Skip to content

Instantly share code, notes, and snippets.

@wen-long

wen-long/caddy_antibot_gzip_bomb.md

Last active September 28, 2024 18:13
Show Gist options
  • Save wen-long/0a05f0bf27dde1d80cee6a0a3a3c3d2a to your computer and use it in GitHub Desktop.
Save wen-long/0a05f0bf27dde1d80cee6a0a3a3c3d2a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
caddy_antibot_gzip_bomb.md

caddyfile:

example.com:443 {
    tls /home/cer /home/key
    log {
        output stdout
        format console
    }
    @http11 protocol http/1.1
    respond @http11 "leave me" 404

    @gzipUnSupported {
        not header Accept-Encoding *gzip*
    }
    @withoutStrings {
        not path */secret_path* */favicon.ico*
    }

    reverse_proxy 127.0.0.1:8080 {
        handle_response {
            handle @withoutStrings {
                handle @gzipUnSupported {
                    respond "leave me" 404
                }

                header content-encoding gzip
                header Content-Type text/html
                root * /home/
                rewrite *  /bomb.gzip
                file_server
            }
            copy_response
        }
    }
}

make bomb file

dd if=/dev/zero bs=1M count=20K | gzip -9  > bomb.gzip

test with curl

curl --http1.1 --compressed  -v https://example.com/secret_or_not -o - | pv > /dev/null
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment