├── debian
│   ├── rules
│   ├── install
│   ├── copyright
│   ├── postinst
│   ├── control
│   └── changelog
├── .github
│   ├── ISSUE_TEMPLATE.md
│   ├── FUNDING.yml
│   ├── scripts
│   │   ├── prepare-rhel.sh
│   │   └── generate-changelog.sh
│   └── workflows
│       └── build-publish.yml
├── LICENSE
├── CHANGELOG
├── README.md
└── rpm
    └── anti_ddos_challenge.spec

/debian/rules:
--------------------------------------------------------------------------------
#!/usr/bin/make -f

%:
	dh $@

--------------------------------------------------------------------------------
/debian/install:
--------------------------------------------------------------------------------
lua/anti_ddos_challenge.lua etc/nginx
LICENSE usr/share/doc/nginx-lua-anti-ddos-challenge
README.md usr/share/doc/nginx-lua-anti-ddos-challenge

--------------------------------------------------------------------------------
/debian/copyright:
--------------------------------------------------------------------------------
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: nginx-lua-anti-ddos-challenge
Source: https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS

Files: *
Copyright: C0nw0nk
License: MIT

License: MIT
 Please see /usr/share/doc/nginx-lua-anti-ddos-challenge/LICENSE

--------------------------------------------------------------------------------
/debian/postinst:
--------------------------------------------------------------------------------
#!/bin/sh
set -e

# dpkg leaves a .dpkg-dist copy when the admin has modified the conffile and kept their version
if [ -f /etc/nginx/anti_ddos_challenge.lua.dpkg-dist ]; then
    echo "Warning: /etc/nginx/anti_ddos_challenge.lua already exists and differs from the packaged version."
    echo "A new version has been installed as /etc/nginx/anti_ddos_challenge.lua.dpkg-dist"
    echo "Please review and merge changes if appropriate."
fi

exit 0

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
---
name: unknown issue template
about: Issue unknown
title: ''
labels: ''
assignees: ''

---

### Issue title

### Issue Description

### Versions:

- Browser(s):
- Nginx version:
- Operating system of web server running Nginx:

### Nginx config:
```
paste your nginx config here
```

### Screenshot(s):

[Screenshot(s) for difficult-to-describe visual issues are **mandatory**. Post links instead of **Inline Images** for Screenshots containing **Adult material**.]

### Settings:

- [List here all the changes you made to the default settings]

### Other optional information you want to add other than the above:

--------------------------------------------------------------------------------
/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: [C0nw0nk] # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
patreon: # Replace with a single Patreon username
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
custom: ['https://paypal.me/wimbledonfc','https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=ZH9PFY62YSD7U&source=url','https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/wiki/funding']

--------------------------------------------------------------------------------
/.github/scripts/prepare-rhel.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -euo pipefail

# Colors
CGREEN='\033[0;32m'
CRED='\033[0;31m'
CEND='\033[0m'

echo -ne 'Preparing [..]\r'

if {
    dnf update -qy
    dnf install -qy epel-release
    /usr/bin/crb enable
    dnf update -qy
    dnf groupinstall -qy 'Development Tools'
    dnf install -qy rpmautospec rpmdevtools
} >> /tmp/dependencies.log 2>&1; then
    # Set up rpmbuild tree and move sources
    rpmdev-setuptree
    mv rpm/anti_ddos_challenge.spec ~/rpmbuild/SPECS/
    cp LICENSE README.md lua/anti_ddos_challenge.lua ~/rpmbuild/SOURCES/
    echo -ne "Preparing done [${CGREEN}OK${CEND}]\n"
else
    echo -e "Prepare failed [${CRED}FAIL${CEND}]"
    echo "Please see /tmp/dependencies.log"
    cat /tmp/dependencies.log
    exit 1
fi

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Conor McKnight

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/debian/control:
--------------------------------------------------------------------------------
Source: nginx-lua-anti-ddos-challenge
Section: web
Priority: optional
Maintainer: C0nw0nk <C0nw0nk@github>
Build-Depends: debhelper-compat (= 13)
Standards-Version: 4.5.0
Homepage: https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS

Package: nginx-lua-anti-ddos-challenge
Architecture: all
# The Lua runtime is deliberately not declared as a hard dependency, for compatibility with differing Nginx/Lua builds
#Depends: lua, luajit2, lua-socket, lua-resty-core (>= 0.1.28), ${misc:Depends}
Depends: ${misc:Depends}
Description: Nginx Lua Anti-DDoS script
 This package provides anti_ddos_challenge.lua, a Lua script designed to
 protect Nginx web servers from DDoS attacks by implementing an authentication
 puzzle mechanism.
 .
 Dependencies and Requirements:
  - Nginx must be compiled with the Lua module enabled.
  - The Lua environment should include:
    - lua
    - luajit2
    - lua-socket
    - lua-resty-core (version 0.1.28 or higher)
 .
 These dependencies are critical as the script relies on them for proper
 functionality within the Nginx Lua module context.
 .
 Make sure to install and configure these prerequisites before deploying
 this script to ensure its effectiveness and compatibility.
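The CHANGELOG file in this repository uses a plain `Version:` / `Date:` / `- entry` block layout, and `.github/scripts/generate-changelog.sh` turns the block for the current script version into an RPM `%changelog` stanza and a `debian/changelog` stanza with awk and sed. The Python below is an added example, not part of the repository: it re-implements that selection and rendering so the format handling (missing version, entries without a leading dash, date reformatting) can be checked offline. The sample changelog text is constructed; the package name and maintainer string are the ones the script itself builds.

```python
"""Parser and renderers for the repository's CHANGELOG block format.

Added example (not project code). Mirrors the awk/sed steps of
.github/scripts/generate-changelog.sh: pick one version's block, separate the
Date line from the entries, emit RPM and Debian changelog stanzas.
"""
import datetime
import re

PACKAGE_NAME = "nginx-lua-anti-ddos-challenge"
MAINTAINER = "C0nw0nk <C0nw0nk@github>"   # same string generate-changelog.sh builds

# Constructed sample in the CHANGELOG layout (not the real file's contents).
SAMPLE_CHANGELOG = """\
Version: 2.8
Date: 2025-11-03
- Added script overrides from nginx.conf
- Example: nginx.conf inside the http block

Version: 2.7
Date: 2025-10-24
- Performance improvement and fixes for Tor checks
Added support to detect the operating system

Version: 2.6
Date: 2025-10-08
- Auto whitelist the server's own IP address
"""


def parse_changelog(text):
    """Return {version: {"date": str|None, "entries": [lines]}} in file order."""
    blocks = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^Version:\s+(\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), {"date": None, "entries": []})
            continue
        if current is None:
            continue  # text before the first Version: header is ignored, as the awk filter does
        m = re.match(r"^Date:\s+(\S+)", line)
        if m:
            current["date"] = m.group(1)
        elif line.strip():
            current["entries"].append(line)  # blank separator lines are dropped
    return blocks


def block_for_version(text, version):
    """The block for `version`, or None when the CHANGELOG has no such header."""
    return parse_changelog(text).get(version)


def normalise_entries(entries):
    """Mirror sed '/^-/!s/^/- /': prefix '- ' on lines that lack a dash."""
    return [e if e.startswith("-") else "- " + e for e in entries]


def _require_block(text, version):
    block = block_for_version(text, version)
    if block is None or block["date"] is None:
        raise ValueError(f"version {version} not found in CHANGELOG or has no Date line")
    return block


def rpm_changelog_entry(text, version):
    """'* Mon Nov 03 2025 maintainer - 2.8-1' header followed by dashed entries."""
    block = _require_block(text, version)
    date = datetime.date.fromisoformat(block["date"])
    header = f"* {date.strftime('%a %b %d %Y')} {MAINTAINER} - {version}-1"
    return "\n".join([header, *normalise_entries(block["entries"])])


def deb_changelog_entry(text, version):
    """debian/changelog stanza: header, two-space indented details, ' -- ' trailer."""
    block = _require_block(text, version)
    # The shell script uses the local time zone; fixed UTC midnight keeps this reproducible.
    when = datetime.datetime.combine(
        datetime.date.fromisoformat(block["date"]), datetime.time(),
        tzinfo=datetime.timezone.utc)
    lines = [f"{PACKAGE_NAME} ({version}-1) stable; urgency=medium"]
    lines += ["  " + e for e in block["entries"]]
    lines += ["", f" -- {MAINTAINER}  {when.strftime('%a, %d %b %Y %H:%M:%S %z')}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(rpm_changelog_entry(SAMPLE_CHANGELOG, "2.8"))
    print(deb_changelog_entry(SAMPLE_CHANGELOG, "2.7"))
```

A version that is absent from the CHANGELOG raises instead of silently producing an empty stanza, which is the failure the shell script guards against with its `Version $SCRIPT_VERSION not found` check.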

--------------------------------------------------------------------------------
/.github/scripts/generate-changelog.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -euo pipefail

CHANGELOG_FILE="CHANGELOG"
SPEC_FILE="rpm/anti_ddos_challenge.spec"
DEB_CHANGELOG="debian/changelog"
PACKAGE_NAME="nginx-lua-anti-ddos-challenge"
MAINTAINER_NAME="C0nw0nk"
MAINTAINER_EMAIL="C0nw0nk@github"

# 1️⃣ Get script version from lua file
SCRIPT_VERSION=$(sed -n 's/^Script Version: //p' lua/anti_ddos_challenge.lua)
[ -z "$SCRIPT_VERSION" ] && echo "ERROR: Cannot find Script Version in Lua file" && exit 1

# 2️⃣ Extract changelog block for this version
CHANGE_BLOCK=$(awk -v ver="$SCRIPT_VERSION" '
BEGIN {found=0}
/^Version: / {
    if ($2 == ver) {found=1; next}
    else if (found) {exit}
}
found {print}
' "$CHANGELOG_FILE")

[ -z "$CHANGE_BLOCK" ] && echo "ERROR: Version $SCRIPT_VERSION not found in $CHANGELOG_FILE" && exit 1

# 3️⃣ Extract date and entries separately
CHANGE_DATE=$(echo "$CHANGE_BLOCK" | awk '/^Date:/ {print $2}')
CHANGE_ENTRIES=$(echo "$CHANGE_BLOCK" | awk '!/^Date:/ {print}')

# 4️⃣ Prepare RPM changelog entry
DATE_RPM=$(date -d "$CHANGE_DATE" +"%a %b %d %Y")
{
    echo "* $DATE_RPM $MAINTAINER_NAME <$MAINTAINER_EMAIL> - $SCRIPT_VERSION-1"
    # Only add dash if missing
    echo "$CHANGE_ENTRIES" | sed '/^-/!s/^/- /'
} > changelog.newentry

# 5️⃣ Inject into SPEC while keeping old entries
awk '
BEGIN {done=0}
/^%changelog/ {
    print "%changelog"
    system("cat changelog.newentry")
    done=1
    next
}
done==1 { print; next }   # print existing old changelog lines
{ print }
' "$SPEC_FILE" > "$SPEC_FILE.new"

mv "$SPEC_FILE.new" "$SPEC_FILE"
rm -f changelog.newentry

# 6️⃣ Generate Debian changelog (append old entries below new one)
DATE_DEB=$(date -d "$CHANGE_DATE" +"%a, %d %b %Y %H:%M:%S %z")
{
    echo "$PACKAGE_NAME ($SCRIPT_VERSION-1) stable; urgency=medium"
    # Debian changelog details are indented by two spaces
    echo "$CHANGE_ENTRIES" | sed 's/^/  /'
    echo
    # Trailer line: two spaces between the address and the date
    echo " -- $MAINTAINER_NAME <$MAINTAINER_EMAIL>  $DATE_DEB"
    echo
    # If old deb changelog exists, append it
    if [ -f "$DEB_CHANGELOG" ]; then
        tail -n +1 "$DEB_CHANGELOG"
    fi
} > "$DEB_CHANGELOG.tmp"

mv "$DEB_CHANGELOG.tmp" "$DEB_CHANGELOG"

echo "✅ Changelog for version $SCRIPT_VERSION added to:"
echo "  - $SPEC_FILE (%changelog) (old entries preserved)"
echo "  - $DEB_CHANGELOG (old entries preserved)"

--------------------------------------------------------------------------------
/.github/workflows/build-publish.yml:
--------------------------------------------------------------------------------
name: Build and Publish RPM/DEB Packages

on:
  push:
    paths:
      - '**.spec'
      - 'lua/anti_ddos_challenge.lua'
      - 'CHANGELOG'
  workflow_dispatch:

# GITHUB_TOKEN needs write access to push the changelog commit and create the release
permissions:
  contents: write

jobs:
  prep_sources:
    name: Set Version, Tag, and Generate Changelogs
    runs-on: ubuntu-latest
    outputs:
      script_version: ${{ steps.get_version.outputs.script_version }}
      tag: ${{ steps.get_version.outputs.tag }}
    steps:
      - uses: actions/checkout@v4

      - name: Extract script version and tag
        id: get_version
        run: |
          SCRIPT_VERSION=$(sed -n 's/^Script Version: //p' lua/anti_ddos_challenge.lua)
          echo "script_version=$SCRIPT_VERSION" >> "$GITHUB_OUTPUT"
          TIMESTAMP=$(date +%Y%m%d_%H%M%S)
          echo "tag=$TIMESTAMP" >> "$GITHUB_OUTPUT"

      - name: Generate changelog
        run: bash .github/scripts/generate-changelog.sh

      - name: Commit updated changelogs
        run: |
          git config user.name "GitHub Actions"
          git config user.email "actions@github.com"

          # Track if changelog files existed before
          FILE_MISSING=false
          if [ ! -f debian/changelog ]; then
            echo "debian/changelog did not exist before - will force commit."
            FILE_MISSING=true
          fi

          if ! grep -q "%changelog" rpm/anti_ddos_challenge.spec; then
            echo "No %changelog section in spec before - will force commit."
            FILE_MISSING=true
          fi

          git add rpm/anti_ddos_challenge.spec debian/changelog

          if $FILE_MISSING; then
            echo "Forcing commit because this is the first creation of changelog files."
            git commit -m "ci: add initial changelogs for ${{ steps.get_version.outputs.script_version }}"
            git push || echo "Push failed - probably no permission"
          else
            if git diff --cached --quiet; then
              echo "No changelog changes to commit"
            else
              git commit -m "ci: update changelogs for ${{ steps.get_version.outputs.script_version }}"
              git push || echo "Push failed - probably no permission"
            fi
          fi

      - name: Upload prepped spec and debian/changelog
        uses: actions/upload-artifact@v4
        with:
          name: prepped-sources
          path: |
            rpm/anti_ddos_challenge.spec
            debian/changelog

  build_rhel:
    name: Build RPM (AlmaLinux/RHEL)
    runs-on: ubuntu-latest
    container:
      image: almalinux:10
    needs: [prep_sources]
    steps:
      - uses: actions/checkout@v4

      - name: Download prepped spec/changelog
        uses: actions/download-artifact@v4
        with:
          name: prepped-sources
          path: .

      - name: Install dependencies and prepare sources
        run: bash .github/scripts/prepare-rhel.sh

      - name: Build SRPM
        run: |
          rpmbuild -bs \
            --define "script_ver ${{ needs.prep_sources.outputs.script_version }}" \
            --define "release_tag ${{ needs.prep_sources.outputs.tag }}" \
            ~/rpmbuild/SPECS/anti_ddos_challenge.spec

      - name: Build RPM
        run: |
          rpmbuild -bb \
            --define "script_ver ${{ needs.prep_sources.outputs.script_version }}" \
            --define "release_tag ${{ needs.prep_sources.outputs.tag }}" \
            ~/rpmbuild/SPECS/anti_ddos_challenge.spec

      - name: Upload built RPMs as artifacts
        uses: actions/upload-artifact@v4
        with:
          name: nginx-lua-anti-ddos-rpm
          path: |
            ~/rpmbuild/RPMS/**/*.rpm
            ~/rpmbuild/SRPMS/**/*.src.rpm

  build_deb:
    name: Build DEB (Debian/Ubuntu)
    runs-on: ubuntu-latest
    needs: [prep_sources]
    steps:
      - uses: actions/checkout@v4

      - name: Download prepped spec/changelog
        uses: actions/download-artifact@v4
        with:
          name: prepped-sources
          path: .

      - name: Install build dependencies
        run: sudo apt-get update && sudo apt-get install -y build-essential debhelper dh-make

      - name: Build Debian package
        run: |
          dpkg-buildpackage -us -uc -b
          mkdir -p deb_packages
          mv ../*.deb deb_packages/

      - name: Upload .deb artifact
        uses: actions/upload-artifact@v4
        with:
          name: nginx-lua-anti-ddos-deb
          path: deb_packages/*.deb

  publish:
    name: Publish Release (GitHub)
    runs-on: ubuntu-latest
    needs: [prep_sources, build_rhel, build_deb]
    steps:
      - name: Download RPM artifacts
        uses: actions/download-artifact@v4
        with:
          name: nginx-lua-anti-ddos-rpm
          path: pkgs_download

      - name: Download DEB artifacts
        uses: actions/download-artifact@v4
        with:
          name: nginx-lua-anti-ddos-deb
          path: pkgs_download

      - name: Publish to releases
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ needs.prep_sources.outputs.script_version }}-${{ needs.prep_sources.outputs.tag }}
          body: |
            **🚀 NGINX Lua Anti DDoS Script Build Succeeded!** ✅

            **🌟 Version:** `${{ needs.prep_sources.outputs.script_version }}`

            **🔎 Includes:** RPM & DEB builds
          files: |
            pkgs_download/**/*.rpm
            pkgs_download/**/*.deb

--------------------------------------------------------------------------------
/CHANGELOG:
--------------------------------------------------------------------------------
Version: 2.8
Date: 2025-11-03
- Added feature: script settings can be controlled from the nginx configuration file (nginx.conf or vhosts). Useful for those who do not want to edit the script and would rather use their vhost / virtual host or nginx config files to change the script's settings.
- https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/wiki/Script-Overrides
- Example: nginx.conf inside the http block
- http {
- init_by_lua '
- localized_global = {} --define global var that script can read
- localized_global.secret = " enigma" --nginx config now sets secret key and the script will use the secret key from here
- localized_global.credits = 2 --disable ddos credits
- ';
- }

Version: 2.7
Date: 2025-10-24
- Performance improvement and fixes for Tor .onion checks; the javascript authentication puzzle now shows and protects backends for Tor users.
- Added support to detect if Linux, Windows or Mac for custom commands.

Version: 2.6
Date: 2025-10-08
- Add ability to detect and auto whitelist the server's IP address

Version: 2.5
Date: 2025-10-08
- Add IPv6 addresses to the whitelist for localhost so that nginx setups using IPv6 do not internally ban themselves.
- Added check if exit status is 444 (close the connection) or 204 (no content): we do not need to waste time disabling gzip since there is no response to gzip.

Version: 2.4
Date: 2025-09-20
- Range filter will now work with content-type fix set to false.

Version: 2.3
Date: 2025-09-20
- GET content-type function ability to toggle on / off via true / false statement
- Default content-type function to true so users can turn it off if they need to

Version: 2.2
Date: 2025-09-13
- string.find is faster than string.match so use string.find where possible
- Improve speed of wildcard matches by not using string.find or string.match and using a custom function
- Performance improvement with logs
- Make sure users' set custom commands get run on blocks

Version: 2.1
Date: 2025-09-12
- Fix for users seeing the javascript authentication puzzle: I forgot to null out a line when doing tests.
- Added a check on the default secret key or password just in case a user has not changed it from the default

Version: 2.0
Date: 2025-09-11
- Remove dependency on ngx.re.gsub; tests come back that string.gsub is fast enough and performs better overall.
- Improved cache logs to make them more readable/understandable
- Added extra details to Range, WAF and blocking logs
- Remove un-needed custom command checks
- Fix in case user does not want to use shared memory zones: the function to obtain users' real IP was not present, added.

Version: 1.9
Date: 2025-09-10
- Move internal headers to a function
- Do IP blocked/banned checks before anything else; no point generating headers if the IP has been blocked for flooding
- Nil var checks in case user changes an empty table var to an empty string.
- Fix for Tor users authorization box / login box.
- Extend ban duration on IPs flooding; what's the point in letting them access the site on expired time if they are still flooding

Version: 1.8
Date: 2025-09-10
- Fix for internal header not matching: strip out unwanted chars of the encrypted header that caused this bug

Version: 1.7
Date: 2025-09-09
- Added security feature to prevent spoofing on the proxy headers CF-Connecting-IP or X-Forwarded-For.
- For example a smart DDoS attack will send a fake CF-Connecting-IP header or X-Forwarded-For header in their request
- They do this to see if your server will use their real IP or the fake header they provide to you; most servers do not even check this, I do :)
- Example : `curl.exe "http://localhost/" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-GB,en;q=0.5" -H "Accept-Encoding: gzip, deflate, br, zstd" -H "DNT: 1" -H "Connection: keep-alive" -H "Cookie: name1=1; name2=2; logged_in=1" -H "Upgrade-Insecure-Requests: 1" -H "Sec-Fetch-Dest: document" -H "Sec-Fetch-Mode: navigate" -H "Sec-Fetch-Site: none" -H "Sec-Fetch-User: ?1" -H "Priority: u=0, i" -H "Pragma: no-cache" -H "Cache-Control: no-cache" -H "User-Agent:testagent1" -H "CF-Connecting-IP: 1" -H "X-Forwarded-For: 1" `
- Improvements for Tor / Onion network users: the script should now detect Tor automatically, no need to change any settings.
- Improve page caching cookie matching
- Internal request header tracking encrypted so only the nginx process can use these headers
- Localize and re-order some vars and functions for better performance and execution ordering

Version: 1.6
Date: 2025-09-07
- Added feature localized.ip_whitelist_bypass_flood_protection = 0 --0 IPs in whitelist can still be banned / blocked for DDoS flooding behaviour, 1 IPs bypass the flood detection
- Fixed rate limit being double
- Tidy IP checks by using a function
- Increase default minimum request size from 20 bytes to 40 bytes
- Improve the default User-Agent block string for empty user-agent to pick up spaces as empty also
- Better setting for shared memory zones
- Add crawler IPs (google, bing) to whitelist example
- Fix for cloudflare and proxies solving the javascript puzzle: make sure they don't override the 503 status and send their own custom error page.

Version: 1.5
Date: 2025-09-05
- Fixed log to show IP address.
- IPs in the block range get added to the shared memory zone if it exists
- IPs in the whitelist range get added to the shared memory zone if it exists
- Added feature javascript authentication puzzle protection: users who fail to solve the javascript puzzle more than a certain number of times can be blocked.
- Added feature ability to run external commands on IP addresses in the block list, useful if you want to use iptables to block an address before it even reaches the nginx worker process.

Version: 1.4
Date: 2025-09-03
- localize next functions
- Add ability to override ngx.location.capture headers being sent to backends.

Version: 1.3
Date: 2025-09-03
- localize vars so the script is compatible with all nginx lua versions old and new.
- Fix content-type header: depending on how early in the execution process we are with nginx the content-type header could still be nil, so I have fixed it.

Version: 1.2
Date: 2025-08-23
- Fixed both guest and logged in user cache
- Fixed POST request caching
- Change default value to false in case other scripts are present on the Nginx server to be executed after this script.
- Improved content cache key so it works with other request types like POST etc

Version: 1.1
Date: 2025-08-20
- Added feature Content-Type caching using ngx.location.capture
- This is the same as `proxy_cache` or `fastcgi_cache` in nginx, just with more features and better.
- Added feature HTML modification / Modify: you can capture and modify page outputs with this, including adding javascript to pages etc.
- Added feature option for users who have other scripts on their nginx server to be able to run those after this. `ngx_exit` trigger.
- Fixed the shdict check; I left it as a string `tostring` and a true or false check was not working properly.

Version: 1.0
Date: 2025-08-09
- Initial packaging (RPM and DEB) for anti_ddos_challenge.lua created and maintained by C0nw0nk (https://github.com/C0nw0nk)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![Languages](https://img.shields.io/github/languages/count/C0nw0nk/Nginx-Lua-Anti-DDoS) ![Top language](https://img.shields.io/github/languages/top/C0nw0nk/Nginx-Lua-Anti-DDoS) ![File size](https://img.shields.io/github/size/C0nw0nk/Nginx-Lua-Anti-DDoS/lua/anti_ddos_challenge.lua)](https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/wiki/funding) [![Build and Publish RPM/DEB Packages](https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/actions/workflows/build-publish.yml/badge.svg)](https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/actions/workflows/build-publish.yml)

[![Cloudflare I am Under Attack Mode!](https://blog.cloudflare.com/content/images/im_under_attack_page.png.scaled500.png)](https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/wiki/funding)

[Master Branch for Modern Nginx Lua Builds](https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/tree/master) - [Old Outdated Nginx Lua Builds use this branch](https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/tree/old-outdated-nginx-lua-builds)

# Nginx-Lua-Anti-DDoS
An Anti-DDoS script to protect Nginx web servers using Lua, with a JavaScript-based authentication puzzle inspired by Cloudflare's "I'm Under Attack" mode. I built my own Anti-DDoS authentication HTML page puzzle, integrating my Lua, JavaScript, HTML and HTTP knowledge.

Mitigate a DDoS attack of any size using my free DDoS protection. Don't get DDoS attacked!

If you're under attack and use my script during the attack, visitors will receive an interstitial page for about five seconds while I analyze the traffic to make sure it is a legitimate human visitor.

This can protect you from many different forms of DDoS and works with both HTTP and HTTPS / SSL traffic.

No limit on attack size
Uptime guarantee

# Features :

These are some of the features I built into the script so far.

## Security

Limit IP requests / Flooding

Automatically turn on Under Attack mode if a DDoS is detected

I am Under Attack Mode (DDoS Authentication HTML Page)

IP Address Whitelist

IP Subnet Ranges Whitelist

IP Address Blacklist

IP Subnet Ranges Blacklist

User-Agent Whitelist

User-Agent Blacklist

Protected area / Restricted access: username / password box to restrict access to sites / paths.

Enable or disable logging of users who either fail or succeed in solving the authentication puzzle. (Fail2Ban users can use this to ban bots, AI tools and IP addresses from the log file)

Range header filtering. Most download / video streaming sites and services use range headers; this allows you to filter and block slowhttp / slowloris attack types.

## WAF (Web Application Firewall)

IPv4 and IPv6 blocking and whitelisting, including subnet ranges.

User-Agent blocking and whitelisting to block bad bots and exploits / scanners.

Ability to inspect POST data / fields and block malicious POST requests / exploits.

Ability to inspect the URL for malicious content: SQL/SQLi injections, XSS attacks / exploits.

Ability to inspect query strings and arguments for malicious content / exploits.

Ability to inspect all request headers provided by the connecting client.

Ability to inspect cookies for exploits.
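The IP whitelist / blacklist and subnet-range features listed above only work if the address being checked is the client's real one. The CHANGELOG 1.7 entry notes that an attacker can send a bogus `CF-Connecting-IP` or `X-Forwarded-For` header hoping the server will rate-limit or whitelist that value instead of the TCP peer. The Python below is an added example, not the project's Lua code: it shows the defensive rule in isolation, honouring a client-address header only when the direct peer is a trusted proxy and the header value parses as an IP, then applying CIDR-based allow and deny lists to the resolved address. The trusted-proxy ranges, list contents and sample requests are all constructed.

```python
"""Trusted-proxy client IP resolution plus CIDR allow/deny lists.

Added example (not Nginx-Lua-Anti-DDoS code). All networks and requests below
are constructed from documentation ranges (RFC 5737 / RFC 3849).
"""
import ipaddress

# Only these networks may assert a client address via a header. Constructed;
# in production this would be your CDN's or load balancer's published ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:100::/48")]

# Constructed allow / deny lists in the README's "address or subnet range" sense.
WHITELIST = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "::1/128", "198.51.100.0/24")]
BLACKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]

# Headers consulted, in order of preference, when the peer is a trusted proxy.
CLIENT_IP_HEADERS = ("cf-connecting-ip", "x-forwarded-for")


def parse_ip(value):
    """An ip_address, or None when the value is not a literal IP (e.g. the '1' in the spoofing example)."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def in_any(ip, networks):
    """True if `ip` falls inside any listed network (mixed v4/v6 lists compare as False)."""
    return any(ip in net for net in networks)


def real_client_ip(peer_addr, headers):
    """Resolve the address to rate-limit or ban for this request.

    A header value is trusted only when the TCP peer is a trusted proxy AND the
    value parses as an IP; in every other case the peer address is used, so a
    direct client cannot relabel itself. For X-Forwarded-For the last element is
    taken: that is the one appended by the trusted proxy, earlier ones came from
    the client and are untrusted.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not in_any(peer, TRUSTED_PROXIES):
        return peer
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in CLIENT_IP_HEADERS:
        raw = lowered.get(name)
        if not raw:
            continue
        candidate = parse_ip(raw.split(",")[-1])
        if candidate is not None:
            return candidate
    return peer


def classify(peer_addr, headers):
    """Return ('whitelist' | 'blacklist' | 'check', resolved_ip_as_string)."""
    ip = real_client_ip(peer_addr, headers)
    if in_any(ip, WHITELIST):
        verdict = "whitelist"
    elif in_any(ip, BLACKLIST):
        verdict = "blacklist"
    else:
        verdict = "check"  # proceed to flood counters / JS puzzle
    return verdict, str(ip)


# Constructed sample requests: (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    # Direct client in the blacklist range trying the CHANGELOG 1.7 spoof: headers ignored.
    ("192.0.2.10", {"CF-Connecting-IP": "1", "X-Forwarded-For": "1"}),
    # Trusted proxy forwarding a whitelisted client; the first XFF hop is client-supplied noise.
    ("203.0.113.5", {"X-Forwarded-For": "10.0.0.1, 198.51.100.7"}),
    # Trusted proxy but unparseable header value: fall back to the peer itself.
    ("203.0.113.5", {"CF-Connecting-IP": "1"}),
    # Untrusted peer in the whitelist range; its forged XFF pointing at a blacklisted IP is ignored.
    ("198.51.100.9", {"X-Forwarded-For": "192.0.2.5"}),
    # IPv6 trusted proxy forwarding an IPv6 client.
    ("2001:db8:100::1", {"CF-Connecting-IP": "2001:db8:cafe::7"}),
]


def run_samples():
    """Classify every constructed request; returns a list of (verdict, ip) tuples."""
    return [classify(peer, headers) for peer, headers in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, _), (verdict, ip) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"peer={peer:<18} resolved={ip:<18} -> {verdict}")
```

The same rule is what makes the whitelist safe to use at all: if header values were honoured from any peer, a whitelisted range would become a free bypass for anyone who can type a header.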
64 | 65 | ## Caching Speed and Performance 66 | 67 | Query String Sorting 68 | 69 | Query String Whitelist 70 | 71 | Query String Removal (It is a blacklist but it will just drop / remove the argument from the URL not block the request) 72 | 73 | Minification / Compression of files removing white space and nulled out code / lines JS JavaScript, CSS Stylesheets, HTML etc 74 | 75 | ## Customization of error pages responses and webpage outputs 76 | 77 | Custom error page interception to replace with your own error pages 78 | 79 | Hide Web application errors such as PHP errorrs MySQL errors it will intercept them and display a custom error page instead of showing visitors sensative information 80 | 81 | Modify webpage outputs to replace contents on pages / files 82 | 83 | # Information : 84 | 85 | If you have any bugs issues or problems just post a Issue request. 86 | 87 | https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/issues 88 | 89 | If you fork or make any changes to improve this or fix problems please do make a pull request for the community who also use this. 90 | 91 | https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/pulls 92 | 93 | ## Be sure to use the latest Nginx+Lua builds and libraries to avoid any issues. 94 | 95 | # Usage / Installation : 96 | 97 | Edit settings inside `anti_ddos_challenge.lua` to cater for your own unique needs or improve my work. (Please share your soloutions and additions) 98 | 99 | https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/blob/master/lua/anti_ddos_challenge.lua 100 | 101 | Add this to your Nginx configuration folder. 102 | 103 | `nginx/conf/lua/` 104 | 105 | Once installed into your `nginx/conf/` folder. 106 | 107 | Add this to your HTTP block or it can be in a server or location block depending where you want this script to run for individual locations the entire server or every single website on the server. 
108 | 109 | ``` 110 | lua_shared_dict antiddos 70m; #Anti-DDoS shared memory zone to track requests per each unique user 111 | lua_shared_dict antiddos_blocked 70m; #Anti-DDoS shared memory where blocked users are put 112 | lua_shared_dict ddos_counter 10m; #Anti-DDoS shared memory zone to track total number of blocked users 113 | lua_shared_dict jspuzzle_tracker 70m; #Anti-DDoS shared memory zone monitors each unique ip and number of times they stack up failing to solve the puzzle 114 | 115 | access_by_lua_file anti_ddos_challenge.lua; 116 | ``` 117 | 118 | ### Example nginx.conf : 119 | 120 | This will run for all websites on the nginx server 121 | 122 | ``` 123 | http { 124 | 125 | #shared memory addresses in http block 126 | lua_shared_dict antiddos 70m; #Anti-DDoS shared memory zone to track requests per each unique user 127 | lua_shared_dict antiddos_blocked 70m; #Anti-DDoS shared memory where blocked users are put 128 | lua_shared_dict ddos_counter 10m; #Anti-DDoS shared memory zone to track total number of blocked users 129 | lua_shared_dict jspuzzle_tracker 70m; #Anti-DDoS shared memory zone monitors each unique ip and number of times they stack up failing to solve the puzzle 130 | 131 | #nginx config settings etc 132 | access_by_lua_file anti_ddos_challenge.lua; 133 | #more config settings and some server stuff 134 | 135 | } 136 | ``` 137 | 138 | This will make it run for this website only 139 | 140 | ``` 141 | http { 142 | #shared memory addresses in http block 143 | lua_shared_dict antiddos 70m; #Anti-DDoS shared memory zone to track requests per each unique user 144 | lua_shared_dict antiddos_blocked 70m; #Anti-DDoS shared memory where blocked users are put 145 | lua_shared_dict ddos_counter 10m; #Anti-DDoS shared memory zone to track total number of blocked users 146 | lua_shared_dict jspuzzle_tracker 70m; #Anti-DDoS shared memory zone monitors each unique ip and number of times they stack up failing to solve the puzzle 147 | } 148 | 149 | server { 
150 | #nginx config settings etc 151 | access_by_lua_file anti_ddos_challenge.lua; 152 | #more config settings and some server stuff 153 | } 154 | ``` 155 | 156 | This will run in this location block only 157 | 158 | ``` 159 | http { 160 | #shared memory addresses in http block 161 | lua_shared_dict antiddos 70m; #Anti-DDoS shared memory zone to track requests per each unique user 162 | lua_shared_dict antiddos_blocked 70m; #Anti-DDoS shared memory where blocked users are put 163 | lua_shared_dict ddos_counter 10m; #Anti-DDoS shared memory zone to track total number of blocked users 164 | lua_shared_dict jspuzzle_tracker 70m; #Anti-DDoS shared memory zone monitors each unique ip and number of times they stack up failing to solve the puzzle 165 | } 166 | 167 | location / { 168 | #nginx config settings etc 169 | access_by_lua_file anti_ddos_challenge.lua; 170 | #more config settings and some server stuff 171 | } 172 | ``` 173 | 174 | ### Other setup options 175 | 176 | https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/wiki 177 | 178 | For setting up the script to run with Tor .onion services, Cloudflares proxy services, Configuration options of the script view the wiki. 179 | 180 | # Requirements : 181 | NONE! :D You only need Nginx + Lua to use my scripts. 182 | 183 | ###### Where can you download Nginx + Lua ? 184 | 185 | Openresty provide Nginx + Lua builds for Windows Linux etc here. 186 | 187 | https://openresty.org/en/download.html 188 | 189 | Nginx4windows has Windows specific builds with Lua here. 190 | 191 | http://nginx-win.ecsds.eu/ 192 | 193 | Or you can download the source code for Nginx here and compile Nginx yourself with Lua. 194 | 195 | https://nginx.org/en/download.html 196 | 197 | # About : 198 | 199 | I was inspired to create this because of Cloudflare feature "I'm Under Attack Mode" https://www.cloudflare.com/ 200 | 201 | There are similar sites and services like BitMitigate but I prefer my own script over their methods. 
```
If you're under attack and have this feature enabled during the attack, visitors will receive an interstitial page for about five seconds while we analyze the traffic to make sure it is a legitimate human visitor.

Advanced DDoS Attack Protection

Unmetered DDoS mitigation to maintain performance and availability

Denial of Service attacks continue to grow in sophistication and force: more distributed, greater volumes of traffic, and encroaching on the application layer.

A successful attack increases unnecessary costs on your infrastructure and IT/security staff. More importantly, it hurts your revenue, customer satisfaction, and brand.

To combat attacks and stay online, you’ll need a solution that’s resilient, scalable, and intelligent.

Mitigate a DDoS attack of any size or duration. Don't get DDoS attacked!
```

I love that feature so much that, on top of having it enabled on all my Cloudflare-proxied sites, I decided to build it into my own servers, so traffic that reaches them without passing through Cloudflare's network is still kept in check and authenticated. (Every little helps, right?)

Thank you to @Cloudflare for the inspiration and to your community for all the love. A big thanks to the @openresty community: you guys rock, Lua rocks, you are all awesome!

Let's build a better Internet together, where speed, privacy, security and compression matter!
Here are links to my favorite communities :)

http://openresty.org/en/

https://community.cloudflare.com/

# Protected attack types :
```
All Layer 7 Attacks
Mitigating Historic Attacks
DoS
DoS Implications
DDoS
All Brute Force Attacks
Zero day exploits
Social Engineering
Rainbow Tables
Password Cracking Tools
Password Lists
Dictionary Attacks
Time Delay
Any Hosting Provider
Any CMS or Custom Website
Unlimited Attempt Frequency
Search Attacks
HTTP Basic Authentication
HTTP Digest Authentication
HTML Form Based Authentication
Mask Attacks
Rule-Based Search Attacks
Combinator Attacks
Botnet Attacks
Unauthorized IPs
IP Whitelisting
Bruter
THC Hydra
John the Ripper
Brutus
Ophcrack
unauthorized logins
Injection
Broken Authentication and Session Management
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring
And many others…
```
# Features :

# Advanced DDoS Attack Protection
My script gives you unmetered DDoS mitigation, for free, to maintain performance and availability.
Denial of Service attacks continue to grow in sophistication and force: more distributed, greater volumes of traffic, and encroaching on the application layer.
A successful attack increases unnecessary costs on your infrastructure and IT/security staff. More importantly, it hurts your revenue, customer satisfaction, and brand.
To combat attacks and stay online, you’ll need a solution that’s resilient, scalable, and intelligent.
#### Common Types of DDoS Attacks

# Block Malicious Bot Abuse
Block abusive bots from damaging Internet properties through content scraping, fraudulent checkout, and account takeover.

# Prevent Customer Data Breach
Prevent attackers from compromising sensitive customer data, such as user credentials, credit card information, and other personally identifiable information.

#### Layered Security Defense
A layered security approach combines multiple DDoS mitigation capabilities into one script. It prevents disruptions caused by bad traffic while allowing good traffic through, keeping websites, applications and APIs highly available and performant.
#### HTTP Flood (Layer 7)
HTTP flood attacks generate high volumes of HTTP GET or POST requests from multiple sources, targeting the application layer and causing service degradation or unavailability.

Defend against the largest attacks

# Shared Network Intelligence / Collective Intelligence
With every new property, contributor and user of this script, your help and contributions make everyone's network safer. You are helping identify and block new and evolving threats across the Internet's backbone and infrastructure.

# No Performance Tradeoffs
Eliminate security-induced latency by running my script directly on your servers. You no longer need to rely on third-party services such as Cloudflare, BitMitigate, Sucuri or other CDN / cloud networks and companies; I have given you the tool for free.

# Web Application Firewall
An enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities such as SQL injection, cross-site scripting and cross-site request forgery, and protects your existing infrastructure.
# Rate Limiting

Control to block suspicious visitors

Rate limiting protects against denial-of-service attacks, brute-force login attempts, and other types of abusive behaviour targeting the application layer.

Rate limiting provides the ability to configure thresholds, define responses, and gain valuable insight into specific URLs of websites, applications or API endpoints. It adds granular HTTP/HTTPS traffic control. This also reduces bandwidth costs by eliminating unpredictable traffic spikes or attacks.

# Protect any Web Application
This script can protect any web application served through Nginx, including:
```
Drupal
WordPress
Joomla
Flash
Magento
PHP
Plone
WHMCS
Atlassian Products
Adult video script avs
KVS Kernel Video Sharing
Clip Bucket
Tube sites
Content Management Systems
Social networks
scripts
backends proxy proxies
PHP
Python
Porn sites xxx adult
gaming networks servers sites
forums
vbulletin
phpbb
mybb
smf simple machines forum
xenforo
web hosting
And many more...
```

# Government
Protection for government gateways and websites. With foreign agencies targeting critical infrastructure, this will help all government and critical civilian infrastructure stay online.

# Payment, e-commerce and content management
If you use popular CMS or forum software such as Joomla, Drupal, WordPress, phpBB, MyBB or vBulletin, this will help ensure maximum uptime and protection.

# Military MoD
Military-grade protection for infrastructure: Ministry of Defence (MoD) and armed forces websites, as well as police, army and other law enforcement.
# Crypto Currency
This script works well for cryptocurrency sites. Because wallet controls, security and access matter so much on crypto-based websites, it verifies that traffic can run JavaScript and is legitimate before allowing access, protecting sensitive functions such as wallet access. Any crypto website that offers a swap or a centralised or decentralised exchange (CEX / DEX) will find this a must-have for a peer-to-peer marketplace where transactions occur directly between traders.

# Tor network / Project .onion :
You can also use this script to protect servers and sites on the Tor network, preventing DDoS against .onion addresses. It helps stop attacks on the deep web / dark web as well as on the regular Internet, and for visitors who reach your site through the Tor Browser it makes sure they are legitimate users.

# HTTP(S) / HTTP2 / HTTP3 / QUIC :
Yes, this script works with all the modern Internet protocols. It protects both encrypted and unencrypted traffic, served over TCP as well as over UDP, which HTTP/3 and QUIC use. The script runs in the Nginx access phase, after the connection has been accepted, so it sees the request whichever transport carried it, provided your Nginx build supports that protocol.
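The rate limiting, Cloudflare proxy and HTTP flood sections above all rest on two things the script has to do internally: decide which IP a request really came from, and count per-IP requests in a `lua_shared_dict`. The following is an added example written for this page, not code from anti_ddos_challenge.lua, showing how to do both in OpenResty without trusting a spoofable `CF-Connecting-IP` or `X-Forwarded-For` header (the spoofing attempt the 1.7-1 changelog entry below describes). It assumes a separate `lua_shared_dict ratelimit_example 10m;` declared in the `http` block; the proxy ranges, limit and window are placeholders to replace with your own values.

```lua
-- Added example for this page, not part of anti_ddos_challenge.lua.
-- Resolves the real client IP without trusting spoofable proxy headers,
-- then counts requests per IP in a lua_shared_dict (fixed window).
-- Assumes in nginx.conf, inside http { }:  lua_shared_dict ratelimit_example 10m;
-- and that this file is loaded with access_by_lua_file.

-- Placeholders: only peers inside these IPv4 ranges may set CF-Connecting-IP
-- or X-Forwarded-For. Replace with your proxy's published ranges. Do NOT add
-- 127.0.0.1 here unless a trusted proxy really connects from localhost.
local TRUSTED_PROXIES = { "10.0.0.0/8", "192.0.2.0/24" }
local LIMIT  = 100  -- placeholder: requests allowed per IP per window
local WINDOW = 60   -- placeholder: window length in seconds

-- Parse a dotted-quad IPv4 address into an integer; nil on anything else
-- (IPv6 is deliberately out of scope for this example).
local function ip_to_number(ip)
    if type(ip) ~= "string" then return nil end
    local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
    if not a then return nil end
    a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
    if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
    return ((a * 256 + b) * 256 + c) * 256 + d
end

-- True when ip lies inside cidr ("a.b.c.d/n"). Integer division is used
-- instead of the LuaJIT bit library so it runs on any Lua 5.1 build.
local function in_cidr(ip, cidr)
    local net, bits = cidr:match("^([%d%.]+)/(%d+)$")
    local ipn, netn, n = ip_to_number(ip), ip_to_number(net), tonumber(bits)
    if not ipn or not netn or not n or n > 32 then return false end
    local block = 2 ^ (32 - n)
    return math.floor(ipn / block) == math.floor(netn / block)
end

local function is_trusted_proxy(addr)
    for _, cidr in ipairs(TRUSTED_PROXIES) do
        if in_cidr(addr, cidr) then return true end
    end
    return false
end

-- The TCP peer (remote_addr) is authoritative unless it is a trusted proxy;
-- only then are the forwarding headers consulted. A request sent straight
-- to the origin with "CF-Connecting-IP: 1" is therefore attributed to the
-- sender's own address, not to the header value.
local function client_ip(remote_addr, headers)
    if not is_trusted_proxy(remote_addr) then return remote_addr end
    local cf = headers["cf-connecting-ip"]
    if ip_to_number(cf) then return cf end
    local xff = headers["x-forwarded-for"]
    if type(xff) == "string" then
        -- Each proxy appends the peer it received from, so walk from the
        -- right and skip our own proxies; the first other address is the client.
        local hops = {}
        for hop in xff:gmatch("[^,]+") do
            hops[#hops + 1] = hop:match("^%s*(.-)%s*$")
        end
        for i = #hops, 1, -1 do
            if ip_to_number(hops[i]) and not is_trusted_proxy(hops[i]) then
                return hops[i]
            end
        end
    end
    return remote_addr
end

-- Atomic per-IP counter; the key expires WINDOW seconds after it is first
-- created (init_ttl needs lua-nginx-module v0.10.12 or later). On a dict
-- error the request is logged and allowed, so a full zone degrades to
-- "no limiting" rather than to "block everyone".
local function over_limit(dict, ip)
    local count, err = dict:incr("req:" .. ip, 1, 0, WINDOW)
    if not count then
        ngx.log(ngx.ERR, "ratelimit_example incr failed for ", ip, ": ", err)
        return false
    end
    return count > LIMIT
end

local ip = client_ip(ngx.var.remote_addr, ngx.req.get_headers())
if over_limit(ngx.shared.ratelimit_example, ip) then
    ngx.log(ngx.WARN, "rate limit exceeded for ", ip)
    return ngx.exit(429)
end
```

Load it with `access_by_lua_file /etc/nginx/client_ip_limit.lua;` (file name assumed) in the `server` or `location` that should be limited. Sending the curl request from the 1.7-1 changelog entry, with its spoofed `CF-Connecting-IP: 1`, directly to the origin is counted against the sender's real address, because a peer outside `TRUSTED_PROXIES` never gets its headers honoured; IPv6 peers simply fall back to `remote_addr` in this example.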
# Works with :
Nginx (with the Lua module)

Nginx + Lua

OpenResty

Custom Nginx builds with Lua compiled in

LiteSpeed / OpenLiteSpeed, see https://openlitespeed.org/kb/openlitespeed-lua-module/ ; this works with LiteSpeed's Lua module because it is built on OpenResty's Lua, as described at https://openlitespeed.org/kb/openlitespeed-lua-module/#Use
--------------------------------------------------------------------------------
/rpm/anti_ddos_challenge.spec:
--------------------------------------------------------------------------------
############################################################
# Version Macros (set via build parameters or defaults)
############################################################
%{!?script_ver: %global script_ver 1.0}
%{!?release_tag: %global release_tag 1}

############################################################
# Package Information
############################################################
Name:           nginx-lua-anti-ddos-challenge
Version:        %{script_ver}
Release:        %{release_tag}
Summary:        Nginx Lua Anti-DDoS script

License:        MIT
URL:            https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS
Source0:        anti_ddos_challenge.lua
Source1:        LICENSE
Source2:        README.md

BuildArch:      noarch

# No explicit Requires, for compatibility: the package names for these
# differ between distributions. See %description for what is needed.
#Requires: lua luajit2 lua-socket
#Requires: lua-resty-core >= 0.1.28

%description
This package provides `anti_ddos_challenge.lua`, a Lua script designed to protect Nginx web servers from DDoS attacks by implementing an authentication puzzle mechanism.

**Dependencies and Requirements:**

- Nginx must be compiled with the Lua module enabled.
- The Lua environment should include:
  - lua
  - luajit2
  - lua-socket
  - lua-resty-core (version 0.1.28 or higher)

These dependencies are critical as the script relies on them for proper functionality within the Nginx Lua module context.

Make sure to install and configure these prerequisites before deploying this script to ensure its effectiveness and compatibility.

%prep
# No preparation needed

%build
# No build needed

%install
rm -rf %{buildroot}
install -D -m 0644 %{SOURCE0} %{buildroot}/etc/nginx/anti_ddos_challenge.lua
install -D -m 0644 %{SOURCE1} %{buildroot}/usr/share/licenses/%{name}/LICENSE
install -D -m 0644 %{SOURCE2} %{buildroot}/usr/share/doc/%{name}/README.md

%files
# Listed by their installed (absolute) paths: %install already placed them in
# %{buildroot}, and %prep leaves no build directory to copy relative names from.
%license /usr/share/licenses/%{name}/LICENSE
%doc /usr/share/doc/%{name}/README.md
%config(noreplace) /etc/nginx/anti_ddos_challenge.lua

%post
if [ -f /etc/nginx/anti_ddos_challenge.lua.rpmnew ]; then
    echo "Warning: /etc/nginx/anti_ddos_challenge.lua already exists and differs from the packaged version."
    echo "A new version of the file has been installed as /etc/nginx/anti_ddos_challenge.lua.rpmnew."
    echo "Please review and merge changes if appropriate."
fi

# Auto added - DONT REMOVE
%changelog
* Mon Nov 03 2025 C0nw0nk - 2.8-1
- Added feature: ability for script settings to be controlled from the nginx configuration file nginx.conf or vhosts, useful for those who do not want to edit the script but can instead use their virtual hosts or nginx config files to change settings of the script.
- https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/wiki/Script-Overrides
- Example: nginx.conf inside the http block
- http {
- init_by_lua '
- localized_global = {} --define global var that script can read
- localized_global.secret = " enigma" --nginx config now sets secret key and the script will use the secret key from here
- localized_global.credits = 2 --disable ddos credits
- ';
- }
* Fri Oct 24 2025 C0nw0nk - 2.7-1
- Performance improvement and fixes for Tor .onion checks; javascript authentication puzzle now shows and protects backends for Tor users.
- Added support to detect if Linux, Windows or Mac for custom commands.
* Wed Oct 08 2025 C0nw0nk - 2.6-1
- Add ability to detect and auto whitelist servers IP address
* Wed Oct 08 2025 C0nw0nk - 2.5-1
- Add IPv6 addresses to whitelist for localhost so that nginx setups using IPv6 do not internally ban themselves.
- Added check if exit status is 444 (close the connection) or 204 (no content): we do not need to waste time disabling gzip since there is no response to gzip.
* Sat Sep 20 2025 C0nw0nk - 2.4-1
- Range filter will now work with content-type fix set to false.
* Sat Sep 20 2025 C0nw0nk - 2.3-1
- GET content-type function ability to toggle on / off via true / false statement
- Default content-type function to true so users can turn it off if they need to
* Sat Sep 13 2025 C0nw0nk - 2.2-1
- String.find is faster than string match so use string.find where possible
- Improve speed of wildcard matches by not using string.find or string.match and using a custom function
- Performance improvement with logs
- Make sure users set custom commands get run on blocks
* Fri Sep 12 2025 C0nw0nk - 2.1-1
- Fix for users seeing javascript authentication puzzle i forgot to null out a line when doing tests.
- Added a check on default secret key or password just incase a user has not changed it from default
* Thu Sep 11 2025 C0nw0nk - 2.0-1
- Remove dependancy for ngx.re.gsub tests come back string.gsub is fast enough and performs better overall.
- Improved cache logs to make more readable/understandable
- Added extra details to Range, WAF and blocking logs
- Remove un-needed custom command checks
- Fix incase user does not want to use shared memory zones the function to obtain users real ip was not present added.
* Wed Sep 10 2025 C0nw0nk - 1.9-1
- Move Internal headers to a function
- Do IP blocked/banned checks before anything else no point generating headers if IP has been blocked for flooding
- Nil vars checks incase user changes a empty table var to a empty string.
- Fix for tor users authorization box / login box.
- Extend ban duration on IPs that are flooding; what's the point in letting them access the site when the time expires if they are still flooding
* Wed Sep 10 2025 C0nw0nk - 1.8-1
- Fix for internal header not matching: strip out unwanted chars of the encrypted header that caused this bug
* Tue Sep 09 2025 C0nw0nk - 1.7-1
- Added security feature to prevent spoofing of the proxy headers CF-Connecting-IP or X-Forwarded-For.
- For example a smart DDoS attack will send a fake CF-Connecting-IP header or X-Forwarded-For header in their request
- They do this to see if your server will use their real IP or the fake header they provide to you; most servers do not even check this, I do :)
- Example : `curl.exe "http://localhost/" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-GB,en;q=0.5" -H "Accept-Encoding: gzip, deflate, br, zstd" -H "DNT: 1" -H "Connection: keep-alive" -H "Cookie: name1=1; name2=2; logged_in=1" -H "Upgrade-Insecure-Requests: 1" -H "Sec-Fetch-Dest: document" -H "Sec-Fetch-Mode: navigate" -H "Sec-Fetch-Site: none" -H "Sec-Fetch-User: ?1" -H "Priority: u=0, i" -H "Pragma: no-cache" -H "Cache-Control: no-cache" -H "User-Agent:testagent1" -H "CF-Connecting-IP: 1" -H "X-Forwarded-For: 1" `
- Improvements for Tor / Onion network users: the script should now detect Tor automatically, no need to change any settings.
- Improve page caching cookie matching
- Internal request header tracking encrypted so only the nginx process can use these headers
- Localize and re-order some vars and functions for better performance and execution ordering
* Sun Sep 07 2025 C0nw0nk - 1.6-1
- Added feature localized.ip_whitelist_bypass_flood_protection = 0 -- 0: IPs in whitelist can still be banned / blocked for DDoS flooding behaviour; 1: IPs bypass the flood detection
- Fixed rate limit being doubled
- Tidy IP checks by using a function
- Increase default minimum request size from 20 bytes to 40 bytes
- Improve the default User-Agent block string for empty user-agent to treat spaces as empty as well
- Better settings for shared memory zones
- Add crawler IPs (Google, Bing) to whitelist example
- Fix for Cloudflare and proxies solving the javascript puzzle: make sure they don't override the 503 status and send their own custom error page.
* Fri Sep 05 2025 C0nw0nk - 1.5-1
- Fixed log to show IP address.
- IPs in the block range get added to the shared memory zone if it exists
- IPs in the whitelist range get added to the shared memory zone if it exists
- Added feature: javascript authentication puzzle protection; users who fail to solve the javascript puzzle more than a certain number of times can be blocked.
- Added feature: ability to run external commands on IP addresses in the block list, useful if you want to use iptables to block an address before it even reaches the nginx worker process.
* Wed Sep 03 2025 C0nw0nk - 1.4-1
- Localize next functions
- Add ability to override ngx.location.capture headers being sent to backends.
* Wed Sep 03 2025 C0nw0nk - 1.3-1
- Localize vars so the script is compatible with all nginx lua versions old and new.
- Fix content-type header: depending on how early in the execution process we are with nginx the content-type header could still be nil, so I have fixed it.
* Sat Aug 23 2025 C0nw0nk - 1.2-1
- Fixed both guest and logged-in user cache
- Fixed POST request caching
- Change default value to false in case other scripts are present on the Nginx server to be executed after this script.
- Improved content cache key so it works with other request types like POST etc
* Wed Aug 20 2025 C0nw0nk - 1.1-1
- Added feature Content-Type caching using ngx.location.capture
- This is the same as `proxy_cache` or `fastcgi_cache` in nginx, just with more features and better.
- Added feature HTML modification: you can capture and modify page output with this, including adding javascript to pages etc.
- Added feature option for users who have other scripts on their nginx server to be able to run those after this. `ngx_exit` trigger.
- Fixed the shdict check; I left it as a string `tostring` and a true or false check was not working properly.
* Sat Aug 09 2025 C0nw0nk - 1.0-1
- Initial packaging (RPM and DEB) for anti_ddos_challenge.lua created and maintained by C0nw0nk (https://github.com/C0nw0nk)
--------------------------------------------------------------------------------
/debian/changelog:
--------------------------------------------------------------------------------
nginx-lua-anti-ddos-challenge (2.8-1) stable; urgency=medium

  - Added feature: ability for script settings to be controlled from the nginx configuration file nginx.conf or vhosts, useful for those who do not want to edit the script but can instead use their virtual hosts or nginx config files to change settings of the script.
  - https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS/wiki/Script-Overrides
  - Example: nginx.conf inside the http block
  - http {
  - init_by_lua '
  - localized_global = {} --define global var that script can read
  - localized_global.secret = " enigma" --nginx config now sets secret key and the script will use the secret key from here
  - localized_global.credits = 2 --disable ddos credits
  - ';
  - }

 -- C0nw0nk  Mon, 03 Nov 2025 00:00:00 +0000

nginx-lua-anti-ddos-challenge (2.7-1) stable; urgency=medium

  - Performance improvement and fixes for Tor .onion checks; javascript authentication puzzle now shows and protects backends for Tor users.
  - Added support to detect if Linux, Windows or Mac for custom commands.

 -- C0nw0nk  Fri, 24 Oct 2025 00:00:00 +0000

nginx-lua-anti-ddos-challenge (2.6-1) stable; urgency=medium

  - Add ability to detect and auto whitelist servers IP address

 -- C0nw0nk  Wed, 08 Oct 2025 00:00:00 +0000

nginx-lua-anti-ddos-challenge (2.5-1) stable; urgency=medium

  - Add IPv6 addresses to whitelist for localhost so that nginx setups using IPv6 do not internally ban themselves.
  - Added check if exit status is 444 (close the connection) or 204 (no content): we do not need to waste time disabling gzip since there is no response to gzip.

 -- C0nw0nk  Wed, 08 Oct 2025 00:00:00 +0000

nginx-lua-anti-ddos-challenge (2.4-1) stable; urgency=medium

  - Range filter will now work with content-type fix set to false.

 -- C0nw0nk  Sat, 20 Sep 2025 00:00:00 +0000

nginx-lua-anti-ddos-challenge (2.3-1) stable; urgency=medium

  - GET content-type function ability to toggle on / off via true / false statement
  - Default content-type function to true so users can turn it off if they need to

 -- C0nw0nk  Sat, 20 Sep 2025 00:00:00 +0000

nginx-lua-anti-ddos-challenge (2.2-1) stable; urgency=medium

  - String.find is faster than string match so use string.find where possible
  - Improve speed of wildcard matches by not using string.find or string.match and using a custom function
  - Performance improvement with logs
  - Make sure users set custom commands
get run on blocks 134 | 135 | -- C0nw0nk Sat, 13 Sep 2025 00:00:00 +0000 136 | 137 | nginx-lua-anti-ddos-challenge (2.2-1) stable; urgency=medium 138 | - String.find is faster than string match so use string.find where possible 139 | - Improve speed of wildcard matches by not using string.find or string.match and using a custom function 140 | - Performance improvement with logs 141 | - Make sure users set custom commands get run on blocks 142 | 143 | -- C0nw0nk Sat, 13 Sep 2025 00:00:00 +0000 144 | 145 | nginx-lua-anti-ddos-challenge (2.2-1) stable; urgency=medium 146 | - String.find is faster than string match so use string.find where possible 147 | - Improve speed of wildcard matches by not using string.find or string.match and using a custom function 148 | - Performance improvement with logs 149 | - Make sure users set custom commands get run on blocks 150 | 151 | -- C0nw0nk Sat, 13 Sep 2025 00:00:00 +0000 152 | 153 | nginx-lua-anti-ddos-challenge (2.2-1) stable; urgency=medium 154 | - String.find is faster than string match so use string.find where possible 155 | - Improve speed of wildcard matches by not using string.find or string.match and using a custom function 156 | - Performance improvement with logs 157 | - Make sure users set custom commands get run on blocks 158 | 159 | -- C0nw0nk Sat, 13 Sep 2025 00:00:00 +0000 160 | 161 | nginx-lua-anti-ddos-challenge (2.2-1) stable; urgency=medium 162 | - String.find is faster than string match so use string.find where possible 163 | - Improve speed of wildcard matches by not using string.find or string.match and using a custom function 164 | - Performance improvement with logs 165 | - Make sure users set custom commands get run on blocks 166 | 167 | -- C0nw0nk Sat, 13 Sep 2025 00:00:00 +0000 168 | 169 | nginx-lua-anti-ddos-challenge (2.2-1) stable; urgency=medium 170 | - String.find is faster than string match so use string.find where possible 171 | - Improve speed of wildcard matches by not using string.find or 
string.match and using a custom function 172 | - Performance improvement with logs 173 | - Make sure users set custom commands get run on blocks 174 | 175 | -- C0nw0nk Sat, 13 Sep 2025 00:00:00 +0000 176 | 177 | nginx-lua-anti-ddos-challenge (2.2-1) stable; urgency=medium 178 | - String.find is faster than string match so use string.find where possible 179 | - Improve speed of wildcard matches by not using string.find or string.match and using a custom function 180 | - Performance improvement with logs 181 | - Make sure users set custom commands get run on blocks 182 | 183 | -- C0nw0nk Sat, 13 Sep 2025 00:00:00 +0000 184 | 185 | nginx-lua-anti-ddos-challenge (2.2-1) stable; urgency=medium 186 | - String.find is faster than string match so use string.find where possible 187 | - Improve speed of wildcard matches by not using string.find or string.match and using a custom function 188 | - Performance improvement with logs 189 | - Make sure users set custom commands get run on blocks 190 | 191 | -- C0nw0nk Sat, 13 Sep 2025 00:00:00 +0000 192 | 193 | nginx-lua-anti-ddos-challenge (2.1-1) stable; urgency=medium 194 | - Fix for users seeing javascript authentication puzzle i forgot to null out a line when doing tests. 195 | - Added a check on default secret key or password just incase a user has not changed it from default 196 | 197 | -- C0nw0nk Fri, 12 Sep 2025 00:00:00 +0000 198 | 199 | nginx-lua-anti-ddos-challenge (2.1-1) stable; urgency=medium 200 | - Fix for users seeing javascript authentication puzzle i forgot to null out a line when doing tests. 201 | - Added a check on default secret key or password just incase a user has not changed it from default 202 | 203 | -- C0nw0nk Fri, 12 Sep 2025 00:00:00 +0000 204 | 205 | nginx-lua-anti-ddos-challenge (2.0-1) stable; urgency=medium 206 | - Remove dependancy for ngx.re.gsub tests come back string.gsub is fast enough and performs better overall. 
207 | - Improved cache logs to make more readable/understandable 208 | - Added extra details to Range, WAF and blocking logs 209 | - Remove un-needed custom command checks 210 | - Fix incase user does not want to use shared memory zones the function to obtain users real ip was not present added. 211 | 212 | -- C0nw0nk Thu, 11 Sep 2025 00:00:00 +0000 213 | 214 | nginx-lua-anti-ddos-challenge (1.9-1) stable; urgency=medium 215 | - Move Internal headers to a function 216 | - Do IP blocked/banned checks before anything else no point generating headers if IP has been blocked for flooding 217 | - Nil vars checks incase user changes a empty table var to a empty string. 218 | - Fix for tor users authorization box / login box. 219 | - Extend ban duration on IP's flooding whats the point in letting them access the site on expired time if they are still flooding 220 | 221 | -- C0nw0nk Wed, 10 Sep 2025 00:00:00 +0000 222 | 223 | nginx-lua-anti-ddos-challenge (1.8-1) stable; urgency=medium 224 | - Fix for internal header not matching strip out unwanted chars of encrypted header that caused this bug 225 | 226 | -- C0nw0nk Wed, 10 Sep 2025 00:00:00 +0000 227 | 228 | nginx-lua-anti-ddos-challenge (1.8-1) stable; urgency=medium 229 | - Fix for internal header not matching strip out unwanted chars of encrypted header that caused this bug 230 | 231 | -- C0nw0nk Wed, 10 Sep 2025 00:00:00 +0000 232 | 233 | nginx-lua-anti-ddos-challenge (1.7-1) stable; urgency=medium 234 | - Added Security feature to prevent spoofing on the Proxy headers CF-Connecting-IP or X-forwarded-for. 
235 | - For example a smart DDoS attack will send a fake CF-Connecting-IP header or X-Forwarded-For header in their request 236 | - They do this to see if your server will use their real ip or the fake header they provide to you most servers do not even check this I do :) 237 | - Example : `curl.exe "http://localhost/" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" -H "Accept-Language: en-GB,en;q=0.5" -H "Accept-Encoding: gzip, deflate, br, zstd" -H "DNT: 1" -H "Connection: keep-alive" -H "Cookie: name1=1; name2=2; logged_in=1" -H "Upgrade-Insecure-Requests: 1" -H "Sec-Fetch-Dest: document" -H "Sec-Fetch-Mode: navigate" -H "Sec-Fetch-Site: none" -H "Sec-Fetch-User: ?1" -H "Priority: u=0, i" -H "Pragma: no-cache" -H "Cache-Control: no-cache" -H "User-Agent:testagent1" -H "CF-Connecting-IP: 1" -H "X-Forwarded-For: 1" ` 238 | - Improvements for Tor / Onion network users script should now detect Tor automatically no need to change any settings. 239 | - Improve Page Caching cookie matching 240 | - Internal request header tracking encrypted so only the nginx process can use these headers 241 | - localize and and re-order some vars and functions for better performance and execution ordering 242 | 243 | -- C0nw0nk Tue, 09 Sep 2025 00:00:00 +0000 244 | 245 | nginx-lua-anti-ddos-challenge (1.6-1) stable; urgency=medium 246 | - Added Feature localized.ip_whitelist_bypass_flood_protection = 0 --0 IP's in whitelist can still be banned / blocked for DDoS flooding behaviour 1 IP's bypass the flood detection 247 | - Fixed Rate limit being double 248 | - Tidy IP checks by using a function 249 | - Increase default minimum request size from 20 bytes to 40 bytes 250 | - Improve the default User-Agent block string for empty user-agent to pick up spaces as empty also 251 | - Better setting for shared memory zones 252 | - Add crawler IP's google bing to whitelist example 253 | - Fix for cloudflare and proxys solving javascript puzzle make sure they don't 
override the 503 status and send their own custom error page. 254 | 255 | -- C0nw0nk Sun, 07 Sep 2025 00:00:00 +0000 256 | 257 | nginx-lua-anti-ddos-challenge (1.6-1) stable; urgency=medium 258 | - Added Feature localized.ip_whitelist_bypass_flood_protection = 0 --0 IP's in whitelist can still be banned / blocked for DDoS flooding behaviour 1 IP's bypass the flood detection 259 | - Fixed Rate limit being double 260 | - Tidy IP checks by using a function 261 | - Increase default minimum request size from 20 bytes to 40 bytes 262 | - Improve the default User-Agent block string for empty user-agent to pick up spaces as empty also 263 | - Better setting for shared memory zones 264 | - Add crawler IP's google bing to whitelist example 265 | - Fix for cloudflare and proxys solving javascript puzzle make sure they don't override the 503 status and send their own custom error page. 266 | 267 | -- C0nw0nk Sun, 07 Sep 2025 00:00:00 +0000 268 | 269 | nginx-lua-anti-ddos-challenge (1.5-1) stable; urgency=medium 270 | - Fixed log to show IP address. 271 | - IPs in the block range to get added to shared memory zone if exist 272 | - IPs in whitelist range to get added to shared memory zone if exist 273 | - Added Feature javascript authentication puzzle protection users who fail to solve the javascript puzzle more than a certain number of times can be blocked. 274 | - Added feature ability to run external commands on IP addresses in the block list useful if you want to use iptables to block an address before it even reaches the nginx worker process. 275 | 276 | -- C0nw0nk Fri, 05 Sep 2025 00:00:00 +0000 277 | 278 | nginx-lua-anti-ddos-challenge (1.5-1) stable; urgency=medium 279 | - Fixed log to show IP address. 
280 | - IPs in the block range to get added to shared memory zone if exist 281 | - IPs in whitelist range to get added to shared memory zone if exist 282 | - Added Feature javascript authentication puzzle protection users who fail to solve the javascript puzzle more than a certain number of times can be blocked. 283 | - Added feature ability to run external commands on IP addresses in the block list useful if you want to use iptables to block an address before it even reaches the nginx worker process. 284 | 285 | -- C0nw0nk Fri, 05 Sep 2025 00:00:00 +0000 286 | 287 | nginx-lua-anti-ddos-challenge (1.4-1) stable; urgency=medium 288 | - localize next functions 289 | - Add ability to override ngx.location.capture headers being sent to backends. 290 | 291 | -- C0nw0nk Wed, 03 Sep 2025 00:00:00 +0000 292 | 293 | nginx-lua-anti-ddos-challenge (1.4-1) stable; urgency=medium 294 | - localize next functions 295 | - Add ability to override ngx.location.capture headers being sent to backends. 296 | 297 | -- C0nw0nk Wed, 03 Sep 2025 00:00:00 +0000 298 | 299 | nginx-lua-anti-ddos-challenge (1.3-1) stable; urgency=medium 300 | - localize vars so the script is compatible with all nginx lua versions old and new. 301 | - Fix content-type header depending on how early in execution process we are with nginx the content-type header could still be nil so i have fixed it. 302 | 303 | -- C0nw0nk Wed, 03 Sep 2025 00:00:00 +0000 304 | 305 | nginx-lua-anti-ddos-challenge (1.3-1) stable; urgency=medium 306 | - localize vars so the script is compatible with all nginx lua versions old and new. 307 | - Fix content-type header depending on how early in execution process we are with nginx the content-type header could still be nil so i have fixed it. 
308 | 309 | -- C0nw0nk Wed, 03 Sep 2025 00:00:00 +0000 310 | 311 | nginx-lua-anti-ddos-challenge (1.2-1) stable; urgency=medium 312 | - Fixed both guest and logged in user cache 313 | - Fixed POST request caching 314 | - Change default value to false in-case other scripts are present on the Nginx server to be executed after this script. 315 | - Improved content cache key so it works with other request types like POST etc 316 | 317 | -- C0nw0nk Sat, 23 Aug 2025 00:00:00 +0000 318 | 319 | nginx-lua-anti-ddos-challenge (1.2-1) stable; urgency=medium 320 | - Fixed both guest and logged in user cache 321 | - Fixed POST request caching 322 | - Change default value to false in-case other scripts are present on the Nginx server to be executed after this script. 323 | - Improved content cache key so it works with other request types like POST etc 324 | 325 | -- C0nw0nk Sat, 23 Aug 2025 00:00:00 +0000 326 | 327 | nginx-lua-anti-ddos-challenge (1.1-1) stable; urgency=medium 328 | - Added Feature Content-Type Caching using ngx.location.capture 329 | - This is the same as `proxy_cache` or `fastcgi_cache` in nginx just more features and better. 330 | - Added Feature HTML modification / Modify you can capture and modify pages outputs with this includding adding javascript to pages etc. 331 | - Added Feature option for users who have other scripts on their nginx server to be able to run those after this. `ngx_exit` trigger. 332 | - Fixed the shdict check i left it as a string `tostring` and a true or false check was not working properly. 
333 | 334 | -- C0nw0nk Wed, 20 Aug 2025 00:00:00 +0000 335 | 336 | nginx-lua-anti-ddos-challenge (1.0-1) stable; urgency=medium 337 | - Initial packaging (RPM and DEB) for anti_ddos_challenge.lua created and maintained by C0nw0nk (https://github.com/C0nw0nk) 338 | 339 | -- C0nw0nk Sat, 09 Aug 2025 00:00:00 +0000 340 | 341 | nginx-lua-anti-ddos-challenge (1.0-1) stable; urgency=medium 342 | - Initial packaging (RPM and DEB) for anti_ddos_challenge.lua created and maintained by C0nw0nk (https://github.com/C0nw0nk) 343 | 344 | -- C0nw0nk Sat, 09 Aug 2025 00:00:00 +0000 345 | 346 | nginx-lua-anti-ddos-challenge (1.0-1) stable; urgency=medium 347 | - Initial packaging (RPM and DEB) for anti_ddos_challenge.lua created and maintained by C0nw0nk (https://github.com/C0nw0nk) 348 | 349 | -- C0nw0nk Sat, 09 Aug 2025 00:00:00 +0000 350 | 351 | --------------------------------------------------------------------------------
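The 1.7-1 entry above describes the spoofing problem with CF-Connecting-IP and X-Forwarded-For: a client connecting directly can set those headers to anything, so a server that reads them blindly bans (or whitelists) whatever address the attacker chooses. The defender's rule is to honour a proxy header only when the TCP peer is a proxy you trust. The following is an added example of that rule and is not code from anti_ddos_challenge.lua; the `trusted_proxies` ranges are constructed for the example, and the function names (`resolve_client_ip`, `in_cidr`, `ipv4_to_number`) are hypothetical. It is plain Lua 5.1 / LuaJIT with no OpenResty dependency, so it runs under `lua` as-is; the header table is shaped like what `ngx.req.get_headers()` returns.

```lua
-- Added example, not code from anti_ddos_challenge.lua: decide which address to treat as
-- the client IP. The proxy headers CF-Connecting-IP and X-Forwarded-For are only honoured
-- when the TCP peer (ngx.var.remote_addr in OpenResty) is a proxy we trust; anyone else can
-- put whatever they like in those headers, so for them the peer address IS the client IP.
-- Plain Lua 5.1 / LuaJIT, no OpenResty dependency, so it can be run with `lua` directly.

-- Trusted proxy ranges: CONSTRUCTED for this example. In production use the published
-- address ranges of your CDN / load balancer (IPv4 only here, to keep the parser short).
local trusted_proxies = { "127.0.0.1/32", "10.0.0.0/8", "203.0.113.0/24" }

-- Parse a dotted-quad IPv4 string into a number; nil if it is not a valid address.
local function ipv4_to_number(ip)
  if type(ip) ~= "string" then return nil end
  local a, b, c, d = ip:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return a * 16777216 + b * 65536 + c * 256 + d
end

-- True if ip falls inside cidr ("a.b.c.d/n"; a bare address means /32).
-- Uses integer division instead of bit operations so it needs no bit library.
local function in_cidr(ip, cidr)
  local net, prefix = cidr:match("^([%d%.]+)/(%d+)$")
  if not net then net, prefix = cidr, "32" end
  prefix = tonumber(prefix)
  local ipn, netn = ipv4_to_number(ip), ipv4_to_number(net)
  if not ipn or not netn or prefix < 0 or prefix > 32 then return false end
  local host_bits = 2 ^ (32 - prefix)
  return math.floor(ipn / host_bits) == math.floor(netn / host_bits)
end

local function is_trusted_proxy(remote_addr)
  for _, cidr in ipairs(trusted_proxies) do
    if in_cidr(remote_addr, cidr) then return true end
  end
  return false
end

-- remote_addr: the TCP peer; headers: table keyed by lower-case header name, the shape
-- ngx.req.get_headers() returns. Returns the client IP and which source it came from.
local function resolve_client_ip(remote_addr, headers)
  if not is_trusted_proxy(remote_addr) then
    -- Direct connection: any proxy header present was written by the client itself.
    return remote_addr, "remote_addr"
  end
  local cf = headers["cf-connecting-ip"]
  if type(cf) == "table" then cf = cf[1] end      -- a repeated header arrives as a table
  if ipv4_to_number(cf) then
    return cf, "cf-connecting-ip"
  end
  local xff = headers["x-forwarded-for"]
  if type(xff) == "table" then xff = xff[1] end
  if type(xff) == "string" then
    -- X-Forwarded-For is a comma separated chain; each hop appends the address it saw.
    -- Only the entry appended by our trusted proxy (the last one) is reliable.
    local last = xff:match("([^,]*)$"):gsub("^%s+", "")
    if ipv4_to_number(last) then
      return last, "x-forwarded-for"
    end
  end
  -- Trusted proxy but no usable header value: fall back to the peer address.
  return remote_addr, "remote_addr"
end

-- Self-check on constructed requests: the spoofed headers from the changelog entry
-- ("CF-Connecting-IP: 1", "X-Forwarded-For: 1") sent directly and via a trusted proxy.
local spoofed = { ["cf-connecting-ip"] = "1", ["x-forwarded-for"] = "1" }
assert(resolve_client_ip("198.51.100.7", spoofed) == "198.51.100.7") -- untrusted peer: headers ignored
assert(resolve_client_ip("203.0.113.10", spoofed) == "203.0.113.10") -- trusted peer, but "1" is not an IP
local chained = { ["x-forwarded-for"] = "198.51.100.7, 192.0.2.9" }
assert(resolve_client_ip("203.0.113.10", chained) == "192.0.2.9")     -- last hop, appended by the proxy
assert(resolve_client_ip("10.1.2.3", { ["cf-connecting-ip"] = "192.0.2.9" }) == "192.0.2.9")
assert(select(2, resolve_client_ip("10.1.2.3", {})) == "remote_addr")

return { resolve_client_ip = resolve_client_ip, in_cidr = in_cidr }
```

Inside OpenResty the call would be `resolve_client_ip(ngx.var.remote_addr, ngx.req.get_headers())` from an access-phase handler, with `trusted_proxies` replaced by the CDN's published ranges. One caveat: if nginx's realip module is already configured (`set_real_ip_from` / `real_ip_header`), `ngx.var.remote_addr` has been rewritten from the header and the real TCP peer is in `ngx.var.realip_remote_addr`; the trust check must run against that peer address, or the header value ends up being trusted twice.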