This is called a VCL Module. They plug into the main VCL code that drives the caching engine via a leading include "" statement. 8chan's network frontends use about 24 of these that I've written over the years, so this is just one more. But you can see some of what we need to handle:
First we scrub all custom header values from the client's side, to make sure he can neither spoof nor see any of the headers or values that we're using. Then we parse the user's Cookies looking for POW, and if it exists we ping the Redis storage for the user's IP address to see if there's a stored value. If both exist, and match, the user is let into the site. If they don't match, we run the rest of the POW subroutine, which:
>Generates an X-Pow header with a random 8 character session token
>Sends the token to the Redis store keyed to the user's IP address
>Sets the magic header
>Switches the backend from the 8chan main CDN gateway to the POWBlock server
>Saves the URL the user was coming in on and sends it in a header
>Connects the user to POWBlock with all necessary information supplied
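The gate logic from the list above, modelled in Python as an added example (this is not the author's VCL module). A dict stands in for the Redis store keyed by client IP; the backend names and every header other than X-Pow are assumed placeholders.

```python
import hmac
import secrets
import string

# Constructed in-memory stand-in for the Redis store (key = client IP, value = token).
STORE: dict[str, str] = {}
ALPHABET = string.ascii_letters + string.digits


def scrub_client_headers(headers):
    """Drop every client-supplied header in the private X-Pow namespace
    so the client can neither spoof nor read the values we set."""
    return {k: v for k, v in headers.items() if not k.lower().startswith("x-pow")}


def parse_cookies(cookie_header):
    """Minimal Cookie header parser: 'a=b; POW=tok' -> {'a': 'b', 'POW': 'tok'}."""
    cookies = {}
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def new_token():
    """Random 8-character session token, as the X-Pow header carries."""
    return "".join(secrets.choice(ALPHABET) for _ in range(8))


def pow_gate(client_ip, headers, url, store=STORE):
    """Return (backend, headers): 'main_cdn' if the POW cookie matches the
    stored value for this IP, otherwise hand the client to 'powblock'."""
    headers = scrub_client_headers(headers)
    presented = parse_cookies(headers.get("Cookie")).get("POW")
    stored = store.get(client_ip)
    if presented and stored and hmac.compare_digest(presented.encode(), stored.encode()):
        return "main_cdn", headers
    # No match: mint a token, store it under the IP, and mark the request.
    token = new_token()
    store[client_ip] = token
    headers["X-Pow"] = token
    headers["X-Pow-Magic"] = "1"          # placeholder for the "magic header"
    headers["X-Pow-Return-Url"] = url     # so POWBlock can send the user back
    return "powblock", headers
```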
What isn't shown: Forward rate limits, DoS throttling, URL locking, request sanitizing, header normalizing, and a bunch of other shit the main VCL code will do for security before it even gets to this spot. I'm sure it'll need to be tweaked for an actual deploy, but I'll cross that bridge when I get to it. And I need to write a nullification module so that if a user gets past this and fucks around, it will null the value of their key in the shared store and force them back to the POW or even ban them entirely.
>Why bother with all this shit and why make a Lua server instead of just putting it on the site, maybe with the splash disclaimer?
Because it can take upwards of 60% of the load off the frontends in the case of a major attack. POWBlock can run on its own shitbox server (and even have DDoS protection there) and if the site is getting hammered like hell, then it's POWBlock taking most of the assraping instead of the servers we actually care about. And these things are so cheap and easy to set up (install Lua, install 3 Lua modules, stick the script in systemd, fucking done) that the servers it would run on can be wholly disposable. You could have 50 of 'em, each running a forking instance, and divide a big attack up between them.
It's also expandable. Right now it's just going to be a POW, but I can add simple user agent checks, non-invasive fingerprinting (click speed, mouse speed), dummy fields to catch the stupidest bots, and maybe a custom captcha similar to what Stephen uses in Lynxchan. It's not going to replace Cuckflare's massive CDN network and Terabit pipes, but I think this could become a super useful tool for all of us little guys out here.
If anyone cares about this thread I'll post updates as I work on deploying the actual system and doing a real feasibility test. I have some free time over the next couple of weeks and have plenty of site work to do, but I'm gonna try to squeeze this in too.
Auf wiedersehen!