remove unneeded Access-Control-Allow-Origin headers - this is never cross domain

correctly use the vars expected_header_status and authentication_page_status_output
simplify, and exit faster in the case of an AJAX request
default authentication_page_status_output to 503; otherwise Google and other crawlers index this page
This commit is contained in:
Stefan Priebe 2020-01-06 15:39:51 +01:00
parent c723cb4ee2
commit 99d3d5fc82
1 changed files with 13 additions and 11 deletions


@ -453,8 +453,8 @@ local request_uri = ngx.var.request_uri --request uri is full URL link including
local URL = scheme .. "://" .. host .. request_uri
local user_agent = ngx.var.http_user_agent --user agent of browser
local expected_header_status = 200 --503
local authentication_page_status_output = 200
local expected_header_status = 200
local authentication_page_status_output = 503
local domain = ""
if host == nil then
@ -512,10 +512,16 @@ local function grant_access()
set_cookie4 = cookie_name_encrypted_start_and_end_date.."="..calculate_signature(remote_addr .. currenttime .. (currenttime+expire_time) ).."; path=/; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --start and end date combined to unique id
set_cookies = {set_cookie1 , set_cookie2 , set_cookie3 , set_cookie4}
ngx.header["Access-Control-Allow-Origin"] = "*"
ngx.header["Access-Control-Allow-Credentials"] = "true"
ngx.header["Access-Control-Allow-Methods"] = "GET, POST, PUT, HEAD"
ngx.header["Access-Control-Allow-Headers"] = "Content-Type"
ngx.header["Set-Cookie"] = set_cookies
ngx.header["X-Content-Type-Options"] = "nosniff"
ngx.header["X-Frame-Options"] = "SAMEORIGIN"
ngx.header["X-XSS-Protection"] = "1; mode=block"
ngx.header["Cache-Control"] = "public, max-age=0 no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
ngx.header["Pragma"] = "no-cache"
ngx.header["Expires"] = "0"
ngx.header.content_type = "text/html; charset=" .. default_charset
ngx.status = expected_header_status
ngx.exit(ngx.HTTP_NO_CONTENT)
end
end
@ -770,10 +776,6 @@ if set_cookies == nil then
set_cookies = challenge.."="..answer.."; path=/; expires=" .. ngx.cookie_time(currenttime+expire_time) .. "; Max-Age=" .. expire_time .. ";" --apply our uid cookie in header here incase browsers javascript can't set cookies due to permissions.
end
ngx.header["Set-Cookie"] = set_cookies
ngx.header["Access-Control-Allow-Origin"] = "*"
ngx.header["Access-Control-Allow-Credentials"] = "true"
ngx.header["Access-Control-Allow-Methods"] = "GET, POST, PUT, HEAD"
ngx.header["Access-Control-Allow-Headers"] = "Content-Type"
ngx.header["X-Content-Type-Options"] = "nosniff"
ngx.header["X-Frame-Options"] = "SAMEORIGIN"
ngx.header["X-XSS-Protection"] = "1; mode=block"
@ -784,6 +786,6 @@ if credits == 1 then
ngx.header["X-Anti-DDoS"] = "Conor McKnight | facebook.com/C0nw0nk"
end
ngx.header.content_type = "text/html; charset=" .. default_charset
ngx.status = expected_header_status
ngx.status = authentication_page_status_output
ngx.say(anti_ddos_html_output)
ngx.exit(ngx.HTTP_OK)
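Review bot: In the grant_access hunk, `ngx.status = expected_header_status` is immediately followed by `ngx.exit(ngx.HTTP_NO_CONTENT)`, so the same response is asked for both 200 and 204 and only one can win (which one depends on OpenResty's exit handling, which I have not verified here); if the configured variable is meant to be honoured, `return ngx.exit(expected_header_status)` keeps the status in one place, and if an empty 204 is really intended then the assignment and the `content_type` header two lines above are dead code. The `Cache-Control` value in the same hunk, `"public, max-age=0 no-store, no-cache, ..."`, is missing the comma between `max-age=0` and `no-store`, so a strict parser sees `max-age=0 no-store` as one unrecognised directive and the no-store intent can be lost; `"no-store, no-cache, must-revalidate, max-age=0"` expresses the same policy in valid syntax and drops `public`, which contradicts `no-store`. The 503 in the last hunk is set before `ngx.say`, which is the right order, though it is worth a comment such as `-- 503 keeps crawlers from indexing the challenge page` since the reason lives only in the commit message. grant_access starts outside the hunk, at the @@ context line.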