From 3aed336a3c66711d57315a569fd41fdf8e3a5b0f Mon Sep 17 00:00:00 2001
From: simon987 <me@simon987.net>
Date: Mon, 2 Mar 2020 15:47:34 -0500
Subject: [PATCH] Configuration options, tweak challenge, update readme

---
 LICENSE                 |   4 +-
 README.md               |  67 +++++++++-
 build.sh                |  18 +--
 ngx_http_js_challenge.c | 288 ++++++++++++++++++++++++++++------------
 4 files changed, 270 insertions(+), 107 deletions(-)

diff --git a/LICENSE b/LICENSE
index f288702..af4eaf7 100644
--- a/LICENSE
+++ b/LICENSE
@@ -123,7 +123,7 @@ is widely used among developers working in that language.
   The "System Libraries" of an executable work include anything, other
 than the work as a whole, that (a) is included in the normal form of
 packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
+Component, and (b) serves only to enabled use of the work with that
 Major Component, or to implement a Standard Interface for which an
 implementation is available to the public in source code form.  A
 "Major Component", in this context, means a major essential component
@@ -671,4 +671,4 @@ into proprietary programs.  If your program is a subroutine library, you
 may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
-<https://www.gnu.org/licenses/why-not-lgpl.html>.
+<https://www.gnu.org/licenses/why-not-lgpl.html_path>.
diff --git a/README.md b/README.md
index c2f97ce..8785b08 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,6 @@
 
 ![GitHub](https://img.shields.io/github/license/simon987/ngx_http_js_challenge_module.svg)
 [![CodeFactor](https://www.codefactor.io/repository/github/simon987/ngx_http_js_challenge_module/badge)](https://www.codefactor.io/repository/github/simon987/ngx_http_js_challenge_module)
-[![Development snapshots](https://ci.simon987.net/app/rest/builds/buildType(JsChallenge_Build)/statusIcon)](https://files.simon987.net/artifacts/JsChallenge/Build/)
 
 Simple javascript proof-of-work based access for Nginx with virtually no overhead.
 
@@ -16,13 +15,69 @@ Easy installation: just add `load_module /path/to/ngx_http_js_challenge_module.s
 
 ### Configuration
 
-//todo
+**Simple configuration**
+```nginx
+server {
+    js_challenge on;
+    js_challenge_secret "change me!";
 
+    # ...
+}
+```
+
+
+**Advanced configuration**
+```nginx
+server {
+    js_challenge on;
+    js_challenge_secret "change me!";
+    js_challenge_html /path/to/body.html;
+    js_challenge_bucket_duration 3600;
+    js_challenge_title "Verifying your browser...";
+
+    location /static {
+        js_challenge off;
+        alias /static_files/;
+    }
+
+    location /sensitive {
+        js_challenge_bucket_duration 600;
+        #...
+    }
+
+    #...
+}
+```
+
+* `js_challenge on|off` Toggle javascript challenges for this config block
+* `js_challenge_secret "secret"` Secret for generating the challenges. DEFAULT: "changeme"
+* `js_challenge_html "/path/to/file.html"` Path to html file to be inserted in the `<body>` tag of the interstitial page
+* `js_challenge_title "title"` Will be inserted in the `<title>` tag of the interstitial page. DEFAULT "Verifying your browser..."
+* `js_challenge_bucket_duration time` Interval to prompt js challenge, in seconds. DEFAULT: 3600
+
+### Installation
+
+1. Add `load_module ngx_http_js_challenge_module.so;` to `/etc/nginx/nginx.conf`
+1. Reload `nginx -s reload`
 
 ### Build from source
 
-//todo
+These steps have to be performed on machine with compatible configuration (same nginx, glibc, openssl version etc.)
 
