Send request data early

Added backend IP header support
Allow specifying PROXY via BIND network
2025-04-11 06:22:48 +02:00 · 2025-04-11 06:02:01 +02:00 · 2025-04-11 05:47:32 +02:00 · 2025-04-11 05:46:05 +02:00 · 2025-04-10 07:00:43 +02:00 · 2025-04-10 06:43:24 +02:00
13 changed files with 644 additions and 78 deletions
--- a/17
+++ b/17
@@ -41,16 +41,23 @@ ENV GOAWAY_CHALLENGE_TEMPLATE="anubis"
 ENV GOAWAY_CHALLENGE_TEMPLATE_THEME=""
 ENV GOAWAY_SLOG_LEVEL="WARN"
 ENV GOAWAY_CLIENT_IP_HEADER=""
+ENV GOAWAY_BACKEND_IP_HEADER=""
 ENV GOAWAY_JWT_PRIVATE_KEY_SEED=""
 ENV GOAWAY_BACKEND=""
+ENV GOAWAY_DNSBL="dnsbl.dronebl.org"
+ENV GOAWAY_ACME_AUTOCERT=""
+ENV GOAWAY_CACHE="/cache"

 EXPOSE 8080/tcp
 EXPOSE 8080/udp

 ENV JWT_PRIVATE_KEY_SEED="${GOAWAY_JWT_PRIVATE_KEY_SEED}"

-ENTRYPOINT  /bin/go-away --bind ${GOAWAY_BIND} --bind-network ${GOAWAY_BIND_NETWORK} --socket-mode ${GOAWAY_SOCKET_MODE} \
-            --policy ${GOAWAY_POLICY} --client-ip-header ${GOAWAY_CLIENT_IP_HEADER} \
-            --challenge-template ${GOAWAY_CHALLENGE_TEMPLATE} --challenge-template-theme ${GOAWAY_CHALLENGE_TEMPLATE_THEME} \
-            --slog-level ${GOAWAY_SLOG_LEVEL} \
-            --backend ${GOAWAY_BACKEND}
+ENTRYPOINT  /bin/go-away --bind "${GOAWAY_BIND}" --bind-network "${GOAWAY_BIND_NETWORK}" --socket-mode "${GOAWAY_SOCKET_MODE}" \
+            --policy ${GOAWAY_POLICY} --client-ip-header "${GOAWAY_CLIENT_IP_HEADER}" --backend-ip-header "${GOAWAY_BACKEND_IP_HEADER}" \
+            --cache "${GOAWAY_CACHE}" \
+            --dnsbl "${GOAWAY_DNSBL}" \
+            --challenge-template "${GOAWAY_CHALLENGE_TEMPLATE}" --challenge-template-theme "${GOAWAY_CHALLENGE_TEMPLATE_THEME}" \
+            --slog-level "${GOAWAY_SLOG_LEVEL}" \
+            --acme-autocert "${GOAWAY_ACME_AUTOCERT}" \
+            --backend "${GOAWAY_BACKEND}"
--- a/README.md
+++ b/README.md
@@ -0,0 +1,135 @@
+# go-away
+
+Self-hosted abuse detection and rule enforcement against low-effort mass AI scraping and bots.
+
+[![Build Status](https://ci.gammaspectra.live/api/badges/git/go-away/status.svg)](https://ci.gammaspectra.live/git/go-away)
+[![Go Reference](https://pkg.go.dev/badge/git.gammaspectra.live/git/go-away.svg)](https://pkg.go.dev/git.gammaspectra.live/git/go-away)
+
+This documentation is a work in progress. For now, see policy examples under [examples/](examples/).
+
+## Setup
+
+It is recommended to have another reverse proxy above (for example [Caddy](https://caddyserver.com/), nginx, HAProxy) to handle HTTPs or similar.
+
+go-away for now only accepts plaintext connections, although it can take _HTTP/2_ / _h2c_ connections if desired over the same port.
+
+### Binary / Go
+
+Requires Go 1.22+. Builds statically without CGo
+
+```shell
+git clone https://git.gammaspectra.live/git/go-away.git && cd go-away
+
+CGO_ENABLED=0 go build -pgo=auto -v -trimpath -o ./go-away ./cmd/go-away
+
+# Run on port 8080, forwarding matching requests on git.example.com to http://forgejo:3000
+./go-away --bind :8080 \
+--backend git.example.com=http://forgejo:3000 \
+--policy examples/forgejo.yml \
+--challenge-template forgejo --challenge-template-theme forgejo-dark
+
+```
+
+### Dockerfile
+
+Available under [Dockerfile](Dockerfile). See the _docker compose_ below for the environment variables.
+
+### docker compose
+
+```yaml
+services:
+  go-away:
+    image: git.gammaspectra.live/git/go-away:latest
+    restart: always
+    ports:
+      - "3000:8080"
+    networks:
+      - forgejo
+    depends_on:
+      - forgejo
+    volumes:
+      - "./examples/forgejo.yml:/policy.yml:ro"
+    environment:
+      #GOAWAY_BIND: ":8080"
+      #GOAWAY_BIND_NETWORK: "tcp"
+      #GOAWAY_SOCKET_MODE: "0770"
+      
+      # default is WARN, set to INFO to also see challenge successes and others
+      #GOAWAY_SLOG_LEVEL: "INFO"
+      
+      # this value is used to sign cookies and challenges. by default a new one is generated each time
+      # set to generate to create one, then set the same value across all your instances
+      #GOAWAY_JWT_PRIVATE_KEY_SEED: ""
+      
+      # HTTP header that the client ip will be fetched from
+      # Defaults to the connection ip itself, if set here make sure your upstream proxy sets this properly
+      # Usually X-Forwarded-For is a good pick
+      GOAWAY_CLIENT_IP_HEADER: "X-Real-Ip"
+      
+      GOAWAY_POLICY: "/policy.yml"
+      
+      # Template, and theme for the template to pick. defaults to an anubis-like one
+      # An file path can be specified. See embed/templates for a few examples
+      GOAWAY_CHALLENGE_TEMPLATE: forgejo
+      GOAWAY_CHALLENGE_TEMPLATE_THEME: forgejo-dark
+      
+      # specify a DNSBL for usage in conditions. Defaults to DroneBL 
+      # GOAWAY_DNSBL: "dnsbl.dronebl.org"
+      
+      GOAWAY_BACKEND: "git.example.com=http://forgejo:3000"
+      
+    # additional backends can be specified via more command arguments  
+    # command: ["--backend", "ci.example.com=http://ci:3000"]
+
+```
+
+
+## Example policies
+
+### Forgejo
+
+The policy file at [examples/forgejo.yml](examples/forgejo.yml) provides a ready template to be used on your own Forgejo instance.
+
+Important notes:
+* Edit the `homesite` rule, as it's targeted to common users or orgs on the instance. A better regex might be possible in the future.
+* Edit the `http-cookie-check` challenge, as this will fetch the listed backend with the given session cookie to check for user login.
+* Adjust the desired blocked networks or others. A template list of network ranges is provided, feel free to remove these if not needed.
+* Check the conditions and base rules to change your challenges offered and other ordering.
+
+
+## Development
+
+### Compiling WASM runtime challenge modules
+
+Custom WASM runtime modules follow the WASI `wasip1` preview syscall API.
+
+It is recommended using TinyGo to compile / refresh modules, and some function helpers are provided.
+
+If you want to use a different language or compiler, enable `wasip1` and the following interface must be exported:
+
+```
+// Allocation is a combination of pointer location in WASM memory and size of it
+type Allocation uint64
+
+func (p Allocation) Pointer() uint32 {
+	return uint32(p >> 32)
+}
+func (p Allocation) Size() uint32 {
+	return uint32(p)
+}
+
+
+// MakeChallenge MakeChallengeInput / MakeChallengeOutput are valid JSON.
+// See lib/challenge/interface.go for a definition
+func MakeChallenge(in Allocation[MakeChallengeInput]) Allocation[MakeChallengeOutput]
+
+// VerifyChallenge VerifyChallengeInput is valid JSON.
+// See lib/challenge/interface.go for a definition
+func VerifyChallenge(in Allocation[VerifyChallengeInput]) VerifyChallengeOutput
+
+func malloc(size uint32) uintptr
+func free(size uintptr)
+
+```
+
+Modules will be recreated for each call, so there is no state leftover
--- a/cmd/go-away/main.go
+++ b/cmd/go-away/main.go
@@ -11,6 +11,9 @@ import (
 	"git.gammaspectra.live/git/go-away/lib"
 	"git.gammaspectra.live/git/go-away/lib/policy"
 	"git.gammaspectra.live/git/go-away/utils"
+	"github.com/pires/go-proxyproto"
+	"golang.org/x/crypto/acme"
+	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
 	"gopkg.in/yaml.v3"
@@ -20,6 +23,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"path"
 	"runtime/debug"
 	"strconv"
 	"strings"
@@ -27,7 +31,12 @@ import (
 	"time"
 )

