Tags · SuperSandro2000/anubis

v1.16.0

v1.16.0: Fordola rem Lupis

> I want to make them pay! All of them! Everyone who ever mocked or looked down on me -- I want the power to make them pay!

The following features are the "big ticket" items:

- Added support for native Debian, Red Hat, and tarball packaging strategies including installation and use directions.
- A prebaked tarball has been added, allowing distros to build Anubis like they could in v1.15.x.
- The placeholder Anubis mascot has been replaced with a design by [CELPHASE](https://bsky.app/profile/celphase.bsky.social).
- Verification page now shows hash rate and a progress bar for completion probability.
- Added support for [OpenGraph tags](https://ogp.me/) when rendering the challenge page. This allows for social previews to be generated when sharing the challenge page on social media platforms ([TecharoHQ#195](TecharoHQ#195))
- Added support for passing the ed25519 signing key in a file with `-ed25519-private-key-hex-file` or `ED25519_PRIVATE_KEY_HEX_FILE`.

The other small fixes have been made:

- Added a periodic cleanup routine for the decaymap that removes expired entries, ensuring stale data is properly pruned.
- Added a no-store Cache-Control header to the challenge page
- Hide the directory listings for Anubis' internal static content
- Changed `--debug-x-real-ip-default` to `--use-remote-address`, getting the IP address from the request's socket address instead.
- DroneBL lookups have been disabled by default
- Static asset builds are now done on demand instead of the results being committed to source control
- The Dockerfile has been removed as it is no longer in use
- Developer documentation has been added to the docs site
- Show more errors when some predictable challenge page errors happen ([TecharoHQ#150](TecharoHQ#150))
- Added the `--debug-benchmark-js` flag for testing proof-of-work performance during development.
- Use `TrimSuffix` instead of `TrimRight` on containerbuild
- Fix the startup logs to correctly show the address and port the server is listening on
- Add [LibreJS](https://www.gnu.org/software/librejs/) banner to Anubis JavaScript to allow LibreJS users to run the challenge
- Added a wait with button continue + 30 second auto continue after 30s if you click "Why am I seeing this?"
- Fixed a typo in the challenge page title.
- Disabled running integration tests on Windows hosts due to it's reliance on posix features (see [TecharoHQ#133](TecharoHQ#133 (comment))).
- Fixed minor typos
- Added a Makefile to enable comfortable workflows for downstream packagers.
- Added `zizmor` for GitHub Actions static analysis
- Fixed most `zizmor` findings
- Enabled Dependabot
- Added an air config for autoreload support in development ([TecharoHQ#195](TecharoHQ#195))
- Added an `--extract-resources` flag to extract static resources to a local folder.
- Add noindex flag to all Anubis pages ([TecharoHQ#227](TecharoHQ#227)).
- Added `WEBMASTER_EMAIL` variable, if it is present then display that email address on error pages ([TecharoHQ#235](TecharoHQ#235), [TecharoHQ#115](TecharoHQ#115))
- Hash pinned all GitHub Actions

Apr 10, 2025
51bd058
zip
tar.gz

v1.15.2

Zenos yae Galvus: Echo 2

Backport TecharoHQ#204 to stable

Apr 3, 2025
35e0a81
zip
tar.gz

v1.15.1

Zenos yae Galvus: Echo 1

Fixes a recurrence of [CVE-2025-24369](GHSA-56w8-8ppj-2p4f)
due to an incorrect logic change in a refactor. This allows an attacker to mint a valid
access token by passing any SHA-256 hash instead of one that matches the proof-of-work
test.

This case has been added as a regression test. It was not when CVE-2025-24369 was released
due to the project not having the maturity required to enable this kind of regression testing.

Mar 31, 2025 10000
f844fff
zip
tar.gz

v1.15.0

Zenos yae Galvus

> Yes...the coming days promise to be most interesting. Most interesting.