-```bash
-apt install libperl-dev libgeoip-dev libgd-dev libxslt1-dev
-```
+1. Install dependencies
+    ```bash
+    apt install libperl-dev libgeoip-dev libgd-dev libxslt1-dev
+    ```
+2. Download nginx tarball corresponding to your current version (Check with `nginx -v`)
+    ```bash
+   wget https://nginx.org/download/nginx-1.16.1.tar.gz
+   tar -xzf nginx-1.16.1.tar.gz
+   export NGINX_PATH=$(pwd)/nginx-1.16.1/
+    ```
+3. Compile the module
+    ```bash
+    git clone https://github.com/simon987/ngx_http_js_challenge_module
+    cd ngx_http_js_challenge_module
+    ./build.sh
+    ```
+4. The dynamic module can be found at `${NGINX_PATH}/objs/ngx_http_js_challenge_module.so`
diff --git a/build.sh b/build.sh
index 7e7fc64..5a426b4 100755
--- a/build.sh
+++ b/build.sh
@@ -1,20 +1,16 @@
-NGINX_PATH=/home/simon/Downloads/nginx-1.16.1/
+if [ -z ${NGINX_PATH+x} ]; then
+  echo "Please set the NGINX_PATH variable";
+  exit
+fi
 
 MODULE_PATH=$(pwd)/
 CONFIG_ARGS=$(nginx -V 2>&1 | tail -n 1 | cut -c 21- | sed 's/--add-dynamic-module=.*//g')
-
 CONFIG_ARGS="${CONFIG_ARGS} --add-dynamic-module=${MODULE_PATH}"
-
 echo $CONFIG_ARGS
 
 (
-cd ${NGINX_PATH}
-#bash -c "./configure ${CONFIG_ARGS}"
-make modules
-#cp objs/ "${WD}"
+  cd ${NGINX_PATH} || exit
+  bash -c "./configure ${CONFIG_ARGS}"
+  make modules -j "$(nproc)"
 )
 
-rm /test/*.so
-mv /home/simon/Downloads/nginx-1.16.1/objs/ngx_http_js_challenge_module.so /test/module.so
-chown -R www-data /test/
-systemctl restart nginx
diff --git a/ngx_http_js_challenge.c b/ngx_http_js_challenge.c
index 7b992c9..d94e5e4 100644
--- a/ngx_http_js_challenge.c
+++ b/ngx_http_js_challenge.c
@@ -1,25 +1,98 @@
 #include <stdio.h>
 #include "ngx_http.c"
 
