Show HN: Shapow – Nginx module to block bots with PoW
github.comHi HN!
Since my cgit instance has been getting hammered by botnets for a while now, I've decided put a little more effort into my blocking strategy.
In practice this meant putting a JS proof-of-work challenge on the site as these less unobtrusive than traditional CAPTCHAs and seem difficult to solve in bulk. I also wanted
* Support for users who block cookies
* Something I could easily integrate into my existing configuration
* Something simple, I need it to do one thing well
I looked at a few existing solutions but wasn't satisfied (and admittedly I wanted an excuse to make something with Nginx), so I made my own!
Source: https://github.com/markozajc/shapow
Demo: https://zajc.tel/shapow-demo-diff25 (you stay whitelisted for 5s)
Demo with a more reasonable difficulty: https://zajc.tel/shapow-demo
Binaries are only available for Debian stable amd64, and I've also uploaded an AUR package. Build instructions for others are in the README. The repo doesn't mention a licence but the actual JS for the proof of work system mentions AGPL3, which is going to make this unsuitable for a lot of people. The copyright information is in debian/copyright, I forgot to also add a LICENSE.txt to the repo root. Indeed, all source files are covered by AGPLv3. Is this an issue for adoption? It only covers the challenge itself, not the services it's deployed on, and no extra work is needed if the source isn't modified. I'm not a lawyer, or a licence/copyleft expert. Plenty of people who know lots more than I do about those subjects specifically recommend any reliance on AGPL projects/tools/libraries/what have you, because of the viral nature of *GPL licences that don't have the linking exception of lgpl. Google's lawyers have a pretty clear-cut take on it: https://opensource.google/documentation/reference/using/agpl...