Closed RuiSiang closed 4 years ago
Try changing this line
local remote_addr = ngx.var.remote_addr
To this.
local remote_addr = ngx.var.http_user_agent
I think every request with Tor browser will have a different IP, hence why you need to change that to something static that Tor browser will send to identify the individual connecting. User-Agent is a good thing to use.
I updated the script and made a wiki to help.
C0nw0nk, thanks. Yep, most Tor services connect from localhost to the web server. But the user agent method doesn't seem to work; I was sure that the user agent is the same, but it still does not work. It may be a problem with other parts of the script, I'm looking into it.
Does Tor browser run JavaScript, and does it allow cookies to be set?
Cookies are allowed to be set in Tor; you can think of it as a sandbox environment. The cookies are automatically deleted when you close the browser or when you click New Identity.
As for jsp, you have to activate it manually. It can be enforced such that the site won't load if jsp is not enabled.
I think the best way for a tor site to filter bots is to show a captcha (with lua) before the site loads, which is the current solution I am implementing on my service (I'm writing my own script now). I think your script is best used for clearweb applications.
Does Tor browser run JavaScript, and does it allow cookies to be set?
didn't you think yet? finish captcha?
I think it would be better to use a Lua script to purely force-load a captcha page before the index page using access_by_lua. Cookie, IP and user-agent filtering is completely of no use when using Tor (Tor browsers all register as the same Mozilla user agent, IPs are all localhost, and cookies are sometimes manually disabled by people).
@RuiSiang While captcha is a stronger defence for Tor users, it still requires JavaScript to function, the same as this script does; Cloudflare, BitMitigate, Sucuri etc. use JavaScript to authenticate users, so Tor users need JavaScript enabled. Mandatory.
They still have an IP; we just don't use it, we use their User-Agent because that is static.
Cookies are allowed on Tor browser (I have checked and tested). If a random Tor user disabled cookies in their settings, then the same as with Cloudflare, BitMitigate, Sucuri, they won't be able to access those sites lol..
I updated the script to fix a couple of bugs with the output Tor users might have seen, and because of sites using this script that pass their traffic through services like Cloudflare to Tor users, I fixed a bug where Tor browser would block cookies. https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/commit/113f1dacae67934b994efa16813dc456a426cebc
So the latest version of the script should fix a lot of these issues and should display their Tor browser's fake IP address correctly this time.
OK, thanks a lot. I'll try the script on my server in a bit. Been a bit busy.
Using user agents to ID end users seems to be a good idea; it should be good to use with sites that have fewer than fifty connected at most times. The method implemented by HttpGuard is better against high use rates: it uses hashed cookies with time limiting.
I have been working on a rather big update; I will be pushing it to the main repo soon. When I do I will close this issue, as it is to address Tor users' problems in an automated way and solve the dilemmas they would have. The previous updates I made solved the above problems, but this new feature I built in makes the script intelligent enough to be able to detect a Tor user, and I took it further, giving server admins using this the power to decide if they want to allow or block Tor users.
Happy to see that. A reply to a previous comment: it is possible to implement captcha without JavaScript if you run the Lua module in nginx. And as for the Tor user part, I think you're not grasping the point. The problem is not with Tor browser users, but the server of Tor hidden services, which is routed by torrc, and surfaces some very interesting effects on your script. I'm still sticking to my method (force users to captcha and hand out a unique key in a cookie that has an expiration), and have already succeeded (for safety reasons, I cannot disclose the name or location of the site). Just some suggestions and comments here. No offense.
Doesn't sound like u have much faith in your implementation if you can't give an example. lol.
On Wed, Feb 5, 2020, 03:08 Goodx1000 notifications@github.com wrote:
@RuiSiang
it is possible to implement captcha without JavaScript if you run the Lua module in nginx.
With this I would have to build in a method to read/grab HTTP responses or use a third party script, since that is how captcha works: it needs the server side to send a message to Google as a confirmation, something that is not easily done in a standalone environment like this, but with a third party Lua library, which then all users of this script would need installing on their servers as a mandatory requirement for it to function; not something I want to do or force upon them.
force users to captcha and hand out a unique key in a cookie that has an expiration
The script already creates a unique key and cookie that has an expiration. I don't see why you think it is so different from Google's captcha, which does the same thing, just using pictures and a manual way of comparing matching pictures to do the same thing.
@AndreiG6
It might be legal reasons, or just that he does not want people penetration testing his site.
Updated : https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/commit/3563ed21f031c9f41a033a29c0a3fed28ff4855d
Closing this issue as it is no longer relevant, since the prior issues have been resolved.
With this I would have to build in a method to read/grab HTTP responses or use a third party script, since that is how captcha works: it needs the server side to send a message to Google as a confirmation, something that is not easily done in a standalone environment like this, but with a third party Lua library, which then all users of this script would need installing on their servers as a mandatory requirement for it to function; not something I want to do or force upon them.
Actually, a PHP file using gd is sufficient to draw the captcha images. You can set the script to be run on the server at an hourly status, letting the captchas be 10k verification sets that renew every hour. At least, that is my implemented method; just thought that you should know.
And Google reCAPTCHA is disliked by most Tor site admins, since it may reveal and uncover both server and client side MAC addresses and IPs.
PHP is a no go. With projects like this you need to think of compatibility for everybody's sake. Not everyone can use PHP, and my experience with it is that running PHP upstreams in the backend of Nginx just means that if I did do such a thing it would be an exploit for those wanting to DDoS the backend PHP generator.
The script is highly secure and fine as it is; it really does not need such things added to it.
Every cookie generated is encrypted, every header is encrypted, meaning they have to guess, and because there is not one header or cookie but multiple, they don't know which one is which. Bots that crack things like this have something static to latch onto; I give them nothing due to the dynamic nature of the script.
If you take Cloudflare as an example, you can take other scripts, they make cookies and headers static... I don't know why; you can read the name and the values, making it simple for bots to identify what they need to gain access, hence why they get bypassed. With mine nothing is static by default. I give you the option in the config to make them static, but it is only for debugging purposes really; I wouldn't recommend you leave it at that in a production environment.
The other variables like IP address and User-Agent change for each client, meaning you can clone cookies from one computer to another, but that computer won't have the same IP, hence why they will see the authentication page.
Then after a certain period of time I force them to expire: 86400, 1 day basically, unless you change it in the script. They will see the auth page again. You can test by turning the script on and connecting to your site; once the script grants you access, change the expiry time to like 30 seconds or something, restart your nginx and connect to your site again, and you will see it will have expired your session and want to create a new session for you.
I also obfuscate JavaScript, something that nobody else does, to improve the security of it. I have a few TODO: items listed in my source code that I am going to improve a lot; I just have not done so yet since I have been ironing out these other bugs and things people would like.
Making this script work for Tor users was the main priority over the last week, since Tor services do receive the brunt/bulk of attacks and this is a great battlefield / testing ground to fire up my script to see what it can do for such sites.
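The two designs argued over in this thread (RuiSiang's time-limited cookie key versus C0nw0nk's cookie bound to IP address and User-Agent with a 86400-second expiry) can be modelled in a few lines. The following Python is an added example written for this thread; it is not code from Nginx-Lua-Anti-DDoS or HttpGuard, and the secret, the request dicts, the sample User-Agent string and every function name in it are constructed for illustration. It issues an HMAC-signed challenge cookie carrying a random nonce and an expiry, optionally binds it to the client's remote_addr, and then shows why that binding distinguishes clearnet visitors but collapses behind a Tor hidden service, where nginx sees every visitor as 127.0.0.1 with the same Tor Browser User-Agent, leaving cookie possession and expiry as the only working controls.

```python
"""Model of an expiring challenge cookie such as an nginx access_by_lua gate would check.

Added illustration for the discussion above; constants, request dicts and
helper names are constructed and are not the project's own code.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = b"example-secret-replace-in-deployment"  # constructed value
DEFAULT_TTL = 86400  # one day, the expiry discussed in the thread

# Tor Browser reports one identical User-Agent for every user; sample string, constructed.
TOR_UA = "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0"


def client_fingerprint(req, bind_to_ip):
    """Client attributes the cookie is tied to: User-Agent, plus remote_addr if requested."""
    parts = [req["user_agent"]]
    if bind_to_ip:
        parts.append(req["remote_addr"])
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def _sign(nonce, expires, fingerprint):
    msg = f"{nonce}:{expires}:{fingerprint}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(req, now, ttl=DEFAULT_TTL, bind_to_ip=True):
    """Mint a cookie value: random per-session nonce, absolute expiry, HMAC over both."""
    nonce = secrets.token_hex(16)
    expires = int(now) + ttl
    sig = _sign(nonce, expires, client_fingerprint(req, bind_to_ip))
    return f"{nonce}.{expires}.{sig}"


def verify_token(token, req, now, bind_to_ip=True):
    """Accept only an unexpired token whose signature matches this client's fingerprint."""
    try:
        nonce, expires_str, sig = token.split(".")
        expires = int(expires_str)
    except ValueError:
        return False  # malformed cookie
    if now >= expires:
        return False  # past the TTL: the visitor must pass the challenge again
    expected = _sign(nonce, expires, client_fingerprint(req, bind_to_ip))
    return hmac.compare_digest(sig, expected)  # constant-time comparison


def decide(req, now, bind_to_ip=True):
    """What the access phase would do: serve the page or the challenge/auth page."""
    token = req.get("cookie")
    if token and verify_token(token, req, now, bind_to_ip):
        return "allow"
    return "challenge"


def demo():
    """Walk through the scenarios debated in the thread; returns a dict of decisions."""
    t0 = 1_700_000_000
    clear_a = {"remote_addr": "203.0.113.5", "user_agent": TOR_UA}   # constructed clearnet IPs
    clear_b = {"remote_addr": "198.51.100.7", "user_agent": TOR_UA}
    onion_a = {"remote_addr": "127.0.0.1", "user_agent": TOR_UA}     # hidden service: local tor daemon
    onion_b = {"remote_addr": "127.0.0.1", "user_agent": TOR_UA}
    results = {}

    # Clearnet: IP binding stops a cookie cloned to another machine (the point made above).
    tok = issue_token(clear_a, t0)
    results["clearnet_same_client"] = decide(dict(clear_a, cookie=tok), t0 + 60)
    results["clearnet_cloned_cookie"] = decide(dict(clear_b, cookie=tok), t0 + 60)

    # Hidden service: every visitor is 127.0.0.1 with the same UA, so the binding adds nothing.
    tok = issue_token(onion_a, t0)
    results["onion_cloned_cookie"] = decide(dict(onion_b, cookie=tok), t0 + 60)

    # Expiry still works there; 30 seconds mirrors the manual test described in the thread.
    results["expired_after_ttl"] = decide(dict(onion_a, cookie=tok), t0 + DEFAULT_TTL)
    short = issue_token(onion_a, t0, ttl=30)
    results["short_ttl_before"] = decide(dict(onion_a, cookie=short), t0 + 29)
    results["short_ttl_after"] = decide(dict(onion_a, cookie=short), t0 + 30)

    # Editing the expiry field without the secret breaks the HMAC.
    nonce, exp, sig = tok.split(".")
    results["tampered_expiry"] = decide(dict(onion_a, cookie=f"{nonce}.{int(exp) + 3600}.{sig}"), t0 + 60)
    results["no_cookie"] = decide(onion_a, t0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

The `onion_cloned_cookie` result is the crux of the disagreement: behind a hidden service the only thing separating two visitors is the random nonce each one was handed after completing the challenge, so a design for that setting has to rest on the cookie's unpredictability and short TTL rather than on anything derived from the connection.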
Issue title
It is stuck in continuous loop of the five second countdown, then it auto-reloads and counts again
Issue Description
After setup on whonix-nginx server, I tested on a pc. I checked the access and error logs, all is normal. But the script is stuck in loop, please help. Thank you very much.
Versions:
Nginx config:
Settings:
Other optional information you want to add other than the above: