anubis 1.24.0

[BrewTestBot]

Created by brew bump

---

Created with brew bump-formula-pr.

Details

release notes

Anubis is back and better than ever! Lots of minor fixes with some big ones interspersed.

Fix panic when validating challenges after privacy-mode browsers strip headers and the follow-up request matches an ALLOW threshold.
Expose WEIGHT rule matches as Prometheus metrics.
Allow more OCI registry clients based on feedback.
Expose services directory in the embedded (data) filesystem.
Add Ukrainian locale (#1044).
Allow Renovate as an OCI registry client.
Properly handle 4in6 addresses so that IP matching works with those addresses.
Add support to simple Valkey/Redis cluster mode
Open Graph passthrough now reuses the configured target Host/SNI/TLS settings, so metadata fetches succeed when the upstream certificate differs from the public domain. (1283)
Stabilize the CVE-2025-24369 regression test by always submitting an invalid proof instead of relying on random POW failures.
Refine the check that ensures the presence of the Accept header to avoid breaking docker clients.
Removed rules intended to reward actual browsers due to abuse in the wild.

Dataset poisoning
Anubis has the ability to engage in dataset poisoning attacks using the dataset poisoning subsystem. This allows every Anubis instance to be a honeypot to attract and flag abusive scrapers so that no administrator action is required to ban them.
There is much more information about this feature in the dataset poisoning subsystem documentation. Administrators that are interested in learning how this feature works should consult that documentation.
Deprecate report_as in challenge configuration
Previously Anubis let you lie to users about the difficulty of a challenge to interfere with operators of malicious scrapers as a psychological attack:
bots:
  # Punish any bot with "bot" in the user-agent string
  # This is known to have a high false-positive rate, use at your own risk
  - name: generic-bot-catchall
    user_agent_regex: (?i:bot|crawler)
    action: CHALLENGE
    challenge:
      difficulty: 16 # impossible
      report_as: 4 # lie to the operator
      algorithm: slow # intentionally waste CPU cycles and time
This has turned out to be a bad idea because it has caused massive user experience problems and has been removed. If you are using this setting, you will get a warning in your logs like this:
{
  "time": "2025-11-25T23:10:31.092201549-05:00",
  "level": "WARN",
  "source": {
    "function": "github.com/TecharoHQ/anubis/lib/policy.ParseConfig",
    "file": "/home/xe/code/TecharoHQ/anubis/lib/policy/policy.go",
    "line": 201
  },
  "msg": "use of deprecated report_as setting detected, please remove this from your policy file when possible",
  "at": "config-validate",
  "name": "mild-suspicion"
}
To remove this warning, remove this setting from your policy file.
Logging customization
Anubis now supports the ability to log to multiple backends ("sinks"). This allows you to have Anubis log to a file instead of just logging to standard out. You can also customize the logging level in the policy file:
logging:
  level: "warn" # much less verbose logging
  sink: file # log to a file
  parameters:
    file: "./var/anubis.log"
    maxBackups: 3 # keep at least 3 old copies
    maxBytes: 67108864 # each file can have up to 64 Mi of logs
    maxAge: 7 # rotate files out every n days
    oldFileTimeFormat: 2006-01-02T15-04-05 # RFC 3339-ish
    compress: true # gzip-compress old log files
    useLocalTime: false # timezone for rotated files is UTC
Additionally, information about how Anubis uses each logging level has been added to the documentation.
DNS Features

CEL expressions for:

FCrDNS checks
Forward DNS queries
Reverse DNS queries
arpaReverseIP to transform IPv4/6 addresses into ARPA reverse IP notation.
regexSafe to escape regex special characters (useful for including remoteAddress or headers in regular expressions).


DNS cache and other optimizations to minimize unnecessary DNS queries.

The DNS cache TTL can be changed in the bots config like this:
dns_ttl:
  forward: 600
  reverse: 600
The default value for both forward and reverse queries is 300 seconds.
The verifyFCrDNS CEL function has two overloads:

(addr)

Simply verifies that the remote side has PTR records pointing to the target address.
(addr, ptrPattern)

Verifies that the remote side refers to a specific domain and that this domain points to the target IP.

What's Changed

feat: Add thai language. by @karorogunso in feat: Add thai language. TecharoHQ/anubis#900
Update is.json by @sveinki in Update is.json TecharoHQ/anubis#1241
fix(data/docker-client): allow some more OCI clients through by @Xe in fix(data/docker-client): allow some more OCI clients through TecharoHQ/anubis#1258
fix(data): add services folder to embedded filesystem by @Xe in fix(data): add services folder to embedded filesystem TecharoHQ/anubis#1259
feat(localization): Add Ukrainian language translation by @nykula in  feat(localization): Add Ukrainian language translation TecharoHQ/anubis#1044
build(deps): bump the github-actions group with 3 updates by @dependabot[bot] in build(deps): bump the github-actions group with 3 updates TecharoHQ/anubis#1262
Add Renovate to Docker clients by @DrJosh9000 in Add Renovate to Docker clients TecharoHQ/anubis#1267
fix(docs): use node:lts by @Xe in fix(docs): use node:lts TecharoHQ/anubis#1274
fix(run): mark openrc service script as executable by @kouhaidev in fix(run): mark openrc service script as executable TecharoHQ/anubis#1272
test: ipv4 in v6 address checking by @SlyEcho in test: ipv4 in v6 address checking TecharoHQ/anubis#1271
(feat) Add cluster support to redis/vaultkey store by @egimbernat in (feat) Add cluster support to redis/vaultkey store TecharoHQ/anubis#1276
feat(lib): expose WEIGH matches as prometheus metrics by @Xe in feat(lib): expose WEIGH matches as prometheus metrics TecharoHQ/anubis#1277
Fix challenge validation panic when follow-up hits ALLOW by @JasonLovesDoggo in Fix challenge validation panic when follow-up hits ALLOW TecharoHQ/anubis#1278
feat(internal/headers): extend debug logging of X-Forwarded-For middlewares by @DerRockWolf in feat(internal/headers): extend debug logging of X-Forwarded-For middlewares TecharoHQ/anubis#1269
test: Valkey test improvements for testcontainers by @SlyEcho in test: Valkey test improvements for testcontainers TecharoHQ/anubis#1280
docs: use nginx http2 directive instead of deprecated http2 listen parameter by @kouhaidev in docs: use nginx http2 directive instead of deprecated http2 listen parameter TecharoHQ/anubis#1251
perf: field-align struct definitions to cut padding by @JasonLovesDoggo in perf: field-align struct definitions to cut padding TecharoHQ/anubis#1284
fix(tests): make CVE-2025-24369 regression deterministic by @JasonLovesDoggo in fix(tests): make CVE-2025-24369 regression deterministic TecharoHQ/anubis#1285
build(deps): bump go deps by @JasonLovesDoggo in build(deps): bump go deps TecharoHQ/anubis#1287
build(deps): bump github.com/testcontainers/testcontainers-go from 0.39.0 to 0.40.0 in the gomod group across 1 directory by @dependabot[bot] in build(deps): bump github.com/testcontainers/testcontainers-go from 0.39.0 to 0.40.0 in the gomod group across 1 directory TecharoHQ/anubis#1288
test(deps): update dependencies to latest versions by @JasonLovesDoggo in test(deps): update dependencies to latest versions TecharoHQ/anubis#1289
build(deps-dev): bump esbuild from 0.25.12 to 0.27.0 in the npm group by @dependabot[bot] in build(deps-dev): bump esbuild from 0.25.12 to 0.27.0 in the npm group TecharoHQ/anubis#1260
fix(ogtags): respect target host/SNI/insecure flags in OG passthrough by @JasonLovesDoggo in fix(ogtags): respect target host/SNI/insecure flags in OG passthrough TecharoHQ/anubis#1283
docs: clarify usage of PUBLIC_URL and REDIRECT_DOMAINS in installatio… by @JasonLovesDoggo in docs: clarify usage of PUBLIC_URL and REDIRECT_DOMAINS in installatio… TecharoHQ/anubis#1286
feat(store/valkey): Add Redis(R) Sentinel support by @Xe in feat(store/valkey): Add Redis(R) Sentinel support TecharoHQ/anubis#1294
Pass the remote IP to the proxied application by @eXpl0it3r in Pass the remote IP to the proxied application TecharoHQ/anubis#1298
ci: add go mod tidy check workflow by @Xe in ci: add go mod tidy check workflow TecharoHQ/anubis#1300
feat: writing logs to the filesystem with rotation support by @Xe in feat: writing logs to the filesystem with rotation support TecharoHQ/anubis#1299
chore: add dependabot cooldown by @Xe in chore: add dependabot cooldown TecharoHQ/anubis#1302
add Polish language translation by @bplajzer in add Polish language translation TecharoHQ/anubis#1309
fix(config): deprecate the report_as field for challenges by @Xe in fix(config): deprecate the report_as field for challenges TecharoHQ/anubis#1311
Implement FCrDNS and other DNS features by @btomaev in Implement FCrDNS and other DNS features TecharoHQ/anubis#1308
Show how to use subrequest auth with Caddy by @tbodt in Show how to use subrequest auth with Caddy TecharoHQ/anubis#1312
build(deps): bump actions-hub/kubectl from 1.34.1 to 1.34.2 in the github-actions group by @dependabot[bot] in build(deps): bump actions-hub/kubectl from 1.34.1 to 1.34.2 in the github-actions group TecharoHQ/anubis#1303
fix: pin Node.js and Go versions in CI configuration files by @JasonLovesDoggo in fix: pin Node.js and Go versions in CI configuration files TecharoHQ/anubis#1318
build(deps): bump the github-actions group with 3 updates by @dependabot[bot] in build(deps): bump the github-actions group with 3 updates TecharoHQ/anubis#1317
build(deps): bump the gomod group with 5 updates by @dependabot[bot] in build(deps): bump the gomod group with 5 updates TecharoHQ/anubis#1316
build(deps): bump the npm group with 2 updates by @dependabot[bot] in build(deps): bump the npm group with 2 updates TecharoHQ/anubis#1339
build(deps): bump the github-actions group across 1 directory with 4 updates by @dependabot[bot] in build(deps): bump the github-actions group across 1 directory with 4 updates TecharoHQ/anubis#1340
build(deps): bump the gomod group across 1 directory with 6 updates by @dependabot[bot] in build(deps): bump the gomod group across 1 directory with 6 updates TecharoHQ/anubis#1341
feat: first implementation of honeypot logic by @Xe in feat: first implementation of honeypot logic TecharoHQ/anubis#1342
i18n(de): improve consistency and wording by @michi-onl in i18n(de): improve consistency and wording TecharoHQ/anubis#1348
fix(default-config): must-accept-rule on browsers only by @Xe in fix(default-config): must-accept-rule on browsers only TecharoHQ/anubis#1350
fix(default-config): remove browser detection logic by @Xe in fix(default-config): remove browser detection logic TecharoHQ/anubis#1360

