diff --git a/data/botPolicies.yaml b/data/botPolicies.yaml
index f62af353..5d66564a 100644
--- a/data/botPolicies.yaml
+++ b/data/botPolicies.yaml
@@ -93,6 +93,44 @@ bots:
 # weight:
 # adjust: -10

+ # Assert behaviour that only genuine browsers display. This ensures that Chrome
+ # or Firefox versions
+ - name: realistic-browser-catchall
+ expression:
+ all:
+ - '"User-Agent" in headers'
+ - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'
+ - '"Accept" in headers'
+ - '"Sec-Fetch-Dest" in headers'
+ - '"Sec-Fetch-Mode" in headers'
+ - '"Sec-Fetch-Site" in headers'
+ - '"Upgrade-Insecure-Requests" in headers'
+ - '"Accept-Encoding" in headers'
+ - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'
+ - '"Accept-Language" in headers'
+ action: WEIGH
+ weight:
+ adjust: -10
+
+ # Chrome should behave like Chrome
+ - name: chrome-is-proper
+ expression:
+ all:
+ - userAgent.contains("Chrome")
+ - '"Sec-Ch-Ua" in headers'
+ - 'headers["Sec-Ch-Ua"].contains("Chromium")'
+ - '"Sec-Ch-Ua-Mobile" in headers'
+ - '"Sec-Ch-Ua-Platform" in headers'
+ action: WEIGH
+ weight:
+ adjust: -5
+
+ - name: should-have-accept
+ expression: '!("Accept" in headers)'
+ action: WEIGH
+ weight:
+ adjust: 5
+
 # Generic catchall rule
 - name: generic-browser
 user_agent_regex: >-
diff --git a/data/clients/git.yaml b/data/clients/git.yaml
index 4fba66b7..f6296f3b 100644
--- a/data/clients/git.yaml
+++ b/data/clients/git.yaml
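Review bot: In data/botPolicies.yaml, `realistic-browser-catchall` and `chrome-is-proper` lower the weight purely on request headers, which the client chooses, so any non-browser client that sends the same header set collects both adjustments (presumably -15 in total for a Chrome user agent, if the adjustments add up). The leading comment also breaks off mid-sentence ("This ensures that Chrome or Firefox versions"), so the intent of the rule is not recorded. I would replace it with `# Heuristic: lower the weight for requests that carry the header set current browsers send. Headers are client-controlled, so this is a hint, not proof of a real browser.` and check the combined reward against the configured challenge thresholds so that headers alone cannot take a request below the lowest one. `should-have-accept` has no comment; `# Requests without an Accept header get a small penalty.` would match the neighbouring rules, and `- userAgent.contains("Chrome")` could be single-quoted like its sibling expressions.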
@@ -2,13 +2,19 @@
 action: ALLOW
 expression:
 all:
- - >
- (
- userAgent.startsWith("git/") ||
- userAgent.contains("libgit") ||
- userAgent.startsWith("go-git") ||
- userAgent.startsWith("JGit/") ||
- userAgent.startsWith("JGit-")
- )
- '"Git-Protocol" in headers'
- headers["Git-Protocol"] == "version=2"
\ No newline at end of file
+ - >
+ (
+ userAgent.startsWith("git/") ||
+ userAgent.contains("libgit") ||
+ userAgent.startsWith("go-git") ||
+ userAgent.startsWith("JGit/") ||
+ userAgent.startsWith("JGit-")
+ )
+ - '"Accept" in headers'
+ - headers["Accept"] == "*/*"
+ - '"Cache-Control" in headers'
+ - headers["Cache-Control"] == "no-cache"
+ - '"Pragma" in headers'
+ - headers["Pragma"] == "no-cache"
+ - '"Accept-Encoding" in headers'
+ - headers["Accept-Encoding"].contains("gzip")
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index f5f54d18..3a8a161f 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -29,6 +29,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixes concurrency problems with very old browsers ([#1082](https://github.com/TecharoHQ/anubis/issues/1082)).
 - Randomly use the Refresh header instead of the meta refresh tag in the metarefresh challenge.
 - Update OpenRC service to truncate the runtime directory before starting Anubis.
+- Make the git client profile more strictly match how the git client behaves.
+- Make the default configuration reward users using normal browsers.
 - Allow multiple consecutive slashes in a row in application paths ([#754](https://github.com/TecharoHQ/anubis/issues/754)).
 - Add option to set `targetSNI` to special keyword 'auto' to indicate that it should be automatically set to the request Host name ([424](https://github.com/TecharoHQ/anubis/issues/424)).
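Review bot: In data/clients/git.yaml, the new exact-match conditions `headers["Accept"] == "*/*"`, `headers["Cache-Control"] == "no-cache"` and `headers["Pragma"] == "no-cache"` look like they describe only one request shape of one client, yet the user-agent list in the same rule also admits libgit, go-git and JGit. As far as I know, stock git sends a service-specific `Accept` (for example `application/x-git-upload-pack-result`) on the follow-up POST after ref discovery, and the other libraries may not send `Pragma` or `Cache-Control` at all; this should be confirmed with captured requests. Any such request would lose the ALLOW and fall through to rules that a non-interactive client cannot satisfy, so clone and fetch could break. If that is confirmed, relax the value check to `- headers["Accept"] == "*/*" || headers["Accept"].startsWith("application/x-git-")` and make the cache headers optional. A comment above the rule should also note that these headers are client-supplied, so ALLOW here is a compatibility exemption rather than authentication.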