v1.24.0: Y'shtola Rhul
Anubis is back and better than ever! Lots of minor fixes with some big ones interspersed.
- Fix panic when validating challenges after privacy-mode browsers strip headers and the follow-up request matches an ALLOW threshold.
- Expose WEIGH rule matches as Prometheus metrics.
- Allow more OCI registry clients based on feedback.
- Expose services directory in the embedded (data) filesystem.
- Add Ukrainian locale (#1044).
- Allow Renovate as an OCI registry client.
- Properly handle 4in6 addresses so that IP matching works with those addresses.
- Add support for simple Valkey/Redis cluster mode.
- Open Graph passthrough now reuses the configured target Host/SNI/TLS settings, so metadata fetches succeed when the upstream certificate differs from the public domain. (#1283)
- Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.
- Refine the check that ensures the presence of the Accept header to avoid breaking docker clients.
- Removed rules intended to reward actual browsers due to abuse in the wild.
Dataset poisoning
Anubis has the ability to engage in dataset poisoning attacks using the dataset poisoning subsystem. This allows every Anubis instance to be a honeypot to attract and flag abusive scrapers so that no administrator action is required to ban them.
There is much more information about this feature in the dataset poisoning subsystem documentation. Administrators that are interested in learning how this feature works should consult that documentation.
Deprecate report_as in challenge configuration
Previously Anubis let you lie to users about the difficulty of a challenge to interfere with operators of malicious scrapers as a psychological attack:
bots:
  # Punish any bot with "bot" in the user-agent string
  # This is known to have a high false-positive rate, use at your own risk
  - name: generic-bot-catchall
    user_agent_regex: (?i:bot|crawler)
    action: CHALLENGE
    challenge:
      difficulty: 16 # impossible
      report_as: 4 # lie to the operator
      algorithm: slow # intentionally waste CPU cycles and time
This turned out to be a bad idea because it caused massive user experience problems, so the setting has been removed. If you are still using it, you will get a warning in your logs like this:
{
  "time": "2025-11-25T23:10:31.092201549-05:00",
  "level": "WARN",
  "source": {
    "function": "github.com/TecharoHQ/anubis/lib/policy.ParseConfig",
    "file": "/home/xe/code/TecharoHQ/anubis/lib/policy/policy.go",
    "line": 201
  },
  "msg": "use of deprecated report_as setting detected, please remove this from your policy file when possible",
  "at": "config-validate",
  "name": "mild-suspicion"
}
To remove this warning, remove this setting from your policy file.
Logging customization
Anubis now supports the ability to log to multiple backends ("sinks"). This allows you to have Anubis log to a file instead of just logging to standard out. You can also customize the logging level in the policy file:
logging:
  level: "warn" # much less verbose logging
  sink: file # log to a file
  parameters:
    file: "./var/anubis.log"
    maxBackups: 3 # keep at least 3 old copies
    maxBytes: 67108864 # each file can have up to 64 Mi of logs
    maxAge: 7 # rotate files out every n days
    oldFileTimeFormat: 2006-01-02T15-04-05 # RFC 3339-ish
    compress: true # gzip-compress old log files
    useLocalTime: false # timezone for rotated files is UTC
Additionally, information about how Anubis uses each logging level has been added to the documentation.
DNS Features
- CEL expressions for:
  - FCrDNS checks
  - Forward DNS queries
  - Reverse DNS queries
  - arpaReverseIP to transform IPv4/6 addresses into ARPA reverse IP notation.
  - regexSafe to escape regex special characters (useful for including remoteAddress or headers in regular expressions).
- DNS cache and other optimizations to minimize unnecessary DNS queries.
The DNS cache TTL can be changed in the bots config like this:
dns_ttl:
  forward: 600
  reverse: 600
The default value for both forward and reverse queries is 300 seconds.
The verifyFCrDNS CEL function has two overloads:
- (addr): Simply verifies that the remote side has PTR records pointing to the target address.
- (addr, ptrPattern): Verifies that the remote side refers to a specific domain and that this domain points to the target IP.
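An added example, not Anubis's own code, of the forward-confirmed reverse DNS logic that the two verifyFCrDNS overloads describe, with 4in6 addresses unmapped before comparison. The Resolver type, the Go function VerifyFCrDNS, and every record are constructed for illustration; an empty ptrPattern stands in for the one-argument overload.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// Resolver is a hypothetical offline stand-in for DNS: IP -> names, name -> IPs.
type Resolver struct{ PTR, A map[string][]string }
var sample = Resolver{ // constructed records: documentation IPs, .test names
	PTR: map[string][]string{
		"192.0.2.10":   {"crawl-1.bot.example.test."},
		"198.51.100.7": {"crawl-9.bot.example.test."}, // PTR is set by the IP's owner
		"203.0.113.5":  {"host5.isp.test."},
	},
	A: map[string][]string{
		"crawl-1.bot.example.test": {"192.0.2.10"},
		"crawl-9.bot.example.test": {"192.0.2.99"}, // does not point back
		"host5.isp.test":           {"203.0.113.5"},
	},
}

// VerifyFCrDNS reports whether a PTR name of addr (matching ptrPattern) resolves back to addr.
func VerifyFCrDNS(r Resolver, addr, ptrPattern string) (bool, error) {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return false, err
	}
	ip = ip.Unmap()                       // 4in6: ::ffff:192.0.2.10 is compared as 192.0.2.10
	re, err := regexp.Compile(ptrPattern) // "" matches every name
	if err != nil {
		return false, err
	}
	for _, name := range r.PTR[ip.String()] {
		name = strings.TrimSuffix(strings.ToLower(name), ".")
		if !re.MatchString(name) {
			continue // PTR is outside the expected domain
		}
		for _, fwd := range r.A[name] {
			if got, err := netip.ParseAddr(fwd); err == nil && got.Unmap() == ip {
				return true, nil // forward lookup confirms the PTR claim
			}
		}
	}
	return false, nil
}

func main() { fmt.Println(VerifyFCrDNS(sample, "::ffff:192.0.2.10", `(^|\.)bot\.example\.test$`)) }
```

In the sample data, 198.51.100.7 fails both forms because its PTR name does not resolve back to it, while 203.0.113.5 passes without a pattern and fails once the pattern pins the expected domain.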
What's Changed
- feat: Add thai language. by @karorogunso in https://github.com/TecharoHQ/anubis/pull/900
- Update is.json by @sveinki in https://github.com/TecharoHQ/anubis/pull/1241
- fix(data/docker-client): allow some more OCI clients through by @Xe in https://github.com/TecharoHQ/anubis/pull/1258
- fix(data): add services folder to embedded filesystem by @Xe in https://github.com/TecharoHQ/anubis/pull/1259
- feat(localization): Add Ukrainian language translation by @nykula in https://github.com/TecharoHQ/anubis/pull/1044
- build(deps): bump the github-actions group with 3 updates by @dependabot[bot] in https://github.com/TecharoHQ/anubis/pull/1262
- Add Renovate to Docker clients by @DrJosh9000 in https://github.com/TecharoHQ/anubis/pull/1267
- fix(docs): use node:lts by @Xe in https://github.com/TecharoHQ/anubis/pull/1274
- fix(run): mark openrc service script as executable by @kouhaidev in https://github.com/TecharoHQ/anubis/pull/1272
- test: ipv4 in v6 address checking by @SlyEcho in https://github.com/TecharoHQ/anubis/pull/1271
- (feat) Add cluster support to redis/vaultkey store by @egimbernat in https://github.com/TecharoHQ/anubis/pull/1276
- feat(lib): expose WEIGH matches as prometheus metrics by @Xe in https://github.com/TecharoHQ/anubis/pull/1277
- Fix challenge validation panic when follow-up hits ALLOW by @JasonLovesDoggo in https://github.com/TecharoHQ/anubis/pull/1278
- feat(internal/headers): extend debug logging of X-Forwarded-For middlewares by @DerRockWolf in https://github.com/TecharoHQ/anubis/pull/1269
- test: Valkey test improvements for testcontainers by @SlyEcho in https://github.com/TecharoHQ/anubis/pull/1280
- docs: use nginx http2 directive instead of deprecated http2 listen parameter by @kouhaidev in https://github.com/TecharoHQ/anubis/pull/1251
- perf: field-align struct definitions to cut padding by @JasonLovesDoggo in https://github.com/TecharoHQ/anubis/pull/1284
- fix(tests): make CVE-2025-24369 regression deterministic by @JasonLovesDoggo in https://github.com/TecharoHQ/anubis/pull/1285
- build(deps): bump go deps by @JasonLovesDoggo in https://github.com/TecharoHQ/anubis/pull/1287
- build(deps): bump github.com/testcontainers/testcontainers-go from 0.39.0 to 0.40.0 in the gomod group across 1 directory by @dependabot[bot] in https://github.com/TecharoHQ/anubis/pull/1288
- test(deps): update dependencies to latest versions by @JasonLovesDoggo in https://github.com/TecharoHQ/anubis/pull/1289
- build(deps-dev): bump esbuild from 0.25.12 to 0.27.0 in the npm group by @dependabot[bot] in https://github.com/TecharoHQ/anubis/pull/1260
- fix(ogtags): respect target host/SNI/insecure flags in OG passthrough by @JasonLovesDoggo in https://github.com/TecharoHQ/anubis/pull/1283
New Contributors
- @karorogunso made their first contribution in https://github.com/TecharoHQ/anubis/pull/900
- @nykula made their first contribution in https://github.com/TecharoHQ/anubis/pull/1044
- @DrJosh9000 made their first contribution in https://github.com/TecharoHQ/anubis/pull/1267
- @kouhaidev made their first contribution in https://github.com/TecharoHQ/anubis/pull/1272
- @egimbernat made their first contribution in https://github.com/TecharoHQ/anubis/pull/1276
- @DerRockWolf made their first contribution in https://github.com/TecharoHQ/anubis/pull/1269
- @eXpl0it3r made their first contribution in https://github.com/TecharoHQ/anubis/pull/1298
- @bplajzer made their first contribution in https://github.com/TecharoHQ/anubis/pull/1309
- @btomaev made their first contribution in https://github.com/TecharoHQ/anubis/pull/1308
- @tbodt made their first contribution in https://github.com/TecharoHQ/anubis/pull/1312
- @michi-onl made their first contribution in https://github.com/TecharoHQ/anubis/pull/1348
Full Changelog: https://github.com/TecharoHQ/anubis/compare/v1.23.1...v1.24.0