+#define DEFAULT_SECRET "changeme"
+#define SHA1_MD_LEN 20
+#define SHA1_STR_LEN 40
+
+#define JS_SOLVER_TEMPLATE \
+        "<!DOCTYPE html>" \
+        "<html>" \
+        "<head>" \
+        "<meta charset='UTF-8'>" \
+        "<title>%s</title>" \
+        "</head>" \
+        "<body>" \
+        "<iframe style='display:none'></iframe>" \
+        "<script>document.querySelector('iframe').contentWindow.document.write(`" \
+        "<script>" \
+        "!function(){function t(t){t?(f[0]=f[16]=f[1]=f[2]=f[3]=f[4]=f[5]=f[6]=f[7]=f[8]=f[9]=f[10]=f[11]=f[12]=f[13]=f[14]=f[15]=0,this.blocks=f):this.blocks=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],this.h0=1732584193,this.h1=4023233417,this.h2=2562383102,this.h3=271733878,this.h4=3285377520,this.block=this.start=this.bytes=this.hBytes=0,this.finalized=this.hashed=!1,this.first=!0}var h=\"object\"==typeof window?window:{},s=!h.JS_SHA1_NO_NODE_JS&&\"object\"==typeof process&&process.versions&&process.versions.node;s&&(h=global);var i=!h.JS_SHA1_NO_COMMON_JS&&\"object\"==typeof module&&module.exports,e=\"function\"==typeof define&&define.amd,r=\"0123456789abcdef\".split(\"\"),o=[-2147483648,8388608,32768,128],n=[24,16,8,0],a=[\"hex\",\"array\",\"digest\",\"arrayBuffer\"],f=[],u=function(h){return function(s){return new t(!0).update(s)[h]()}},c=function(){var h=u(\"hex\");s&&(h=p(h)),h.create=function(){return new t},h.update=function(t){return h.create().update(t)};for(var i=0;i<a.length;++i){var e=a[i];h[e]=u(e)}return h},p=function(t){var h=eval(\"require('crypto')\"),s=eval(\"require('buffer').Buffer\"),i=function(i){if(\"string\"==typeof i)return h.createHash(\"s1\").update(i,\"utf8\").digest(\"hex\");if(i.constructor===ArrayBuffer)i=new Uint8Array(i);else if(void 0===i.length)return t(i);return h.createHash(\"s1\").update(new s(i)).digest(\"hex\")};return i};t.prototype.update=function(t){if(!this.finalized){var s=\"string\"!=typeof t;s&&t.constructor===h.ArrayBuffer&&(t=new Uint8Array(t));for(var i,e,r=0,o=t.length||0,a=this.blocks;r<o;){if(this.hashed&&(this.hashed=!1,a[0]=this.block,a[16]=a[1]=a[2]=a[3]=a[4]=a[5]=a[6]=a[7]=a[8]=a[9]=a[10]=a[11]=a[12]=a[13]=a[14]=a[15]=0),s)for(e=this.start;r<o&&e<64;++r)a[e>>2]|=t[r]<<n[3&e++];else for(e=this.start;r<o&&e<64;++r)(i=t.charCodeAt(r))<128?a[e>>2]|=i<<n[3&e++]:i<2048?(a[e>>2]|=(192|i>>6)<<n[3&e++],a[e>>2]|=(128|63&i)<<n[3&e++]):i<55296||i>=57344?