Caileb/Checkpoint
1
0
Fork 0
Code Issues Pull requests Wiki Activity

Remove my TOML configs & minor bypass key fixes

Browse source
This commit is contained in:
Caileb 2025-05-29 14:05:20 -05:00
parent 9bcdc532bb
commit 9372fe8f02
6 changed files with 17 additions and 295 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.gitignore vendored
View file

@ -39,5 +39,7 @@ data
# DB Folder
db
# My Configs
# ignore all TOML files…
*.toml
# ...but dont ignore the example files
!*.toml.example

14
checkpoint.js
View file

@ -651,11 +651,23 @@ function CheckpointMiddleware() {
// 2) Bypass via header keys
for (const { Name, Value, Domains } of checkpointConfig.BypassHeaderKeys) {
const headerVal = request.headers.get(Name);
// Get header value case-insensitively by checking all headers
let headerVal = null;
const headersMap = Object.fromEntries([...request.headers.entries()].map(([k, v]) => [k.toLowerCase(), v]));
headerVal = headersMap[Name.toLowerCase()] || request.headers.get(Name);
console.log(`DEBUG - Checking header ${Name}: received="${headerVal}", expected="${Value}", domains=${JSON.stringify(Domains)}`);
if (headerVal === Value) {
console.log(`DEBUG - Header value matched for ${Name}`);
if (!Array.isArray(Domains) || Domains.length === 0 || Domains.includes(host)) {
console.log(`DEBUG - Domain check passed for ${host}`);
return next();
} else {
console.log(`DEBUG - Domain check failed: ${host} not in ${JSON.stringify(Domains)}`);
}
} else {
console.log(`DEBUG - Header value mismatch for ${Name}`);
}
}

114
config/checkpoint.toml
View file

@ -1,114 +0,0 @@
# =============================================================================
# CHECKPOINT SECURITY CONFIGURATION
# =============================================================================
# This configuration controls the checkpoint security middleware that protects
# your services with proof-of-work challenges and token-based authentication.
# =============================================================================
# -----------------------------------------------------------------------------
# CORE SETTINGS
# -----------------------------------------------------------------------------
[Core]
# Enable or disable the checkpoint system entirely
Enabled = true
# Cookie name for storing checkpoint tokens
CookieName = "checkpoint_token"
# Cookie domain (empty = host-only cookie for localhost)
# Set to ".yourdomain.com" for all subdomains
CookieDomain = ""
# Enable URL path sanitization to prevent path traversal attacks
SanitizeURLs = true
# -----------------------------------------------------------------------------
# PROOF OF WORK SETTINGS
# -----------------------------------------------------------------------------
[ProofOfWork]
# Number of leading zeros required in the SHA-256 hash
Difficulty = 4
# Random salt length in bytes
SaltLength = 16
# Time allowed to solve a challenge before it expires
ChallengeExpiration = "3m"
# Maximum attempts per IP address per hour
MaxAttemptsPerHour = 10
# -----------------------------------------------------------------------------
# PROOF OF SPACE-TIME SETTINGS (Optional additional verification)
# -----------------------------------------------------------------------------
[ProofOfSpaceTime]
# Enable consistency checks for PoS-Time verification
Enabled = true
# Maximum allowed ratio between slowest and fastest PoS runs
ConsistencyRatio = 1.35
# -----------------------------------------------------------------------------
# TOKEN SETTINGS
# -----------------------------------------------------------------------------
[Token]
# How long tokens remain valid
Expiration = "24h"
# Maximum age for used nonces before cleanup
MaxNonceAge = "24h"
# -----------------------------------------------------------------------------
# STORAGE PATHS
# -----------------------------------------------------------------------------
[Storage]
# HMAC secret storage location
SecretPath = "./data/checkpoint_secret.json"
# Token database directory
TokenDBPath = "./db/tokenstore"
# Interstitial page templates (in order of preference)
InterstitialTemplates = [
"/pages/interstitial/page.html",
"/pages/ipfilter/default.html"
]
# -----------------------------------------------------------------------------
# EXCLUSION RULES
# -----------------------------------------------------------------------------
# Define which requests should bypass the checkpoint system.
# Each rule can specify:
# - Path (required): URL path or prefix to match
# - Hosts (optional): Specific hostnames this rule applies to
# - UserAgents (optional): User-Agent patterns to match
# -----------------------------------------------------------------------------
[[Exclusion]]
# Skip checkpoint for all API endpoints (required for Immich and similar apps)
Path = "/api"
Hosts = ["gallery.caileb.com"] # Optional: only for specific hosts
[[Exclusion]]
# Allows Git pushes w/ ForgeJo
Path = "/info/refs"
Hosts = ["git.caileb.com"]
# -----------------------------------------------------------------------------
# BYPASS KEYS
# -----------------------------------------------------------------------------
# Special keys that can bypass the checkpoint when provided
[[BypassKeys]]
# Query parameter bypass
Type = "query"
Key = "bypass_key"
Value = "your-secret-key-here"
Hosts = ["music.caileb.com"] # Optional: restrict to specific hosts
[[BypassKeys]]
# Header bypass
Type = "header"
Key = "X-Bypass-Token"
Value = "another-secret-key"
# Hosts = [] # If empty or omitted, applies to all hosts

