Anubis

Anubis is a reverse proxy that protects upstream services from scraper bots and AI crawlers using a proof-of-work challenge. Lightweight, stateless, and easy to deploy in front of any web application.

Deployed: 0 times
Publisher: futurize.rush
Created: 2026-03-30
Tags: Tool, Security

Anubis

A reverse proxy that challenges bots with a proof-of-work puzzle before allowing access to your upstream service. Blocks AI scrapers, content thieves, and abusive crawlers without CAPTCHAs or JavaScript fingerprinting.

What You Can Do After Deployment

Place Anubis in front of any web application. Legitimate users solve the challenge automatically in their browser (typically under 1 second). Bots that cannot execute JavaScript or complete the proof-of-work are blocked.

Bot protection: Serves a SHA-256 proof-of-work challenge page. Real browsers solve it transparently. Headless scrapers and AI crawlers that skip JavaScript are stopped.

Configurable difficulty: Adjust DIFFICULTY to control how hard the challenge is (higher = more CPU work for the client). The default of 4 is suitable for most use cases.

Transparent to users: Once the challenge is solved, a cookie is set and subsequent requests pass through without delay. Users experience a brief loading screen on first visit only.

Stateless: No database, no session storage. The challenge cookie is cryptographically verified. Deploy multiple instances without coordination.

Configuration

  • Target URL: Set TARGET to the upstream service URL that Anubis should protect (e.g., http://my-app:3000)
  • Difficulty: Set DIFFICULTY to control proof-of-work difficulty (default: 4). Higher values = harder challenge.
  • Metrics: Prometheus metrics are available at the metrics endpoint when enabled

How It Works

  1. Client requests a page through Anubis
  2. Anubis serves a challenge page with a SHA-256 proof-of-work puzzle
  3. The browser's JavaScript solves the puzzle and submits the solution
  4. Anubis verifies the solution, sets a signed cookie, and proxies the request to the target
  5. Subsequent requests with a valid cookie pass through directly
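
The five steps above, sketched as an added example (not Anubis's own code): the client brute-forces a nonce, the server verifies it with one hash and issues a cookie that any instance holding the key can check without stored state. Assumptions: DIFFICULTY counts leading zero hex digits of SHA-256(challenge + nonce), the cookie is signed with HMAC-SHA256, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import time

# Assumption: DIFFICULTY = leading zero hex digits of SHA-256(challenge + nonce).
def meets(challenge: str, nonce: int, difficulty: int) -> bool:
    digest = hashlib.sha256(f"{challenge}{nonce}".encode()).hexdigest()
    return digest.startswith("0" * difficulty)

def solve(challenge: str, difficulty: int) -> int:
    """Client side (step 3): about 16**difficulty hashes on average."""
    nonce = 0
    while not meets(challenge, nonce, difficulty):
        nonce += 1
    return nonce

def _mac(key: bytes, payload: str) -> str:
    # Assumption: HMAC-SHA256 stands in for whatever signature the proxy uses.
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(key, challenge, nonce, difficulty, now, ttl=3600):
    """Server side (step 4): verify with a single hash, then sign challenge + expiry."""
    if not meets(challenge, nonce, difficulty):
        return None
    payload = f"{challenge}.{int(now) + ttl}"
    return f"{payload}.{_mac(key, payload)}"

def check_cookie(key, cookie, now) -> bool:
    """Step 5, stateless: recompute the MAC, compare in constant time, test expiry."""
    payload, _, tag = cookie.rpartition(".")
    if not payload or not hmac.compare_digest(_mac(key, payload).encode(), tag.encode()):
        return False
    expiry = payload.rpartition(".")[2]
    return expiry.isdecimal() and now < int(expiry)

if __name__ == "__main__":
    KEY = b"constructed-demo-key"        # constructed; shared by every instance
    CHALLENGE = "constructed-challenge"  # constructed sample challenge string
    nonce = solve(CHALLENGE, 4)
    cookie = issue_cookie(KEY, CHALLENGE, nonce, 4, now=time.time())
    print("nonce:", nonce, "cookie valid:", check_cookie(KEY, cookie, time.time()))
```

The asymmetry is the point: solving costs the client thousands of hashes, while verification and every later cookie check cost the proxy one hash or one MAC each.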

License

MIT — GitHub