(a[e>>2]|=(224|i>>12)<<n[3&e++],a[e>>2]|=(128|i>>6&63)<<n[3&e++],a[e>>2]|=(128|63&i)<<n[3&e++]):(i=65536+((1023&i)<<10|1023&t.charCodeAt(++r)),a[e>>2]|=(240|i>>18)<<n[3&e++],a[e>>2]|=(128|i>>12&63)<<n[3&e++],a[e>>2]|=(128|i>>6&63)<<n[3&e++],a[e>>2]|=(128|63&i)<<n[3&e++]);this.lastByteIndex=e,this.bytes+=e-this.start,e>=64?(this.block=a[16],this.start=e-64,this.hash(),this.hashed=!0):this.start=e}return this.bytes>4294967295&&(this.hBytes+=this.bytes/4294967296<<0,this.bytes=this.bytes%%4294967296),this}},t.prototype.finalize=function(){if(!this.finalized){this.finalized=!0;var t=this.blocks,h=this.lastByteIndex;t[16]=this.block,t[h>>2]|=o[3&h],this.block=t[16],h>=56&&(this.hashed||this.hash(),t[0]=this.block,t[16]=t[1]=t[2]=t[3]=t[4]=t[5]=t[6]=t[7]=t[8]=t[9]=t[10]=t[11]=t[12]=t[13]=t[14]=t[15]=0),t[14]=this.hBytes<<3|this.bytes>>>29,t[15]=this.bytes<<3,this.hash()}},t.prototype.hash=function(){var t,h,s=this.h0,i=this.h1,e=this.h2,r=this.h3,o=this.h4,n=this.blocks;for(t=16;t<80;++t)h=n[t-3]^n[t-8]^n[t-14]^n[t-16],n[t]=h<<1|h>>>31;for(t=0;t<20;t+=5)s=(h=(i=(h=(e=(h=(r=(h=(o=(h=s<<5|s>>>27)+(i&e|~i&r)+o+1518500249+n[t]<<0)<<5|o>>>27)+(s&(i=i<<30|i>>>2)|~s&e)+r+1518500249+n[t+1]<<0)<<5|r>>>27)+(o&(s=s<<30|s>>>2)|~o&i)+e+1518500249+n[t+2]<<0)<<5|e>>>27)+(r&(o=o<<30|o>>>2)|~r&s)+i+1518500249+n[t+3]<<0)<<5|i>>>27)+(e&(r=r<<30|r>>>2)|~e&o)+s+1518500249+n[t+4]<<0,e=e<<30|e>>>2;for(;t<40;t+=5)s=(h=(i=(h=(e=(h=(r=(h=(o=(h=s<<5|s>>>27)+(i^e^r)+o+1859775393+n[t]<<0)<<5|o>>>27)+(s^(i=i<<30|i>>>2)^e)+r+1859775393+n[t+1]<<0)<<5|r>>>27)+(o^(s=s<<30|s>>>2)^i)+e+1859775393+n[t+2]<<0)<<5|e>>>27)+(r^(o=o<<30|o>>>2)^s)+i+1859775393+n[t+3]<<0)<<5|i>>>27)+(e^(r=r<<30|r>>>2)^o)+s+1859775393+n[t+4]<<0,e=e<<30|e>>>2;for(;t<60;t+=5)s=(h=(i=(h=(e=(h=(r=(h=(o=(h=s<<5|s>>>27)+(i&e|i&r|e&r)+o-1894007588+n[t]<<0)<<5|o>>>27)+(s&(i=i<<30|i>>>2)|s&e|i&e)+r-1894007588+n[t+1]<<0)<<5|r>>>27)+(o&(s=s<<30|s>>>2)|o&i|s&i)+e-1894007588+n[t+2]<<0)<<5|e>>>27)+(r&(o=o<<30|o>>>2)|r&s|o&s)+i-1894007588+n[t+3]<<0)<<5|i>>>27)+(e&(r=r<<30|r>>>2)|e&o|r&o)+s-1894007588+n[t+4]<<0,e=e<<30|e>>>2;for(;t<80;t+=5)s=(h=(i=(h=(e=(h=(r=(h=(o=(h=s<<5|s>>>27)+(i^e^r)+o-899497514+n[t]<<0)<<5|o>>>27)+(s^(i=i<<30|i>>>2)^e)+r-899497514+n[t+1]<<0)<<5|r>>>27)+(o^(s=s<<30|s>>>2)^i)+e-899497514+n[t+2]<<0)<<5|e>>>27)+(r^(o=o<<30|o>>>2)^s)+i-899497514+n[t+3]<<0)<<5|i>>>27)+(e^(r=r<<30|r>>>2)^o)+s-899497514+n[t+4]<<0,e=e<<30|e>>>2;this.h0=this.h0+s<<0,this.h1=this.h1+i<<0,this.h2=this.h2+e<<0,this.h3=this.h3+r<<0,this.h4=this.h4+o<<0},t.prototype.hex=function(){this.finalize();var