92
config/ipfilter.toml
View file

@ -1,92 +0,0 @@
# =============================================================================
# IP FILTER CONFIGURATION
# =============================================================================
# This configuration controls the IP filtering middleware that blocks requests
# based on geographic location (country/continent) and network (ASN) information.
# =============================================================================
# -----------------------------------------------------------------------------
# CORE SETTINGS
# -----------------------------------------------------------------------------
[Core]
# Enable or disable the IP filter entirely
Enabled = true
# MaxMind account ID for downloading GeoIP databases
# Can also be set via MAXMIND_ACCOUNT_ID environment variable or .env file
AccountID = ""
# MaxMind license key for downloading GeoIP databases
# Can also be set via MAXMIND_LICENSE_KEY environment variable or .env file
LicenseKey = ""
# How often to check for database updates (in hours)
DBUpdateIntervalHours = 12
# -----------------------------------------------------------------------------
# CACHING SETTINGS
# -----------------------------------------------------------------------------
[Cache]
# TTL for cached IP block decisions (in seconds)
# 0 = cache indefinitely until server restart
IPBlockCacheTTLSec = 300
# Maximum number of cached IP decisions
# 0 = unlimited
IPBlockCacheMaxEntries = 10000
# -----------------------------------------------------------------------------
# BLOCKING RULES
# -----------------------------------------------------------------------------
[Blocking]
# ISO country codes to block (2-letter codes)
CountryCodes = [
"IN", "BH", "AE", "OM", "QA", "KW", "SA", "YE", "IR", "IQ",
"LB", "PS", "CY", "TR", "AZ", "AM", "TM", "UZ", "KZ", "KG",
"TJ", "KE", "ET", "SO", "SD", "SS", "KP", "UA", "IL"
]
# Continent codes to block
ContinentCodes = ["AF", "SA", "AS", "AN"]
# Default block page when no specific page is configured
DefaultBlockPage = "/pages/ipfilter/default.html"
# -----------------------------------------------------------------------------
# ASN BLOCKING
# -----------------------------------------------------------------------------
# Block by Autonomous System Number (ASN)
# Group ASNs by category for different block pages
# [ASN.Example]
# Numbers = [12345, 67890]
# BlockPage = "pages/ipfilter/example.html"
# -----------------------------------------------------------------------------
# ASN NAME BLOCKING
# -----------------------------------------------------------------------------
# Block by ASN organization name patterns
[ASNNames.DataCenter]
# Block data center and cloud providers
Patterns = [
"Cloudflare", "GOOGLE-CLOUD-PLATFORM", "Microsoft", "Amazon", "AWS",
"Digitalocean", "OVH", "HUAWEI CLOUDS", "HWCLOUDS", "M247",
"Datacamp", "Datapacket", "Amanah", "Hern Labs"
]
BlockPage = "/pages/ipfilter/datacenter.html"
# -----------------------------------------------------------------------------
# COUNTRY-SPECIFIC BLOCK PAGES
# -----------------------------------------------------------------------------
[CountryBlockPages]
# Custom block pages for specific countries
IN = "/pages/ipfilter/india.html"
# -----------------------------------------------------------------------------
# CONTINENT-SPECIFIC BLOCK PAGES
# -----------------------------------------------------------------------------
[ContinentBlockPages]
# Custom block pages for specific continents
# AS = "pages/ipfilter/asia.html"
# AF = "pages/ipfilter/africa.html"

55
config/proxy.toml
View file

@ -1,55 +0,0 @@
# =============================================================================
# PROXY CONFIGURATION
# =============================================================================
# This configuration controls the reverse proxy middleware that forwards
# requests to backend services based on hostname mappings.
# =============================================================================
# -----------------------------------------------------------------------------
# CORE SETTINGS
# -----------------------------------------------------------------------------
[Core]
# Enable or disable the proxy middleware
Enabled = true
# -----------------------------------------------------------------------------
# TIMEOUT SETTINGS
# -----------------------------------------------------------------------------
[Timeouts]
# WebSocket connection timeout in milliseconds
WebSocketTimeoutMs = 60000
# Upstream HTTP request timeout in milliseconds
UpstreamTimeoutMs = 30000
# -----------------------------------------------------------------------------
# PROXY MAPPINGS
# -----------------------------------------------------------------------------
# Map hostnames to backend service URLs
# Format: "hostname" = "backend_url"
# -----------------------------------------------------------------------------
[[Mapping]]
# Immich
Host = "gallery.caileb.com"
Target = "http://192.168.0.2:2283"
[[Mapping]]
# Navidrome
Host = "music.caileb.com"
Target = "http://192.168.0.2:4533"
[[Mapping]]
# ForgeJo
Host = "git.caileb.com"
Target = "http://192.168.0.2:3053"
# [[Mapping]]
# Example: API service
# Host = "api.example.com"
# Target = "http://localhost:3001"
# [[Mapping]]
# Example: Admin panel
# Host = "admin.example.com"
# Target = "http://localhost:3002"

31
config/stats.toml
View file

@ -1,31 +0,0 @@
# =============================================================================
# STATS CONFIGURATION
# =============================================================================
# This configuration controls the statistics collection and visualization
# middleware that tracks events and provides a web UI for viewing metrics.
# =============================================================================
# -----------------------------------------------------------------------------
# CORE SETTINGS
# -----------------------------------------------------------------------------
[Core]
# Enable or disable the stats plugin
Enabled = true
# -----------------------------------------------------------------------------
# STORAGE SETTINGS
# -----------------------------------------------------------------------------
[Storage]
# TTL for stats entries
# Format: "30d", "24h", "1h", etc.
StatsTTL = "30d"
# -----------------------------------------------------------------------------
# WEB UI SETTINGS
# -----------------------------------------------------------------------------
[WebUI]
# Path for stats UI
StatsUIPath = "/stats"
# Path for stats API
StatsAPIPath = "/stats/api"