-func setupListener(network, address, socketMode string) (net.Listener, string) {
+func setupListener(network, address, socketMode string, proxy bool) (net.Listener, string) {
+	if network == "proxy" {
+		network = "tcp"
+		proxy = true
+	}
+
 	formattedAddress := ""
 	switch network {
 	case "unix":
@@ -58,6 +67,14 @@ func setupListener(network, address, socketMode string) (net.Listener, string) {
 		}
 	}

+	if proxy {
+		slog.Warn("listener PROXY enabled")
+		formattedAddress += " +PROXY"
+		listener = &proxyproto.Listener{
+			Listener: listener,
+		}
+	}
+
 	return listener, formattedAddress
 }

@@ -81,28 +98,66 @@ func (v *MultiVar) Set(value string) error {
 	return nil
 }

-func newServer(handler http.Handler) *http.Server {
-	h2s := &http2.Server{}
+func newServer(handler http.Handler, manager *autocert.Manager) *http.Server {

-	// TODO: use Go 1.24 Server.Protocols to add H2C
-	// https://pkg.go.dev/net/http#Server.Protocols
-	h1s := &http.Server{
-		Handler: h2c.NewHandler(handler, h2s),
+	if manager == nil {
+		h2s := &http2.Server{}
+
+		// TODO: use Go 1.24 Server.Protocols to add H2C
+		// https://pkg.go.dev/net/http#Server.Protocols
+		h1s := &http.Server{
+			Handler: h2c.NewHandler(handler, h2s),
+		}
+
+		return h1s
+	} else {
+		return &http.Server{
+			TLSConfig: manager.TLSConfig(),
+			Handler:   handler,
+		}
+	}
+}
+
+func newACMEManager(clientDirectory string, backends map[string]http.Handler) *autocert.Manager {
+
+	var domains []string
+	for d := range backends {
+		parts := strings.Split(d, ":")
+		d = parts[0]
+		if net.ParseIP(d) != nil {
+			continue
+		}
+		domains = append(domains, d)
 	}

-	return h1s
+	manager := &autocert.Manager{
+		Prompt:     autocert.AcceptTOS,
+		HostPolicy: autocert.HostWhitelist(domains...),
+		Client: &acme.Client{
+			HTTPClient:   http.DefaultClient,
+			DirectoryURL: clientDirectory,
+		},
+	}
+	return manager
 }

 func main() {
-	bind := flag.String("bind", ":8080", "network address to bind HTTP to")
+	bind := flag.String("bind", ":8080", "network address to bind HTTP/HTTP(s) to")
 	bindNetwork := flag.String("bind-network", "tcp", "network family to bind HTTP to, e.g. unix, tcp")
+	bindProxy := flag.Bool("bind-proxy", false, "use PROXY protocol in front of the listener")
 	socketMode := flag.String("socket-mode", "0770", "socket mode (permissions) for unix domain sockets.")

