TecharoHQ/anubis v1.23.0

v1.23.0: Lyse Hext

on GitHub

Sorry this took so long, work has been wiping me out. If you know of any companies that are hiring for someone of my skillset, please let me know.

• Add default tencent cloud DENY rule.
• Added (data)/meta/default-config.yaml for importing the entire default configuration at once.
• Add -custom-real-ip-header flag to get the original request IP from a different header than x-real-ip.
• Add contentLength variable to bot expressions.
• Add COOKIE_SAME_SITE_MODE to force anubis cookies SameSite value, and downgrade automatically from None to Lax if cookie is insecure.
• Fix lock convoy problem in decaymap (#1103).
• Fix lock convoy problem in bbolt by implementing the actor pattern (#1103).
• Remove bbolt actorify implementation due to causing production issues.
• Document missing environment variables in installation guide: SLOG_LEVEL, COOKIE_PREFIX, FORCED_LANGUAGE, and TARGET_DISABLE_KEEPALIVE (#1086).
• Add validation warning when persistent storage is used without setting signing keys.
• Fixed robots2policy to properly group consecutive user agents into any: instead of only processing the last one (#925).
• Make the fast algorithm prefer purejs when running in an insecure context.
• Add the s3api storage backend to allow Anubis to use S3 API compatible object storage as its storage backend.
• Fix a "stutter" in the cookie name prefix so the auth cookie is named techaro.lol-anubis-auth instead of techaro.lol-anubis-auth-auth.
• Make cmd/containerbuild support commas for separating elements of the --docker-tags argument as well as newlines.
• Add the DIFFICULTY_IN_JWT option, which allows one to add the difficulty field in the JWT claims which indicates the difficulty of the token (#1063).
• Ported the client-side JS to TypeScript to avoid egregious errors in the future.
• Fixes concurrency problems with very old browsers (#1082).
• Randomly use the Refresh header instead of the meta refresh tag in the metarefresh challenge.
• Update OpenRC service to truncate the runtime directory before starting Anubis.
• Make the git client profile more strictly match how the git client behaves.
• Make the default configuration reward users using normal browsers.
• Allow multiple consecutive slashes in a row in application paths (#754).
• Add option to set targetSNI to special keyword 'auto' to indicate that it should be automatically set to the request Host name (424).
• The Preact challenge has been removed from the default configuration. It will be deprecated in the future.
• An open redirect when in subrequest mode has been fixed.

Potentially breaking changes

Multiple checks at once has and-like semantics instead of or-like semantics

Anubis lets you stack multiple checks at once with blocks like this:

name: allow-prometheus
action: ALLOW
user_agent_regex: ^prometheus-probe$
remote_addresses:
  - 192.168.2.0/24

Previously, this only returned ALLOW if any one of the conditions matched. This behaviour has changed to only return ALLOW if all of the conditions match. I expect this to have some issues with user configs, however this fix is grave enough that it's worth the risk of breaking configs. If this bites you, please let me know so we can make an escape hatch.

Better error messages

In order to make it easier for legitimate clients to debug issues with their browser configuration and Anubis, Anubis will emit internal error detail in base 64 so that administrators can chase down issues. Future versions of this may also include a variant that encrypts the error detail messages.

Bug Fixes

Sometimes the enhanced temporal assurance in #1038 and #1068 could backfire because Chromium and its ilk randomize the amount of time they wait in order to avoid a timing side channel attack. This has been fixed by both increasing the amount of time a client has to wait for the metarefresh and preact challenges as well as making the server side logic more permissive.

