Cool! 😎 So I can now block ASN(s) 🤣 (And I bet no-one noticed anything)
@prologic@twtxt.net what’s ASN again?
An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet.[1] Each AS is assigned an autonomous system number (ASN), for use in Border Gateway Protocol (BGP) routing. Autonomous System Numbers are assigned to Local Internet Registries (LIRs) and end-user organizations by their respective Regional Internet Registries (RIRs), which in turn receive blocks of ASNs for reassignment from the Internet Assigned Numbers Authority (IANA). The IANA also maintains a registry of ASNs which are reserved for private use (and should therefore not be announced to the global Internet).
@prologic@twtxt.net can you give me an example of one ASN you have blocked? First time I heard of ASNs but, furthermore, blocking ASNs. It seems like they are huge blocks!
@bender@twtxt.net Yes they are rather large 🤣 Here you go:
proxy-1:~# cat /etc/caddy/waf/bad_asns.txt
# CHINANET-BACKBONE No.31,Jin-rong Street, CN
# Why: DDoS
4134
# CHINA169-BACKBONE CHINA UNICOM China169 Backbone, CN
# Why: DDoS
4837
# CHINAMOBILE-CN China Mobile Communications Group Co., Ltd., CN
# Why: DDoS
9808
# FACEBOOK, US
# Why: Bad Bots
32934
proxy-1:~#
@prologic@twtxt.net cool! Looking forward to the README for https://git.mills.io/prologic/caddy-waf! :-) I will probably build that module on my Caddy!
The rate-limit one too (https://git.mills.io/prologic/caddy-ratelimit), for sure! Would the caddy-waf be:
$ xcaddy build --with git.mills.io/prologic/caddy-waf
Yes? Still, the README for a configuration example would be awesome!
So this should build caddy with both modules:
$ xcaddy build --with git.mills.io/prologic/caddy-ratelimit --with git.mills.io/prologic/caddy-waf
Right?
Ahh fuck! Sorry I was fixing a rule 🤣 This is much better!
proxy-1:~# grep -c 'Bad ASN' /var/log/caddy/caddy.log
2441
This is how I build my caddy:
proxy-1:~# cat build.caddy.sh
#!/bin/sh
xcaddy build \
--with github.com/caddy-dns/cloudflare \
--with github.com/caddyserver/cache-handler \
--with git.mills.io/prologic/caddy-ratelimit \
--with git.mills.io/prologic/caddy-waf
proxy-1:~#
I’ll try to add a README for caddy-waf soon™ (going back to bed now); at least I’ll document the customizations I’ve made to this WAF (which I forked from caddy-coraza).
Notably the custom operator @lookupASN
Note, for reference: I was trying to write and fix this rule (fixed version below):
# Ignore Content-Type restrictions for Git
SecRule REQUEST_HEADERS:Host "@streq git.mills.io" "id:101,phase:1,t:none,nolog,ctl:ruleRemoveById=920420"
On a test I ran, with a static site that is a PWA, like this:
example.com {
root * /web/example.com
route / {
rate_limit {path} 20r/m
file_server
}
}
It works (as limiting rate), but when rate isn’t reached, the page doesn’t render. Not sure what could be going on.
Hmm, yeah, I am doing something wrong. Same is happening with any site to which I apply this.
Is there a reason you forked this from mholt? What was added, or changed? Your “Initial commit” throws an error.
@prologic@twtxt.net I would be very interested in this as a Caddy user who needs a WAF, probably lol