v1.24.0: Y'shtola Rhul

[Xe]

Anubis is back and better than ever! Lots of minor fixes with some big ones interspersed.

• Fix panic when validating challenges after privacy-mode browsers strip headers and the follow-up request matches an ALLOW threshold.
• Expose WEIGHT rule matches as Prometheus metrics.
• Allow more OCI registry clients based on feedback.
• Expose services directory in the embedded (data) filesystem.
• Add Ukrainian locale (#1044).
• Allow Renovate as an OCI registry client.
• Properly handle 4in6 addresses so that IP matching works with those addresses.
• Add support to simple Valkey/Redis cluster mode
• Open Graph passthrough now reuses the configured target Host/SNI/TLS settings, so metadata fetches succeed when the upstream certificate differs from the public domain. (1283)
• Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.
• Refine the check that ensures the presence of the Accept header to avoid breaking docker clients.
• Removed rules intended to reward actual browsers due to abuse in the wild.

Dataset poisoning

Anubis has the ability to engage in dataset poisoning attacks using the dataset poisoning subsystem. This allows every Anubis instance to be a honeypot to attract and flag abusive scrapers so that no administrator action is required to ban them.

There is much more information about this feature in the dataset poisoning subsystem documentation. Administrators that are interested in learning how this feature works should consult that documentation.

Deprecate report_as in challenge configuration

Previously Anubis let you lie to users about the difficulty of a challenge to interfere with operators of malicious scrapers as a psychological attack:

bots:
  # Punish any bot with "bot" in the user-agent string
  # This is known to have a high false-positive rate, use at your own risk
  - name: generic-bot-catchall
    user_agent_regex: (?i:bot|crawler)
    action: CHALLENGE
    challenge:
      difficulty: 16 # impossible
      report_as: 4 # lie to the operator
      algorithm: slow # intentionally waste CPU cycles and time

This has turned out to be a bad idea because it has caused massive user experience problems and has been removed. If you are using this setting, you will get a warning in your logs like this:

{
  "time": "2025-11-25T23:10:31.092201549-05:00",
  "level": "WARN",
  "source": {
    "function": "github.com/TecharoHQ/anubis/lib/policy.ParseConfig",
    "file": "/home/xe/code/TecharoHQ/anubis/lib/policy/policy.go",
    "line": 201
  },
  "msg": "use of deprecated report_as setting detected, please remove this from your policy file when possible",
  "at": "config-validate",
  "name": "mild-suspicion"
}

To remove this warning, remove this setting from your policy file.

Logging customization

Anubis now supports the ability to log to multiple backends ("sinks"). This allows you to have Anubis log to a file instead of just logging to standard out. You can also customize the logging level in the policy file:

logging:
  level: "warn" # much less verbose logging
  sink: file # log to a file
  parameters:
    file: "./var/anubis.log"
    maxBackups: 3 # keep at least 3 old copies
    maxBytes: 67108864 # each file can have up to 64 Mi of logs
    maxAge: 7 # rotate files out every n days
    oldFileTimeFormat: 2006-01-02T15-04-05 # RFC 3339-ish
    compress: true # gzip-compress old log files
    useLocalTime: false # timezone for rotated files is UTC

Additionally, information about how Anubis uses each logging level has been added to the documentation.

DNS Features

• CEL expressions for:
  • FCrDNS checks
  • Forward DNS queries
  • Reverse DNS queries
  • arpaReverseIP to transform IPv4/6 addresses into ARPA reverse IP notation.
  • regexSafe to escape regex special characters (useful for including remoteAddress or headers in regular expressions).
• DNS cache and other optimizations to minimize unnecessary DNS queries.

The DNS cache TTL can be changed in the bots config like this:

dns_ttl:
  forward: 600
  reverse: 600

The default value for both forward and reverse queries is 300 seconds.

The verifyFCrDNS CEL function has two overloads:

• (addr)
  Simply verifies that the remote side has PTR records pointing to the target address.
• (addr, ptrPattern)
  Verifies that the remote side refers to a specific domain and that this domain points to the target IP.

