| src | ||
| .envrc | ||
| .gitignore | ||
| Caddyfile | ||
| Cargo.lock | ||
| Cargo.toml | ||
| LICENSE | ||
| README.md | ||
| shell.nix | ||
bombai: bomba + ai
instead of letting the ai boom bomb our websites, lets bomb the ai in return.
install via rust with cargo install --git https://git.tudbut.de/tudbut/bombai. https://rustup.rs
update policy: releases after around 2 weeks of no changes to main. config changes can be made whenever and must be documented in the release text. config changes made on main do not need to be marked; expect breakage resulting in crashes if you track main.
features
- not dependent on user agents
- metric is only what is requested
- configurable, allowing e.g. setting lower limits for rarely visited pages
- specifically designed to guard forgejo (and similar) things
- zip bombs
- traps (like iocaine but muuuch simpler)
- redirecting to iocaine :)
- metrics
more detail
detection
detection works by request counting for designated areas of the page ([[paths]])
- each paths entry has its own counter
- with separate max value after which requests get denied and the requester timeouted
- with a decay per hour, that is calculated at much finer resolution than hourly of course
- fail = timeout
- entries can be set to always fail to create "trap paths" (max = 0)
- subnets can be blobbed together into one entity, e.g. to catch alibaba's entire /24 subnet of bots
fail response
- http mode: signal caddy (or other reverse proxy) to do something special
- e.g. redirect to iocaine or other trap
- file mode: respond with simple http response or html file
- generated mode:
- customizable
- start text
- end text
- char spam in between
- total length can be set
- can be gzipped
- optionally only if client allows it (via Accept-Encoding)
- "gzip chance" from 0 to 100% (of requests)
- "continuous failure" mode where a few links that lead into a maze of more failure are generated between start text and spam
- customizable
config
default config is automatically dropped to disk and can also be found at src/bombai.toml
it contains a lot of documentation
metrics
dashboard base url can be set in config; metrics available at /bombai/metrics (assuming dashboard is at /bombai).
how to
add to caddyfile as per the caddyfile in this repo. the iocaine part is not required.
@read method GET HEAD
reverse_proxy @read 127.0.0.1:42067 {
@fallback status 421
handle_response @fallback
# optional, if using fail_response.data = http
@iocaine status 423
handle_response @iocaine {
reverse_proxy 127.0.0.1:42069 # iocaine needs to be configured to always serve its poison for this.
}
}
license
wtfpl+-ai. no ai allowed, everything else allowed.
cargo tree
i dont like big dependency trees. so this one is small.
tudbut@Tud-NixX260 ~/g/bombai (main)> cargo tree
bombai v0.1.0 (/home/tudbut/gitshit/bombai)
├── chrono v0.4.42
│ ├── iana-time-zone v0.1.64
│ └── num-traits v0.2.19
│ [build-dependencies]
│ └── autocfg v1.5.0
├── deborrow v0.3.1
│ └── deborrow-macro v0.2.0 (proc-macro)
├── flate2 v1.1.5
│ ├── crc32fast v1.5.0
│ │ └── cfg-if v1.0.4
│ └── miniz_oxide v0.8.9
│ ├── adler2 v2.0.1
│ └── simd-adler32 v0.3.8
├── horrorhttp v0.2.1
│ └── readformat v1.0.3
├── microlock v0.3.1
├── nanoserde v0.2.1 (https://github.com/tudbut/nanoserde#fc010f51)
│ └── nanoserde-derive v0.2.1 (proc-macro) (https://github.com/tudbut/nanoserde#fc010f51)
└── readformat v1.0.3