# testcookie-nginx-module
**Repository Path**: mirrors_sudoconf/testcookie-nginx-module
## Basic Information
- **Project Name**: testcookie-nginx-module
- **Description**: simple robot mitigation module using cookie based challenge/response technique
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No
## Statistics
- **Stars**: 0
- **Forks**: 0
- **Created**: 2020-09-26
- **Last Updated**: 2025-11-03
## Categories & Tags
**Categories**: Uncategorized
**Tags**: None
## README
Description
===========
**testcookie-nginx-module** is a simple robot mitigation module using cookie based challenge/response.
Challenge cookies can be set using different methods:
* "Set-Cookie" + 302/307 HTTP Location redirect
* "Set-Cookie" + HTML meta refresh redirect
* Custom template, JavaScript can be used here.
To prevent automatic parsing, challenge cookie value can be encrypted with AES-128 in CBC mode using custom/random key and iv, and then decrypted at client side with JavaScript.
Directives
==========
testcookie
----------
**syntax:** *testcookie (on|off|var);*
**default:** *off*
**context:** *http, server, location, if*
on - Enable module
off - Disable module
var - Don't intercept requests, only set module variables.
testcookie_name
---------------
**syntax:** *testcookie_name <string>*
**default:** *TCK*
**context:** *http, server, location*
Sets cookie name.
testcookie_domain
-----------------
**syntax:** *testcookie_domain <string>*
**default:** *none, set by browser*
**context:** *http, server, location*
Sets cookie domain.
testcookie_expires
------------------
**syntax:** *testcookie_expires <string>*
**default:** *31 Dec 2037 23:55:55 GMT*
**context:** *http, server, location*
Sets cookie expiration value.
testcookie_path
---------------
**syntax:** *testcookie_path <string>*
**default:** */*
**context:** *http, server, location*
Sets cookie path, useful if you plan to use different keys for locations.
testcookie_secret
-----------------
**syntax:** *testcookie_secret <string>*
**default:** *none*
**context:** *http, server, location*
Secret string, used in challenge cookie computation, better to be long but static to prevent cookie reset for legitimate users every server restart.
If set to *"random"* - new secret will be generated every server restart, not recomended(all cookies with previous key will be invalid),
If not set, only value based on testcookie_session will be used.
testcookie_session
------------------
**syntax:** *testcookie_session <variable>*
**default:** *required configuration directive*
**context:** *http, server, location*
Sets the challenge generation function input,
* $remote_addr - clients IP address will be used as an user unique identifier
* $remote_addr$http_user_agent - clients IP + User-Agent
testcookie_arg
--------------
**syntax:** *testcookie_arg <string>*
**default:** *none*
**context:** *http, server, location*
Sets GET parameter name, used for cookie setting attempts computation,
If not set - server will try to set cookie infinitely.
testcookie_max_attempts
-----------------------
**syntax:** *testcookie_max_attempts <integer>*
**default:** *5*
**context:** *http, server, location*
Sets maximum number of redirects before user will be sent to fallback URL, according to RFC1945 can't be more than 5.
If set to 0 - server will try to set cookie infinitely(actually, browser will show the error page).
testcookie_p3p
--------------
**syntax:** *testcookie_p3p <string>*
**default:** *none*
**context:** *http, server, location*
Sets P3P policy.
testcookie_fallback
-------------------
**syntax:** *testcookie_fallback <script>*
**default:** *none*
**context:** *http, server, location*
Sets the fallback URL, user will be redirected to after maximum number of attempts, specified by directive *testcookie_max_attempts* exceded.
Nginx scripting variables can be used here. If not set - client will get 403 after max attempts reached.
testcookie_whitelist
--------------------
**syntax:** *testcookie_whitelist <network list>*
**default:** *none*
**context:** *http, server*
Sets the networks for which the testing will not be used, add search engine networks here. Currently IPv4 CIDR only.
testcookie_redirect_via_refresh
-------------------------------
**syntax:** *testcookie_redirect_via_refresh (on|off);*
**default:** *off*
**context:** *http, server, location*
Set cookie and redirect using HTTP meta refresh, required if *testcookie_refresh_template* used.
testcookie_refresh_template
---------------------------
**syntax:** *testcookie_refresh_template <string>*
**default:** *none*
**context:** *http, server, location*
Use custom html instead of simple HTTP meta refresh, you need to set cookie manually from the template
Available all the nginx variables and
$testcookie_nexturl - URL the client should be redirected to, if max_attempts exceeded *testcookie_fallback* value will be here
$testcookie_uid_got - cookie value received from client, empty if no cookie or it does not match format
$testcookie_uid_set - correct cookie value we're expecting from client
$testcookie_ok - user passed test (1 - passed, 0 - not passed) Note: changed from "yes"/"no" in v1.10
also, if testcookie_refresh_encrypt_cookie enabled there are three more variables:
$testcookie_enc_key - encryption key (32 hex digits)
$testcookie_enc_iv - encryption iv (32 hex digits)
$testcookie_enc_sec - encrypted cookie value (32 hex digits)
testcookie_deny_keepalive
-------------------------
**syntax:** *testcookie_deny_keepalive (on|off);*
**default:** *off*
**context:** *http, server, location*
Close connection just after setting the cookie, no reason to keep connections with bots.
