• 1 Post
  • 5 Comments
Joined 13 days ago
Cake day: November 15th, 2025

  • Something that hasn’t been mentioned much in discussions about Anubis is that it has a graded tier system of how sketchy a client is and changes the kind of challenge based on a weighted priority system.

    The default bot policies it comes with have it so squeaky clean regular clients are passed through, then only slightly weighted clients/IPs get the metarefresh, then it's when you get to moderate-suspicion level that JavaScript Proof of Work kicks in. The bot policy and weight triggers for these levels, challenge action, and duration of client validity are all configurable.

    It seems to me that the sites who heavy-hand the proof of work for every client with validity that only lasts 5 minutes are the ones who are giving Anubis a bad rap. The default bot policy settings Anubis comes with don't trigger PoW on the regular Firefox Android clients I've tried, including hardened IronFox. Meanwhile other sites show the finger wag on every connection no matter what.

    It's understandable why some choose strict policies, but they give the impression this is the only way it should be done, which is overkill. I'm glad there's config options to mitigate the impact on normal user experience.



  • There's a compute option that doesn't require JavaScript. The responsibility lies on site owners to properly configure IMO, though you can make the argument it's not the default I guess.

    https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh

    From docs on Meta Refresh Method

    Meta Refresh (No JavaScript)

    The metarefresh challenge sends a browser a much simpler challenge that makes it refresh the page after a set period of time. This enables clients to pass challenges without executing JavaScript.

    To use it in your Anubis configuration:

    # Generic catchall rule
    - name: generic-browser
      user_agent_regex: >-
        Mozilla|Opera
      action: CHALLENGE
      challenge:
        difficulty: 1 # Number of seconds to wait before refreshing the page
        algorithm: metarefresh # Specify a non-JS challenge method

    This is not enabled by default while this method is tested and its false positive rate is ascertained. Many modern scrapers use headless Google Chrome, so this will have a much higher false positive rate.
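    As an added illustration of the weighted tier system and the metarefresh/PoW split described in the two comments above (constructed example code, not Anubis's own implementation, and the Rule/Threshold structure is an assumed simplification rather than the project's configuration schema):

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed, simplified model of the graded policy described above:
# rules add suspicion weight, thresholds map the total to an action.
# Names and structure are assumptions, not Anubis's schema or code.

@dataclass
class Rule:
    name: str
    user_agent_regex: str
    weight_adjust: int            # positive = more suspicious

@dataclass
class Threshold:
    name: str
    min_weight: int               # tier applies when weight >= min_weight
    action: str                   # "ALLOW", "CHALLENGE" or "DENY"
    algorithm: Optional[str] = None  # "metarefresh" or "pow" when challenging
    difficulty: int = 0
    validity_seconds: int = 0     # how long a passed challenge stays valid

# Constructed sample policy: clean browsers pass through, mildly weighted
# clients get the no-JS refresh, proof-of-work only from moderate suspicion.
RULES = [
    Rule("generic-browser", r"Mozilla|Opera", 0),
    Rule("no-user-agent", r"^$", 5),
    Rule("headless-chrome", r"HeadlessChrome", 10),
    Rule("scripted-client", r"python-requests|curl", 20),
]
THRESHOLDS = sorted([
    Threshold("clean", 0, "ALLOW"),
    Threshold("mild", 5, "CHALLENGE", "metarefresh", 1, 7 * 24 * 3600),
    Threshold("moderate", 10, "CHALLENGE", "pow", 2, 7 * 24 * 3600),
    Threshold("extreme", 20, "DENY"),
], key=lambda t: t.min_weight, reverse=True)   # highest tier first

def score(user_agent: str, rules=RULES) -> int:
    """Sum the weight adjustments of every rule whose regex matches."""
    return sum(r.weight_adjust for r in rules
               if re.search(r.user_agent_regex, user_agent))

def decide(user_agent: str, rules=RULES, thresholds=THRESHOLDS) -> Threshold:
    """Return the highest tier whose minimum weight the client reaches."""
    weight = score(user_agent, rules)
    for tier in thresholds:
        if weight >= tier.min_weight:
            return tier
    return thresholds[-1]         # weight below every tier: lowest tier
```

    Lowering the "moderate" threshold or shortening validity_seconds reproduces the heavy-handed behaviour the first comment complains about; the sample values keep PoW for clients that already carry weight.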


  • Security issues are always a concern; the question is how much. Looking at it they seem to at most be ways to circumvent the Anubis redirect system to get to your page using very specific exploits. These are marked as low to moderate priority and I do not see anything that implies system-level access, which is the big concern. Obviously do what you feel is best but IMO it's not worth sweating about. Nice thing about open source projects is that anyone can look through and fix; if this gets more popular you can expect bug bounties and professional pen testing submissions.


  • You know the thing is that they know the character is a problem/annoyance, that's how they grease the wheel on selling subscription access to a commercial version with different branding.

    https://anubis.techaro.lol/docs/admin/botstopper/

    Pricing from the site:

    Commercial support and an unbranded version

    If you want to use Anubis but organizational policies prevent you from using the branding that the open source project ships, we offer a commercial version of Anubis named BotStopper. BotStopper builds off of the open source core of Anubis and offers organizations more control over the branding, including but not limited to:

    • Custom images for different states of the challenge process (in process, success, failure)
    • Custom CSS and fonts
    • Custom titles for the challenge and error pages
    • “Anubis” replaced with “BotStopper” across the UI
    • A private bug tracker for issues

    In the near future this will expand to:

    • A private challenge implementation that does advanced fingerprinting to check if the client is a genuine browser or not
    • Advanced fingerprinting via Thoth-based advanced checks

    In order to sign up for BotStopper, please do one of the following:

    • Sign up on GitHub Sponsors at the $50 per month tier or higher
    • Email sales@techaro.lol with your requirements for invoicing, please note that custom invoicing will cost more than using GitHub Sponsors for understandable overhead reasons

    I have to respect the play tbh, it's clever. Absolutely the kind of greasy shit play that Julian from the Trailer Park Boys would do if he were an open source developer.