docs(admin/policy): document ReadWritePaths for logging to files

The default Anubis systemd configuration is very restrictive in order to prevent any possible compromise of Anubis to be useful by threat actors. As such, it assumes all logs will be pushed to the system journal. Some administrators do not want Anubis' logs to be pushed to the system journal and want Anubis to log to a file instead. This change documents how to set up ReadWritePaths in the Anubis systemd configuration such that Anubis can lot to a file as administrators expect. Closes: #1468 Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-05-08 16:12:52 +00:00 · 2026-02-19 12:18:00 +00:00
10 changed files with 31 additions and 144 deletions
@@ -11,8 +11,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

- fix: prevent nil pointer panic in challenge validation when threshold rules match during PassChallenge (#1463)
-
 <!-- This changes the project to: -->

 ## v1.25.0: Necron
@@ -393,6 +393,32 @@ logging:

 When files are rotated out, the old files will be named after the rotation timestamp in [RFC 3339 format](https://www.rfc-editor.org/rfc/rfc3339).

+:::note
+
+If you are running Anubis in systemd via a native package, the default systemd unit settings are very restrictive and will forbid writing to folders in `/var/log`. In order to fix this, please make a [drop-in unit](https://www.flatcar.org/docs/latest/setup/systemd/drop-in-units/) like the following:
+
+```text
+# /etc/systemd/anubis@instance-name.service.d/50-var-log-readwrite.conf
+[Service]
+ReadWritePaths=/run /var/log/anubis
+```
+
+Once you write this to the correct place, reload the systemd configuration:
+
+```text
+sudo systemctl daemon-reload
+```
+
+And then restart Anubis:
+
+```text
+sudo systemctl restart anubis@instance-name
+```
+
+You may be required to make drop-ins for each Anubis instance depending on the facts and circumstances of your deployment.
+
+:::
+
 ### `stdio` sink

 By default, Anubis logs everything to the standard error stream of its process. This requires no configuration:
@@ -106,13 +106,6 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 		//return nil, errors.New("[unexpected] this codepath should be impossible, asked to issue a challenge for a non-challenge rule")
 	}

-	if rule.Challenge == nil {
-		rule.Challenge = &config.ChallengeRules{
-			Difficulty: s.policy.DefaultDifficulty,
-			Algorithm:  config.DefaultAlgorithm,
-		}
-	}
-
 	id, err := uuid.NewV7()
 	if err != nil {
 		return nil, err
@@ -498,11 +491,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 	chall, err := s.getChallenge(r)
 	if err != nil {
 		lg.Error("getChallenge failed", "err", err)
-		algorithm := "unknown"
-		if rule.Challenge != nil {
-			algorithm = rule.Challenge.Algorithm
-		}
-		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), algorithm), makeCode(err))
+		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm), makeCode(err))
 		return
 	}

@@ -649,16 +638,8 @@ func (s *Server) check(r *http.Request, lg *slog.Logger) (policy.CheckResult, *p
 		}

 		if matches {
-			challRules := t.Challenge
-			if challRules == nil {
-				// Non-CHALLENGE thresholds (ALLOW/DENY) don't have challenge config.
-				// Use an empty struct so hydrateChallengeRule can fill from stored
-				// challenge data during validation, rather than baking in defaults
-				// that could mismatch the difficulty the client actually solved for.
-				challRules = &config.ChallengeRules{}
-			}
 			return cr("threshold/"+t.Name, t.Action, weight), &policy.Bot{
-				Challenge: challRules,
+				Challenge: t.Challenge,
 				Rules:     &checker.List{},
 			}, nil
 		}
@@ -10,7 +10,6 @@ var (
 	ErrFailed        = errors.New("challenge: user failed challenge")
 	ErrMissingField  = errors.New("challenge: missing field")
 	ErrInvalidFormat = errors.New("challenge: field has invalid format")
-	ErrInvalidInput  = errors.New("challenge: input is nil or missing required fields")
 )

 func NewError(verb, publicReason string, privateReason error) *Error {
@@ -1,7 +1,6 @@
 package challenge

 import (
-	"fmt"
 	"log/slog"
 	"net/http"
 	"sort"
@@ -51,44 +50,12 @@ type IssueInput struct {
 	Store     store.Interface
 }

-func (in *IssueInput) Valid() error {
-	if in == nil {
-		return fmt.Errorf("%w: IssueInput is nil", ErrInvalidInput)
-	}
-	if in.Rule == nil {
-		return fmt.Errorf("%w: Rule is nil", ErrInvalidInput)
-	}
-	if in.Rule.Challenge == nil {
-		return fmt.Errorf("%w: Rule.Challenge is nil", ErrInvalidInput)
-	}
-	if in.Challenge == nil {
-		return fmt.Errorf("%w: Challenge is nil", ErrInvalidInput)
-	}
-	return nil
-}
-
 type ValidateInput struct {
 	Rule      *policy.Bot
 	Challenge *Challenge
 	Store     store.Interface
 }

