set $session_secret %ANTIBOT_SESSION_SECRET%;
set $session_check_addr on;

access_by_lua_block {

-- let's encrypt
local use_lets_encrypt		= %USE_LETS_ENCRYPT%

-- external blacklists
local use_user_agents		= %USE_USER_AGENTS%
local use_proxies		= %USE_PROXIES%
local use_abusers		= %USE_ABUSERS%
local use_tor_exit_nodes	= %USE_TOR_EXIT_NODES%
local use_referrers		= %USE_REFERRERS%

-- countries
local use_country		= %USE_COUNTRY%

-- crowdsec
local use_crowdsec		= %USE_CROWDSEC%

-- antibot
local use_antibot_cookie	= %USE_ANTIBOT_COOKIE%
local use_antibot_javascript	= %USE_ANTIBOT_JAVASCRIPT%
local use_antibot_captcha	= %USE_ANTIBOT_CAPTCHA%
local use_antibot_recaptcha	= %USE_ANTIBOT_RECAPTCHA%

-- resolvers
local dns_resolvers		= {%DNS_RESOLVERS%}

-- whitelist
local use_whitelist_ip		= %USE_WHITELIST_IP%
local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
local whitelist_ip_list		= {%WHITELIST_IP_LIST%}
local whitelist_reverse_list	= {%WHITELIST_REVERSE_LIST%}

-- blacklist
local use_blacklist_ip		= %USE_BLACKLIST_IP%
local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
local blacklist_ip_list		= {%BLACKLIST_IP_LIST%}
local blacklist_reverse_list	= {%BLACKLIST_REVERSE_LIST%}

-- dnsbl
local use_dnsbl			= %USE_DNSBL%
local dnsbl_list		= {%DNSBL_LIST%}

-- bad behavior
local use_bad_behavior		= %USE_BAD_BEHAVIOR%

-- include LUA code
local whitelist			= require "whitelist"
local blacklist			= require "blacklist"
local dnsbl			= require "dnsbl"
local cookie			= require "cookie"
local javascript		= require "javascript"
local captcha			= require "captcha"
local recaptcha			= require "recaptcha"
local iputils			= require "resty.iputils"
local behavior			= require "behavior"
local logger			= require "logger"

-- user variables
local antibot_uri		= "%ANTIBOT_URI%"
local whitelist_user_agent	= {%WHITELIST_USER_AGENT%}
local whitelist_uri		= {%WHITELIST_URI%}

-- check if already in whitelist cache
if use_whitelist_ip and whitelist.ip_cached_ok() then
	ngx.exit(ngx.OK)
end
if use_whitelist_reverse and whitelist.reverse_cached_ok() then
	ngx.exit(ngx.OK)
end

-- check if already in blacklist cache
if use_blacklist_ip and blacklist.ip_cached_ko() then
	ngx.exit(ngx.HTTP_FORBIDDEN)
end
if use_blacklist_reverse and blacklist.reverse_cached_ko() then
	ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- check if already in dnsbl cache
if use_dnsbl and dnsbl.cached_ko() then
	ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- check if IP is whitelisted (only if not in cache)
if use_whitelist_ip and not whitelist.ip_cached() then
	if whitelist.check_ip(whitelist_ip_list) then
		ngx.exit(ngx.OK)
	end
end

-- check if reverse is whitelisted (only if not in cache)
if use_whitelist_reverse and not whitelist.reverse_cached() then
	if whitelist.check_reverse(whitelist_reverse_list) then
		ngx.exit(ngx.OK)
	end
end

-- check if URI is whitelisted
for k, v in pairs(whitelist_uri) do
	if ngx.var.request_uri == v then
		logger.log(ngx.NOTICE, "WHITELIST", "URI " .. v .. " is whitelisted")
		ngx.exit(ngx.OK)
	end
end

-- check if it's certbot
if use_lets_encrypt and string.match(ngx.var.request_uri, "^/.well-known/acme-challenge/") then
	logger.log(ngx.INFO, "LETSENCRYPT", "got a visit from Let's Encrypt")
	ngx.exit(ngx.OK)
end

-- check if IP is blacklisted (only if not in cache)
if use_blacklist_ip and not blacklist.ip_cached() then
	if blacklist.check_ip(blacklist_ip_list) then
		ngx.exit(ngx.HTTP_FORBIDDEN)
	end
end

-- check if reverse is blacklisted (only if not in cache)
if use_blacklist_reverse and not blacklist.reverse_cached() then
	if blacklist.check_reverse(blacklist_reverse_list, dns_resolvers) then
		ngx.exit(ngx.HTTP_FORBIDDEN)
	end
end

-- check if IP is banned because of "bad behavior"
if use_bad_behavior and behavior.is_banned() then
	logger.log(ngx.WARN, "BEHAVIOR", "IP " .. ngx.var.remote_addr .. " is banned because of bad behavior")
	ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- check if IP is in proxies list
if use_proxies then
	local value, flags = ngx.shared.proxies_data:get(iputils.ip2bin(ngx.var.remote_addr))
	if value ~= nil then
		logger.log(ngx.WARN, "PROXIES", "IP " .. ngx.var.remote_addr .. " is in proxies list")
		ngx.exit(ngx.HTTP_FORBIDDEN)
	end
end