t=this.h0,h=this.h1,s=this.h2,i=this.h3,e=this.h4;return r[t>>28&15]+r[t>>24&15]+r[t>>20&15]+r[t>>16&15]+r[t>>12&15]+r[t>>8&15]+r[t>>4&15]+r[15&t]+r[h>>28&15]+r[h>>24&15]+r[h>>20&15]+r[h>>16&15]+r[h>>12&15]+r[h>>8&15]+r[h>>4&15]+r[15&h]+r[s>>28&15]+r[s>>24&15]+r[s>>20&15]+r[s>>16&15]+r[s>>12&15]+r[s>>8&15]+r[s>>4&15]+r[15&s]+r[i>>28&15]+r[i>>24&15]+r[i>>20&15]+r[i>>16&15]+r[i>>12&15]+r[i>>8&15]+r[i>>4&15]+r[15&i]+r[e>>28&15]+r[e>>24&15]+r[e>>20&15]+r[e>>16&15]+r[e>>12&15]+r[e>>8&15]+r[e>>4&15]+r[15&e]},t.prototype.toString=t.prototype.hex,t.prototype.digest=function(){this.finalize();var t=this.h0,h=this.h1,s=this.h2,i=this.h3,e=this.h4;return[t>>24&255,t>>16&255,t>>8&255,255&t,h>>24&255,h>>16&255,h>>8&255,255&h,s>>24&255,s>>16&255,s>>8&255,255&s,i>>24&255,i>>16&255,i>>8&255,255&i,e>>24&255,e>>16&255,e>>8&255,255&e]},t.prototype.array=t.prototype.digest,t.prototype.arrayBuffer=function(){this.finalize();var t=new ArrayBuffer(20),h=new DataView(t);return h.setUint32(0,this.h0),h.setUint32(4,this.h1),h.setUint32(8,this.h2),h.setUint32(12,this.h3),h.setUint32(16,this.h4),t};var y=c();i?module.exports=y:(h.s1=y,e&&define(function(){return y}))}();" \
+        "const a0_0x2a54=['%s','res=','array'];(function(_0x41abf3,_0x2a548e){const _0x4457dc=function(_0x804ad2){while(--_0x804ad2){_0x41abf3['push'](_0x41abf3['shift']());}};_0x4457dc(++_0x2a548e);}(a0_0x2a54,0x178));const a0_0x4457=function(_0x41abf3,_0x2a548e){_0x41abf3=_0x41abf3-0x0;let _0x4457dc=a0_0x2a54[_0x41abf3];return _0x4457dc;};let c=a0_0x4457('0x2');let i=0x0;let n1=parseInt('0x'+c[0x0]);while(!![]){let s=s1[a0_0x4457('0x1')](c+i);if(s[n1]===0xb0&&s[n1+0x1]===0xb){document['cookie']=a0_0x4457('0x0')+c+i+';';break;}i++;}" \
+        "<\\/script>`);window.setTimeout(function(){window.location.reload()}, 5000);</script>" \
+        "%s" \
+        "</body>" \
+        "</html>"
+
+#define DEFAULT_TITLE "Verifying your browser..."
+
+typedef struct {
+    ngx_flag_t enabled;
+    ngx_uint_t bucket_duration;
+    ngx_str_t secret;
+    ngx_str_t html_path;
+    ngx_str_t title;
+    char *html;
+} ngx_http_js_challenge_loc_conf_t;
+
 static ngx_int_t ngx_http_js_challenge(ngx_conf_t *cf);
 