-func (in *ValidateInput) Valid() error {
-	if in == nil {
-		return fmt.Errorf("%w: ValidateInput is nil", ErrInvalidInput)
-	}
-	if in.Rule == nil {
-		return fmt.Errorf("%w: Rule is nil", ErrInvalidInput)
-	}
-	if in.Rule.Challenge == nil {
-		return fmt.Errorf("%w: Rule.Challenge is nil", ErrInvalidInput)
-	}
-	if in.Challenge == nil {
-		return fmt.Errorf("%w: Challenge is nil", ErrInvalidInput)
-	}
-	return nil
-}
-
 type Impl interface {
 	// Setup registers any additional routes with the Impl for assets or API routes.
 	Setup(mux *http.ServeMux)
@@ -24,10 +24,6 @@ type Impl struct{}
 func (i *Impl) Setup(mux *http.ServeMux) {}

 func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in *challenge.IssueInput) (templ.Component, error) {
-	if err := in.Valid(); err != nil {
-		return nil, err
-	}
-
 	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
@@ -53,10 +49,6 @@ func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }

 func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
-	if err := in.Valid(); err != nil {
-		return challenge.NewError("validate", "invalid input", err)
-	}
-
 	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 800 * time.Millisecond)

 	if time.Now().Before(wantTime) {
@@ -39,10 +39,6 @@ type impl struct{}
 func (i *impl) Setup(mux *http.ServeMux) {}

 func (i *impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in *challenge.IssueInput) (templ.Component, error) {
-	if err := in.Valid(); err != nil {
-		return nil, err
-	}
-
 	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
@@ -61,10 +57,6 @@ func (i *impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }

 func (i *impl) Validate(r *http.Request, lg *slog.Logger, in *challenge.ValidateInput) error {
-	if err := in.Valid(); err != nil {
-		return challenge.NewError("validate", "invalid input", err)
-	}
-
 	wantTime := in.Challenge.IssuedAt.Add(time.Duration(in.Rule.Challenge.Difficulty) * 80 * time.Millisecond)

 	if time.Now().Before(wantTime) {
@@ -33,10 +33,6 @@ func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 }

 func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInput) error {
-	if err := in.Valid(); err != nil {
-		return chall.NewError("validate", "invalid input", err)
-	}
-
 	rule := in.Rule
 	challenge := in.Challenge.RandomData

@@ -30,62 +30,6 @@ func mkRequest(t *testing.T, values map[string]string) *http.Request {
 	return req
 }

-// TestValidateNilRuleChallenge reproduces the panic from
-// https://github.com/TecharoHQ/anubis/issues/1463
-//
-// When a threshold rule matches during PassChallenge, check() can return
-// a policy.Bot with Challenge == nil. After hydrateChallengeRule fails to
-// run (or the error path hits before it), Validate dereferences
-// rule.Challenge.Difficulty and panics.
-func TestValidateNilRuleChallenge(t *testing.T) {
-	i := &Impl{Algorithm: "fast"}
-	lg := slog.With()
-
-	// This is the exact response for SHA256("hunter" + "0") with 0 leading zeros required.
-	const challengeStr = "hunter"
-	const response = "2652bdba8fb4d2ab39ef28d8534d7694c557a4ae146c1e9237bd8d950280500e"
-
-	req := mkRequest(t, map[string]string{
-		"nonce":       "0",
-		"elapsedTime": "69",
-		"response":    response,
-	})
-
-	for _, tc := range []struct {
-		name  string
-		input *challenge.ValidateInput
-	}{
-		{
-			name: "nil-rule-challenge",
-			input: &challenge.ValidateInput{
-				Rule:      &policy.Bot{},
-				Challenge: &challenge.Challenge{RandomData: challengeStr},
-			},
-		},
-		{
-			name: "nil-rule",
-			input: &challenge.ValidateInput{
-				Challenge: &challenge.Challenge{RandomData: challengeStr},
-			},
-		},
-		{
-			name:  "nil-challenge",
-			input: &challenge.ValidateInput{Rule: &policy.Bot{Challenge: &config.ChallengeRules{Algorithm: "fast"}}},
-		},
-		{
-			name:  "nil-input",
-			input: nil,
-		},
-	} {
-		t.Run(tc.name, func(t *testing.T) {
-			err := i.Validate(req, lg, tc.input)
-			if !errors.Is(err, challenge.ErrInvalidInput) {
-				t.Fatalf("expected ErrInvalidInput, got: %v", err)
-			}
-		})
-	}
-}
-
 func TestBasic(t *testing.T) {
 	i := &Impl{Algorithm: "fast"}
 	bot := &policy.Bot{
@@ -222,12 +222,8 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 	chall, err := s.issueChallenge(r.Context(), r, lg, cr, rule)
 	if err != nil {
 		lg.Error("can't get challenge", "err", err)
-		algorithm := "unknown"
-		if rule.Challenge != nil {
-			algorithm = rule.Challenge.Algorithm
-		}
 		s.ClearCookie(w, CookieOpts{Name: anubis.TestCookieName, Host: r.Host})
-		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), algorithm), makeCode(err))
+		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm), makeCode(err))
 		return
 	}

@@ -252,13 +248,9 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C

 	impl, ok := challenge.Get(chall.Method)
 	if !ok {
-		algorithm := "unknown"
-		if rule.Challenge != nil {
-			algorithm = rule.Challenge.Algorithm
-		}
-		lg.Error("check failed", "err", "can't get algorithm", "algorithm", algorithm)
+		lg.Error("check failed", "err", "can't get algorithm", "algorithm", rule.Challenge.Algorithm)
 		s.ClearCookie(w, CookieOpts{Name: anubis.TestCookieName, Host: r.Host})
-		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), algorithm), makeCode(err))
+		s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm), makeCode(err))
 		return
 	}