mirror of
https://github.com/TecharoHQ/anubis.git
synced 2026-04-05 16:28:17 +00:00
* feat(config): add Thresholds to the top level config file
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(config): make String() on ExpressionOrList join the component expressions
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* test(config): ensure unparseable json fails
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(config): if no thresholds are set, use the default thresholds
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(policy): half implement thresholds
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(policy): continue wiring things up
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(lib): wire up thresholds
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* test(lib): handle behavior from legacy configurations
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs: document thresholds
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs: update CHANGELOG, refer to threshold configuration
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix(lib): fix build
  Signed-off-by: Xe Iaso <me@xeiaso.net>
* chore(lib): fix U1000
  Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>
Signed-off-by: Jason Cameron <git@jasoncameron.dev>
Co-authored-by: Jason Cameron <git@jasoncameron.dev>
141 lines
2.9 KiB
Plaintext
# Weight Threshold Configuration

Anubis offers the ability to assign "weight" to requests. This is a custom level of suspicion that rules can add to or remove from. For example, here's how you assign 10 weight points to anything that might be a browser:

```yaml
# botPolicies.yaml

bots:
  - name: generic-browser
    user_agent_regex: >-
      Mozilla|Opera
    action: WEIGH
    weight:
      adjust: 10
```

Thresholds let you take actions in response to this per-request weight value. Thresholds are defined alongside your bot configuration in `botPolicies.yaml`.

:::note

Thresholds DO NOT apply when a request matches a bot rule with the CHALLENGE action. Thresholds only apply when requests don't match any terminal bot rules.

:::

```yaml
# botPolicies.yaml

bots: ...

thresholds:
  - name: minimal-suspicion
    expression: weight < 0
    action: ALLOW

  - name: mild-suspicion
    expression:
      all:
        - weight >= 0
        - weight < 10
    action: CHALLENGE
    challenge:
      algorithm: metarefresh
      difficulty: 1
      report_as: 1

  - name: moderate-suspicion
    expression:
      all:
        - weight >= 10
        - weight < 20
    action: CHALLENGE
    challenge:
      algorithm: fast
      difficulty: 2
      report_as: 2

  - name: extreme-suspicion
    expression: weight >= 20
    action: CHALLENGE
    challenge:
      algorithm: fast
      difficulty: 4
      report_as: 4
```

This defines a suite of 4 thresholds:

1. If the request weight is less than zero, allow it through.
2. If the request weight is greater than or equal to zero, but less than ten: give it [a very lightweight challenge](./challenges/metarefresh.mdx).
3. If the request weight is greater than or equal to ten, but less than twenty: give it [a slightly heavier challenge](./challenges/proof-of-work.mdx).
4. Otherwise, give it [the heaviest challenge](./challenges/proof-of-work.mdx).

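When threshold bounds are edited by hand, an off-by-one can leave a weight that matches no threshold, or one that matches two. The following Python check is an added example, not part of Anubis or its documentation: it scans a weight range and reports every weight that is not matched by exactly one threshold. It assumes expressions use only the `weight <op> <integer>` form shown above; `matches`, `audit`, `PAGE_THRESHOLDS` and `BROKEN` are names made up for this illustration.

```python
import operator
import re

# Assumption: only the "weight <op> <integer>" form used on this page is
# handled; real CEL expressions can be far richer.
_CMP = re.compile(r"weight\s*(<=|>=|==|!=|<|>)\s*(-?\d+)")
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def matches(expression, weight):
    """True if a string expression, or every member of an `all:` list, holds."""
    parts = expression["all"] if isinstance(expression, dict) else [expression]
    results = []
    for part in parts:
        m = _CMP.fullmatch(part.strip())
        if m is None:
            raise ValueError(f"unsupported expression: {part!r}")
        results.append(_OPS[m.group(1)](weight, int(m.group(2))))
    return all(results)

def audit(thresholds, lo=-50, hi=50):
    """Map each weight in lo..hi that is not matched by exactly one threshold
    to the names that matched it (empty list = gap, several = overlap)."""
    problems = {}
    for weight in range(lo, hi + 1):
        hits = [t["name"] for t in thresholds if matches(t["expression"], weight)]
        if len(hits) != 1:
            problems[weight] = hits
    return problems

# The four thresholds from the example above, transcribed as Python data.
PAGE_THRESHOLDS = [
    {"name": "minimal-suspicion", "expression": "weight < 0"},
    {"name": "mild-suspicion", "expression": {"all": ["weight >= 0", "weight < 10"]}},
    {"name": "moderate-suspicion", "expression": {"all": ["weight >= 10", "weight < 20"]}},
    {"name": "extreme-suspicion", "expression": "weight >= 20"},
]

# Constructed broken variant: "weight > 10" leaves weight 10 unmatched and
# "weight <= 20" makes weight 20 match two thresholds.
BROKEN = PAGE_THRESHOLDS[:2] + [
    {"name": "moderate-suspicion", "expression": {"all": ["weight > 10", "weight <= 20"]}},
] + PAGE_THRESHOLDS[3:]

if __name__ == "__main__":
    print(audit(PAGE_THRESHOLDS))  # {}
    print(audit(BROKEN))
```
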
Thresholds can be configured with the following options:

<table>
  <thead>
    <tr>
      <th>Name</th>
      <th>Description</th>
      <th>Example</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>`name`</td>
      <td>The human-readable name for this threshold.</td>
      <td>

```yaml
name: extreme-suspicion
```

      </td>
    </tr>
    <tr>
      <td>`expression`</td>
      <td>A [CEL](https://cel.dev/) expression taking the request weight and returning true or false.</td>
      <td>

To check if the request weight is less than zero:

```yaml
expression: weight < 0
```

To check if it's at least 0 and less than 10:

```yaml
expression:
  all:
    - weight >= 0
    - weight < 10
```

      </td>
    </tr>
    <tr>
      <td>`action`</td>
      <td>The Anubis action to apply: `ALLOW`, `CHALLENGE`, or `DENY`</td>
      <td>

```yaml
action: ALLOW
```

If you set the CHALLENGE action, you must set challenge details:

```yaml
action: CHALLENGE
challenge:
  algorithm: metarefresh
  difficulty: 1
  report_as: 1
```

      </td>
    </tr>

  </tbody>
</table>