Documentation
Index ¶
- Constants
- func LoadEd25519Key(data []byte) (ed25519.PrivateKey, error)
- type Config
- type Instance
- type InstanceState
- func (s *InstanceState) Close()
- func (s *InstanceState) ContainsBlocklist(ip ipblock.IPBlock) bool
- func (s *InstanceState) DecApproval(id uuid.UUID) bool
- func (s *InstanceState) DecPending(ip ipblock.IPBlock) int32
- func (s *InstanceState) GetFingerprint() string
- func (s *InstanceState) IncPending(ip ipblock.IPBlock) int32
- func (s *InstanceState) InsertBlocklist(ip ipblock.IPBlock)
- func (s *InstanceState) InsertUsedNonce(nonce uint32) bool
- func (s *InstanceState) IssueApproval(n int32) uuid.UUID
- func (s *InstanceState) RemovePending(ip ipblock.IPBlock) bool
Constants ¶
// Default values for the Config fields of the same name (Difficulty,
// MaxPending, AccessPerApproval, the TTLs, MaxMemUsage, CookieName,
// HeaderName, Title) and for the IP prefix lengths used to form IP blocks.
// Presumably applied when the corresponding field is left unset — confirm
// against the constructor, which is not shown here.
const (
	DefaultCookieName        = "cerberus-auth"
	DefaultHeaderName        = "X-Cerberus-Status"
	DefaultDifficulty        = 4 // number of leading zeroes required in the challenge hash
	DefaultMaxPending        = 128
	DefaultAccessPerApproval = 8
	DefaultBlockTTL          = time.Hour * 24 // 1 day
	DefaultPendingTTL        = time.Hour      // 1 hour
	DefaultApprovalTTL       = time.Hour      // 1 hour
	DefaultMaxMemUsage       = 1 << 29        // 512MB
	DefaultTitle             = "Cerberus Challenge"
	DefaultDescription       = "Making sure you're not a bot!"
	DefaultIPV4Prefix        = 32 // one IPv4 address per block
	DefaultIPV6Prefix        = 64 // a whole /64 per block
)
const (
	AppName = "cerberus"
	// VarIPBlock and VarReqID are the variable keys under which the
	// request's IP block and request ID are stored; presumably Caddy
	// request variables — confirm against the handler.
	VarIPBlock = "cerberus-block"
	VarReqID   = "cerberus-request-id"
	Version    = "v0.4.7"
	// NonceTTL bounds how long a challenge nonce remains usable. Used
	// nonces are tracked via InstanceState.InsertUsedNonce; the exact
	// relation between that map and this TTL is not visible here — confirm.
	NonceTTL = 2 * time.Minute
)
// Approximate per-entry memory cost of each cache: a fixed per-item
// overhead of the underlying LRU plus the size of the key and of the
// stored value (for the pending and approval caches, a pointer to an
// atomic counter plus the counter itself). Presumably charged against
// the memory budget in Config.MaxMemUsage — confirm.
const (
	FreeLRUInternalCost = 20
	PendingItemCost     = FreeLRUInternalCost + int64(unsafe.Sizeof(ipblock.IPBlock{})) + int64(unsafe.Sizeof(&atomic.Int32{})) + int64(unsafe.Sizeof(atomic.Int32{}))
	BlocklistItemCost   = FreeLRUInternalCost + int64(unsafe.Sizeof(ipblock.IPBlock{}))
	ApprovalItemCost    = FreeLRUInternalCost + int64(unsafe.Sizeof(uuid.UUID{})) + int64(unsafe.Sizeof(&atomic.Int32{})) + int64(unsafe.Sizeof(atomic.Int32{}))
)
Variables ¶
This section is empty.
Functions ¶
func LoadEd25519Key ¶ added in v0.4.0
func LoadEd25519Key(data []byte) (ed25519.PrivateKey, error)
Types ¶
type Config ¶
// Config holds the settings of the cerberus module; Instance embeds it
// next to the runtime InstanceState. Fields are populated from JSON via
// the tags below. Default* constants exist for most fields and are
// presumably applied when a field is left unset — confirm against the
// constructor.
type Config struct {
	// Difficulty is the challenge difficulty (number of leading zeroes
	// required in the hash).
	Difficulty int `json:"difficulty,omitempty"`
	// Drop, when true, makes the handler drop the connection instead of
	// returning a 403 when the IP is blocked.
	Drop bool `json:"drop,omitempty"`
	// Ed25519KeyFile is the path of the Ed25519 signing key file. If not
	// provided, a new key will be generated.
	Ed25519KeyFile string `json:"ed25519_key_file,omitempty"`
	// Ed25519Key is the Ed25519 signing key content given inline. This is
	// private key material, so the configuration holding it must be kept
	// access-restricted. If not provided, a new key will be generated.
	// NOTE(review): a freshly generated key presumably cannot verify
	// approvals signed by the previous key, so a persistent key is needed
	// for approvals to survive a restart — confirm.
