fix(default-config): make the default config far less paranoid (#1179)

* test: add httpdebug tool Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(data/clients/git): more strictly match the git client Signed-off-by: Xe Iaso <me@xeiaso.net> * fix(default-config): make the default config far less paranoid This uses a variety of heuristics to make sure that clients that claim to be browsers are more likely to behave like browsers. Most of these are based on the results of a lot of reverse engineering and data collection from honeypot servers. Signed-off-by: Xe Iaso <me@xeiaso.net> * docs: update CHANGELOG Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> Signed-off-by: Xe Iaso <xe.iaso@techaro.lol>
2025-10-11 08:48:12 -04:00 · 2025-10-11 08:48:12 -04:00 · 9c47c180d0
commit 9c47c180d0
parent d51d32726c
3 changed files with 56 additions and 10 deletions
--- a/data/clients/git.yaml
+++ b/data/clients/git.yaml
@ -2,13 +2,19 @@
  action: ALLOW
  expression:
    all:
-    - >
-      (  
-        userAgent.startsWith("git/") ||
-        userAgent.contains("libgit") ||
-        userAgent.startsWith("go-git") ||
-        userAgent.startsWith("JGit/") ||
-        userAgent.startsWith("JGit-")
-      )
-    - '"Git-Protocol" in headers'
-    - headers["Git-Protocol"] == "version=2"
+      - >
+        (  
+          userAgent.startsWith("git/") ||
+          userAgent.contains("libgit") ||
+          userAgent.startsWith("go-git") ||
+          userAgent.startsWith("JGit/") ||
+          userAgent.startsWith("JGit-")
+        )
+      - '"Accept" in headers'
+      - headers["Accept"] == "*/*"
+      - '"Cache-Control" in headers'
+      - headers["Cache-Control"] == "no-cache"
+      - '"Pragma" in headers'
+      - headers["Pragma"] == "no-cache"
+      - '"Accept-Encoding" in headers'
+      - headers["Accept-Encoding"].contains("gzip")