this post was submitted on 21 Mar 2025
240 points (99.2% liked)

Selfhosted

44782 readers
860 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
240
Anubis - Weighs the soul of incoming HTTP requests using proof-of-work to stop AI crawlers (github.com)
submitted 1 day ago* (last edited 1 day ago) by zutto@lemmy.fedi.zutto.fi to c/selfhosted@lemmy.world
63 comments fedilink hide all child comments
 

I just started using this myself, seems pretty great so far!

Clearly doesn't stop all AI crawlers, but a significantly large chunk of them.

top 50 comments
sorted by: hot top controversial new old
[–] randomblock1@lemmy.world 22 points 1 day ago (1 children)

Why Sha256? Literally every processor has a crypto accelerator and will easily pass. And datacenter servers have beefy server CPUs. This is only effective against no-JS scrapers.

[–] poVoq@slrpnk.net 15 points 21 hours ago* (last edited 21 hours ago) (1 children)

It requires a bunch of browser features that non-user browsers don't have, and the proof-of-work part is like the least relevant piece in this that only gets invoked once a week or so to generate a unique cookie.

I sometimes have the feeling that as soon as some crypto-currency related features are mentioned people shut off part of their brain. Either because they hate crypto-currencies or because crypto-currency scammers have trained them to only look at some technical implementation details and fail to see the larger picture that they are being scammed.

[–] swelter_spark@reddthat.com 1 points 7 hours ago (1 children)

So if you try to access a website using this technology via terminal, what happens? The connection fails?

[–] crmsnbleyd@sopuli.xyz 2 points 7 hours ago

If your browser doesn't have a Mozilla user agent (I.e. like chrome or Firefox) it will pass directly. Most AI crawlers use these user agents to pretend to be human users

[–] merthyr1831@lemmy.ml 61 points 1 day ago* (last edited 1 day ago) (2 children)

It's a clever solution but I did see one recently that IMO was more elegant for noscript users. I can't remember the name but it would create a dummy link that human users won't touch, but webcrawlers will naturally navigate into, but then generates an infinitely deep tree of super basic HTML to force bots into endlessly trawling a cheap-to-serve portion of your webserver instead of something heavier. Might have even integrated with fail2ban to pick out obvious bots and keep them off your network for good.

[–] paperd@lemmy.zip 9 points 14 hours ago

That's a tarpit that you're describing, like iocaine or nepthasis. Those are to feed the crawler junk data to try and make their eventual output bad.

Anubis tries to not let the AI crawlers in at all.

[–] NeoNachtwaechter@lemmy.world 7 points 1 day ago (2 children)

generates an infinitely deep tree

Wouldn't the bot simply limit the depth of it's seek?

[–] nickwitha_k@lemmy.sdf.org 2 points 1 hour ago

That would be reasonable. The people running these things aren't reasonable. They ignore every established mechanism to communicate a lack of consent to their activity because they don't respect others' agency and want everything.

[–] Cethin@lemmy.zip 7 points 1 day ago

It could be infinitely wide too if they desired. It shouldn't be that hard to do I wouldn't think. I would suspect they limit the time a chain can use though to eventually escape out, though this still protects data because it obfuscates legitimate data that it wants. The goal isn't to trap them forever. It's to keep them from getting anything useful.

[–] computergeek125@lemmy.world 11 points 1 day ago (1 children)

Found the FF14 fan lol
The release names are hilarious

[–] Couldbealeotard@lemmy.world 8 points 19 hours ago (1 children)

What's the ffxiv reference here?

Anubis is from Egyptian mythology.

[–] PumaStoleMyBluff@lemmy.world 6 points 18 hours ago

The names of release versions are famous FFXIV Garleans

[–] Goretantath@lemm.ee 16 points 1 day ago (1 children)

I think the maze approach is better, this seems like it hurts valid users if the web more than a company would be.

[–] N0x0n@lemmy.ml 17 points 1 day ago* (last edited 20 hours ago) (1 children)

For those not aware, nepenthes is an example for the above mentioned approach !

[–] BackgrndNoize@lemmy.world 6 points 20 hours ago

This looks like it can can actually fuck up some models, but the unnecessary CPU load it will generate means most websites won't use it unfortunately

[–] lemonuri@lemmy.ml 17 points 1 day ago* (last edited 1 day ago) (3 children)

I did not find any instruction on the source page on how to actually deploy this. That would be a nice touch imho.

[–] SanndyTheManndy@lemmy.kya.moe 3 points 20 hours ago

The docker image page has it

[–] JustAnotherKay@lemmy.world 3 points 1 day ago

Or even a quick link to the relevant portion of the docs at least would be cool

[–] d0ntpan1c@lemmy.blahaj.zone 11 points 1 day ago

There are some detailed instructions on the docs site, tho I agree it'd be nice to have in the readme, too.

Sounds like the dev was not expecting this much interest for the project out of nowhere so there will def be gaps.

[–] enemenemu@lemm.ee 23 points 1 day ago (2 children)

Meaning it wastes time and power such that it gets expensive on a large scale? Or does it mine crypto?

[–] zutto@lemmy.fedi.zutto.fi 36 points 1 day ago* (last edited 1 day ago) (18 children)

Yes, Anubis uses proof of work, like some cryptocurrencies do as well, to slow down/mitigate mass scale crawling by making them do expensive computation.

https://lemmy.world/post/27101209 has a great article attached to it about this.

--

Edit: Just to be clear, this doesn't mine any cryptos, just uses same idea for slowing down the requests.

load more comments (18 replies)
load more comments (1 replies)
[–] danielquinn@lemmy.ca 13 points 1 day ago (1 children)

It's a rather brilliant idea really, but when you consider the environmental implications of forcing web requests to ensure proof of work to function, this effectively burns a more coal for every site that implements it.

[–] marauding_gibberish142@lemmy.dbzer0.com 10 points 1 day ago

I don't think AI companies care, and I wholeheartedly support any and all FOSS projects using PoW when serving their websites. I'd rather have that than have them go down

load more comments
view more: next ›