 	slogLevel := flag.String("slog-level", "WARN", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
 	debugMode := flag.Bool("debug", false, "debug mode with logs and server timings")
 	passThrough := flag.Bool("passthrough", false, "passthrough mode sends all requests to matching backends until state is loaded")
+	acmeAutocert := flag.String("acme-autocert", "", "enables HTTP(s) mode and uses the provided ACME server URL or available service (available: letsencrypt)")

 	clientIpHeader := flag.String("client-ip-header", "", "Client HTTP header to fetch their IP address from (X-Real-Ip, X-Client-Ip, X-Forwarded-For, Cf-Connecting-Ip, etc.)")
+	backendIpHeader := flag.String("backend-ip-header", "", "Backend HTTP header to set the client IP address from, if empty defaults to leaving Client header alone (X-Real-Ip, X-Client-Ip, X-Forwarded-For, Cf-Connecting-Ip, etc.)")
+
+	dnsbl := flag.String("dnsbl", "dnsbl.dronebl.org", "blocklist for DNSBL (default DroneBL)")
+
+	cachePath := flag.String("cache", path.Join(os.TempDir(), "go_away_cache"), "path to temporary cache directory")

 	policyFile := flag.String("policy", "", "path to policy YAML file")
 	challengeTemplate := flag.String("challenge-template", "anubis", "name or path of the challenge template to use (anubis, forgejo)")
@@ -200,6 +255,35 @@ func main() {
 		createdBackends[k] = backend
 	}

+	if *cachePath != "" {
+		err = os.MkdirAll(*cachePath, 0755)
+		if err != nil {
+			log.Fatal(fmt.Errorf("failed to create cache directory: %w", err))
+		}
+	}
+
+	var acmeManager *autocert.Manager
+
+	if *acmeAutocert != "" {
+		switch *acmeAutocert {
+		case "letsencrypt":
+			*acmeAutocert = "https://acme-v02.api.letsencrypt.org/directory"
+		}
+
+		acmeManager = newACMEManager(*acmeAutocert, createdBackends)
+		if *cachePath != "" {
+			err = os.MkdirAll(path.Join(*cachePath, "acme"), 0755)
+			if err != nil {
+				log.Fatal(fmt.Errorf("failed to create acme cache directory: %w", err))
+			}
+			acmeManager.Cache = autocert.DirCache(path.Join(*cachePath, "acme"))
+		}
+		slog.Warn(
+			"acme-autocert enabled",
+			"directory", *acmeAutocert,
+		)
+	}
+
 	var wg sync.WaitGroup

 	passThroughCtx, cancelFunc := context.WithCancel(context.Background())
@@ -218,9 +302,9 @@ func main() {
 				}

 				backend.ServeHTTP(w, r)
-			}))
+			}), acmeManager)

-			listener, listenUrl := setupListener(*bindNetwork, *bind, *socketMode)
+			listener, listenUrl := setupListener(*bindNetwork, *bind, *socketMode, *bindProxy)
 			slog.Warn(
 				"listening passthrough",
 				"url", listenUrl,
@@ -230,8 +314,15 @@ func main() {
 			wg.Add(1)
 			go func() {
 				defer wg.Done()
-				if err := server.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
-					log.Fatal(err)
+
+				if acmeManager != nil {
+					if err := server.ServeTLS(listener, "", ""); !errors.Is(err, http.ErrServerClosed) {
+						log.Fatal(err)
+					}
+				} else {
+					if err := server.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
+						log.Fatal(err)
+					}
 				}
 			}()

@@ -247,7 +338,7 @@ func main() {
 		}()
 	}

-	state, err := lib.NewState(p, lib.StateSettings{
+	settings := lib.StateSettings{
 		Backends:               createdBackends,
 		Debug:                  *debugMode,
 		PackageName:            *packageName,
@@ -255,7 +346,14 @@ func main() {
 		ChallengeTemplateTheme: *challengeTemplateTheme,
 		PrivateKeySeed:         seed,
 		ClientIpHeader:         *clientIpHeader,
-	})
+		BackendIpHeader:        *backendIpHeader,
+	}
+
+	if *dnsbl != "" {
+		settings.DNSBL = utils.NewDNSBL(*dnsbl, net.DefaultResolver)
+	}
+
+	state, err := lib.NewState(p, settings)

 	if err != nil {
 		log.Fatal(fmt.Errorf("failed to create state: %w", err))
@@ -265,15 +363,23 @@ func main() {
 	cancelFunc()
 	wg.Wait()

-	listener, listenUrl := setupListener(*bindNetwork, *bind, *socketMode)
+	listener, listenUrl := setupListener(*bindNetwork, *bind, *socketMode, *bindProxy)
 	slog.Warn(
 		"listening",
 		"url", listenUrl,
 	)

-	server := newServer(state)
+	server := newServer(state, acmeManager)

-	if err := server.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
-		log.Fatal(err)
+	if acmeManager != nil {
+		if err := server.ServeTLS(listener, "", ""); !errors.Is(err, http.ErrServerClosed) {
+			log.Fatal(err)
+		}
+	} else {
+
+		if err := server.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
+			log.Fatal(err)
+		}
 	}
+
 }
--- a/examples/forgejo.yml
+++ b/examples/forgejo.yml
@@ -1,5 +1,5 @@
 # Example cmdline (forward requests from upstream to port :8080)
-# $ go-away --bind :8080 --backend git.example.com:http://forgejo:3000 --policy examples/forgejo.yml --challenge-template forgejo --challenge-template-theme forgejo-dark
+# $ go-away --bind :8080 --backend git.example.com=http://forgejo:3000 --policy examples/forgejo.yml --challenge-template forgejo --challenge-template-theme forgejo-dark



@@ -232,7 +232,7 @@ conditions:
    # Old IE browsers
    - 'userAgent.matches("MSIE ([2-9]|10|11)\\.")'
    # Old Linux browsers
-    - 'userAgent.contains("Linux i686")'
+    - 'userAgent.contains("Linux i[63]86") || userAgent.contains("FreeBSD i[63]86")'
    # Old Windows browsers
    - 'userAgent.matches("Windows (3|95|98|CE)") || userAgent.matches("Windows NT [1-5]\\.")'
    # Old mobile browsers
@@ -333,8 +333,10 @@ rules:

