Merge branch 'main' into cel-remoteAddrInList

Signed-off-by: Jason Cameron <[email protected]>

Author: JasonLovesDoggo

.github/actions/spelling/expect.txt

@@ -9,9 +9,10 @@ anubistest
 Applebot
 archlinux
 badregexes
+bdba
 berr
 bingbot
-Bitcoin
+bitcoin
 blogging
 Bluesky
 blueskybot
@@ -27,6 +28,7 @@ caninetools
 Cardyb
 celchecker
 CELPHASE
+cerr
 certresolver
 CGNAT
 cgr
@@ -100,6 +102,7 @@ Hashcash
 hashrate
 headermap
 healthcheck
+hebis
 hec
 hmc
 hostable
@@ -146,6 +149,7 @@ maintainership
 malware
 mcr
 memes
+metarefresh
 metrix
 mimi
 minica
@@ -154,6 +158,7 @@ Mojeek
 mojeekbot
 mozilla
 nbf
+netsurf
 nginx
 nobots
 NONINFRINGEMENT
@@ -166,6 +171,7 @@ onionservice
 openai
 openrc
 pag
+palemoon
 Pangu
 parseable
 passthrough
@@ -182,6 +188,7 @@ prebaked
 privkey
 promauto
 promhttp
+proofofwork
 pwcmd
 pwuser
 qualys
@@ -236,9 +243,11 @@ Tik
 Timpibot
 torproject
 traefik
+uberspace
 unixhttpd
 unmarshal
 uvx
+UXP
 Varis
 Velen
 vendored
@@ -251,6 +260,7 @@ webpage
 websecure
 websites
 Webzio
+wildbase
 wordpress
 Workaround
 workdir

.github/workflows/zizmor.yml

@@ -29,7 +29,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
           sarif_file: results.sarif
           category: zizmor

README.md

@@ -14,15 +14,36 @@
 
 Anubis is brought to you by sponsors and donors like:
 
-[![Distrust](./docs/static/img/sponsors/distrust-logo.webp)](https://distrust.co?utm_campaign=github&utm_medium=referral&utm_content=anubis)
-[![Terminal Trove](./docs/static/img/sponsors/terminal-trove.webp)](https://terminaltrove.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis&utm_source=abgh)
-[![canine.tools](./docs/static/img/sponsors/caninetools-logo.webp)](https://canine.tools?utm_campaign=github&utm_medium=referral&utm_content=anubis)
-[![Weblate](./docs/static/img/sponsors/weblate-logo.webp)](https://weblate.org/)
-[![Uberspace](./docs/static/img/sponsors/uberspace-logo.webp)](https://uberspace.de/)
+### Diamond Tier
+
+<a href="https://www.raptorcs.com/content/base/products.html">
+  <img src="./docs/static/img/sponsors/raptor-computing-logo.webp" alt="Raptor Computing Systems" height=64 />
+</a>
+
+### Gold Tier
+
+<a href="https://distrust.co?utm_campaign=github&utm_medium=referral&utm_content=anubis">
+  <img src="./docs/static/img/sponsors/distrust-logo.webp" alt="Distrust" height="64">
+</a>
+<a href="https://terminaltrove.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis&utm_source=abgh">
+  <img src="./docs/static/img/sponsors/terminal-trove.webp" alt="Terminal Trove" height="64">
+</a>
+<a href="https://canine.tools?utm_campaign=github&utm_medium=referral&utm_content=anubis">
+  <img src="./docs/static/img/sponsors/caninetools-logo.webp" alt="canine.tools" height="64">
+</a>
+<a href="https://weblate.org/">
+  <img src="./docs/static/img/sponsors/weblate-logo.webp" alt="Weblate" height="64">
+</a>
+<a href="https://uberspace.de/">
+  <img src="./docs/static/img/sponsors/uberspace-logo.webp" alt="Uberspace" height="64">
+</a>
+<a href="https://wildbase.xyz/">
+  <img src="./docs/static/img/sponsors/wildbase-logo.webp" alt="Wildbase" height="64">
+</a>
 
 ## Overview
 
-Anubis [weighs the soul of your connection](https://en.wikipedia.org/wiki/Weighing_of_souls) using a proof-of-work challenge in order to protect upstream resources from scraper bots.
+Anubis is a Web AI Firewall Utility that [weighs the soul of your connection](https://en.wikipedia.org/wiki/Weighing_of_souls) using one or more challenges in order to protect upstream resources from scraper bots.
 