-static char *setup1(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
+static void *ngx_http_js_challenge_create_loc_conf(ngx_conf_t *cf);
+
+static char *ngx_http_js_challenge_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child);
 
 static ngx_int_t ngx_http_js_challenge_handler(ngx_http_request_t *r);
 
 
 static ngx_command_t ngx_http_js_challenge_commands[] = {
 
-        {ngx_string("hello_world"),
-
-                // NGX_CONF_TAKE1, for 1 arg etc
-                // NGX_CONF_FLAG for boolean
-         NGX_HTTP_LOC_CONF | NGX_HTTP_SRV_CONF | NGX_CONF_NOARGS,
-
-         setup1, /* configuration setup function */
-         0, /* No offset. Only one context is supported. */
-         0, /* No offset when storing the module configuration on struct. */
-         NULL},
+        {
+                ngx_string("js_challenge"),
+                NGX_HTTP_LOC_CONF | NGX_HTTP_SRV_CONF | NGX_CONF_FLAG,
+                ngx_conf_set_flag_slot,
+                NGX_HTTP_LOC_CONF_OFFSET,
+                offsetof(ngx_http_js_challenge_loc_conf_t, enabled),
+                NULL
+        },
+        {
+                ngx_string("js_challenge_bucket_duration"),
+                NGX_HTTP_LOC_CONF | NGX_HTTP_SRV_CONF | NGX_CONF_TAKE1,
+                ngx_conf_set_num_slot,
+                NGX_HTTP_LOC_CONF_OFFSET,
+                offsetof(ngx_http_js_challenge_loc_conf_t, bucket_duration),
+                NULL
+        },
+        {
+                ngx_string("js_challenge_secret"),
+                NGX_HTTP_LOC_CONF | NGX_HTTP_SRV_CONF | NGX_CONF_TAKE1,
+                ngx_conf_set_str_slot,
+                NGX_HTTP_LOC_CONF_OFFSET,
+                offsetof(ngx_http_js_challenge_loc_conf_t, secret),
+                NULL
+        },
+        {
+                ngx_string("js_challenge_secret"),
+                NGX_HTTP_LOC_CONF | NGX_HTTP_SRV_CONF | NGX_CONF_TAKE1,
+                ngx_conf_set_str_slot,
+                NGX_HTTP_LOC_CONF_OFFSET,
+                offsetof(ngx_http_js_challenge_loc_conf_t, secret),
+                NULL
+        },
+        {
+                ngx_string("js_challenge_html"),
+                NGX_HTTP_LOC_CONF | NGX_HTTP_SRV_CONF | NGX_CONF_TAKE1,
+                ngx_conf_set_str_slot,
+                NGX_HTTP_LOC_CONF_OFFSET,
+                offsetof(ngx_http_js_challenge_loc_conf_t, html_path),
+                NULL
+        },
+        {
+                ngx_string("js_challenge_title"),
+                NGX_HTTP_LOC_CONF | NGX_HTTP_SRV_CONF | NGX_CONF_TAKE1,
+                ngx_conf_set_str_slot,
+                NGX_HTTP_LOC_CONF_OFFSET,
+                offsetof(ngx_http_js_challenge_loc_conf_t, title),
+                NULL
+        },
         ngx_null_command
 };
 
@@ -36,9 +109,8 @@ static ngx_http_module_t ngx_http_js_challenge_module_ctx = {
         NULL, /* create server configuration */
         NULL, /* merge server configuration */
 
-        //todo
-        NULL, /* create location configuration */
-        NULL /* merge location configuration */
+        ngx_http_js_challenge_create_loc_conf,
+        ngx_http_js_challenge_merge_loc_conf
 };
 
 /* Module definition. */
@@ -57,6 +129,68 @@ ngx_module_t ngx_http_js_challenge_module = {
         NGX_MODULE_V1_PADDING
 };
 
+
+static void *ngx_http_js_challenge_create_loc_conf(ngx_conf_t *cf) {
+    ngx_http_js_challenge_loc_conf_t *conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_js_challenge_loc_conf_t));
+    if (conf == NULL) {
+        return NGX_CONF_ERROR;
+    }
+
+    conf->secret = (ngx_str_t) {0, NULL};
+    conf->bucket_duration = NGX_CONF_UNSET_UINT;
+    conf->enabled = NGX_CONF_UNSET;
+
+    return conf;
+}
+
+
+static char *ngx_http_js_challenge_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) {
+    ngx_http_js_challenge_loc_conf_t *prev = parent;
+    ngx_http_js_challenge_loc_conf_t *conf = child;
+
+    ngx_conf_merge_uint_value(conf->bucket_duration, prev->bucket_duration, 3600)
+    ngx_conf_merge_value(conf->enabled, prev->enabled, 0)
+    ngx_conf_merge_str_value(conf->secret, prev->secret, DEFAULT_SECRET)
+    ngx_conf_merge_str_value(conf->html_path, prev->html_path, NULL)
+    ngx_conf_merge_str_value(conf->title, prev->title, DEFAULT_TITLE)
+
+    if (conf->bucket_duration < 1) {
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "bucket_duration must be equal or more than 1");
+        return NGX_CONF_ERROR;
+    }
+
+    if (conf->html_path.data == NULL) {
+        conf->html = NULL;
+    } else if (conf->enabled) {
+
+        // Read file in memory
+        char path[PATH_MAX];
+        memcpy(path, conf->html_path.data, conf->html_path.len);
+        *(path + conf->html_path.len) = '\0';
+
+        struct stat info;
+        stat(path, &info);
+
+        int fd = open(path, O_RDONLY, 0);
+        if (fd < 0) {
+            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "js_challenge_html: Could not open file '%s': %s", path,
+                               strerror(errno));
+            return NGX_CONF_ERROR;
+        }
+
+        conf->html = ngx_palloc(cf->pool, info.st_size);
+        int ret = read(fd, conf->html, info.st_size);
+        if (ret < 0) {
+            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "js_challenge_html: Could not read file '%s': %s", path,
+                               strerror(errno));
+            return NGX_CONF_ERROR;
+        }
+    }
+
+    return NGX_CONF_OK;
+}
+
+
 __always_inline
 static void buf2hex(const unsigned char *buf, size_t buflen, char *hex_string) {
     static const char hexdig[] = "0123456789ABCDEF";
@@ -71,79 +205,68 @@ static void buf2hex(const unsigned char *buf, size_t buflen, char *hex_string) {
     }
 }
 