  - name: always-pow-challenge
    conditions:
-      # login paths
-      - 'path.startsWith("/user/sign_up") || path.startsWith("/user/login") || path.startsWith("/user/oauth2/")'
+      # login and sign up paths
+      - 'path.startsWith("/user/sign_up")'
+      - 'path.startsWith("/user/login") || path.startsWith("/user/oauth2/")'
+      - 'path.startsWith("/user/activate")'
      # repo / org / mirror creation paths
      - 'path == "/repo/create" || path == "/repo/migrate" || path ==  "/org/create"'
      # user profile info edit paths
@@ -392,7 +394,7 @@ rules:
  - name: desired-crawlers
    conditions:
      - 'userAgent.contains("+https://kagi.com/bot") && inNetwork("kagibot", remoteAddress)'
-      - '(userAgent.contains("+http://www.google.com/bot.html") || userAgent.contains("Google-InspectionTool")) && inNetwork("googlebot", remoteAddress)'
+      - '(userAgent.contains("+http://www.google.com/bot.html") || userAgent.contains("Google-InspectionTool") || userAgent.contains("Googlebot")) && inNetwork("googlebot", remoteAddress)'
      - 'userAgent.contains("+http://www.bing.com/bingbot.htm") && inNetwork("bingbot", remoteAddress)'
      - 'userAgent.contains("+http://duckduckgo.com/duckduckbot.html") && inNetwork("duckduckbot", remoteAddress)'
      - 'userAgent.contains("+https://help.qwant.com/bot/") && inNetwork("qwantbot", remoteAddress)'
@@ -408,12 +410,6 @@ rules:
      - 'path.matches("(?i)^/(WeebDataHoarder|P2Pool|mirror|git|S\\.O\\.N\\.G|FM10K|Sillycom|pwgen2155|kaitou|metonym)/[^/]+$")'
    action: pass

-  - name: suspicious-fetchers
-    action: challenge
-    challenges: [js-pow-sha256, http-cookie-check]
-    conditions:
-      - 'userAgent.contains("facebookexternalhit/") || userAgent.contains("facebookcatalog/")'
-
  # check a sequence of challenges
  - name: heavy-operations/0
    action: check
@@ -430,10 +426,23 @@ rules:
    conditions:
      - 'path.matches("^/[^/]+/[^/]+/raw/branch/")'
      - 'path.matches("^/[^/]+/[^/]+/archive/")'
-      - 'path.matches("^/[^/]+/[^/]+/media/")'
      - 'path.matches("^/[^/]+/[^/]+/releases/download/")'
+      - 'path.matches("^/[^/]+/[^/]+/media/") && ($is-generic-browser)'
    action: pass

+  # check DNSBL and serve harder challenges
+  - name: undesired-dnsbl
+    conditions:
+      - 'inDNSBL(remoteAddress)'
+    action: check
+    challenges: [js-pow-sha256, http-cookie-check]
+
+  - name: suspicious-fetchers
+    action: check
+    challenges: [js-pow-sha256]
+    conditions:
+      - 'userAgent.contains("facebookexternalhit/") || userAgent.contains("facebookcatalog/")'
+
  # Allow PUT/DELETE/PATCH/POST requests in general
  - name: non-get-request
    action: pass
@@ -441,13 +450,13 @@ rules:
      - '!(method == "HEAD" || method == "GET")'


-
  - name: standard-tools
    action: challenge
-    challenges: [self-meta-refresh]
+    challenges: [self-cookie]
    conditions:
      - '($is-generic-robot-ua)'
      - '($is-tool-ua)'
+      - '!($is-generic-browser)'

  - name: standard-browser
    action: challenge
--- a/go.mod
+++ b/go.mod
@@ -11,9 +11,11 @@ require (
 	github.com/google/cel-go v0.24.1
 	github.com/itchyny/gojq v0.12.17
 	github.com/klauspost/compress v1.18.0
+	github.com/pires/go-proxyproto v0.8.0
 	github.com/tetratelabs/wazero v1.9.0
 	github.com/yl2chen/cidranger v1.0.2
-	golang.org/x/net v0.26.0
+	golang.org/x/crypto v0.33.0
+	golang.org/x/net v0.35.0
 	gopkg.in/yaml.v3 v3.0.1
 )