 This program is designed to help protect the small internet from the endless storm of requests that flood in from AI companies. Anubis is as lightweight as possible to ensure that everyone can afford to protect the communities closest to them.
 

cmd/anubis/main.go

@@ -68,6 +68,7 @@ var (
 	extractResources         = flag.String("extract-resources", "", "if set, extract the static resources to the specified folder")
 	webmasterEmail           = flag.String("webmaster-email", "", "if set, displays webmaster's email on the reject page for appeals")
 	versionFlag              = flag.Bool("version", false, "print Anubis version")
+	xffStripPrivate          = flag.Bool("xff-strip-private", true, "if set, strip private addresses from X-Forwarded-For")
 )
 
 func keyFromHex(value string) (ed25519.PrivateKey, error) {
@@ -336,7 +337,7 @@ func main() {
 	h = s
 	h = internal.RemoteXRealIP(*useRemoteAddress, *bindNetwork, h)
 	h = internal.XForwardedForToXRealIP(h)
-	h = internal.XForwardedForUpdate(h)
+	h = internal.XForwardedForUpdate(*xffStripPrivate, h)
 
 	srv := http.Server{Handler: h, ErrorLog: internal.GetFilteredHTTPLogger()}
 	listener, listenerUrl := setupListener(*bindNetwork, *bind)
@@ -420,11 +421,11 @@ func extractEmbedFS(fsys embed.FS, root string, destDir string) error {
 			return os.MkdirAll(destPath, 0o700)
 		}
 
-		data, err := fs.ReadFile(fsys, path)
+		embeddedData, err := fs.ReadFile(fsys, path)
 		if err != nil {
 			return err
 		}
 
-		return os.WriteFile(destPath, data, 0o644)
+		return os.WriteFile(destPath, embeddedData, 0o644)
 	})
 }

data/botPolicies.yaml

@@ -55,7 +55,9 @@ bots:
   - name: generic-browser
     user_agent_regex: >-
       Mozilla|Opera
-    action: CHALLENGE
+    action: WEIGH
+    weight:
+      adjust: 10
 
 dnsbl: false
 

data/bots/aggressive-brazilian-scrapers.yaml

@@ -1,28 +1,26 @@
 - name: deny-aggressive-brazilian-scrapers
-  action: DENY
+  action: WEIGH
+  weight:
+    adjust: 20
   expression:
     any:
-    # Internet Explorer should be out of support
-    - userAgent.contains("MSIE")
-    # Trident is the Internet Explorer browser engine
-    - userAgent.contains("Trident")
-    # Opera is a fork of chrome now
-    - userAgent.contains("Presto")
-    # Windows CE is discontinued
-    - userAgent.contains("Windows CE")
-    # Windows 95 is discontinued
-    - userAgent.contains("Windows 95")
-    # Windows 98 is discontinued
-    - userAgent.contains("Windows 98")
-    # Windows 9.x is discontinued
-    - userAgent.contains("Win 9x")
-    # Amazon does not have an Alexa Toolbar.
-    - userAgent.contains("Alexa Toolbar")
-- name: challenge-aggressive-brazilian-scrapers
-  action: CHALLENGE
-  expression:
-    any:
-    # This is not released, even Windows 11 calls itself Windows 10
-    - userAgent.contains("Windows NT 11.0")
-    # iPods are not in common use
-    - userAgent.contains("iPod")
+      # Internet Explorer should be out of support
+      - userAgent.contains("MSIE")
+      # Trident is the Internet Explorer browser engine
+      - userAgent.contains("Trident")
+      # Opera is a fork of chrome now
+      - userAgent.contains("Presto")
+      # Windows CE is discontinued
+      - userAgent.contains("Windows CE")
+      # Windows 95 is discontinued
+      - userAgent.contains("Windows 95")
+      # Windows 98 is discontinued
+      - userAgent.contains("Windows 98")
+      # Windows 9.x is discontinued
+      - userAgent.contains("Win 9x")
+      # Amazon does not have an Alexa Toolbar.
+      - userAgent.contains("Alexa Toolbar")
+      # This is not released, even Windows 11 calls itself Windows 10
+      - userAgent.contains("Windows NT 11.0")
+      # iPods are not in common use
+      - userAgent.contains("iPod")

