CXM's land

Config Anubis With Nginx

Install Anubis

GitHub: TecharoHQ/anubis

# debian/ubuntu
# set these first, e.g. VERSION=1.19.1 (the release this page is based on) and ARCH=amd64; adjust to your machine
sudo apt update
sudo apt install -y curl
# the braces matter: without them the shell reads $VERSION_ as a variable named VERSION_
curl -OL "https://github.com/TecharoHQ/anubis/releases/download/v${VERSION}/anubis_${VERSION}_${ARCH}.deb"
# the file name here has to match the file that was just downloaded
sudo apt install "./anubis_${VERSION}_${ARCH}.deb"

Copy env & botPolicies:

sudo cp /etc/anubis/default.env /etc/anubis/gitea.env
sudo cp /usr/share/doc/anubis/botPolicies.yaml /etc/anubis/gitea.botPolicies.yaml

Configure Anubis

(Based on v1.19.1; the options may change in later versions.)

For nginx, set BIND to the socket path Anubis should listen on, e.g. /run/anubis/instance.sock (a bare path, without a unix: prefix), and set BIND_NETWORK to unix.
If you use TCP instead, set BIND_NETWORK to tcp and BIND to an address like :8923.

I use OpenResty, so TARGET points at the socket that the backend server block listens on: unix:///run/openresty/nginx.sock. Unlike BIND, TARGET is a URL, so it keeps the unix:// scheme. Nginx creates that socket when it starts listening; make sure the directory exists and that the user Anubis runs as is allowed to connect to it. SOCKET_MODE=0666 below makes the Anubis socket reachable by every local user, which is convenient while testing; on a shared host prefer 0660 together with a group that the nginx worker user belongs to.

BIND=/run/anubis/instance.sock
BIND_NETWORK=unix
SOCKET_MODE=0666
DIFFICULTY=4
METRICS_BIND=:9090
SERVE_ROBOTS_TXT=0
POLICY_FNAME=/etc/anubis/gitea.botPolicies.yaml
TARGET=unix:///run/openresty/nginx.sock

Check that it is running with curl:

# test anubis is running: with --unix-socket the host part only fills the Host header, the connection goes to the socket
sudo curl -i --unix-socket /run/anubis/instance.sock http://localhost/
# test anubis metrics
curl http://localhost:9090/metrics
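The BIND, BIND_NETWORK and TARGET rules above are easy to get subtly wrong (a stray unix: prefix, a missing scheme, or Anubis pointed at its own socket). The script below is an added example written for this page, not part of the Anubis project: it lints an env file against those rules, warns about a world-accessible SOCKET_MODE, and, when given the path of a live env file, probes the socket and the metrics endpoint. It assumes the env file is plain KEY=VALUE lines like /etc/anubis/default.env; the sample it writes is constructed from the values on this page.

```bash
#!/usr/bin/env bash
# anubis-env-check.sh: lint an Anubis env file against the BIND / BIND_NETWORK /
# TARGET rules above, then optionally probe the running instance.
# Added example for this page, not part of the Anubis project. It assumes the
# env file is plain KEY=VALUE lines like /etc/anubis/default.env.

env_get() {  # env_get FILE KEY -> value of the last KEY= line, or ""
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

check_env() {  # check_env FILE -> 0 when consistent, 1 when something is wrong
  local file=$1 rc=0 bind net target mode
  bind=$(env_get "$file" BIND)
  net=$(env_get "$file" BIND_NETWORK)
  target=$(env_get "$file" TARGET)
  mode=$(env_get "$file" SOCKET_MODE)

  case "$net" in
    unix)
      # A unix BIND is a bare absolute path: no "unix:" prefix here
      case "$bind" in
        unix:*) echo "ERR: BIND must not have a unix: prefix when BIND_NETWORK=unix"; rc=1 ;;
        /*)     ;;
        *)      echo "ERR: BIND must be an absolute socket path when BIND_NETWORK=unix"; rc=1 ;;
      esac
      case "$mode" in
        0666|666) echo "WARN: SOCKET_MODE=$mode lets every local user talk to Anubis; prefer 0660 and a shared group" ;;
      esac
      # Proxying to its own socket would loop requests straight back into Anubis
      if [ "$target" = "unix://$bind" ]; then
        echo "ERR: TARGET points at Anubis's own BIND socket"; rc=1
      fi ;;
    tcp)
      # A tcp BIND is host:port or :port
      case "$bind" in
        *:[0-9]*) ;;
        *) echo "ERR: BIND must look like :8923 or 127.0.0.1:8923 when BIND_NETWORK=tcp"; rc=1 ;;
      esac ;;
    *) echo "ERR: BIND_NETWORK must be unix or tcp (got '$net')"; rc=1 ;;
  esac

  # TARGET is a URL, so the unix form does carry a scheme: unix:///path
  case "$target" in
    unix:///*|http://*|https://*) ;;
    *) echo "ERR: TARGET must be unix:///path or http://host:port (got '$target')"; rc=1 ;;
  esac
  return "$rc"
}

probe_live() {  # probe_live FILE: talk to the instance described by FILE, if it is up
  local file=$1 bind net metrics url out
  bind=$(env_get "$file" BIND)
  net=$(env_get "$file" BIND_NETWORK)
  metrics=$(env_get "$file" METRICS_BIND)
  if [ "$net" = unix ] && [ -S "$bind" ]; then
    stat -c 'socket %n: mode %a owner %U:%G' "$bind"
    # Expect Anubis's challenge page unless the path is allowed through by policy
    curl -sS -o /dev/null -w 'anubis via socket: HTTP %{http_code}\n' --unix-socket "$bind" http://localhost/
  else
    echo "no live unix socket at '$bind', skipping request probe"
  fi
  if [ -n "$metrics" ]; then
    # METRICS_BIND=:9090 means every interface, so query it on localhost
    case "$metrics" in :*) url="http://localhost${metrics}/metrics" ;; *) url="http://${metrics}/metrics" ;; esac
    if out=$(curl -sS "$url" 2>/dev/null); then
      printf 'metrics: %s anubis_* lines at %s\n' "$(printf '%s\n' "$out" | grep -c '^anubis_')" "$url"
    else
      echo "metrics endpoint $url not reachable"
    fi
  fi
}

# Constructed sample using the values from this page, written to a temp file
sample=$(mktemp)
cat >"$sample" <<'EOF'
BIND=/run/anubis/instance.sock
BIND_NETWORK=unix
SOCKET_MODE=0666
METRICS_BIND=:9090
TARGET=unix:///run/openresty/nginx.sock
EOF
if check_env "$sample"; then echo "sample env: consistent"; fi   # also prints the 0666 warning
rm -f "$sample"
if [ -n "${1:-}" ]; then probe_live "$1"; fi   # e.g. ./anubis-env-check.sh /etc/anubis/gitea.env
```

Run it with no arguments to lint the constructed sample, or pass /etc/anubis/gitea.env to lint the real file and probe the running service. The live probe is deliberately read-only: a status line for the socket request and a count of anubis_* metric lines.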

Configure Nginx

This mostly follows the Nginx section of the official docs, with my modifications for OpenResty.

  • Create the anubis upstream in your Nginx configuration. The upstream directive is only valid at the http level, so this file has to be pulled in from the http block of nginx.conf (Debian's nginx.conf already includes /etc/nginx/conf.d/*.conf; for OpenResty add an include line for it inside http { }):
# /etc/nginx/conf.d/upstream-anubis.conf
# /usr/local/openresty/nginx/conf/upstream-anubis.conf

upstream anubis {
  # Make sure this matches the values you set for `BIND` and `BIND_NETWORK`.
  # If this does not match, your services will not be protected by Anubis.

  # Try anubis first over a UNIX socket
  server unix:/run/anubis/instance.sock;
  #server 127.0.0.1:8923;

  # Optional: fall back to serving the websites directly. This allows your
  # websites to be resilient against Anubis failing, at the risk of exposing
  # them to the raw internet without protection. This is a tradeoff and can
  # be worth it in some edge cases.
  #server unix:/run/openresty/nginx.sock backup;
}
  • Create a new conf-anubis.inc file in /etc/nginx/conf.d/ (or /usr/local/openresty/nginx/conf/) with the proxy settings for Anubis. It is included from inside a server block, so it must not include upstream-anubis.conf itself: an upstream is not allowed inside server, and nginx -t would reject the config with "upstream" directive is not allowed here.
# /etc/nginx/conf.d/conf-anubis.inc
# /usr/local/openresty/nginx/conf/conf-anubis.inc

# Forward everything to anubis; the upstream itself is defined in upstream-anubis.conf at the http level
location / {
  proxy_set_header Host $host;
  # Anubis takes the client address from X-Real-IP, so always set it from $remote_addr
  # rather than passing through whatever the client sent
  proxy_set_header X-Real-IP $remote_addr;
  proxy_pass http://anubis;
}
  • Set up the server blocks: a public TLS front end that hands everything to Anubis, and a backend that only listens on the unix socket Anubis forwards to
# /etc/nginx/conf.d/server-mimi-techaro-lol.conf
# /usr/local/openresty/nginx/conf/server-mimi-techaro-lol.conf

server {
  # Listen on 443 with SSL
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  # Slipstream via Anubis
  include "conf-anubis.inc";

  server_name mimi.techaro.lol;

  ssl_certificate     /path/to/your/certs/mimi.techaro.lol.crt;
  ssl_certificate_key /path/to/your/certs/mimi.techaro.lol.key;
}

server {
  # The backend listens only on this unix socket, the one TARGET points at.
  # Do not add a TCP listen here: it would let clients reach the site without passing Anubis.
  listen unix:/run/openresty/nginx.sock;

  server_name mimi.techaro.lol;
  root "/srv/http/mimi.techaro.lol";
  index index.html;

  # Your normal configuration can go here
  # location .php { fastcgi...} etc.
}
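The env file, the upstream and the two server blocks have to agree with each other: the upstream's socket must equal BIND, and the backend vhost must listen on the socket TARGET names and on nothing reachable from the network, or Anubis can be skipped entirely. The script below cross-checks those three files. It is an added example written for this page, not part of Anubis or nginx, and it assumes the layout above: the vhost file holds top-level server blocks, and the block that includes conf-anubis.inc is the public front end. The sample files it writes are constructed from this page's configuration.

```bash
#!/usr/bin/env bash
# anubis-nginx-wiring.sh: cross-check an Anubis env file against the nginx
# upstream and vhost files above. Added example for this page, not part of
# Anubis or nginx. Assumes: the vhost file holds top-level server blocks, and
# the block that includes conf-anubis.inc is the public front end.

env_get() {  # env_get FILE KEY -> value of the last KEY= line, or ""
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

upstream_socket() {  # upstream_socket UPSTREAM_CONF -> path of the first active "server unix:..." line
  sed -n 's/^[[:space:]]*server[[:space:]]*unix:\([^; ]*\).*/\1/p' "$1" | head -n 1
}

server_blocks() {  # server_blocks VHOST_CONF -> one line per server block: "<front|backend> <listen>|<listen>..."
  awk '
    /^[[:space:]]*#/ { next }                               # comment lines never count
    depth == 0 && /^[[:space:]]*server[[:space:]]*[{]/ { n++; kind[n] = "backend" }
    n > 0 && /^[[:space:]]*listen[[:space:]]/ {
      l = $0; sub(/^[[:space:]]*listen[[:space:]]*/, "", l); sub(/[[:space:]]*;.*/, "", l)
      listens[n] = listens[n] "|" l
    }
    n > 0 && /conf-anubis\.inc/ { kind[n] = "front" }      # this vhost hands its traffic to Anubis
    { depth += split($0, a, "{") - split($0, b, "}") }     # track nesting so location {} does not start a block
    END { for (i = 1; i <= n; i++) print kind[i], substr(listens[i], 2) }
  ' "$1"
}

check_wiring() {  # check_wiring ENV UPSTREAM_CONF VHOST_CONF -> 0 when wired correctly, 1 otherwise
  local env=$1 up=$2 vhost=$3 rc=0 found=0 bind target backend_sock sock kind listens l old_ifs
  bind=$(env_get "$env" BIND)
  target=$(env_get "$env" TARGET)
  backend_sock=${target#unix://}
  sock=$(upstream_socket "$up")

  # 1. nginx must hand requests to the socket Anubis binds, or nothing is protected
  if [ "$sock" != "$bind" ]; then
    echo "ERR: upstream anubis uses '$sock' but BIND=$bind"; rc=1
  fi

  # 2. the backend vhost must listen on TARGET's socket and on nothing reachable from the network
  while read -r kind listens; do
    [ "$kind" = backend ] || continue              # the TLS front end is meant to be public
    old_ifs=$IFS; IFS='|'
    for l in $listens; do
      case "$l" in
        "unix:$backend_sock") found=1 ;;
        unix:*) ;;                                  # some other local socket: not exposed, not ours
        *) echo "ERR: backend vhost also listens on '$l', which bypasses Anubis"; rc=1 ;;
      esac
    done
    IFS=$old_ifs
  done <<EOF
$(server_blocks "$vhost")
EOF
  if [ "$found" != 1 ]; then
    echo "ERR: no backend server block listens on unix:$backend_sock (TARGET=$target)"; rc=1
  fi
  return "$rc"
}

# Constructed sample: the env, upstream and vhost from this page, written to a temp dir
dir=$(mktemp -d)
printf '%s\n' 'BIND=/run/anubis/instance.sock' 'BIND_NETWORK=unix' \
  'TARGET=unix:///run/openresty/nginx.sock' >"$dir/gitea.env"
printf '%s\n' 'upstream anubis {' '  server unix:/run/anubis/instance.sock;' '}' >"$dir/upstream-anubis.conf"
cat >"$dir/server-mimi-techaro-lol.conf" <<'EOF'
server {
  listen 443 ssl http2;
  include "conf-anubis.inc";
  server_name mimi.techaro.lol;
}
server {
  listen unix:/run/openresty/nginx.sock;
  server_name mimi.techaro.lol;
  location / { root /srv/http/mimi.techaro.lol; }
}
EOF
if check_wiring "$dir/gitea.env" "$dir/upstream-anubis.conf" "$dir/server-mimi-techaro-lol.conf"; then
  echo "wiring OK"
fi
rm -rf "$dir"
```

Point the three arguments at /etc/anubis/gitea.env, upstream-anubis.conf and the vhost file to run it against a real deployment. The awk pass is intentionally simple (one directive per line, top-level server blocks); it is a sanity check before nginx -t, not a replacement for it.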

Custom Policies

You can customize the policies in /etc/anubis/gitea.botPolicies.yaml. See the Anubis docs, the built-in config and the official example for the full format.

For example, to add 10 weight points to requests that carry a specific header and ask for JSON. The action has to be WEIGH for the weight block to apply; CHALLENGE would challenge the request outright instead of adjusting its weight:

bots:
  # import the embedded allow-list of known good crawlers
  - import: (data)/crawlers/_allow-good.yaml
  # custom policy: a CEL expression over the request, every clause under all must hold
  - name: some-fancy-factor
    action: WEIGH
    expression:
      all:
        - '"X-Whatever-Header-Exists" in headers'
        - 'headers["Accept"] == "application/json"'
    weight:
      adjust: 10