What's Changed

• docs(installation): add SLOG_LEVEL environment variable to configuration by @JasonLovesDoggo in #1086
• docs: document some missing env vars by @JasonLovesDoggo in #1087
• build(deps): bump the github-actions group across 1 directory with 8 updates by @dependabot[bot] in #1071
• fix(robots2policy): handle multiple user agents under one block by @JasonLovesDoggo in #925
• feat(lib/store): add s3api storage backend by @Xe in #1089
• Xe/demote temporal assurance by @Xe in #1090
• feat: Warn on missing signing keys when persisting challenges by @JasonLovesDoggo in #1088
• docs: add reminder for verified signatures in PR template by @JasonLovesDoggo in #1092
• build(deps): bump the github-actions group with 4 updates by @dependabot[bot] in #1093
• security: npm audit fix for GHSA-hfm8-9jrf-7g9w et. al by @Xe in #1098
• fix(cmd/containerbuild): support commas in --docker-tags by @Xe in #1099
• feat(lib): Add option for adding difficulty field to JWT claims by @Earl0fPudding in #1063
• chore: port client-side JS to TypeScript by @Xe in #1100
• fix(decaymap): fix lock convoy by @Xe in #1106
• feat(store/bbolt): implement actor pattern by @Xe in #1107
• feat: allow to set cookie sameSite mode and fallback to Lax mode if cookie is not secure by @vaab in #1105
• docs: add link to preact in challenge list by @agoujot in #1111
• ci: add aarch64 for ssh CI by @Xe in #1112
• ci(ssh): don't print uname -av output by @Xe in #1114
• feat(expressions): add contentLength to bot expressions by @Xe in #1120
• fix(run/openrc): truncate runtime directory before starting Anubis by @CyberTailor in #1122
• build(deps): bump the npm group with 2 updates by @dependabot[bot] in #1117
• build(deps): bump the github-actions group with 3 updates by @dependabot[bot] in #1118
• Update nl.json removing literal translated cookie 'koekje' with 'cookie' by @jieter in #1126
• convert issue templates into issue forms by @NetSysFire in #1115
• build(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible in /test by @dependabot[bot] in #1130
• feat(metarefresh): randomly use the Refresh header by @Xe in #1133
• Add Door43 link to known instances documentation by @richmahn in #1136
• fix: mend auth cookie name stutter by @Xe in #1139
• Update Nynorsk translation by @turtlegarden in #1143
• feat: support reading real client IP from a custom header by @avioletheart in #1138
• enable auto setting of SNI based on host header by @jmcclelland in #1129
• fix(lib): enable multiple consecutive slash support by @Xe in #1155
• build(deps-dev): bump esbuild from 0.25.9 to 0.25.10 in the npm group by @dependabot[bot] in #1147
• build(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 by @dependabot[bot] in #1132
• build(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible by @dependabot[bot] in #1131
• fix(lib): serve CSS properly by @Xe in #1158
• fix(default-config): make the default config far less paranoid by @Xe in #1179
• fix(default-config): remove preact challenge by @Xe in #1184
• feat: default config macro by @Xe in #1186
• fix(lib): de-flake package lib tests by @Xe in #1187
• Updated REDIRECT_DOMAINS documentation by @zc-devs in #1171
• fix(default-config): sometimes browsers don't send Upgrade-Insecure-Requests by @Xe in #1189
• fix(algorithms/fast): fix fast challenge on insecure contexts by @Xe in #1198
• Xe/show error state by @Xe in #1203
• locale: Update Nynorsk translation by @turtlegarden in #1204
• docs: point get started button to the per-environment setup docs by @Xe in #1213
• fix(store/bbolt): remove actorify by @Xe in #1215
• feat(default-config): block tencent cloud by default by @Xe in #1216
• link to docs site from readme by @pushcx in #1214
• fix!(policy/checker): make List and-like by @Xe in #1217
• chore: remove copilot instructions by @Xe in #1218
• build(deps): bump the github-actions group across 1 directory with 6 updates by @dependabot[bot] in #1221
• fix(lib): close open redirect when in subrequest mode by @Xe in #1222

New Contributors

• @vaab made their first contribution in #1105
• @agoujot made their first contribution in #1111
• @NetSysFire made their first contribution in #1115
• @richmahn made their first contribution in #1136
• @avioletheart made their first contribution in #1138
• @jmcclelland made their first contribution in #1129
• @zc-devs made their first contribution in #1171
• @pushcx made their first contribution in #1214

Full Changelog: v1.22.0...v1.23.0