-- check if IP is in abusers list
if use_abusers then
	local value, flags = ngx.shared.abusers_data:get(iputils.ip2bin(ngx.var.remote_addr))
	if value ~= nil then
		logger.log(ngx.WARN, "ABUSERS", "IP " .. ngx.var.remote_addr .. " is in abusers list")
		ngx.exit(ngx.HTTP_FORBIDDEN)
	end
end

-- check if IP is in TOR exit nodes list
if use_tor_exit_nodes then
	local value, flags = ngx.shared.tor_exit_nodes_data:get(iputils.ip2bin(ngx.var.remote_addr))
	if value ~= nil then
		logger.log(ngx.WARN, "TOR", "IP " .. ngx.var.remote_addr .. " is in TOR exit nodes list")
		ngx.exit(ngx.HTTP_FORBIDDEN)
	end
end

-- check if user-agent is allowed
if use_user_agents and ngx.var.http_user_agent ~= nil then
	local whitelisted = false
	for k, v in pairs(whitelist_user_agent) do
		if string.match(ngx.var.http_user_agent, v) then
			logger.log(ngx.NOTICE, "WHITELIST", "User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
			whitelisted = true
			break
		end
	end
	if not whitelisted then
		local value, flags = ngx.shared.user_agents_cache:get(ngx.var.http_user_agent)
		if value == nil then
			local patterns = ngx.shared.user_agents_data:get_keys(0)
			for i, pattern in ipairs(patterns) do
				if string.match(ngx.var.http_user_agent, pattern) then
					value = "ko"
					ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ko", 86400)
					break
				end
			end
			if value == nil then
				value = "ok"
				ngx.shared.user_agents_cache:set(ngx.var.http_user_agent, "ok", 86400)
			end
		end
		if value == "ko" then
			logger.log(ngx.WARN, "USER-AGENT", "User-Agent " .. ngx.var.http_user_agent .. " is blacklisted")
			ngx.exit(ngx.HTTP_FORBIDDEN)
		end
	end
end

-- check if referrer is allowed
if use_referrer and ngx.var.http_referer ~= nil then
	local value, flags = ngx.shared.referrers_cache:get(ngx.var.http_referer)
	if value == nil then
		local patterns = ngx.shared.referrers_data:get_keys(0)
		for i, pattern in ipairs(patterns) do
			if string.match(ngx.var.http_referer, pattern) then
				value = "ko"
				ngx.shared.referrers_cache:set(ngx.var.http_referer, "ko", 86400)
				break
			end
		end
		if value == nil then
			value = "ok"
			ngx.shared.referrers_cache:set(ngx.var.http_referer, "ok", 86400)
		end
	end
	if value == "ko" then
		logger.log(ngx.WARN, "REFERRER", "Referrer " .. ngx.var.http_referer .. " is blacklisted")
		ngx.exit(ngx.HTTP_FORBIDDEN)
	end
end

-- check if country is allowed
if use_country and ngx.var.allowed_country == "no" then
	logger.log(ngx.WARN, "COUNTRY", "Country of " .. ngx.var.remote_addr .. " is blacklisted")
	ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- check if IP is in DNSBLs (only if not in cache)
if use_dnsbl and not dnsbl.cached() then
	if dnsbl.check(dnsbl_list, dns_resolvers) then
		ngx.exit(ngx.HTTP_FORBIDDEN)
	end
end

-- check if IP is in CrowdSec DB
if use_crowdsec then
	local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
	if ok == nil then
		logger.log(ngx.ERR, "CROWDSEC", err)
	end
	if not ok then
		logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
		ngx.exit(ngx.HTTP_FORBIDDEN)
	end
end

-- cookie check
if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
	if not cookie.is_set("uri") then
		if ngx.var.request_uri ~= antibot_uri then
			cookie.set({uri = ngx.var.request_uri})
			return ngx.redirect(antibot_uri)
		end
		logger.log(ngx.WARN, "ANTIBOT", "cookie fail for " .. ngx.var.remote_addr)
		return ngx.exit(ngx.HTTP_FORBIDDEN)
	else
		if ngx.var.request_uri == antibot_uri then
			return ngx.redirect(cookie.get("uri"))
		end
	end
end

-- javascript check
if use_antibot_javascript and ngx.var.uri ~= "/favicon.ico" then
	if not cookie.is_set("javascript") then
		if ngx.var.request_uri ~= antibot_uri then
			cookie.set({uri = ngx.var.request_uri, challenge = javascript.get_challenge()})
			return ngx.redirect(antibot_uri)
		end
	end
end

-- captcha check
if use_antibot_captcha and ngx.var.uri ~= "/favicon.ico" then
	if not cookie.is_set("captcha") then
		if ngx.var.request_uri ~= antibot_uri then
			cookie.set({uri = ngx.var.request_uri})
			return ngx.redirect(antibot_uri)
		end
	end
end

-- recaptcha check
if use_antibot_recaptcha and ngx.var.uri ~= "/favicon.ico" then
	if not cookie.is_set("recaptcha") then
		if ngx.var.request_uri ~= antibot_uri then
			cookie.set({uri = ngx.var.request_uri})
			return ngx.redirect(antibot_uri)
		end
	end
end

ngx.exit(ngx.OK)

}

%INCLUDE_ANTIBOT_JAVASCRIPT%

%INCLUDE_ANTIBOT_CAPTCHA%

%INCLUDE_ANTIBOT_RECAPTCHA%