What's Changed

• feat: Add thai language. by @karorogunso in feat: Add thai language. #900
• Update is.json by @sveinki in Update is.json #1241
• fix(data/docker-client): allow some more OCI clients through by @Xe in fix(data/docker-client): allow some more OCI clients through #1258
• fix(data): add services folder to embedded filesystem by @Xe in fix(data): add services folder to embedded filesystem #1259
• feat(localization): Add Ukrainian language translation by @nykula in feat(localization): Add Ukrainian language translation #1044
• build(deps): bump the github-actions group with 3 updates by @dependabot[bot] in build(deps): bump the github-actions group with 3 updates #1262
• Add Renovate to Docker clients by @DrJosh9000 in Add Renovate to Docker clients #1267
• fix(docs): use node:lts by @Xe in fix(docs): use node:lts #1274
• fix(run): mark openrc service script as executable by @kouhaidev in fix(run): mark openrc service script as executable #1272
• test: ipv4 in v6 address checking by @SlyEcho in test: ipv4 in v6 address checking #1271
• (feat) Add cluster support to redis/vaultkey store by @egimbernat in (feat) Add cluster support to redis/vaultkey store #1276
• feat(lib): expose WEIGH matches as prometheus metrics by @Xe in feat(lib): expose WEIGH matches as prometheus metrics #1277
• Fix challenge validation panic when follow-up hits ALLOW by @JasonLovesDoggo in Fix challenge validation panic when follow-up hits ALLOW #1278
• feat(internal/headers): extend debug logging of X-Forwarded-For middlewares by @DerRockWolf in feat(internal/headers): extend debug logging of X-Forwarded-For middlewares #1269
• test: Valkey test improvements for testcontainers by @SlyEcho in test: Valkey test improvements for testcontainers #1280
• docs: use nginx http2 directive instead of deprecated http2 listen parameter by @kouhaidev in docs: use nginx http2 directive instead of deprecated http2 listen parameter #1251
• perf: field-align struct definitions to cut padding by @JasonLovesDoggo in perf: field-align struct definitions to cut padding #1284
• fix(tests): make CVE-2025-24369 regression deterministic by @JasonLovesDoggo in fix(tests): make CVE-2025-24369 regression deterministic #1285
• build(deps): bump go deps by @JasonLovesDoggo in build(deps): bump go deps #1287
• build(deps): bump github.com/testcontainers/testcontainers-go from 0.39.0 to 0.40.0 in the gomod group across 1 directory by @dependabot[bot] in build(deps): bump github.com/testcontainers/testcontainers-go from 0.39.0 to 0.40.0 in the gomod group across 1 directory #1288
• test(deps): update dependencies to latest versions by @JasonLovesDoggo in test(deps): update dependencies to latest versions #1289
• build(deps-dev): bump esbuild from 0.25.12 to 0.27.0 in the npm group by @dependabot[bot] in build(deps-dev): bump esbuild from 0.25.12 to 0.27.0 in the npm group #1260
• fix(ogtags): respect target host/SNI/insecure flags in OG passthrough by @JasonLovesDoggo in fix(ogtags): respect target host/SNI/insecure flags in OG passthrough #1283
• docs: clarify usage of PUBLIC_URL and REDIRECT_DOMAINS in installatio… by @JasonLovesDoggo in docs: clarify usage of PUBLIC_URL and REDIRECT_DOMAINS in installatio… #1286
• feat(store/valkey): Add Redis(R) Sentinel support by @Xe in feat(store/valkey): Add Redis(R) Sentinel support #1294
• Pass the remote IP to the proxied application by @eXpl0it3r in Pass the remote IP to the proxied application #1298
• ci: add go mod tidy check workflow by @Xe in ci: add go mod tidy check workflow #1300
• feat: writing logs to the filesystem with rotation support by @Xe in feat: writing logs to the filesystem with rotation support #1299
• chore: add dependabot cooldown by @Xe in chore: add dependabot cooldown #1302
• add Polish language translation by @bplajzer in add Polish language translation #1309
• fix(config): deprecate the report_as field for challenges by @Xe in fix(config): deprecate the report_as field for challenges #1311
• Implement FCrDNS and other DNS features by @btomaev in Implement FCrDNS and other DNS features #1308
• Show how to use subrequest auth with Caddy by @tbodt in Show how to use subrequest auth with Caddy #1312
• build(deps): bump actions-hub/kubectl from 1.34.1 to 1.34.2 in the github-actions group by @dependabot[bot] in build(deps): bump actions-hub/kubectl from 1.34.1 to 1.34.2 in the github-actions group #1303
• fix: pin Node.js and Go versions in CI configuration files by @JasonLovesDoggo in fix: pin Node.js and Go versions in CI configuration files #1318
• build(deps): bump the github-actions group with 3 updates by @dependabot[bot] in build(deps): bump the github-actions group with 3 updates #1317
• build(deps): bump the gomod group with 5 updates by @dependabot[bot] in build(deps): bump the gomod group with 5 updates #1316
• build(deps): bump the npm group with 2 updates by @dependabot[bot] in build(deps): bump the npm group with 2 updates #1339
• build(deps): bump the github-actions group across 1 directory with 4 updates by @dependabot[bot] in build(deps): bump the github-actions group across 1 directory with 4 updates #1340
• build(deps): bump the gomod group across 1 directory with 6 updates by @dependabot[bot] in build(deps): bump the gomod group across 1 directory with 6 updates #1341
• feat: first implementation of honeypot logic by @Xe in feat: first implementation of honeypot logic #1342
• i18n(de): improve consistency and wording by @michi-onl in i18n(de): improve consistency and wording #1348
• fix(default-config): must-accept-rule on browsers only by @Xe in fix(default-config): must-accept-rule on browsers only #1350
• fix(default-config): remove browser detection logic by @Xe in fix(default-config): remove browser detection logic #1360

New Contributors

• @karorogunso made their first contribution in feat: Add thai language. #900
• @nykula made their first contribution in feat(localization): Add Ukrainian language translation #1044
• @DrJosh9000 made their first contribution in Add Renovate to Docker clients #1267
• @kouhaidev made their first contribution in fix(run): mark openrc service script as executable #1272
• @egimbernat made their first contribution in (feat) Add cluster support to redis/vaultkey store #1276
• @DerRockWolf made their first contribution in feat(internal/headers): extend debug logging of X-Forwarded-For middlewares #1269
• @eXpl0it3r made their first contribution in Pass the remote IP to the proxied application #1298
• @bplajzer made their first contribution in add Polish language translation #1309
• @btomaev made their first contribution in Implement FCrDNS and other DNS features #1308
• @tbodt made their first contribution in Show how to use subrequest auth with Caddy #1312
• @michi-onl made their first contribution in i18n(de): improve consistency and wording #1348

Full Changelog: v1.23.1...v1.24.0

---

This discussion was created from the release v1.24.0: Y'shtola Rhul.

[joshsleeper]

just an FYI, your links to the dataset poisoning subsystem seem broken, I think because they're not rooted in /docs/docs/?

https://github.com/TecharoHQ/anubis/blob/v1.24.0/docs/docs/admin/honeypot/overview.mdx

broken links aside though, hell yea this is great stuff and I and others greatly appreciate your efforts!