github TecharoHQ/anubis v1.21.0-pre1
v1.21.0-pre1: Minfilia Warde

Minfilia Warde

Please, be at ease. You are among friends here.

In this release, Anubis becomes internationalized, gains the ability to use system load as input to issuing challenges,

This release is brought to you by FreeCAD, an open-source computer aided design tool that lets you design things for the real world.

Big ticket changes

The biggest change is that the "invalid response" after "success" bug is now finally fixed for good by totally rewriting how Anubis' challenge issuance flow works. Instead of generating challenge strings from request metadata (under the assumption that the values being compared against are stable), Anubis now generates random data for each challenge. This data is stored in the active storage backend for up to 30 minutes. This also fixes #746 and other similar instances of this issue.

In order to reduce confusion, the "Success" interstitial that shows up when you pass a proof of work challenge has been removed.

Storage

Anubis can now store things persistently in memory, on the disk, or in Valkey (this includes other compatible software). By default Anubis uses the in-memory backend. If you have an environment with mutable storage (even if it is temporary), be sure to configure the bbolt storage backend.

Localization

Anubis now supports localized responses. Locales can be added in lib/localization/locales/. This release includes support for the following languages:

If facts or local regulations demand, you can set Anubis' default language with the FORCE_LANGUAGE environment variable:

FORCE_LANGUAGE=de

Load-based checks

Anubis can dynamically take action based on the system load average, allowing you to write rules like this:

## System load based checks.
# If the system is under high load for the last minute, add weight.
- name: high-load-average
  action: WEIGH
  expression: load_1m >= 10.0 # make sure to end the load comparison in a .0
  weight:
    adjust: 20

# If it is not for the last 15 minutes, remove weight.
- name: low-load-average
  action: WEIGH
  expression: load_15m <= 4.0 # make sure to end the load comparison in a .0
  weight:
    adjust: -10

Something to keep in mind about system load average is that it is not aware of the number of cores the system has. If you have a 16 core system that has 16 processes running but none of them is hogging the CPU, then you will get a load average below 16. If you are in doubt, make your "high load" metric at least two times the number of CPU cores and your "low load" metric at least half of the number of CPU cores. For example:

Kind       Core count  Load threshold
high load  4           8.0
low load   4           2.0
high load  16          32.0
low load   16          8

Also keep in mind that this does not account for other kinds of latency like I/O latency. A system can have its web applications unresponsive due to high latency from a MySQL server but still have that web application server report a load near or at zero.
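
The sizing guidance above, as an added Go example that is not part of the Anubis code base: it derives both thresholds from a core count, renders the expressions with the trailing decimal the rule comments call for, and evaluates constructed /proc/loadavg-style lines. The type and function names are hypothetical, and summing the adjustments when both rules match is an assumption.

```go
package main

import "fmt"

// Thresholds follows the sizing guidance above: high = 2 x cores, low = cores / 2.
type Thresholds struct{ High, Low float64 }

func ThresholdsForCores(cores int) Thresholds {
	return Thresholds{High: float64(2 * cores), Low: float64(cores) / 2}
}

// Expressions renders both rule expressions. %.1f always writes a decimal part
// (8 -> "8.0") and is exact here because the thresholds are multiples of 0.5.
func Expressions(t Thresholds) (high, low string) {
	return fmt.Sprintf("load_1m >= %.1f", t.High), fmt.Sprintf("load_15m <= %.1f", t.Low)
}

// WeightAdjust parses a /proc/loadavg-style line and returns the net adjustment
// of the two rules (+20 / -10). Assumption: matching WEIGH rules add up.
func WeightAdjust(loadavg string, t Thresholds) (int, error) {
	var l1, l5, l15 float64
	if _, err := fmt.Sscanf(loadavg, "%f %f %f", &l1, &l5, &l15); err != nil {
		return 0, fmt.Errorf("bad loadavg line %q: %w", loadavg, err)
	}
	adj := 0
	if l1 >= t.High {
		adj += 20 // high-load-average matched
	}
	if l15 <= t.Low {
		adj -= 10 // low-load-average matched
	}
	return adj, nil
}

func main() {
	t := ThresholdsForCores(16)
	high, low := Expressions(t)
	fmt.Println(high, "|", low)
	// Constructed samples: a short spike, sustained load, an idle host.
	for _, s := range []string{
		"35.10 12.40 6.20 3/512 4242",
		"40.00 38.00 33.50 9/512 4243",
		"0.30 0.25 0.20 1/512 4244",
	} {
		adj, err := WeightAdjust(s, t)
		fmt.Println(s, "->", adj, err)
	}
}
```

In the short-spike sample both rules match at once, because the 15-minute average has not caught up with the 1-minute average yet.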

Other features and fixes

There are a bunch of other assorted features and fixes too:

  • Add COOKIE_SECURE option to set the cookie Secure flag
  • Sets cookie defaults to use SameSite: None
  • Determine the BIND_NETWORK/--bind-network value from the bind address (#677).
  • Implement a development container manifest to make contributions easier.
  • Fix dynamic cookie domains functionality (#731)
  • Add option for custom cookie prefix (#732)
  • Make the Open Graph subsystem and DNSBL subsystem use storage backends instead of storing everything in memory by default.
  • Allow Common Crawl by default so scrapers have less incentive to scrape
  • The bbolt storage backend now runs its cleanup every hour instead of every five minutes.

Potentially breaking changes

The following potentially breaking change applies to native installs with systemd only:

Each instance of the systemd service template now has a unique RuntimeDirectory, as opposed to each instance of the service sharing a RuntimeDirectory. This change was made to avoid the RuntimeDirectory getting nuked any time one of the Anubis instances restarts.

If you configured Anubis' unix sockets to listen on /run/anubis/foo.sock for instance anubis@foo, you will need to configure Anubis to listen on /run/anubis/foo/foo.sock and additionally configure your HTTP load balancer as appropriate.

If you need the legacy behaviour, install this systemd unit drop-in:

# /etc/systemd/system/anubis@.service.d/50-runtimedir.conf
[Service]
RuntimeDirectory=anubis

Just keep in mind that this will cause problems when Anubis restarts.

What's Changed

  • feat: implement localization system by @lolgzs in #716
  • fix: determine bind network from bind address by @littlecxm in #714
  • Add Brazilian Portuguese translation by @rffontenelle in #726
  • fix: Dynamic cookie domain not working by @Earl0fPudding in #731
  • feat(cmd): Add custom cookie prefix by @Earl0fPudding in #732
  • build(deps): bump the github-actions group with 2 updates by @dependabot in #735
  • build(deps): bump the gomod group with 2 updates by @dependabot in #736
  • feat: dev container support by @Xe in #734
  • Fix translations in pt-BR.json by @rffontenelle in #729
  • Set cookies to have the Secure flag default to true by @victorvalenca in #739
  • fix(web/main): remove the success interstitial by @Xe in #745
  • feat(localization): Add option for forcing a language by @Earl0fPudding in #742
  • fix(run/anubis@.service): unique runtimedir per instance by @Xe in #750
  • feat(localization): Add German language translation by @Earl0fPudding in #741
  • docs: add BotStopper docs from the git repo by @Xe in #752
  • chore(default-config): allowlist common crawl by @Xe in #753
  • feat(localization): Add Turkish language translation by @dcelasun in #751
  • docs(known-instances): add ebird.org by @SGHFan in #755
  • feat(lib): use new challenge creation flow by @Xe in #749
  • chore(devcontainer): move playwright to its own devcontainer service by @Xe in #756
  • docs(known-instances): Add Duke University, coinhoards.org (and myself) to known instances by @lotharsm in #757
  • fix: make ogtags and dnsbl use the Store instead of memory by @Xe in #760
  • fix(lib/store/bbolt): use a multi-bucket flow instead of a single bucket flow by @Xe in #761
  • fix(lib/store/bbolt): run cleanup every hour instead of every 5 minutes by @Xe in #762
  • docs: remove proof of work branding by @Xe in #763
  • feat(localization): Update German language translation by @lotharsm in #764
  • docs(known-instances): update list of known instances by @lotharsm in #767
  • feat(localization): Add Traditional Chinese language translation by @xlionjuan in #759
  • feat(lib/policy/expressions): add system load average to bot expression inputs by @Xe in #766

New Contributors

Full Changelog: v1.20.0...v1.21.0-pre1