New Contributors

@karorogunso made their first contribution in feat: Add thai language. TecharoHQ/anubis#900
@nykula made their first contribution in  feat(localization): Add Ukrainian language translation TecharoHQ/anubis#1044
@DrJosh9000 made their first contribution in Add Renovate to Docker clients TecharoHQ/anubis#1267
@kouhaidev made their first contribution in fix(run): mark openrc service script as executable TecharoHQ/anubis#1272
@egimbernat made their first contribution in (feat) Add cluster support to redis/vaultkey store TecharoHQ/anubis#1276
@DerRockWolf made their first contribution in feat(internal/headers): extend debug logging of X-Forwarded-For middlewares TecharoHQ/anubis#1269
@eXpl0it3r made their first contribution in Pass the remote IP to the proxied application TecharoHQ/anubis#1298
@bplajzer made their first contribution in add Polish language translation TecharoHQ/anubis#1309
@btomaev made their first contribution in Implement FCrDNS and other DNS features TecharoHQ/anubis#1308
@tbodt made their first contribution in Show how to use subrequest auth with Caddy TecharoHQ/anubis#1312
@michi-onl made their first contribution in i18n(de): improve consistency and wording TecharoHQ/anubis#1348

Full Changelog: TecharoHQ/anubis@v1.23.1...v1.24.0

View the full release notes at https://github.com/TecharoHQ/anubis/releases/tag/v1.24.0.

---

[github-actions]

🤖 An automated task has requested bottles to be published to this PR.

Caution

Please do not push to this PR branch before the bottle commits have been pushed, as this results in a state that is difficult to recover from. If you need to resolve a merge conflict, please use a merge commit. Do not force-push to this PR branch.