@@ -23,7 +25,6 @@ require (
 	github.com/itchyny/timefmt-go v0.1.6 // indirect
 	github.com/kevinpollet/nego v0.0.0-20211010160919-a65cd48cee43 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
-	golang.org/x/crypto v0.33.0 // indirect
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac // indirect
 	golang.org/x/text v0.22.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 // indirect
@@ -39,7 +40,10 @@ replace golang.org/x/exp v0.0.0 => ./utils/exp
 // Pin latest versions to support Go 1.22 to prevent a package update from changing them
 // TODO: remove this when Go 1.22+ is supported by other higher users
 replace (
+	github.com/go-jose/go-jose/v4 => github.com/go-jose/go-jose/v4 v4.0.5
 	golang.org/x/crypto => golang.org/x/crypto v0.33.0
+	golang.org/x/net => golang.org/x/net v0.35.0
+	golang.org/x/text => golang.org/x/text v0.22.0
 	google.golang.org/genproto/googleapis/api => google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7
 	google.golang.org/genproto/googleapis/rpc => google.golang.org/genproto/googleapis/rpc v0.0.0-20240826202546-f6391c0de4c7
 )
--- a/go.sum
+++ b/go.sum
@@ -23,6 +23,8 @@ github.com/kevinpollet/nego v0.0.0-20211010160919-a65cd48cee43 h1:Pdirg1gwhEcGjM
 github.com/kevinpollet/nego v0.0.0-20211010160919-a65cd48cee43/go.mod h1:ahLMuLCUyDdXqtqGyuwGev7/PGtO7r7ocvdwDuEN/3E=
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
+github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
@@ -46,8 +48,8 @@ golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
 golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac h1:l5+whBCLH3iH2ZNHYLbAe58bo7yrN4mVcnkHDYz5vvs=
 golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac/go.mod h1:hH+7mtFmImwwcMvScyxUhjuVHR3HGaDPMn9rMSUUbxo=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 google.golang.org/genproto/googleapis/api v0.0.0-20240826202546-f6391c0de4c7 h1:YcyjlL1PRr2Q17/I0dPk2JmYS5CDXfcdb2Z3YRioEbw=
--- a/go.work.sum
+++ b/go.work.sum
@@ -9,8 +9,8 @@ github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUc
 github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 golang.org/x/mod v0.23.0 h1:Zb7khfcRGKk+kqfxFaP5tZqCnDZMjC5VtUBs87Hr6QM=
 golang.org/x/mod v0.23.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8=
+golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk=
 golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
 golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
--- a/lib/challenge.go
+++ b/lib/challenge.go
@@ -3,6 +3,8 @@ package lib
 import (
 	"crypto/sha256"
 	"encoding/binary"
+	"encoding/hex"
+	"errors"
 	"github.com/go-jose/go-jose/v4/jwt"
 	"net"
 	"net/http"
@@ -52,12 +54,45 @@ func getRequestAddress(r *http.Request, clientHeader string) net.IP {
 	return net.ParseIP(ipStr)
 }

-func (state *State) GetChallengeKeyForRequest(challengeName string, until time.Time, r *http.Request) []byte {
+type ChallengeKey []byte
+
+const ChallengeKeySize = sha256.Size
+
+func (k *ChallengeKey) Set(flags ChallengeKeyFlags) {
+	(*k)[0] |= uint8(flags)
+}
+func (k *ChallengeKey) Get(flags ChallengeKeyFlags) ChallengeKeyFlags {
+	return ChallengeKeyFlags((*k)[0] & uint8(flags))
+}
+func (k *ChallengeKey) Unset(flags ChallengeKeyFlags) {
+	(*k)[0] = (*k)[0] & ^(uint8(flags))
+}
+
+type ChallengeKeyFlags uint8
+
+const (
+	ChallengeKeyFlagIsIPv4 = ChallengeKeyFlags(1 << iota)
+)
+
+func ChallengeKeyFromString(s string) (ChallengeKey, error) {
+	b, err := hex.DecodeString(s)
+	if err != nil {
+		return nil, err
+	}
+	if len(b) != ChallengeKeySize {
+		return nil, errors.New("invalid challenge key")
+	}
+	return ChallengeKey(b), nil
+}
+
+func (state *State) GetChallengeKeyForRequest(challengeName string, until time.Time, r *http.Request) ChallengeKey {
+	data := RequestDataFromContext(r.Context())
+	address := data.RemoteAddress
 	hasher := sha256.New()
 	hasher.Write([]byte("challenge\x00"))
 	hasher.Write([]byte(challengeName))
 	hasher.Write([]byte{0})
-	hasher.Write(getRequestAddress(r, state.Settings.ClientIpHeader).To16())
+	hasher.Write(address.To16())
 	hasher.Write([]byte{0})

 	// specific headers
@@ -78,5 +113,13 @@ func (state *State) GetChallengeKeyForRequest(challengeName string, until time.T
 	hasher.Write(state.publicKey)
 	hasher.Write([]byte{0})

-	return hasher.Sum(nil)
+	sum := ChallengeKey(hasher.Sum(nil))
+
+	sum[0] = 0
+
+	if address.To4() != nil {
+		// Is IPv4, mark
+		sum.Set(ChallengeKeyFlagIsIPv4)
+	}
+	return ChallengeKey(sum)
 }
--- a/lib/conditions.go
+++ b/lib/conditions.go
@@ -1,11 +1,14 @@
 package lib

 import (
+	"context"
 	"fmt"
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
+	"log/slog"
 	"net"
+	"time"
 )

 func (state *State) initConditions() (err error) {
@@ -20,6 +23,52 @@ func (state *State) initConditions() (err error) {
 		// http.Header
 		cel.Variable("headers", cel.MapType(cel.StringType, cel.StringType)),
 		//TODO: dynamic type?
+		cel.Function("inDNSBL",
+			cel.Overload("inDNSBL_ip",
+				[]*cel.Type{cel.AnyType},
+				cel.BoolType,
+				cel.UnaryBinding(func(val ref.Val) ref.Val {
+					if state.Settings.DNSBL == nil {
+						return types.Bool(false)
+					}
+
+					var ip net.IP
+					switch v := val.Value().(type) {
+					case []byte:
+						ip = v
+					case net.IP:
+						ip = v
+					case string:
+						ip = net.ParseIP(v)
+					}
+
+					if ip == nil {
+						panic(fmt.Errorf("invalid ip %v", val.Value()))
+					}
+
+					var key [net.IPv6len]byte
+					copy(key[:], ip.To16())
+
+					result, ok := state.DecayMap.Get(key)
+					if ok {
+						return types.Bool(result.Bad())
+					}
+
+					ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+					defer cancel()
+					result, err := state.Settings.DNSBL.Lookup(ctx, ip)
+					if err != nil {
+						slog.Debug("dnsbl lookup failed", "address", ip.String(), "result", result, "err", err)
+					} else {
+						slog.Debug("dnsbl lookup", "address", ip.String(), "result", result)
+					}
+					//TODO: configure decay
+					state.DecayMap.Set(key, result, time.Hour)
+
+					return types.Bool(result.Bad())
+				}),
+			),
+		),
 		cel.Function("inNetwork",
 			cel.Overload("inNetwork_string_ip",
 				[]*cel.Type{cel.StringType, cel.AnyType},
--- a/lib/http.go
+++ b/lib/http.go
@@ -18,7 +18,9 @@ import (
 	"io"
 	"log/slog"
 	"maps"
+	"net"
 	"net/http"
+	"net/http/pprof"
 	"path"
 	"path/filepath"
 	"strconv"
@@ -129,10 +131,11 @@ func (state *State) addTiming(w http.ResponseWriter, name, desc string, duration
 	}
 }