-#define SHA1_MD_LEN 20
-#define SHA1_STR_LEN 40
 
-const int JS_SOLVER_CHALLENGE_OFFSET = 84 + 8 + 13;
-//static const u_char JS_SOLVER[] = "Hello, workd";
-static const u_char JS_SOLVER[] =
-        "<script src='https://cdn.jsdelivr.net/gh/emn178/js-sha1/build/sha1.min.js'></script>"
-        "<script>"
-        "    let c = '0000000000000000000000000000000000000000';"
-        "    let i = 0;"
-        "    let n1 = parseInt('0x' + c[0]);"
-        "    while (true) {"
-        "        let s = sha1.array(c + i);"
-        "        if (s[n1] === 0xB0 && s[n1 + 1] === 0x0B && (s[n1 + 2] & 0xF0) === 0x50) {"
-        "            document.cookie = 'res=' + c + i + ';';"
-        "            window.location.reload();"
-        "            break;"
-        "        }"
-        "        i++;"
-        "    }"
-        "</script>Hello";
-
-int serve_challenge(ngx_http_request_t *r, const char *challenge) {
+int serve_challenge(ngx_http_request_t *r, const char *challenge, const char *html, ngx_str_t title) {
 
     ngx_buf_t *b = ngx_pcalloc(r->pool, sizeof(ngx_buf_t));
     ngx_chain_t out;
 
-    unsigned char buf[9000];
-    memcpy(buf, JS_SOLVER, sizeof(JS_SOLVER));
-    memcpy(buf + JS_SOLVER_CHALLENGE_OFFSET, challenge, SHA1_STR_LEN);
+    char challenge_c_str[SHA1_STR_LEN + 1];
+    memcpy(challenge_c_str, challenge, SHA1_STR_LEN);
+    *(challenge_c_str + SHA1_STR_LEN) = '\0';
+
+    char title_c_str[4096];
+    memcpy(title_c_str, title.data, title.len);
+    *(title_c_str + title.len) = '\0';
+
+    unsigned char buf[32768];
+
+    if (html == NULL) {
+        html = "<h2>Set the <code>js_challenge_html /path/to/body.html;</code> directive to change this page.</h2>";
+    }
+
+    size_t size = snprintf((char *) buf, sizeof(buf), JS_SOLVER_TEMPLATE, title_c_str, challenge_c_str, html);
 
     out.buf = b;
     out.next = NULL;
 
     // TODO: is that stack buffer gonna cause problems?
     b->pos = buf;
-    b->last = buf + sizeof(JS_SOLVER) - 1;
+    b->last = buf + size;
     b->memory = 1;
     b->last_buf = 1;
 
     r->headers_out.status = NGX_HTTP_OK;
-    r->headers_out.content_length_n = sizeof(JS_SOLVER) - 1;
+    r->headers_out.content_length_n = size;
     ngx_http_send_header(r);
 
     return ngx_http_output_filter(r, &out);
 }
 
 /**
- * @param bucket
- * @param addr
- * @param secret
  * @param out 40 bytes long string!
  */
-void get_challenge_string(int32_t bucket, ngx_str_t addr, const char *secret, char *out) {
+void get_challenge_string(int32_t bucket, ngx_str_t addr, ngx_str_t secret, char *out) {
     char buf[4096];
     unsigned char md[SHA1_MD_LEN];
 
