Tags

  • v1.25.0

    35b5e78a · chore: tag v1.25.0
    v1.25.0: Necron
    
    Hey all,
    
    I'm sure you've all been aware that things have been slowing down a little with Anubis development, and I want to apologize for that. A lot has been going on in my life lately (my blog will have a post out on Friday with more information), and as a result I haven't really had the energy to work on Anubis in publicly visible ways. There are things going on behind the scenes, but nothing is really shippable yet, sorry!
    
    I've also been feeling some burnout in the wake of perennial waves of anger directed towards me. I'm handling it, I'll be fine, I've just had a lot going on in my life and it's been rough.
    
    I've been missing the sense of wanderlust and discovery that comes with the artistic way I playfully develop software. I suspect that some of the stresses I've been through (setting up a complicated surgery in a country whose language you aren't fluent in is kind of an experience) have been sapping my energy. I'm gonna try to mess with things on my break, but realistically I'm probably just gonna be either watching Stargate SG-1 or doing unreasonable amounts of ocean fishing in Final Fantasy 14. Normally I'd love to keep the details about my medical state fairly private, but I'm more of a public figure now than I was this time last year so I don't really get the invisibility I'm used to for this.
    
    I've also had a fair amount of negativity directed at me for simply being much more visible than the anonymous threat actors running the scrapers that are ruining everything, which though understandable has not helped.
    
    Anyways, it all worked out and I'm about to be in the hospital for a week, so if things go really badly with this release please downgrade to the last version and/or upgrade to the main branch when the fix PR is inevitably merged. I hoped to have time to tame GPG and set up full release automation in the Anubis repo, but that didn't work out this time and that's okay.
    
    If I can challenge you all to do something, go out there and try to actually create something new somehow. Combine ideas you've never mixed before. Be creative, be human, make something purely for yourself to scratch an itch that you've always had yet never gotten around to actually mending.
    
    At the very least, try to be an example of how you want other people to act, even when you're in a situation where software written by someone else is configured to require a user agent to execute javascript to access a webpage.
    
    Be well,
    
    Xe
    
    PS: if you're well-versed in FFXIV lore, the release title should give you an idea of the kind of stuff I've been going through mentally.
    
  • v1.24.0

    6d9c0abe · chore: tag v1.24.0
    v1.24.0
    
  • v1.24.0-pre1

    9c54aa85 · chore: v1.24.0-pre1
    v1.24.0-pre1
    
  • v1.23.1

    b8365067 · chore: v1.23.1
    v1.23.1
    
  • v1.23.0

    62c1b801 · chore: tag v1.23.0
    v1.23.0
    
  • v1.23.0-pre2

    ab8b91fc · chore: v1.23.0-pre2
    v1.23.0-pre2
    
  • v1.23.0-pre1

    2fc37653 · chore: tag v1.23.0-pre1
    v1.23.0-pre1
    
  • v1.22.0

    5d5c39e1 · chore: v1.22.0
    v1.22.0
    
  • v1.22.0-pre2

    v1.22.0-pre2
    
    See CHANGELOG for changes.
    
  • v1.22.0-pre1

    v1.22.0-pre1
    
  • v1.21.3

    958992a6 · chore: release v1.21.3
    v1.21.3: Minfilia Warde - Echo 3
    
    Fixes GHSA-jhjj-2g64-px7c
    
    This could allow an attacker to craft an Anubis pass-challenge URL that forces
    a redirect to nonstandard URLs, such as the `javascript:` scheme which executes
    arbitrary JavaScript code in a browser context when the user clicks the "Try
    again" button.
    
    This has been fixed by disallowing any URLs without the scheme `http` or
    `https`.
    
    Additionally, the "Try again" button has been fixed to completely ignore the
    user-supplied redirect location. It now redirects to the home page (`/`).
    
  • v1.21.2

    5700512d · chore: release v1.21.2
    v1.21.2: Minfilia Warde - Echo 2
    
    -- Fixes a problem with nonstandard URLs and redirects --
    
    This could allow an attacker to craft an Anubis pass-challenge URL
    that forces a redirect to nonstandard URLs, such as the `javascript:`
    scheme which executes arbitrary JavaScript code in a browser context
    when the user clicks the "Try again" button.
    
    This has been fixed by disallowing any URLs without the scheme `http`
    or `https`.
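
The scheme check described in the v1.21.2 and v1.21.3 notes above, and the "Try again" button that ignores the user-supplied location, written out as an added Go example (not Anubis's own code). The `redir` query parameter name, the handler names and the sample inputs are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Added example (not Anubis's own code): the two fixes described in the v1.21.2
// and v1.21.3 notes, written out as a defender would implement them.

// safeRedirectTarget accepts a user-supplied post-challenge redirect only when it
// parses as an absolute URL with scheme http or https and a non-empty host.
// Anything else (javascript:, data:, scheme-relative "//host", "http:opaque",
// unparsable input) is rejected and the caller falls back to the site root.
func safeRedirectTarget(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "/", false
	}
	// url.Parse lowercases the scheme, so "JavaScript:" and "HTTPS://" are
	// normalised before this comparison.
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "/", false
	}
	return u.String(), true
}

// passChallengeHandler shows where the check sits: the "redir" query parameter
// name is an assumption for this example. A rejected value is not an error to
// surface to the client; the request simply lands on "/".
func passChallengeHandler(w http.ResponseWriter, r *http.Request) {
	target, _ := safeRedirectTarget(r.URL.Query().Get("redir"))
	http.Redirect(w, r, target, http.StatusSeeOther)
}

// tryAgainHandler is the v1.21.3 behaviour for the "Try again" button: the
// user-supplied redirect location is ignored entirely and the client always
// goes to the home page.
func tryAgainHandler(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "/", http.StatusSeeOther)
}

func main() {
	for _, in := range []string{ // constructed inputs
		"https://example.com/repo/pulls/1", // normal case: accepted
		"HTTPS://example.com/",             // scheme case is normalised: accepted
		"javascript:alert(1)",              // the scheme named in the advisory: rejected
		"//attacker.example/",              // scheme-relative: rejected
		"http:opaque",                      // scheme but no host: rejected
	} {
		target, ok := safeRedirectTarget(in)
		fmt.Printf("%-36q -> ok=%-5v %q\n", in, ok, target)
	}
}
```

The notes only restrict the scheme, so this does too; pinning the host to the deployment's own origin would be the natural next tightening.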
    
  • v1.21.1

    v1.21.1: Minfilia Warde - Echo 1
    
    - Expired records are now properly removed from bbolt databases
      ([#848](https://github.com/TecharoHQ/anubis/pull/848)).
    - Fix hanging on service restart
      ([#853](https://github.com/TecharoHQ/anubis/issues/853))
    
    -- Added --
    
    Anubis now supports the
    [`missingHeader`](./admin/configuration/expressions.mdx#missingHeader)
    function to assert the absence of headers in requests.
    
    --- New locales ---
    
    Anubis now supports these new languages:
    
    - [Czech](https://github.com/TecharoHQ/anubis/pull/849)
    - [Finnish](https://github.com/TecharoHQ/anubis/pull/863)
    - [Norwegian Bokmål](https://github.com/TecharoHQ/anubis/pull/855)
    - [Norwegian Nynorsk](https://github.com/TecharoHQ/anubis/pull/855)
    - [Russian](https://github.com/TecharoHQ/anubis/pull/882)
    
    -- Fixes --
    
    --- Fix ["error: can't get challenge"](https://github.com/TecharoHQ/anubis/issues/869)
        when details about a challenge can't be found in the server
        side state ---
    
    v1.21.0 changed the core challenge flow to maintain information about
    challenges on the server side instead of only doing them via stateless
    idempotent generation functions and relying on details to not change.
    There was a subtle bug introduced in this change: if a client has an
    unknown challenge ID set in its test cookie, Anubis will clear that
    cookie and then throw an HTTP 500 error.
    
    This has been fixed by making Anubis throw a new challenge page instead.
    
    --- Fix event loop thrashing when solving a proof of work challenge ---
    
    Previously the "fast" proof of work solver had a fragment of JavaScript
    that attempted to only post an update about proof of work progress to
    the main browser window every 1024 iterations. This fragment of
    JavaScript was subtly incorrect in a way that passed review but
    actually made the workers send an update back to the main thread every
    iteration. This caused a pileup of unhandled async calls (similar to a
    socket accept() backlog pileup in Unix) that caused stack space
    exhaustion.
    
    This has been fixed in the following ways:
    
    1. The complicated boolean logic has been totally removed in favour of
       a worker-local iteration counter.
    2. The progress bar is updated by worker `0` instead of all workers.
    
    Hopefully this should limit the event loop thrashing and let ia32
    browsers (as well as any environment with a smaller stack size than
    amd64 and aarch64 seem to have) function normally when processing
    Anubis proof of work challenges.
    
    --- Fix potential memory leak when discovering a solution ---
    
    In some cases, the parallel solution finder in Anubis could cause all of
    the worker promises to leak due to the fact the promises were being improperly
    terminated. This was fixed by having Anubis debounce worker termination
    instead of allowing it to potentially recurse infinitely.
    
  • v1.21.0

    v1.21.0: Minfilia Warde
    
    See https://anubis.techaro.lol/docs/CHANGELOG#v1210-minfilia-warde for
    more information.
    
  • v1.21.0-pre3

    v1.21.0-pre3: Minfilia Warde
    
    Please report any issues with this prerelease so the full release can be
    the best it can possibly be.
    
    Now with fixed RPM signatures.
    
  • v1.21.0-pre2

    v1.21.0-pre2: Minfilia Warde
    
    Please report any issues with this prerelease so the full release can be
    the best it can possibly be.
    
  • v1.21.0-pre1

    v1.21.0-pre1: Minfilia Warde
    
    Please report any issues with this prerelease so the full release can be
    the best it can possibly be.
    
  • v1.20.0

    c2423d06 · chore: release v1.20.0
    v1.20.0: Thancred Waters
    
    The big ticket items are as follows:
    
    - Implement a no-JS challenge method: [`metarefresh`](./admin/configuration/challenges/metarefresh.mdx) ([#95](https://github.com/TecharoHQ/anubis/issues/95))
    - Implement request "weight", allowing administrators to customize the behaviour of Anubis based on specific criteria
    - Implement GeoIP and ASN based checks via [Thoth](https://anubis.techaro.lol/docs/admin/thoth) ([#206](https://github.com/TecharoHQ/anubis/issues/206))
    - Add [custom weight thresholds](./admin/configuration/thresholds.mdx) via CEL ([#688](https://github.com/TecharoHQ/anubis/pull/688))
    - Move Open Graph configuration [to the policy file](./admin/configuration/open-graph.mdx)
    - Enable support for Open Graph metadata to be returned by default instead of doing lookups against the target
    - Add `robots2policy` CLI utility to convert robots.txt files to Anubis challenge policies using CEL expressions ([#409](https://github.com/TecharoHQ/anubis/issues/409))
    - Refactor challenge presentation logic to use a challenge registry
    - Allow challenge implementations to register HTTP routes
    - [Imprint/Impressum support](./admin/configuration/impressum.mdx) ([#362](https://github.com/TecharoHQ/anubis/issues/362))
    - Fix "invalid response" after "Success!" in Chromium ([#564](https://github.com/TecharoHQ/anubis/issues/564))
    
    A lot of performance improvements have been made:
    
    - Replace internal SHA256 hashing with xxhash for 4-6x performance improvement in policy evaluation and cache operations
    - Optimized the OGTags subsystem with reduced allocations and runtime per request by up to 66%
    - Replace cidranger with bart for IP range checking, improving IP matching performance by 3-20x with zero heap
      allocations
    
    And some cleanups/refactors were added:
    
    - Fix OpenGraph passthrough ([#717](https://github.com/TecharoHQ/anubis/issues/717))
    - Remove the unused `/test-error` endpoint and update the testing endpoint `/make-challenge` to only be enabled in
      development
    - Add `--xff-strip-private` flag/envvar to toggle skipping X-Forwarded-For private addresses or not
    - Bump AI-robots.txt to version 1.37
    - Make progress bar styling more compatible (UXP, etc)
    - Add `--strip-base-prefix` flag/envvar to strip the base prefix from request paths when forwarding to target servers
    - Fix an off-by-one in the default threshold config
    - Add functionality for HS512 JWT algorithm
    - Add support for dynamic cookie domains with the `--cookie-dynamic-domain`/`COOKIE_DYNAMIC_DOMAIN` flag/envvar
    
    Request weight is one of the biggest ticket features in Anubis. This enables Anubis to be much closer to a Web Application Firewall and when combined with custom thresholds allows administrators to have Anubis take advanced reactions. For more information about request weight, see [the request weight section](./admin/policies.mdx#request-weight) of the policy file documentation.
    
    TL;DR when you have one or more WEIGHT rules like this:
    
    ```yaml
    bots:
      - name: gitea-session-token
        action: WEIGH
        expression:
          all:
            - '"Cookie" in headers'
            - headers["Cookie"].contains("i_love_gitea=")
        # Remove 5 weight points
        weight:
          adjust: -5
    ```
    
    You can configure custom thresholds like this:
    
    ```yaml
    thresholds:
      - name: minimal-suspicion # This client is likely fine, its soul is lighter than a feather
        expression: weight < 0 # a feather weighs zero units
        action: ALLOW # Allow the traffic through
    
      # For clients that had some weight reduced through custom rules, give them a
      # lightweight challenge.
      - name: mild-suspicion
        expression:
          all:
            - weight >= 0
            - weight < 10
        action: CHALLENGE
        challenge:
          # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
          algorithm: metarefresh
          difficulty: 1
          report_as: 1
    
      # For clients that are browser-like but have either gained points from custom
      # rules or report as a standard browser.
      - name: moderate-suspicion
        expression:
          all:
            - weight >= 10
            - weight < 20
        action: CHALLENGE
        challenge:
          # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
          algorithm: fast
          difficulty: 2 # two leading zeros, very fast for most clients
          report_as: 2
    
      # For clients that are browser like and have gained many points from custom
      # rules
      - name: extreme-suspicion
        expression: weight >= 20
        action: CHALLENGE
        challenge:
          # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
          algorithm: fast
          difficulty: 4
          report_as: 4
    ```
    
    These thresholds apply when no other `ALLOW`, `DENY`, or `CHALLENGE` rule matches the request. `WEIGHT` rules add and remove request weight as needed:
    
    ```yaml
    bots:
      - name: gitea-session-token
        action: WEIGH
        expression:
          all:
            - '"Cookie" in headers'
            - headers["Cookie"].contains("i_love_gitea=")
        # Remove 5 weight points
        weight:
          adjust: -5
    
      - name: bot-like-user-agent
        action: WEIGH
        expression: '"Bot" in userAgent'
        # Add 5 weight points
        weight:
          adjust: 5
    ```
    
    Of note: the default "generic browser" rule assigns 10 weight points:
    
    ```yaml
    # Generic catchall rule
    - name: generic-browser
      user_agent_regex: >-
        Mozilla|Opera
      action: WEIGH
      weight:
        adjust: 10
    ```
    
    Adjust this as you see fit.
    
  • v1.20.0-pre2

    v1.20.0-pre2: Thancred Waters prerelease 2
    
    * Makefile: Build robots2policy by @heftig in https://github.com/TecharoHQ/anubis/pull/699
    * fix(default-config): off-by-one error in the default thresholds by @Xe in https://github.com/TecharoHQ/anubis/pull/701
    * feat: implement imprint/impressum support by @Xe in https://github.com/TecharoHQ/anubis/pull/706
    * fix(web/js): broken progress bar with slow algo by @yut23 in https://github.com/TecharoHQ/anubis/pull/673
    * build(deps): bump the github-actions group with 3 updates by @dependabot in https://github.com/TecharoHQ/anubis/pull/708
    * fix(lib): fix invalid response after success in Chrome by @Xe in https://github.com/TecharoHQ/anubis/pull/711
    
  • v1.20.0-pre1

    v1.20.0-pre1: Thancred Waters
    
    Anubis gains its biggest feature in this version: the weight system.
    
    The big ticket items are as follows:
    
    - Implement a no-JS challenge method:
      [`metarefresh`](./admin/configuration/challenges/metarefresh.mdx)
      ([#95](https://github.com/TecharoHQ/anubis/issues/95))
    - Implement request "weight", allowing administrators to customize the
      behaviour of Anubis based on specific criteria
    - Implement GeoIP and ASN based checks via
      [Thoth](https://anubis.techaro.lol/docs/admin/thoth)
      ([#206](https://github.com/TecharoHQ/anubis/issues/206))
    - Add
      [custom weight thresholds](./admin/configuration/thresholds.mdx) via CEL
      ([#688](https://github.com/TecharoHQ/anubis/pull/688))
    - Move Open Graph configuration
      [to the policy file](./admin/configuration/open-graph.mdx)
    - Enable support for Open Graph metadata to be returned by default
      instead of doing lookups against the target
    - Add `robots2policy` CLI utility to convert robots.txt files to Anubis
      challenge policies using CEL expressions
      ([#409](https://github.com/TecharoHQ/anubis/issues/409))
    - Refactor challenge presentation logic to use a challenge registry
    - Allow challenge implementations to register HTTP routes
    
    A lot of performance improvements have been made:
    
    - Replace internal SHA256 hashing with xxhash for 4-6x performance improvement
      in policy evaluation and cache operations
    - Optimized the OGTags subsystem with reduced allocations and runtime per
      request by up to 66%
    - Replace cidranger with bart for IP range checking, improving IP matching
      performance by 3-20x with zero heap allocations
    
    And some cleanups/refactors were added:
    
    - Remove the unused `/test-error` endpoint and update the testing endpoint
      `/make-challenge` to only be enabled in development
    - Add `--xff-strip-private` flag/envvar to toggle skipping X-Forwarded-For
      private addresses or not
    - Bump AI-robots.txt to version 1.37
    - Make progress bar styling more compatible (UXP, etc)
    - Add `--strip-base-prefix` flag/envvar to strip the base prefix from request
      paths when forwarding to target servers
    
    Request weight is one of the biggest ticket features in Anubis. This enables
    Anubis to be much closer to a Web Application Firewall and when combined with
    custom thresholds allows administrators to have Anubis take advanced reactions.
    For more information about request weight, see
    [the request weight section](./admin/policies.mdx#request-weight)
    of the policy file documentation.
    
    TL;DR when you have one or more WEIGHT rules like this:
    
    ```yaml
    bots:
      - name: gitea-session-token
        action: WEIGH
        expression:
          all:
            - '"Cookie" in headers'
            - headers["Cookie"].contains("i_love_gitea=")
        # Remove 5 weight points
        weight:
          adjust: -5
    ```
    
    You can configure custom thresholds like this:
    
    ```yaml
    thresholds:
      - name: minimal-suspicion # This client is likely fine, its soul is lighter than a feather
        expression: weight < 0 # a feather weighs zero units
        action: ALLOW # Allow the traffic through
    
      # For clients that had some weight reduced through custom rules, give them a
      # lightweight challenge.
      - name: mild-suspicion
        expression:
          all:
            - weight >= 0
            - weight < 10
        action: CHALLENGE
        challenge:
          # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
          algorithm: metarefresh
          difficulty: 1
          report_as: 1
    
      # For clients that are browser-like but have either gained points from custom
      # rules or report as a standard browser.
      - name: moderate-suspicion
        expression:
          all:
            - weight >= 10
            - weight < 20
        action: CHALLENGE
        challenge:
          # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
          algorithm: fast
          difficulty: 2 # two leading zeros, very fast for most clients
          report_as: 2
    
      # For clients that are browser like and have gained many points from custom
      # rules
      - name: extreme-suspicion
        expression: weight >= 20
        action: CHALLENGE
        challenge:
          # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
          algorithm: fast
          difficulty: 4
          report_as: 4
    ```
    
    These thresholds apply when no other `ALLOW`, `DENY`, or `CHALLENGE` rule
    matches the request. `WEIGHT` rules add and remove request weight as needed:
    
    ```yaml
    bots:
      - name: gitea-session-token
        action: WEIGH
        expression:
          all:
            - '"Cookie" in headers'
            - headers["Cookie"].contains("i_love_gitea=")
        # Remove 5 weight points
        weight:
          adjust: -5
    
      - name: bot-like-user-agent
        action: WEIGH
        expression: '"Bot" in userAgent'
        # Add 5 weight points
        weight:
          adjust: 5
    ```
    
    Of note: the default "generic browser" rule assigns 10 weight points:
    
    ```yaml
    - name: generic-browser
      user_agent_regex: >-
        Mozilla|Opera
      action: WEIGH
      weight:
        adjust: 10
    ```
    
    Adjust this as you see fit.
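
A model of the weight-then-threshold flow described in the v1.20.0 and v1.20.0-pre1 notes, as an added Go example that is not Anubis's own code: the rule and threshold names and numbers come from the YAML quoted above, while the Go predicates standing in for the CEL expressions, the evaluation order, and the `allow-healthcheck` rule are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example (not Anubis's own code): a minimal model of the request-weight flow the
// v1.20.0 notes describe. Go predicates stand in for CEL; evaluation order is an assumption.
type Request struct{ UserAgent, Cookie, Path string }
type Rule struct {
	Name, Action string // ALLOW, DENY, CHALLENGE or WEIGH
	Match        func(Request) bool
	Adjust       int // weight change, WEIGH rules only
}
type Threshold struct {
	Name, Action, Algorithm string
	Difficulty              int
	Match                   func(weight int) bool
}
type Decision struct {
	Action, Algorithm, Via string // Via names the rule or threshold that decided
	Difficulty, Weight     int
}

// Evaluate: the first matching ALLOW/DENY/CHALLENGE rule decides outright; WEIGH matches only adjust the running weight; thresholds apply only when no terminal rule matched.
func Evaluate(rules []Rule, thresholds []Threshold, req Request) Decision {
	weight := 0
	for _, r := range rules {
		switch {
		case !r.Match(req):
		case r.Action == "WEIGH":
			weight += r.Adjust
		default:
			return Decision{Action: r.Action, Weight: weight, Via: r.Name}
		}
	}
	for _, t := range thresholds {
		if t.Match(weight) {
			return Decision{Action: t.Action, Algorithm: t.Algorithm, Difficulty: t.Difficulty, Weight: weight, Via: t.Name}
		}
	}
	return Decision{Action: "DENY", Weight: weight, Via: "no-threshold"} // defensive; the page's thresholds cover every weight
}

// PageRules are the three WEIGH rules quoted in the notes, preceded by a constructed terminal
// ALLOW rule (not from the page) that shows the thresholds being bypassed.
var PageRules = []Rule{
	{Name: "allow-healthcheck", Action: "ALLOW", Match: func(r Request) bool { return r.Path == "/healthz" }},
	{Name: "generic-browser", Action: "WEIGH", Adjust: 10, Match: func(r Request) bool { return strings.Contains(r.UserAgent, "Mozilla") || strings.Contains(r.UserAgent, "Opera") }},
	{Name: "gitea-session-token", Action: "WEIGH", Adjust: -5, Match: func(r Request) bool { return strings.Contains(r.Cookie, "i_love_gitea=") }},
	{Name: "bot-like-user-agent", Action: "WEIGH", Adjust: 5, Match: func(r Request) bool { return strings.Contains(r.UserAgent, "Bot") }},
}

var PageThresholds = []Threshold{
	{Name: "minimal-suspicion", Action: "ALLOW", Match: func(w int) bool { return w < 0 }},
	{Name: "mild-suspicion", Action: "CHALLENGE", Algorithm: "metarefresh", Difficulty: 1, Match: func(w int) bool { return w >= 0 && w < 10 }},
	{Name: "moderate-suspicion", Action: "CHALLENGE", Algorithm: "fast", Difficulty: 2, Match: func(w int) bool { return w >= 10 && w < 20 }},
	{Name: "extreme-suspicion", Action: "CHALLENGE", Algorithm: "fast", Difficulty: 4, Match: func(w int) bool { return w >= 20 }},
}

func main() { // constructed sample: a Firefox UA carrying the Gitea cookie lands at 10 - 5 = 5
	d := Evaluate(PageRules, PageThresholds, Request{UserAgent: "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0", Cookie: "i_love_gitea=s3ssion"})
	fmt.Printf("weight=%d -> %s %s/%d via %s\n", d.Weight, d.Action, d.Algorithm, d.Difficulty, d.Via)
}
```

With only the page's three WEIGH rules the highest reachable weight is 15 (browser-like UA that also contains "Bot"), so the `extreme-suspicion` tier is only reached once further positive-weight rules are added.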