendina. Seda kontseptsiooni nimetatakse <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Töötõendiks</a>. Ülesanne arvutatakse mõne sekundiga ja teile antakse juurdepääs veebisaidile. Täname teid mõistva suhtumise ja kannatlikkuse eest.",
+  "js_challenge_data_missing": "Kontrollülesande andmed puuduvad. Palun laadige leht uuesti."
 }

lib/localization/locales/fi.json

@@ -62,5 +62,6 @@
   "js_calculation_error": "Laskentavirhe!",
   "js_calculation_error_msg": "Haasteen laskenta ei onnistunut:",
   "missing_required_forwarded_headers": "Puuttuvat vaaditut X-Forwarded-* otsikot",
-  "simplified_explanation": "Tämä on toimenpide botteja ja haitallisia pyyntöjä vastaan, joka on samanlainen kuin CAPTCHA. Sen sijaan, että joutuisit tekemään työtä itse, selaimesi saa laskentatehtävän, joka sen on ratkaistava varmistaakseen, että se on kelvollinen asiakas. Tätä käsitettä kutsutaan nimellä <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Työtodistus</a>. Tehtävä lasketaan muutamassa sekunnissa ja saat pääsyn verkkosivustolle. Kiitos ymmärryksestäsi ja kärsivällisyydestäsi."
+  "simplified_explanation": "Tämä on toimenpide botteja ja haitallisia pyyntöjä vastaan, joka on samanlainen kuin CAPTCHA. Sen sijaan, että joutuisit tekemään työtä itse, selaimesi saa laskentatehtävän, joka sen on ratkaistava varmistaakseen, että se on kelvollinen asiakas. Tätä käsitettä kutsutaan nimellä <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Työtodistus</a>. Tehtävä lasketaan muutamassa sekunnissa ja saat pääsyn verkkosivustolle. Kiitos ymmärryksestäsi ja kärsivällisyydestäsi.",
+  "js_challenge_data_missing": "Haastetiedot puuttuvat. Lataa sivu uudelleen."
 }

lib/localization/locales/fil.json

@@ -62,5 +62,6 @@
   "js_calculation_error": "Error sa pagkalkula!",
   "js_calculation_error_msg": "Nabigong ikalkula ang hamon:",
   "missing_required_forwarded_headers": "Nawawala ang kinakailangang X-Forwarded-* na mga header",
-  "simplified_explanation": "Ito ay isang panukala laban sa mga bot at malisyosong mga kahilingan na katulad ng isang CAPTCHA. Gayunpaman, sa halip na ikaw mismo ang gumawa ng trabaho, binibigyan ang iyong browser ng isang gawain sa pagkalkula na kailangan nitong lutasin upang matiyak na ito ay isang wastong kliyente. Ang konseptong ito ay tinatawag na <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Ang gawain ay kinakalkula sa loob ng ilang segundo at binibigyan ka ng access sa website. Salamat sa iyong pag-unawa at pasensya."
+  "simplified_explanation": "Ito ay isang panukala laban sa mga bot at malisyosong mga kahilingan na katulad ng isang CAPTCHA. Gayunpaman, sa halip na ikaw mismo ang gumawa ng trabaho, binibigyan ang iyong browser ng isang gawain sa pagkalkula na kailangan nitong lutasin upang matiyak na ito ay isang wastong kliyente. Ang konseptong ito ay tinatawag na <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Proof of Work</a>. Ang gawain ay kinakalkula sa loob ng ilang segundo at binibigyan ka ng access sa website. Salamat sa iyong pag-unawa at pasensya.",
+  "js_challenge_data_missing": "Nawawala ang data ng hamon. Mangyaring i-reload ang pahina."
 }

lib/localization/locales/fr.json

@@ -62,5 +62,6 @@
   "js_calculation_error": "Erreur de calcul !",
   "js_calculation_error_msg": "Échec du calcul du défi :",
   "missing_required_forwarded_headers": "En-têtes X-Forwarded-* manquants",
-  "simplified_explanation": "Ceci est une mesure contre les robots et les requêtes malveillantes, similaire à un CAPTCHA. Cependant, au lieu d'avoir à faire le travail vous-même, votre navigateur se voit confier une tâche de calcul qu'il doit résoudre pour confirmer qu'il est un client valide. Ce concept est nommé <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Preuve de travail</a>. La tâche s'effectue en quelques secondes, puis vous avez accès au site Web. Merci pour votre compréhension et votre patience."
+  "simplified_explanation": "Ceci est une mesure contre les robots et les requêtes malveillantes, similaire à un CAPTCHA. Cependant, au lieu d'avoir à faire le travail vous-même, votre navigateur se voit confier une tâche de calcul qu'il doit résoudre pour confirmer qu'il est un client valide. Ce concept est nommé <a href=\"https://en.wikipedia.org/wiki/Proof_of_work\">Preuve de travail</a>. La tâche s'effectue en quelques secondes, puis vous avez accès au site Web. Merci pour votre compréhension et votre patience.",
+  "js_challenge_data_missing": "Les données du défi sont manquantes. Veuillez recharger la page."
 }