
Configuration


Configuration

You must change the default `secret` value. It keys the signatures on the script's cookies and challenge ("puzzle") values (the code comment calls it a "Signature secret key"), so anyone who knows the shipped default can forge those values and walk past the challenge. Set it to a long, unique, random string (for example the output of `openssl rand -hex 32`) and keep it out of version control.

The remaining settings can usually be left at their defaults; each one is listed below with what it does and what you can change to suit your own needs.

--[[
Secret used to key the signatures on this script's challenge ("puzzle") values and cookies,
unique to your sites and servers.
Every deployment MUST replace the shipped value: with the default (as listed on this page it is
" enigma", leading space included) anyone who has read this file can produce the same signatures,
so the challenge no longer proves anything. Use a long random string (e.g. `openssl rand -hex 32`),
keep it out of version control, and rotate it if it leaks (presumably that invalidates cookies
issued under the old value - verify).
NOTE(review): how the key is applied (HMAC, cipher, ...) is not visible on this page.
]]
local secret = ' enigma' --Signature secret key --CHANGE ME FROM DEFAULT!

--[[
Lifetime, in seconds, of a passed challenge: once a client has been authenticated it may browse
the site for this long before it sees the auth page again.
Security note: the cookie issued after the challenge is presumably what grants the free pass, so a
longer value means a longer window in which a copied/replayed cookie is accepted. The author
recommends nothing below 30 seconds; 0 would show the auth page on every single request (DO NOT use 0).
Reference values:
  one minute  60
  one hour    3600
  one day     86400
  one week    604800
  one month   2628000
  one year    31536000
  ten years   315360000
]]
local expire_time = 24 * 60 * 60 --one day (86400 seconds)

--[[
IP address whitelist.
Addresses listed here bypass all of this script's checks and reach the site directly.
Accepts IPv4 and IPv6 addresses as well as CIDR subnet ranges.
Listing search-engine crawlers is normally unnecessary: the major engines (Google, Yandex, Bing,
Baidu, ...) execute JavaScript and solve the challenge page themselves, which is also how services
such as Cloudflare, Sucuri or BitMitigate keep protected sites indexed.
ASN to IP-range lookup: https://www.enjen.net/asn-blocklist/index.php?asn=16509&type=iplist
Security notes:
  * A whitelisted address is trusted completely, so keep the list short and prefer exact
    addresses over broad ranges.
  * "auto" below resolves the client address somewhere outside this page. If that value is taken
    from a client-supplied header (X-Forwarded-For, X-Real-IP, ...) rather than the TCP peer
    address or a trusted proxy, the header can be forged to match an entry here - confirm how it
    is derived before relying on this list.
]]
local ip_whitelist_remote_addr = 'auto' --Automatically get the Clients IP address
local ip_whitelist = {
	--"127.0.0.1", --IPv4 loopback
	--"192.168.0.1", --example private (RFC 1918) LAN address, not localhost
}

IP Address Blacklist

Blocks any abusive IP addresses that should never be allowed to reach your website.

Supports IPv4 and IPv6 addresses as well as CIDR subnet ranges.

To find all IP ranges of an ASN use : https://www.enjen.net/asn-blocklist/index.php?asn=16276&type=iplist

For the ASNs with the most botnet activity, see:

https://www.spamhaus.org/statistics/botnet-asn/

https://www.abuseat.org/public/asninfections.html

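--[[
IP address blacklist.
Addresses listed here are refused outright; they never get to attempt the challenge.
Accepts IPv4 and IPv6 addresses as well as CIDR subnet ranges.
ASN to IP-range lookup: https://www.enjen.net/asn-blocklist/index.php?asn=16276&type=iplist
ASNs with the most botnet activity (their ranges can be added here):
  https://www.spamhaus.org/statistics/botnet-asn/
  https://www.abuseat.org/public/asninfections.html
Security / operational notes:
  * The shipped entries block two entire hosting providers (OVH AS16276 and Online S.A.S.
    AS12876). That also blocks every legitimate customer of theirs - possibly your own
    monitoring, CI, backups or partners if they are hosted there. Review before enabling
    in production.
  * ASN allocations change over time; a static list like this goes stale and needs refreshing.
  * Several entries are redundant (e.g. "91.90.88.0/24" lies inside "91.90.88.0/21",
    "51.15.0.0/17" inside "51.15.0.0/16", "51.158.128.0/17" inside "51.158.0.0/15").
    Harmless, but worth tidying.
  * As with the whitelist, "auto" resolves the client address outside this page; if that value
    comes from a client-supplied header the block is trivially evaded - confirm its source.
  * Fix relative to the page listing: the IPv6 entry "2604:2dc0::/32" had been wrapped across
    two lines, which leaves an unterminated string literal that Lua refuses to load.
]]
local ip_blacklist_remote_addr = "auto" --Automatically get the Clients IP address
local ip_blacklist = {
	--"127.0.0.1/30", --IPv4 loopback range
	--"192.168.0.1", --example private (RFC 1918) LAN address, not localhost
	--ASN AS16276 OVH IP ranges Block all OVH Servers
	"107.189.64.0/18","91.90.92.0/24","198.245.48.0/20","185.243.16.0/24","217.182.0.0/16","51.79.128.0/17","103.5.12.0/22","198.27.64.0/18",
	"46.105.200.0/24","51.79.0.0/17","2607:5300::/32","144.217.0.0/16","46.244.32.0/20","46.105.201.0/24","46.105.198.0/24","54.39.0.0/16",
	"46.105.203.0/24","51.81.128.0/17","46.105.0.0/16","51.178.0.0/16","167.114.128.0/18","91.90.88.0/24","8.7.244.0/24","139.99.128.0/17",
	"144.2.32.0/19","51.38.0.0/16","91.90.94.0/24","8.33.128.0/21","8.21.41.0/24","216.32.194.0/24","51.89.0.0/16","5.196.0.0/16",
	"195.110.30.0/23","51.195.0.0/16","2001:41d0::/32","91.90.93.0/24","8.29.224.0/24","167.114.192.0/19","8.24.8.0/21","91.90.90.0/24",
	"167.114.0.0/17","91.121.0.0/16","51.91.0.0/16","139.99.0.0/17","178.32.0.0/15","8.26.94.0/24","51.77.0.0/16","91.90.89.0/24",
	"185.228.97.0/24","151.80.0.0/16","213.251.128.0/18","149.56.0.0/16","37.59.0.0/16","213.186.32.0/19","2402:1f00::/32","193.70.0.0/17",
	"142.44.128.0/17","51.161.0.0/17","54.38.0.0/16","185.228.98.0/24","91.90.88.0/21","216.32.220.0/24","92.222.0.0/16","147.135.128.0/17",
	"142.4.192.0/19","5.135.0.0/16","192.95.0.0/18","46.105.202.0/24","185.12.32.0/23","145.239.0.0/16","213.32.0.0/17","37.187.0.0/16",
	"37.60.48.0/21","198.100.144.0/20","149.202.0.0/16","94.23.0.0/16","167.114.224.0/19","193.109.63.0/24","51.254.0.0/15","91.90.91.0/24",
	"216.32.213.0/24","216.32.218.0/24","8.33.96.0/21","5.39.0.0/17","185.228.96.0/24","164.132.0.0/16","158.69.0.0/16","46.105.199.0/24",
	"8.30.208.0/21","54.37.0.0/16","46.105.204.0/24","2402:1f00:8100::/40","87.98.128.0/17","51.68.0.0/16","37.60.56.0/21","8.20.110.0/24",
	"51.83.0.0/16","185.45.160.0/22","216.32.192.0/24","198.50.128.0/17","205.218.49.0/24","216.32.216.0/24","51.75.0.0/16","195.246.232.0/23",
	"91.90.95.0/24","51.81.0.0/17","2402:1f00:8000::/40","23.92.224.0/19","192.240.152.0/21","91.134.0.0/16","92.246.224.0/19","176.31.0.0/16",
	"79.137.0.0/17","193.104.19.0/24","137.74.0.0/16","192.99.0.0/16","198.27.92.0/24","147.135.0.0/17","8.33.136.0/24","2604:2dc0::/32",
	"8.33.137.0/24","188.165.0.0/16","66.70.128.0/17","8.18.172.0/24","185.228.99.0/24","54.36.0.0/16","8.18.128.0/24",
	--ASN AS12876 ONLINE S.A.S. IP ranges
	"62.4.0.0/19","151.115.0.0/18","51.15.0.0/17","163.172.208.0/20","212.129.0.0/18","2001:bc8::/32","212.83.160.0/19","212.47.224.0/19",
	"2001:bc8:1c00::/38","51.158.128.0/17","163.172.0.0/16","212.83.128.0/19","51.158.0.0/15","195.154.0.0/16","51.15.0.0/16","62.210.0.0/16",
}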

--[[
Policy for visitors arriving through Tor.
1 = allow
2 = block
How a request is identified as Tor traffic is not visible on this page (presumably an exit-node
address check, which is only as current as the address list behind it). Blocking Tor turns away
privacy-conscious legitimate visitors while an attacker simply uses other sources, so treat this
as a policy choice rather than a protection.
]]
local tor = 1 --1 = allow Tor users, 2 = block them

--[[
Master on/off switch for the whole script. It lets `access_by_lua_file anti_ddos_challenge.lua;`
stay in the nginx configuration permanently: protection is toggled here instead of by editing
nginx each time.
1 = enabled  (the anti-DDoS challenge runs on every site and path)
2 = disabled (nothing is shown anywhere)
3 = custom   (the challenge runs only on the hosts / URL paths listed in master_switch_custom_hosts)
Security note: in mode 3 every request not matched by that list is served without the challenge;
read the notes on master_switch_custom_hosts before using it.
]]
local master_switch = 1 --1 = enabled, 2 = disabled, 3 = custom

--[[
Per-host / per-path override list, consulted only when master_switch = 3.
Each entry is { action, pattern }. A request matching the pattern gets
  1 = run auth checks
  2 = bypass auth checks
and, in mode 3, everything that matches nothing is served unprotected. This is how one server
hosting several sites can protect only some of them: ".onion" challenges just the Tor hidden
services, "github.com" (or any full domain name) a specific site, and so on.
Security notes:
  * The author documents the patterns as regular expressions, and the dots are unescaped, so
    "github.com/.*" also matches hosts such as "github-com" or "githubxcom". Escape literal dots
    ("github\.com" in PCRE, "github%.com" in Lua patterns - which matcher is used is not shown
    here) and anchor the pattern when an exact host is intended.
  * The value being matched presumably comes from the request itself (Host header / ngx.var.host),
    which the client controls. In mode 3 a request whose Host matches no entry is served without
    the challenge if nginx routes it to a default server, so give the default server its own
    protection rather than relying on this list alone - confirm the source of the matched value.
]]
local master_switch_custom_hosts = {
	{ 1, "localhost/ddos.*" }, --run auth checks on this local test path
	{ 1, ".onion/.*" },        --run auth checks on Tor hidden services
	{ 1, "github.com/.*" },    --run auth checks on github
	--{ 1, "localhost" },      --run auth checks on localhost
	--{ 1, "127.0.0.1" },      --run auth checks on 127.0.0.1
	--{ 1, ".com" },           --run auth checks on every .com domain
}

--[[
Show or hide the script's credits.
1 = shown (default) - it would be nice to keep them and help the project grow
2 = hidden
Security note: if the credits are rendered on the challenge page they also tell a visitor exactly
which protection script is in use, which helps an attacker look for a known bypass; consider
hiding them on hardened deployments. (Where the credits are rendered is not shown on this page.)
]]
local credits = 1 --1 = shown, 2 = hidden

--[[
User-Agent blacklist.
Requests whose User-Agent matches an entry are refused. Each entry is { pattern, mode }:
  1 = plain match, case insensitive
  2 = plain match, case sensitive
  3 = regex, case sensitive
  4 = regex, lower-cased / case insensitive
Security notes:
  * The User-Agent is a free-form header chosen by the client; a deliberate attacker simply
    changes it. Treat this as a nuisance filter for lazy tooling, not as access control.
  * Broad substrings have collateral damage: "curl" and "python" also block your own health
    checks, webhooks and API clients that send their default UA. Exempt those via ip_whitelist
    rather than loosening this list.
  * "^$" is meant to refuse blank UAs. A request with no User-Agent header at all makes
    ngx.var.http_user_agent nil, and how nil is handled by the matcher is not visible here - verify.
  * Whether a plain-mode pattern must match the whole header or just a substring is likewise
    not shown on this page.
The shipped entries are examples of unwanted clients.
]]
local user_agent_blacklist_var = ngx.var.http_user_agent
local user_agent_blacklist_table = {
	{ "^$", 3 },         --blank / empty user-agent (regex, case sensitive)
	{ "Kodi", 1 },       --media-centre scraper
	{ "XBMC", 1 },       --media-centre scraper (old Kodi name)
	{ "curl", 1 },       --note: also blocks your own curl-based checks
	{ "winhttp", 1 },
	{ "HTTrack", 1 },    --site copier
	{ "libwww-perl", 1 },
	{ "python", 1 },     --note: also blocks python-requests/urllib clients
}

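--[[
User-Agent whitelist.
Requests whose User-Agent matches an entry are let through without the challenge.
Each entry is { pattern, mode }:
  1 = plain match, case insensitive
  2 = plain match, case sensitive
  3 = regex, case sensitive
  4 = regex, lower-cased / case insensitive
Security notes:
  * The User-Agent header is chosen by the client. Whitelisting "Googlebot" lets any client that
    sends that string bypass the whole anti-DDoS gate - which is exactly what scrapers and
    attack tools do. If crawlers must be exempted, verify them by source address instead (the
    major engines publish their crawler ranges and support reverse-DNS verification) and use
    ip_whitelist; keep this list empty unless UA spoofing is an acceptable bypass.
  * Whether a plain-mode entry must match the whole header or only a substring is not visible
    on this page.
The commented-out examples below (search-engine and social-network crawlers) were missing the
commas between entries, which would have been a syntax error once uncommented; they are now
valid Lua and can be enabled as-is.
]]
local user_agent_whitelist_var = ngx.var.http_user_agent
local user_agent_whitelist_table = {
--[[
	{ "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", 2 },
	{ "Mozilla/5.0 (compatible; Bingbot/2.0; +http://www.bing.com/bingbot.htm)", 2 },
	{ "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)", 2 },
	{ "DuckDuckBot/1.0; (+http://duckduckgo.com/duckduckbot.html)", 2 },
	{ "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)", 2 },
	{ "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)", 2 },
	{ "facebot", 2 },
	{ "facebookexternalhit/1.0 (+http://www.facebook.com/externalhit_uatext.php)", 2 },
	{ "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)", 2 },
	{ "ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)", 2 },
]]
}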

--[[
"Authorization Required" login box - restricted-access mode.
Instead of the JavaScript challenge, access is granted by a username and password (static from
authorization_logins, or dynamically generated) entered in the browser's native login prompt.
0 = disabled
1 = enabled, browser session (the prompt returns after the browser is restarted)
2 = enabled, cookie session (the prompt returns only after expire_time has passed)
Security notes:
  * A browser login prompt of this kind is normally HTTP Basic authentication, which sends the
    credentials with the request; only run it over HTTPS. (The exact scheme is not shown here.)
  * Mode 2 turns the login into a cookie that is honoured for expire_time; see that setting for
    the replay trade-off.
  * This gate complements, and does not replace, the application's own authentication.
]]
local authorization = 0 --0 = disabled, 1 = browser session, 2 = cookie session

--[[
Domains / file paths protected by the authorization box.
Each entry is { show, pattern, display }:
  show:    1 = show the auth box on matching path(s), 2 = do not show it on matching path(s)
  pattern: regex matched against the path; ".*" matches anything. Include the domain in it.
  display: 0 = do not display the login details, 1 = display them to the visitor
           (Tor sites do this to keep bots out while letting humans in - that is why it is a feature)
Security notes:
  * The dots in the patterns are unescaped, so ".com/admin.*" also matches e.g. "xcom/admin";
    escape literal dots and anchor the pattern when an exact host/path is intended (which regex
    engine is used is not shown on this page).
  * display = 1 makes the credentials public: the box then only slows bots down. Never use it on
    genuinely sensitive areas, and never reuse those credentials elsewhere.
  * Which entry wins when several match is not visible on this page; keep the list unambiguous.
]]
local authorization_paths = {
	{ 1, "localhost/ddos.*", 1 },        --show the box; display the login details (local test path)
	{ 1, ".onion/administrator.*", 0 },  --show the box; do NOT display the login details
	{ 1, ".com/admin.*", 0 },            --show the box; do NOT display the login details
	--{ 1, ".*", 1 },                    --show the box on every site and path, details displayed
}

--[[
Credential source for the authorization box.
0 = static: use the authorization_logins list below
1 = dynamic: generate a username and password
authorization_dynamic_length caps the length of the generated username and password.
Security note: five generated characters are only meaningful as a bot speed-bump when the
credentials are displayed to the visitor (the Tor-site use case); they are far too short to
resist guessing if the credentials are supposed to stay secret. The generator and its alphabet
are not shown on this page - check them before relying on dynamic mode for anything sensitive.
]]
local authorization_dynamic = 0 --0 = static list, 1 = generated
local authorization_dynamic_length = 5 --max length of the generated username and password

--[[
Texts shown in and alongside the authorization box.
These strings are sent to unauthenticated clients as part of the prompt, so keep them free of
anything you would not want a stranger to read. The trailing space in the first value is kept
exactly as shipped.
]]
local authorization_message = 'Restricted Area ' --text displayed with the login box
local authorization_username_message = 'Your username is :' --label shown before a displayed username
local authorization_password_message = 'Your password is :' --label shown before a displayed password

--[[
Static credential list, used when authorization_dynamic = 0. Each entry is { username, password }.
Security notes:
  * Replace the shipped defaults: "userid1"/"pass1" are on a public wiki page and are the first
    thing anyone will try.
  * The passwords are stored in plaintext in this configuration file. Restrict the file's
    permissions to the nginx user, keep it out of version control, and do not reuse these
    passwords anywhere else.
  * Whether to display the login details to visitors is decided per path by the third field of
    each authorization_paths entry (the original comment referred to an
    authorization_display_user_details setting, which does not exist on this page). Keep that
    field at 0 for sensitive areas, otherwise the credentials here are effectively public.
]]
local authorization_logins = {
	{ 'userid1', 'pass1' }, --{ username, password } --CHANGE ME
	{ 'userid2', 'pass2' }, --{ username, password } --CHANGE ME
}