testcookie_get_only
-------------------
**syntax:** *testcookie_get_only (on|off);*
**default:** *off*
**context:** *http, server, location*
Process only GET requests, POST requests will be bypassed.
testcookie_https_location
-------------------------
**syntax:** *testcookie_https_location (on|off);*
**default:** *off*
**context:** *http, server, location*
Redirect client to https protocol after setting the cookie, also affects *$testcookie_nexturl*, useful with 3dparty SSL offload.
testcookie_refresh_encrypt_cookie
---------------------------------
**syntax:** *testcookie_refresh_encrypt_cookie (on|off);*
**default:** *off*
**context:** *http, server, location*
Encrypt cookie variable, used with *testcookie_refresh_template* to force client-side decryption with AES-128 CBC.
testcookie_refresh_encrypt_cookie_key
-------------------------------------
**syntax:** *testcookie_refresh_encrypt_cookie_key <32 hex digits|random>*
**default:** *required directive if encryption enabled*
**context:** *http, server, location*
Sets encryption key.
Possible values:
random - new key generated every nginx restart
32 hex digits - static key, useful if you plan to obfuscate it deep in client-side javascript.
testcookie_refresh_encrypt_iv
-----------------------------
**syntax:** *testcookie_refresh_encrypt_iv <32 hex digits|random|random2>*
**default:** *random*
**context:** *http, server, location*
Sets encryption iv.
Possible values:
random - new iv generated for every client request
random2 - new iv generated for every nginx restart
32 hex digits - static iv, useful if you plan to obfuscate it deep in client-side javascript
testcookie_internal
-------------------
**syntax:** *testcookie_internal (on|off);*
**default:** *off*
**context:** *http, server, location*
Process only GET requests, POST requests will be bypassed.
Enable testcookie check for internal redirects (disabled by default for optimization purposes!), useful for this type of configs:
rewrite ^/(.*)$ /index.php?$1 last;
testcookie_httponly_flag
------------------------
**syntax:** *testcookie_httponly_flag (on|off);*
**default:** *off*
**context:** *http, server, location*
Enable HttpOnly flag for cookie.
testcookie_secure_flag
------------------------
**syntax:** *testcookie_secure_flag (on|off|$variable);*
**default:** *off*
**context:** *http, server, location*
Enable Secure flag for cookie.
Any variable value except "off" interpreted as True.
Installation
============
Grab the nginx source code from [nginx.org](http://nginx.org/), for example, the version 1.1.15 (see nginx compatibility), and then build the source with this module:
wget 'http://nginx.org/download/nginx-1.1.15.tar.gz'
tar -xzvf nginx-1.1.15.tar.gz
cd nginx-1.1.15/
./configure --add-module=/path/to/testcookie-nginx-module
make
make install
For using client-side cookie decryption, you need to manually grab [SlowAES](http://code.google.com/p/slowaes/) JavaScript AES implementation,
patch it(utils/aes.patch) and put it to document root.
Compatibility
=============
Module was tested with nginx 1.1+, but should work with 1.0+.
Example configuration
=====================
http {
#default config, module disabled
testcookie off;
#setting cookie name
testcookie_name BPC;
#setting secret
testcookie_secret keepmesecret;
#setting session key
testcookie_session $remote_addr;
#setting argument name
testcookie_arg ckattempt;
#setting maximum number of cookie setting attempts
testcookie_max_attempts 3;
#setting p3p policy
testcookie_p3p 'CP="CUR ADM OUR NOR STA NID", policyref="/w3c/p3p.xml"';
#setting fallback url
testcookie_fallback http://google.com/cookies.html?backurl=http://$host$request_uri;
#configuring whitelist
testcookie_whitelist {
8.8.8.8/32;
}
#setting redirect via html code
testcookie_redirect_via_refresh on;
#enable encryption
testcookie_refresh_encrypt_cookie on;
#setting encryption key
testcookie_refresh_encrypt_cookie_key deadbeefdeadbeefdeadbeefdeadbeef;
#setting encryption iv
testcookie_refresh_encrypt_cookie_iv deadbeefdeadbeefdeadbeefdeadbeef;
#setting response template
testcookie_refresh_template 'setting cookie...';
server {
listen 80;
server_name test.com;
location = /aes.min.js {
gzip on;
gzip_min_length 1000;
gzip_types text/plain;
root /var/www/public_html;
}
location = /w3c/p3p.xml {
root /var/www/public_html;
}
location / {
#enable module for specific location
testcookie on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:80;
}
}
}
See more cases in "docs" directory of the project.
Test suite
===========
This module comes with a Perl-driven test suite. Thanks to the [Test::Nginx](http://search.cpan.org/perldoc?Test::Nginx) module in the Perl world.
Sources
=======
Available on github at [kyprizel/testcookie-nginx-module](http://github.com/kyprizel/testcookie-nginx-module).
TODO
====
* Code review
* Statistics (?)
Bugs
====
Feel free to report bugs and send patches to kyprizel@gmail.com
or using [github's issue tracker](http://github.com/kyprizel/testcookie-nginx-module/issues).
Support the project
===================
Send your donations to 1FHmPTP6aDBAzVtM7Pe7Y69zqhjPRx847s
Copyright & License
===================
Copyright (C) 2011-2015 Eldar Zaitov (kyprizel@gmail.com).
All rights reserved.
This module is licenced under the terms of BSD license.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of the authors nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.