data/bots/ai-robots-txt.yaml

@@ -2,5 +2,5 @@
 # Note: Blocks human-directed/non-training user agents
 - name: "ai-robots-txt"
   user_agent_regex: >-
-    AI2Bot|Ai2Bot-Dolma|aiHitBot|Amazonbot|anthropic-ai|Brightbot 1.0|Bytespider|CCBot|ChatGPT-User|Claude-SearchBot|Claude-User|Claude-Web|ClaudeBot|cohere-ai|cohere-training-data-crawler|Cotoyogi|Crawlspace|Diffbot|DuckAssistBot|FacebookBot|Factset_spyderbot|FirecrawlAgent|FriendlyCrawler|Google-CloudVertexBot|Google-Extended|GoogleOther|GoogleOther-Image|GoogleOther-Video|GPTBot|iaskspider/2.0|ICC-Crawler|ImagesiftBot|img2dataset|imgproxy|ISSCyberRiskCrawler|Kangaroo Bot|meta-externalagent|Meta-ExternalAgent|meta-externalfetcher|Meta-ExternalFetcher|MistralAI-User/1.0|NovaAct|OAI-SearchBot|omgili|omgilibot|Operator|PanguBot|Perplexity-User|PerplexityBot|PetalBot|QualifiedBot|Scrapy|SemrushBot-OCOB|SemrushBot-SWA|Sidetrade indexer bot|TikTokSpider|Timpibot|VelenPublicWebCrawler|Webzio-Extended|wpbot|YouBot
+    AI2Bot|Ai2Bot-Dolma|aiHitBot|Amazonbot|Andibot|anthropic-ai|Applebot|Applebot-Extended|bedrockbot|Brightbot 1.0|Bytespider|CCBot|ChatGPT-User|Claude-SearchBot|Claude-User|Claude-Web|ClaudeBot|cohere-ai|cohere-training-data-crawler|Cotoyogi|Crawlspace|Diffbot|DuckAssistBot|FacebookBot|Factset_spyderbot|FirecrawlAgent|FriendlyCrawler|Google-CloudVertexBot|Google-Extended|GoogleOther|GoogleOther-Image|GoogleOther-Video|GPTBot|iaskspider/2.0|ICC-Crawler|ImagesiftBot|img2dataset|ISSCyberRiskCrawler|Kangaroo Bot|meta-externalagent|Meta-ExternalAgent|meta-externalfetcher|Meta-ExternalFetcher|MistralAI-User/1.0|NovaAct|OAI-SearchBot|omgili|omgilibot|Operator|PanguBot|Panscient|panscient.com|Perplexity-User|PerplexityBot|PetalBot|PhindBot|QualifiedBot|QuillBot|quillbot.com|SBIntuitionsBot|Scrapy|SemrushBot-OCOB|SemrushBot-SWA|Sidetrade indexer bot|TikTokSpider|Timpibot|VelenPublicWebCrawler|Webzio-Extended|wpbot|YandexAdditional|YandexAdditionalBot|YouBot
   action: DENY

data/bots/cloudflare-workers.yaml

@@ -1,4 +1,6 @@
 - name: cloudflare-workers
   headers_regex:
     CF-Worker: .*
-  action: DENY
+  action: WEIGH
+  weight:
+    adjust: 15

data/clients/small-internet-browsers/_permissive.yaml

@@ -0,0 +1,2 @@
+- import: (data)/clients/small-internet-browsers/netsurf.yaml
+- import: (data)/clients/small-internet-browsers/palemoon.yaml

data/clients/small-internet-browsers/netsurf.yaml

@@ -0,0 +1,5 @@
+- name: "reduce-weight-netsurf"
+  user_agent_regex: "NetSurf"
+  action: WEIGH
+  weight:
+    adjust: -5