865d513e35
* feat(lib/policy): add support for CEL checkers
This adds the ability for administrators to use Common Expression
Language[0] (CEL) for more advanced check logic than Anubis previously
offered.
These can be as simple as:
```yaml
- name: allow-api-routes
action: ALLOW
expression:
and:
- '!(method == "HEAD" || method == "GET")'
- path.startsWith("/api/")
```
or get as complicated as:
```yaml
- name: allow-git-clients
action: ALLOW
expression:
and:
- userAgent.startsWith("git/") || userAgent.contains("libgit") || userAgent.startsWith("go-git") || userAgent.startsWith("JGit/") || userAgent.startsWith("JGit-")
- >
"Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
```
Internally these are compiled and evaluated with cel-go[1]. This also
leaves room for extensibility should that be desired in the future. This
will intersect with #338 and eventually intersect with TLS fingerprints
as in #337.
[0]: https://cel.dev/
[1]: https://github.com/google/cel-go
Signed-off-by: Xe Iaso <me@xeiaso.net>
* feat(data/apps): add API route allow rule for non-HEAD/GET
Signed-off-by: Xe Iaso <me@xeiaso.net>
* docs: document expression syntax
Signed-off-by: Xe Iaso <me@xeiaso.net>
* fix: fixes in review
Signed-off-by: Xe Iaso <me@xeiaso.net>
---------
Signed-off-by: Xe Iaso <me@xeiaso.net>
29 lines
No EOL
559 B
JSON
29 lines
No EOL
559 B
JSON
{
|
|
"bots": [
|
|
{
|
|
"import": "(data)/bots/_deny-pathological.yaml"
|
|
},
|
|
{
|
|
"import": "(data)/bots/ai-robots-txt.yaml"
|
|
},
|
|
{
|
|
"import": "(data)/crawlers/_allow-good.yaml"
|
|
},
|
|
{
|
|
"import": "(data)/bots/aggressive-brazilian-scrapers.yaml"
|
|
},
|
|
{
|
|
"import": "(data)/common/keep-internet-working.yaml"
|
|
},
|
|
{
|
|
"name": "generic-browser",
|
|
"user_agent_regex": "Mozilla|Opera",
|
|
"action": "CHALLENGE"
|
|
}
|
|
],
|
|
"dnsbl": false,
|
|
"status_codes": {
|
|
"CHALLENGE": 200,
|
|
"DENY": 200
|
|
}
|
|
} |