github TecharoHQ/anubis v1.24.0-pre1
v1.24.0-pre1: Y'shtola Rhul Prerelease 1

pre-release, 3 hours ago

Anubis is back and better than ever! Lots of minor fixes with some big ones interspersed.

  • Fix panic when validating challenges after privacy-mode browsers strip headers and the follow-up request matches an ALLOW threshold.
  • Expose WEIGHT rule matches as Prometheus metrics.
  • Allow more OCI registry clients based on feedback.
  • Expose services directory in the embedded (data) filesystem.
  • Add Ukrainian locale (#1044).
  • Allow Renovate as an OCI registry client.
  • Properly handle 4in6 addresses so that IP matching works with those addresses.
  • Add support for simple Valkey/Redis cluster mode.
  • Open Graph passthrough now reuses the configured target Host/SNI/TLS settings, so metadata fetches succeed when the upstream certificate differs from the public domain. (#1283)
  • Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.

Deprecate report_as in challenge configuration

Previously Anubis let you lie to users about the difficulty of a challenge to interfere with operators of malicious scrapers as a psychological attack:

bots:
  # Punish any bot with "bot" in the user-agent string
  # This is known to have a high false-positive rate, use at your own risk
  - name: generic-bot-catchall
    user_agent_regex: (?i:bot|crawler)
    action: CHALLENGE
    challenge:
      difficulty: 16 # impossible
      report_as: 4 # lie to the operator
      algorithm: slow # intentionally waste CPU cycles and time

This turned out to be a bad idea: it caused massive user experience problems, so the setting has been removed. If you are using this setting, you will get a warning in your logs like this:

{
  "time": "2025-11-25T23:10:31.092201549-05:00",
  "level": "WARN",
  "source": {
    "function": "github.com/TecharoHQ/anubis/lib/policy.ParseConfig",
    "file": "/home/xe/code/TecharoHQ/anubis/lib/policy/policy.go",
    "line": 201
  },
  "msg": "use of deprecated report_as setting detected, please remove this from your policy file when possible",
  "at": "config-validate",
  "name": "mild-suspicion"
}

To remove this warning, remove this setting from your policy file.

Logging customization

Anubis now supports the ability to log to multiple backends ("sinks"). This allows you to have Anubis log to a file instead of just logging to standard out. You can also customize the logging level in the policy file:

logging:
  level: "warn" # much less verbose logging
  sink: file # log to a file
  parameters:
    file: "./var/anubis.log"
    maxBackups: 3 # keep at least 3 old copies
    maxBytes: 67108864 # each file can have up to 64 Mi of logs
    maxAge: 7 # rotate files out every n days
    oldFileTimeFormat: 2006-01-02T15-04-05 # RFC 3339-ish
    compress: true # gzip-compress old log files
    useLocalTime: false # timezone for rotated files is UTC

Additionally, information about how Anubis uses each logging level has been added to the documentation.

DNS Features

  • CEL expressions for:
    • FCrDNS checks
    • Forward DNS queries
    • Reverse DNS queries
    • arpaReverseIP to transform IPv4/6 addresses into ARPA reverse IP notation.
    • regexSafe to escape regex special characters (useful for including remoteAddress or headers in regular expressions).
  • DNS cache and other optimizations to minimize unnecessary DNS queries.

The DNS cache TTL can be changed in the bots config like this:

dns_ttl:
  forward: 600
  reverse: 600

The default value for both forward and reverse queries is 300 seconds.

The verifyFCrDNS CEL function has two overloads:

  • (addr)
    Simply verifies that the remote side has PTR records pointing to the target address.
  • (addr, ptrPattern)
    Verifies that the remote side refers to a specific domain and that this domain points to the target IP.
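
The two overloads described above, sketched in Go as an added example (this is not Anubis's implementation). The Resolver type, the Go function name VerifyFCrDNS, the treatment of ptrPattern as a regular expression, and the hostnames and addresses in Sample are assumptions constructed for illustration; it also unmaps 4in6 addresses before comparing.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// Resolver is a hypothetical stand-in for DNS so the check runs offline.
type Resolver struct {
	PTR map[string][]string // IP -> PTR names
	Fwd map[string][]string // name -> A/AAAA addresses
}

// VerifyFCrDNS: does a PTR name of addr (matching ptrPattern) resolve back to addr?
func VerifyFCrDNS(r Resolver, addr, ptrPattern string) (bool, error) {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return false, err
	}
	ip = ip.Unmap()                       // 4in6 (::ffff:a.b.c.d) compares as plain IPv4
	re, err := regexp.Compile(ptrPattern) // an empty pattern matches every name
	if err != nil {
		return false, err
	}
	for _, name := range r.PTR[ip.String()] {
		name = strings.ToLower(strings.TrimSuffix(name, "."))
		if !re.MatchString(name) {
			continue // PTR name is outside the expected domain
		}
		for _, f := range r.Fwd[name] {
			if got, err := netip.ParseAddr(f); err == nil && got.Unmap() == ip {
				return true, nil // forward lookup confirms the PTR
			}
		}
	}
	return false, nil
}

// Sample is constructed data using documentation address ranges.
var Sample = Resolver{
	PTR: map[string][]string{"192.0.2.10": {"crawl-1.search.example."}, "198.51.100.7": {"crawl-9.search.example."}},
	Fwd: map[string][]string{"crawl-1.search.example": {"192.0.2.10"}, "crawl-9.search.example": {"192.0.2.99"}},
}

func main() {
	fmt.Println(VerifyFCrDNS(Sample, "::ffff:198.51.100.7", `\.search\.example$`))
}
```

The 198.51.100.7 entry has a PTR name inside the expected domain but fails the forward step, which is the case a PTR-only check would wrongly accept.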

What's Changed

  • feat: Add thai language. by @karorogunso in #900
  • Update is.json by @sveinki in #1241
  • fix(data/docker-client): allow some more OCI clients through by @Xe in #1258
  • fix(data): add services folder to embedded filesystem by @Xe in #1259
  • feat(localization): Add Ukrainian language translation by @nykula in #1044
  • build(deps): bump the github-actions group with 3 updates by @dependabot[bot] in #1262
  • Add Renovate to Docker clients by @DrJosh9000 in #1267
  • fix(docs): use node:lts by @Xe in #1274
  • fix(run): mark openrc service script as executable by @kouhaidev in #1272
  • test: ipv4 in v6 address checking by @SlyEcho in #1271
  • (feat) Add cluster support to redis/vaultkey store by @egimbernat in #1276
  • feat(lib): expose WEIGH matches as prometheus metrics by @Xe in #1277
  • Fix challenge validation panic when follow-up hits ALLOW by @JasonLovesDoggo in #1278
  • feat(internal/headers): extend debug logging of X-Forwarded-For middlewares by @DerRockWolf in #1269
  • test: Valkey test improvements for testcontainers by @SlyEcho in #1280
  • docs: use nginx http2 directive instead of deprecated http2 listen parameter by @kouhaidev in #1251
  • perf: field-align struct definitions to cut padding by @JasonLovesDoggo in #1284
  • fix(tests): make CVE-2025-24369 regression deterministic by @JasonLovesDoggo in #1285
  • build(deps): bump go deps by @JasonLovesDoggo in #1287
  • build(deps): bump github.com/testcontainers/testcontainers-go from 0.39.0 to 0.40.0 in the gomod group across 1 directory by @dependabot[bot] in #1288
  • test(deps): update dependencies to latest versions by @JasonLovesDoggo in #1289
  • build(deps-dev): bump esbuild from 0.25.12 to 0.27.0 in the npm group by @dependabot[bot] in #1260
  • fix(ogtags): respect target host/SNI/insecure flags in OG passthrough by @JasonLovesDoggo in #1283
  • docs: clarify usage of PUBLIC_URL and REDIRECT_DOMAINS in installatio… by @JasonLovesDoggo in #1286
  • feat(store/valkey): Add Redis(R) Sentinel support by @Xe in #1294
  • Pass the remote IP to the proxied application by @eXpl0it3r in #1298
  • ci: add go mod tidy check workflow by @Xe in #1300
  • feat: writing logs to the filesystem with rotation support by @Xe in #1299
  • chore: add dependabot cooldown by @Xe in #1302
  • add Polish language translation by @bplajzer in #1309
  • fix(config): deprecate the report_as field for challenges by @Xe in #1311
  • Implement FCrDNS and other DNS features by @btomaev in #1308
  • Show how to use subrequest auth with Caddy by @tbodt in #1312
  • build(deps): bump actions-hub/kubectl from 1.34.1 to 1.34.2 in the github-actions group by @dependabot[bot] in #1303
  • fix: pin Node.js and Go versions in CI configuration files by @JasonLovesDoggo in #1318
  • build(deps): bump the github-actions group with 3 updates by @dependabot[bot] in #1317
  • build(deps): bump the gomod group with 5 updates by @dependabot[bot] in #1316

Full Changelog: v1.23.1...v1.24.0-pre1