Simple javascript proof-of-work based access for Nginx with virtually no overhead.
Easy installation: just add load_module /path/to/ngx_http_js_challenge_module.so;
to your
nginx.conf
file and follow the configuration instructions.
Simple configuration
server {
js_challenge on;
js_challenge_secret "change me!";
# ...
}
Advanced configuration
server {
js_challenge on;
js_challenge_secret "change me!";
js_challenge_html /path/to/body.html;
js_challenge_bucket_duration 3600;
js_challenge_title "Verifying your browser...";
location /static {
js_challenge off;
alias /static_files/;
}
location /sensitive {
js_challenge_bucket_duration 600;
#...
}
#...
}
js_challenge on|off
Toggle javascript challenges for this config blockjs_challenge_secret "secret"
Secret for generating the challenges. DEFAULT: "changeme"js_challenge_html "/path/to/file.html"
Path to html file to be inserted in the<body>
tag of the interstitial pagejs_challenge_title "title"
Will be inserted in the<title>
tag of the interstitial page. DEFAULT: "Verifying your browser..."js_challenge_bucket_duration time
Interval to prompt js challenge, in seconds. DEFAULT: 3600
- Add
load_module ngx_http_js_challenge_module.so;
to/etc/nginx/nginx.conf
- Reload
nginx -s reload
These steps have to be performed on machine with compatible configuration (same nginx, glibc, openssl version etc.)
- Install dependencies
apt install libperl-dev libgeoip-dev libgd-dev libxslt1-dev libpcre3-dev
- Download nginx tarball corresponding to your current version (Check with
nginx -v
)wget https://nginx.org/download/nginx-1.16.1.tar.gz tar -xzf nginx-1.16.1.tar.gz export NGINX_PATH=$(pwd)/nginx-1.16.1/
- Compile the module
git clone https://github.com/simon987/ngx_http_js_challenge_module cd ngx_http_js_challenge_module ./build.sh
- The dynamic module can be found at
${NGINX_PATH}/objs/ngx_http_js_challenge_module.so
- Users with cookies disabled will be stuck in an infinite refresh loop (TODO: redirect with a known query param, if no cookie is specified but the query arg is set, display an error page)
- If nginx is behind a reverse proxy/load balancer, the same challenge will be sent to different users and/or the response cookie will be invalidated when the user is re-routed to another server. (TODO: use the x-real-ip header when available)