Comment on Anubis is awesome and I want to talk aout it

• SmokeyDope@piefed.social ⁨3⁩ ⁨weeks⁩ ago

  Theres a compute option that doesnt require javascript. Its on site owners to configure IMO, though you can make the argument its not default I guess.

  https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh

  From docs on Meta Refresh Method

  Meta Refresh (No JavaScript)

  The metarefresh challenge sends a browser a much simpler challenge that makes it refresh the page after a set period of time. This enables clients to pass challenges without executing JavaScript.

  To use it in your Anubis configuration:

  # Generic catchall rule
  - name: generic-browser
    user_agent_regex: >-
      Mozilla|Opera
    action: CHALLENGE
    challenge:
      difficulty: 1 # Number of seconds to wait before refreshing the page
      algorithm: metarefresh # Specify a non-JS challenge method
  

  This is not enabled by default while this method is tested and its false positive rate is ascertained. Many modern scrapers use headless Google Chrome, so this will have a much higher false positive rate.
  

  source

  • z3rOR0ne@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

    Yeah I actually use the noscript extension and i refuse to just whitelist certain sites unless I’m very certain I trust them.

    I run into Anubis checks all the time and while I appreciate the software, having to consistently temporarily whitelist these sites does get cumbersome at times. I hope they make this noJS implementation the default soon.

    source

    • Prathas@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

      Wait, you keep temporarily allowing then over and over again? Why temporary?

      source

      • z3rOR0ne@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

        Most of the Anubis encounters I have are to redlib instances that are shuffled around, go down all the time, and generally are more ephemeral than other sites. Because I use another extension called Libredirect to shuffle which redlib instance I visit when clicking on a reddit link, I don’t bother whitelisting them permanently.

        I already have solved this on my desktop by self hosting my own redlib instance via localhost and using libredirect to just point there, but on my phone I still do the whole nojs temp unblock random redlib instance. Eventually I plan on using wireguard to host a private redlib instance on a vps so I can just not deal with this.

        This is a weird case I know, but its honestly not that bad.

        source
  • Dojan@pawb.social ⁨2⁩ ⁨weeks⁩ ago

    This is news to me! Thanks for enlightening me!

    source
• natecox@programming.dev ⁨3⁩ ⁨weeks⁩ ago

  I feel comfortable hating on Anubis for this. The compute cost per validation is vanishingly small to someone with the existing budget to run a cloud scraping farm, it’s just another cost of doing business.

  The cost to actual users though, particularly to lower income segments who may not have compute power to spare, is annoyingly large. There are plenty of complaints out there about Anubis being painfully slow on old or underpowered devices.

  Some of us do actually prefer to use the internet minus JS, too.

  Plus the minor irritation of having anime catgirls suddenly be a part of my daily browsing.

  source

  • bitcrafter@programming.dev ⁨3⁩ ⁨weeks⁩ ago

    What would you propose as an alternative?

    source

    • natecox@programming.dev ⁨3⁩ ⁨weeks⁩ ago

      There’s a caddy config out there that works as well as Anubis without the catgirls and mining: fxgn.dev/blog/anubis/

      source

      • Axolotl_cpp@feddit.it ⁨3⁩ ⁨weeks⁩ ago

        Not having catgirls is def a con

        source
      • rtxn@lemmy.world ⁨3⁩ ⁨weeks⁩ ago

        No numbers, no testimonials, or even anecdotes… “It works, trust me bro” is not exactly convincing.

        source
      • poVoq@slrpnk.net ⁨3⁩ ⁨weeks⁩ ago

        That blog post is fundamentally misunderstanding what Anubis actually does.

        source
  • url@feddit.fr ⁨2⁩ ⁨weeks⁩ ago

    Imagine friends seeing catgirl on your browser and now you have to explain it to them who has zero knowledge in it 

    source
• cecilkorik@piefed.ca ⁨3⁩ ⁨weeks⁩ ago

  if you are a creator and you’d prefer to not make use of JS (there’s dozens of us) then forcing people to go through a JS “security check” feels kind of shit. The alternative is to just take the hammering, and that feels just as bad.

  I’m with you here. I come from an older time on the Internet. I’m not much of a creator, but I do have websites, and unlike many self-hosters I think, in the spirit of the internet, they should be open to the public as a matter of principle, not cowering away for my own private use behind some encrypted VPN. I want it to be shared. Sometimes that means taking a hammering. It’s fine. It’s nothing that’s going to end the world if it goes down or goes away, and I try not to make a habit of being so irritating that anyone would have much legitimate reason to target me.

  I don’t like any of these sort of protections that put the burden onto legitimate users. I get that’s the reality we live in, but I reject that reality, and substitute my own. I understand that some people need to be able to block that sort of traffic to be able to limit and justify the very real costs of providing services for free on the Internet and Anubis does its job for that. But I’m not one of those people. It has yet to cost me a cent above what I have already decided to pay, and until it does, I have the freedom to adhere to my principles on this.

  To paraphrase another great movie: Why should any legitimate user be inconvenienced when the bots are the ones who suck. I refuse to punish the wrong party.

  source
• quick_snail@feddit.nl ⁨2⁩ ⁨weeks⁩ ago

  This is why we need these sites to have .onions. Tor Browser has a PoW that doesn’t require js

  source