-func GetLoggerForRequest(r *http.Request, clientHeader string) *slog.Logger {
+func GetLoggerForRequest(r *http.Request) *slog.Logger {
+	data := RequestDataFromContext(r.Context())
 	return slog.With(
-		"request_id", r.Header.Get("X-Away-Id"),
-		"remote_address", getRequestAddress(r, clientHeader),
+		"request_id", hex.EncodeToString(data.Id[:]),
+		"remote_address", data.RemoteAddress.String(),
 		"user_agent", r.UserAgent(),
 		"host", r.Host,
 		"path", r.URL.Path,
@@ -141,7 +144,7 @@ func GetLoggerForRequest(r *http.Request, clientHeader string) *slog.Logger {
 }

 func (state *State) logger(r *http.Request) *slog.Logger {
-	return GetLoggerForRequest(r, state.Settings.ClientIpHeader)
+	return GetLoggerForRequest(r)
 }

 func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
@@ -327,6 +330,13 @@ func (state *State) setupRoutes() error {

 	state.Mux.HandleFunc("/", state.handleRequest)

+	if state.Settings.Debug {
+		http.HandleFunc(state.UrlPath+"/debug/pprof/", pprof.Index)
+		http.HandleFunc(state.UrlPath+"/debug/pprof/profile", pprof.Profile)
+		http.HandleFunc(state.UrlPath+"/debug/pprof/symbol", pprof.Symbol)
+		http.HandleFunc(state.UrlPath+"/debug/pprof/trace", pprof.Trace)
+	}
+
 	state.Mux.Handle("GET "+state.UrlPath+"/assets/", http.StripPrefix(state.UrlPath, gzipped.FileServer(gzipped.FS(embed.AssetsFs))))

 	for _, c := range state.Challenges {
@@ -404,15 +414,17 @@ func (state *State) setupRoutes() error {
 }

 func (state *State) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+
 	var data RequestData
 	// generate random id, todo: is this fast?
 	_, _ = rand.Read(data.Id[:])
+	data.RemoteAddress = getRequestAddress(r, state.Settings.ClientIpHeader)
 	data.Challenges = make(map[challenge.Id]challenge.VerifyResult, len(state.Challenges))
 	data.Expires = time.Now().UTC().Add(DefaultValidity).Round(DefaultValidity)
 	data.ProgramEnv = map[string]any{
 		"host":          r.Host,
 		"method":        r.Method,
-		"remoteAddress": getRequestAddress(r, state.Settings.ClientIpHeader),
+		"remoteAddress": data.RemoteAddress,
 		"userAgent":     r.UserAgent(),
 		"path":          r.URL.Path,
 		"query": func() map[string]string {
@@ -431,6 +443,8 @@ func (state *State) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}(),
 	}

+	r = r.WithContext(context.WithValue(r.Context(), "_goaway_data", &data))
+
 	for _, c := range state.Challenges {
 		key := state.GetChallengeKeyForRequest(c.Name, data.Expires, r)
 		result, err := c.VerifyChallengeToken(state.publicKey, key, r)
@@ -457,14 +471,16 @@ func (state *State) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}

 	r.Header.Set("X-Away-Id", hex.EncodeToString(data.Id[:]))
-	w.Header().Set("X-Away-Id", hex.EncodeToString(data.Id[:]))
+	if state.Settings.BackendIpHeader != "" {
+		r.Header.Del(state.Settings.ClientIpHeader)
+		r.Header.Set(state.Settings.BackendIpHeader, data.RemoteAddress.String())
+	}
+	w.Header().Add("Via", fmt.Sprintf("%s %s", r.Proto, "go-away"))

 	// send these to client so we consistently get the headers
 	//w.Header().Set("Accept-CH", "Sec-CH-UA, Sec-CH-UA-Platform")
 	//w.Header().Set("Critical-CH", "Sec-CH-UA, Sec-CH-UA-Platform")

-	r = r.WithContext(context.WithValue(r.Context(), "_goaway_data", &data))
-
 	state.Mux.ServeHTTP(w, r)
 }

@@ -473,10 +489,11 @@ func RequestDataFromContext(ctx context.Context) *RequestData {
 }

 type RequestData struct {
-	Id         [16]byte
-	ProgramEnv map[string]any
-	Expires    time.Time
-	Challenges map[challenge.Id]challenge.VerifyResult
+	Id            [16]byte
+	ProgramEnv    map[string]any
+	Expires       time.Time
+	Challenges    map[challenge.Id]challenge.VerifyResult
+	RemoteAddress net.IP
 }

 func (d *RequestData) HasValidChallenge(id challenge.Id) bool {
--- a/lib/state.go
+++ b/lib/state.go
@@ -26,6 +26,7 @@ import (
 	"io"
 	"io/fs"
 	"log/slog"
+	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@@ -60,6 +61,10 @@ type State struct {
 	Poison map[string][]byte

 	ChallengeSolve sync.Map
+
+	DecayMap *utils.DecayMap[[net.IPv6len]byte, utils.DNSBLResponse]
+
+	close chan struct{}
 }

 func (state *State) AwaitChallenge(key []byte, ctx context.Context) challenge.VerifyResult {
@@ -107,10 +112,13 @@ type StateSettings struct {
 	ChallengeTemplate      string
 	ChallengeTemplateTheme string
 	ClientIpHeader         string
+	BackendIpHeader        string
+	DNSBL                  *utils.DNSBL
 }

-func NewState(p policy.Policy, settings StateSettings) (state *State, err error) {
-	state = new(State)
+func NewState(p policy.Policy, settings StateSettings) (handler http.Handler, err error) {
+	state := new(State)
+	state.close = make(chan struct{})
 	state.Settings = settings
 	state.Client = &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
@@ -119,6 +127,10 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)
 	}
 	state.UrlPath = "/.well-known/." + state.Settings.PackageName