	Ed25519Key string `json:"ed25519_key,omitempty"`
	// MaxPending is the maximum number of pending (and failed) requests.
	// Any IP block (prefix configured in PrefixCfg) with more than this
	// number of pending requests will be blocked.
	MaxPending int32 `json:"max_pending,omitempty"`
	// AccessPerApproval is the number of requests allowed per successful
	// challenge.
	AccessPerApproval int32 `json:"access_per_approval,omitempty"`
	// BlockTTL is the time to live for blocked IPs.
	BlockTTL time.Duration `json:"block_ttl,omitempty"`
	// PendingTTL is the time to live for pending requests when deciding
	// whether to block an IP.
	PendingTTL time.Duration `json:"pending_ttl,omitempty"`
	// ApprovalTTL is the time to live for approved requests.
	ApprovalTTL time.Duration `json:"approval_ttl,omitempty"`
	// MaxMemUsage is the maximum memory usage for the pending and
	// blocklist caches.
	MaxMemUsage int64 `json:"max_mem_usage,omitempty"`
	// CookieName is the name of the cookie used to store the signed
	// certificate.
	CookieName string `json:"cookie_name,omitempty"`
	// HeaderName is the name of the header used to store the cerberus
	// status ("PASS", "CHALLENGE", "FAIL", "BLOCKED", "DISABLED").
	HeaderName string `json:"header_name,omitempty"`
	// Title is the title of the challenge page.
	Title string `json:"title,omitempty"`
	// Mail is the email address to contact for support.
	Mail string `json:"mail,omitempty"`
	// PrefixCfg configures the IP prefix lengths (e.g. /24, /64) that
	// group addresses into the IP blocks used for counting and blocking.
	PrefixCfg ipblock.Config `json:"prefix_cfg,omitempty"`
	// contains filtered or unexported fields
}
func (*Config) GetPrivateKey ¶ added in v0.4.0
func (c *Config) GetPrivateKey() ed25519.PrivateKey
func (*Config) GetPublicKey ¶ added in v0.4.0
func (*Config) StateCompatible ¶
type Instance ¶
// Instance is the shared core of the cerberus module. There's only one
// instance of this struct in the entire Caddy runtime; it pairs the
// mutable runtime state with the active Config. It is obtained via
// GetInstance and refreshed on reload via UpdateWithConfig.
type Instance struct {
	*InstanceState
	Config
}
Instance is the shared core of the cerberus module. There's only one instance of this struct in the entire Caddy runtime.
func GetInstance ¶
GetInstance returns an instance for the given config. If an instance already exists (e.g. during a server reload), it is updated with the new config; otherwise a new instance is created. The caller can pass an optional logger to log basic metrics about the initialized state.
func (*Instance) UpdateWithConfig ¶
UpdateWithConfig updates the instance with a new config. If the new config is incompatible with the current one, the instance's internal state is reset. The caller can pass an optional logger to log basic metrics about the initialized state.
type InstanceState ¶
// InstanceState is the mutable runtime state behind an Instance: the
// per-IP-block pending counters, the blocklist, issued approval IDs and
// used nonces, accessed through the methods below. It is created by
// NewInstanceState and released with Close. All fields are unexported.
type InstanceState struct {
	// contains filtered or unexported fields
}
func NewInstanceState ¶
func (*InstanceState) Close ¶ added in v0.3.0
func (s *InstanceState) Close()
func (*InstanceState) ContainsBlocklist ¶ added in v0.3.0
func (s *InstanceState) ContainsBlocklist(ip ipblock.IPBlock) bool
func (*InstanceState) DecApproval ¶ added in v0.3.0
func (s *InstanceState) DecApproval(id uuid.UUID) bool
DecApproval decrements the counter of the given approval ID and returns whether the ID is still valid.
func (*InstanceState) DecPending ¶ added in v0.3.0
func (s *InstanceState) DecPending(ip ipblock.IPBlock) int32
func (*InstanceState) GetFingerprint ¶
func (s *InstanceState) GetFingerprint() string
func (*InstanceState) IncPending ¶ added in v0.3.0
func (s *InstanceState) IncPending(ip ipblock.IPBlock) int32
func (*InstanceState) InsertBlocklist ¶ added in v0.3.0
func (s *InstanceState) InsertBlocklist(ip ipblock.IPBlock)
func (*InstanceState) InsertUsedNonce ¶ added in v0.3.0
func (s *InstanceState) InsertUsedNonce(nonce uint32) bool
InsertUsedNonce inserts a nonce into the usedNonce map. Returns true if the nonce was inserted, false if it was already present.
func (*InstanceState) IssueApproval ¶ added in v0.3.0
func (s *InstanceState) IssueApproval(n int32) uuid.UUID
IssueApproval issues a new approval ID and returns it.
func (*InstanceState) RemovePending ¶ added in v0.3.0
func (s *InstanceState) RemovePending(ip ipblock.IPBlock) bool