Headline changes:

- ed25519 signing keys for Anubis can be stored in the flag
  `--ed25519-private-key-hex` or envvar
  `ED25519_PRIVATE_KEY_HEX`
- Add the ability to set the cookie domain with the envvar
  `COOKIE_DOMAIN=techaro.lol` for all domains under `techaro.lol`
- Add the ability to set the cookie partitioned flag with the envvar
  `COOKIE_PARTITIONED=true`

Many other small changes were made, including but not limited to:

- Fixed and clarified installation instructions
- Introduced integration tests using Playwright
- Refactor & Split up Anubis into cmd and lib.go
- Fixed bot check to only apply if address range matches
- Fix default difficulty setting that was broken in a refactor
- Linting fixes
- Make dark mode diff lines readable in the documentation
- Fix CI based browser smoke test

Users running Anubis' test suite may run into issues with the integration tests
on Windows hosts. This is a known issue and will be fixed at some point in the
future. In the meantime, use the Windows Subsystem for Linux (WSL).

Mar 27, 2025
a3c0269
zip
tar.gz

v1.14.2

Livia sas Junius: Echo 2

Fix TecharoHQ#67

Mar 21, 2025
5f7942f
zip
tar.gz

v1.14.1

Livia sas Junius: Echo 1

This is a SHAME release to fix TecharoHQ#62.

Mar 21, 2025
07e6695
zip
tar.gz

v1.14.0

Livia sas Junius

> Fail to do as my lord commands...and I will spare him the trouble of blocking you.

- Add explanation of what Anubis is doing to the challenge page [TecharoHQ#25](TecharoHQ#25)
- Administrators can now define artificially hard challenges using the "slow" algorithm:

  ```json
  {
    "name": "generic-bot-catchall",
    "user_agent_regex": "(?i:bot|crawler)",
    "action": "CHALLENGE",
    "challenge": {
      "difficulty": 16,
      "report_as": 4,
      "algorithm": "slow"
    }
  }
  ```

  This allows administrators to cause particularly malicious clients to use unreasonable amounts of CPU. The UI will also lie to the client about the difficulty.

- Docker images now explicitly call `docker.io/library/<thing>` to increase compatibility with Podman et. al
  [TecharoHQ#21](TecharoHQ#21)
- Don't overflow the image when browser windows are small (eg. on phones)
  [TecharoHQ#27](TecharoHQ#27)
- Lower the default difficulty to 4 from 5
- Don't duplicate work across multiple threads [TecharoHQ#36](TecharoHQ#36)
- Documentation has been moved to https://anubis.techaro.lol/ with sources in docs/
- Removed several visible AI artifacts (e.g., 6 fingers) [TecharoHQ#37](TecharoHQ#37)
- [KagiBot](https://kagi.com/bot) is allowed through the filter [TecharoHQ#44](TecharoHQ#44)
- Fixed hang when navigator.hardwareConcurrency is undefined
- Support Unix domain sockets [TecharoHQ#45](TecharoHQ#45)
- Allow filtering by remote addresses:

  ```json
  {
    "name": "qwantbot",
    "user_agent_regex": "\\+https\\:\\/\\/help\\.qwant\\.com/bot/",
    "action": "ALLOW",
    "remote_addresses": ["91.242.162.0/24"]
  }
  ```

  This also works at an IP range level:

  ```json
  {
    "name": "internal-network",
    "action": "ALLOW",
    "remote_addresses": ["100.64.0.0/10"]
  }
  ```

Mar 21, 2025
5ad44d7
zip
tar.gz

v1.13.0

Anubis v1.13.0: Nero tol Scaeva

Soon you will be made to know the true power of Anubis.

- Proof-of-work challenges are drastically sped up
  [TecharoHQ#19](TecharoHQ#19)
- Docker images are now built with the timestamp set to the commit timestamp
- The README now points to TecharoHQ/anubis instead of Xe/x
- Images are built using ko instead of `docker buildx build`
  [TecharoHQ#13](TecharoHQ#13)

Mar 20, 2025
240159e
zip
tar.gz

v1.12.1

Version 1.12.1

This is a shame release mostly to test the release process before people
are suggested to migrate over to this repository from /x/.

- Phrasing in the `<noscript>` warning was replaced from its original placeholder text to
  something more suitable for general consumption
  ([fd6903a](TecharoHQ@fd6903a)).
- Footer links on the check page now point to Techaro's brand
  ([4ebccb1](TecharoHQ@4ebccb1))
- Anubis was imported from [Xe/x](https://github.com/Xe/x).

Mar 19, 2025
1a13292
zip
tar.gz

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

v1.16.0

v1.15.2

v1.15.1

v1.15.0

v1.14.2

v1.14.1

v1.14.0

v1.13.0

v1.12.1

Tags: SuperSandro2000/anubis