+	if state.Settings.DNSBL != nil {
+		state.DecayMap = utils.NewDecayMap[[net.IPv6len]byte, utils.DNSBLResponse]()
+	}
+
 	// set a reasonable configuration for default http proxy if there is none
 	for _, backend := range state.Settings.Backends {
 		if proxy, ok := backend.(*httputil.ReverseProxy); ok {
@@ -220,6 +232,7 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)

 	idCounter := challenge.Id(1)

+	//TODO: move this to self-contained challenge files
 	for challengeName, p := range p.Challenges {

 		// allow nesting
@@ -371,6 +384,12 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)

 		case "cookie":
 			c.ServeChallenge = func(w http.ResponseWriter, r *http.Request, key []byte, expiry time.Time) challenge.Result {
+				if chall := r.URL.Query().Get("__goaway_challenge"); chall == challengeName {
+					state.logger(r).Warn("challenge failed", "challenge", c.Name)
+					utils.ClearCookie(utils.CookiePrefix+c.Name, w)
+					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusForbidden, fmt.Errorf("access denied: failed challenge %s", c.Name), "")
+					return challenge.ResultStop
+				}

 				token, err := c.IssueChallengeToken(state.privateKey, key, nil, expiry)
 				if err != nil {
@@ -378,9 +397,14 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)
 				} else {
 					utils.SetCookie(utils.CookiePrefix+challengeName, token, expiry, w)
 				}
+
 				// self redirect!
-				//TODO: add redirect loop detect parameter
-				http.Redirect(w, r, r.URL.String(), http.StatusTemporaryRedirect)
+				uri, err := url.ParseRequestURI(r.URL.String())
+				values := uri.Query()
+				values.Set("__goaway_challenge", challengeName)
+				uri.RawQuery = values.Encode()
+
+				http.Redirect(w, r, uri.String(), http.StatusTemporaryRedirect)
 				return challenge.ResultStop
 			}
 		case "meta-refresh":
@@ -566,7 +590,7 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)

 				redirect, err := utils.EnsureNoOpenRedirect(r.FormValue("redirect"))
 				if err != nil {
-					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusInternalServerError, err, "")
+					_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusBadRequest, err, "")
 					return
 				}

@@ -585,29 +609,37 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)
 					if ok, err := c.Verify(key, result, r); err != nil {
 						return err
 					} else if !ok {
-						state.logger(r).Warn("challenge failed", "challenge", challengeName, "redirect", redirect)
 						utils.ClearCookie(utils.CookiePrefix+challengeName, w)
-
+						data.Challenges[c.Id] = challenge.VerifyResultFAIL
 						state.SolveChallenge(key, challenge.VerifyResultFAIL)
+						state.logger(r).Warn("challenge failed", "challenge", challengeName, "redirect", redirect)

-						_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusForbidden, fmt.Errorf("access denied: failed challenge %s", challengeName), redirect)
-						return nil
-					}
+						// catch happy eyeballs IPv4 -> IPv6 migration, re-direct to try again
+						if resultKey, err := ChallengeKeyFromString(result); err == nil && resultKey.Get(ChallengeKeyFlagIsIPv4) > 0 && key.Get(ChallengeKeyFlagIsIPv4) == 0 {

-					state.logger(r).Warn("challenge passed", "challenge", challengeName, "redirect", redirect)
-
-					token, err := c.IssueChallengeToken(state.privateKey, key, []byte(result), data.Expires)
-					if err != nil {
-						utils.ClearCookie(utils.CookiePrefix+challengeName, w)
+						} else {
+							_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusForbidden, fmt.Errorf("access denied: failed challenge %s", challengeName), redirect)
+							return nil
+						}
 					} else {
-						utils.SetCookie(utils.CookiePrefix+challengeName, token, data.Expires, w)
-					}
-					data.Challenges[c.Id] = challenge.VerifyResultPASS
+						state.logger(r).Warn("challenge passed", "challenge", challengeName, "redirect", redirect)

-					state.SolveChallenge(key, challenge.VerifyResultPASS)
+						token, err := c.IssueChallengeToken(state.privateKey, key, []byte(result), data.Expires)
+						if err != nil {
+							utils.ClearCookie(utils.CookiePrefix+challengeName, w)
+						} else {
+							utils.SetCookie(utils.CookiePrefix+challengeName, token, data.Expires, w)
+						}
+						data.Challenges[c.Id] = challenge.VerifyResultPASS
+						state.SolveChallenge(key, challenge.VerifyResultPASS)
+					}

 					switch httpCode {
 					case http.StatusMovedPermanently, http.StatusFound, http.StatusSeeOther, http.StatusTemporaryRedirect, http.StatusPermanentRedirect:
+						if redirect == "" {
+							_ = state.errorPage(w, r.Header.Get("X-Away-Id"), http.StatusBadRequest, errors.New("no redirect found"), "")
+							return nil
+						}
 						http.Redirect(w, r, redirect, httpCode)
 					default:
 						w.Header().Set("Content-Type", mimeType)
@@ -761,6 +793,20 @@ func NewState(p policy.Policy, settings StateSettings) (state *State, err error)
 		return nil, err
 	}

+	if state.DecayMap != nil {
+		go func() {
+			ticker := time.NewTicker(17 * time.Minute)
+			for {
+				select {
+				case <-ticker.C:
+					state.DecayMap.Decay()
+				case <-state.close:
+					return
+				}
+			}
+		}()
+	}
+
 	return state, nil
 }

--- a/utils/decaymap.go
+++ b/utils/decaymap.go
@@ -0,0 +1,73 @@
+package utils
+
+import (
+	"sync"
+	"time"
+)
+
+func zilch[T any]() T {
+	var zero T
+	return zero
+}
+
+type DecayMap[K, V comparable] struct {
+	data map[K]DecayMapEntry[V]
+	lock sync.RWMutex
+}
+
+type DecayMapEntry[V comparable] struct {
+	Value  V
+	expiry time.Time
+}
+
+func NewDecayMap[K, V comparable]() *DecayMap[K, V] {
+	return &DecayMap[K, V]{
+		data: make(map[K]DecayMapEntry[V]),
+	}
+}
+
+func (m *DecayMap[K, V]) Get(key K) (V, bool) {
+	m.lock.RLock()
+	value, ok := m.data[key]
+	m.lock.RUnlock()
+
+	if !ok {
+		return zilch[V](), false
+	}
+
+	if time.Now().After(value.expiry) {
+		m.lock.Lock()
+		// Since previously reading m.data[key], the value may have been updated.
+		// Delete the entry only if the expiry time is still the same.
+		if m.data[key].expiry == value.expiry {
+			delete(m.data, key)
+		}
+		m.lock.Unlock()
+
+		return zilch[V](), false
+	}
+
+	return value.Value, true
+}
+
+func (m *DecayMap[K, V]) Set(key K, value V, ttl time.Duration) {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	m.data[key] = DecayMapEntry[V]{
+		Value:  value,
+		expiry: time.Now().Add(ttl),
+	}
+}
+
+func (m *DecayMap[K, V]) Decay() {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	now := time.Now()
+	for key, entry := range m.data {
+		if now.After(entry.expiry) {
+			delete(m.data, key)
+		}
+	}
+}
--- a/utils/dnsbl.go
+++ b/utils/dnsbl.go
@@ -0,0 +1,75 @@
+package utils
+
+import (
+	"context"
+	"net"
+	"strconv"
+)
+
+type DNSBL struct {
+	target   string
+	resolver *net.Resolver
+}
+
+func NewDNSBL(target string, resolver *net.Resolver) *DNSBL {
+	if resolver == nil {
+		resolver = net.DefaultResolver
+	}
+	return &DNSBL{
+		target:   target,
+		resolver: resolver,
+	}
+}
+
+var nibbleTable = [16]byte{
+	'0', '1', '2', '3',
+	'4', '5', '6', '7',
+	'8', '9', 'a', 'b',
+	'c', 'd', 'e', 'f',
+}
+
+type DNSBLResponse uint8
+
+func (r DNSBLResponse) Bad() bool {
+	return r != ResponseGood && r != ResponseUnknown
+}
+
+const (
+	ResponseGood    = DNSBLResponse(0)
+	ResponseUnknown = DNSBLResponse(255)
+)
+
+func (bl DNSBL) Lookup(ctx context.Context, ip net.IP) (DNSBLResponse, error) {
+	var target []byte
+	if ip4 := ip.To4(); ip4 != nil {
+		// max length preallocate
+		target = make([]byte, 0, len(bl.target)+1+len(ip4)*4)
+
+		for i := len(ip4) - 1; i >= 0; i-- {
+			target = strconv.AppendUint(target, uint64(ip4[i]), 10)
+			target = append(target, '.')
+		}
+	} else {
+		// IPv6
+		// max length preallocate
+		target = make([]byte, 0, len(bl.target)+1+len(ip)*4)
+
+		for i := len(ip) - 1; i >= 0; i-- {
+			target = append(target, nibbleTable[ip[i]&0xf], '.', ip[i]>>4, '.')
+		}
+	}
+
+	target = append(target, bl.target...)
+
+	ips, err := bl.resolver.LookupIP(ctx, "ip4", string(target))
+	if err != nil {
+		return ResponseUnknown, err
+	}
+
+	for _, ip := range ips {
+		ip4 := ip.To4()
+		return DNSBLResponse(ip4[len(ip4)-1]), nil
+	}
+
+	return ResponseUnknown, nil
+}
Author	SHA1	Message	Date
WeebDataHoarder	87c2845952	Send request data early	2025-04-11 06:22:48 +02:00
WeebDataHoarder	7829eece77	Added backend IP header support	2025-04-11 06:02:01 +02:00
WeebDataHoarder	0da12cfdab	Allow specifying PROXY via BIND network	2025-04-11 05:47:32 +02:00
WeebDataHoarder	3060188f44	Add PROXY support	2025-04-11 05:46:05 +02:00
WeebDataHoarder	031a8c5482	Actually load TLS	2025-04-10 07:00:43 +02:00
WeebDataHoarder	2eee5b20c2	Log when autocert is enabled	2025-04-10 06:43:24 +02:00
WeebDataHoarder	4744048a38	Add acme autocert configuration	2025-04-10 06:13:42 +02:00
WeebDataHoarder	ca4101df7c	Use self-redirect on cookie challenge	2025-04-10 05:27:44 +02:00
WeebDataHoarder	527f1342e8	Issue token then redirect to verify under cookie challenge	2025-04-10 05:15:48 +02:00
WeebDataHoarder	15472b00b8	Add older clients, change standard-tools challenge	2025-04-09 00:08:53 +02:00
WeebDataHoarder	ce111f6ae9	Add DNSBL querying in conditions	2025-04-08 22:11:58 +02:00
WeebDataHoarder	285090c9c1	Update, pin dependencies that require Go 1.22	2025-04-08 20:11:46 +02:00
WeebDataHoarder	153870acc0	Serve pprof server when debug mode is enabled	2025-04-08 20:06:28 +02:00
WeebDataHoarder	574cf71156	Update readme with examples	2025-04-08 18:10:37 +02:00
WeebDataHoarder	8c815ed808	Update readme with light instructions	2025-04-08 18:03:47 +02:00
WeebDataHoarder	6948027b57	Initial README	2025-04-08 17:57:24 +02:00
WeebDataHoarder	713db376b5	Add login/activate paths to forgejo example template	2025-04-08 17:50:41 +02:00
WeebDataHoarder	186904e020	Mark challenge keys with whether client was ipv4 or ipv6, allow retrying IPv4 -> IPv6 happy eyeballs automatically	2025-04-08 14:07:24 +02:00