+    char * p = (char*)&bucket;
     /*
      * Challenge= hex( SHA1( concat(bucket, addr, secret) ) )
      */
-    *((int32_t *) buf) = bucket;
+    memcpy(buf, p, sizeof(bucket));
     memcpy((buf + sizeof(int32_t)), addr.data, addr.len);
-    memcpy((buf + sizeof(int32_t) + addr.len), secret, strlen(secret));
+    memcpy((buf + sizeof(int32_t) + addr.len), secret.data, secret.len);
 
-    SHA1((unsigned char *) buf, (size_t) (sizeof(int32_t) + addr.len + strlen(secret)), md);
+    SHA1((unsigned char *) buf, (size_t) (sizeof(int32_t) + addr.len + secret.len), md);
     buf2hex(md, SHA1_MD_LEN, out);
 }
 
-int verify_response(int32_t bucket, ngx_str_t addr, const char *secret, ngx_str_t response, char *challenge) {
+int verify_response(ngx_str_t response, char *challenge) {
 
     /*
      * Response is valid if it starts by the challenge, and
-     * its SHA1 hash contains the digits 0xB00B5 at the offset
+     * its SHA1 hash contains the digits 0xB00B at the offset
      * of the first digit
      *
      * e.g.
@@ -165,9 +288,14 @@ int verify_response(int32_t bucket, ngx_str_t addr, const char *secret, ngx_str_
     unsigned char md[SHA1_MD_LEN];
     SHA1((unsigned char *) response.data, response.len, md);
 
-    unsigned int nibble1 = challenge[0] & 0xF0;
+    unsigned int nibble1;
+    if (challenge[0] <= '9') {
+        nibble1 = challenge[0] - '0';
+    } else {
+        nibble1 = challenge[0] - 'A' + 10;
+    }
 
-    return md[nibble1] == 0 && md[nibble1 + 1] == 0;
+    return md[nibble1] == 0xB0 && md[nibble1 + 1] == 0x0B ? 0 : -1;
 }
 
 int get_cookie(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value) {
@@ -200,60 +328,44 @@ int get_cookie(ngx_http_request_t *r, ngx_str_t *name, ngx_str_t *value) {
 
 static ngx_int_t ngx_http_js_challenge_handler(ngx_http_request_t *r) {
 
-    //TODO: If the bucket is less than 5sec away from the next one, accept both current and latest bucket
+    ngx_http_js_challenge_loc_conf_t *conf = ngx_http_get_module_loc_conf(r, ngx_http_js_challenge_module);
 
-    //TODO: argument
-    const char *secret = "my secret";
+    if (!conf->enabled) {
+        return NGX_DECLINED;
+    }
 
-    //TODO: argument
-    const long bucketSize = 30;
-
-    long bucket = r->start_sec - (r->start_sec % bucketSize);
+    unsigned long bucket = r->start_sec - (r->start_sec % conf->bucket_duration);
     ngx_str_t addr = r->connection->addr_text;
 
-    // Use real-ip ?
     char challenge[SHA1_STR_LEN];
-    get_challenge_string(bucket, addr, secret, challenge);
+    get_challenge_string(bucket, addr, conf->secret, challenge);
 
     ngx_str_t response;
     int ret = get_cookie(r, &((ngx_str_t) ngx_string("res")), &response);
 
-    //TODO: remove debug msg
-    char msg[4096];
-
-    sprintf(msg, "TS=%lu BUCKET=%lu SECRET=%s CHALLENGE=%s RET=%d COOKIE=%s",
-            r->start_sec, bucket, secret, challenge, ret, response.data);
-    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, msg);
-
-    get_challenge_string(bucket, addr, secret, challenge);
-
-    if (ret == NGX_DECLINED || verify_response(bucket, addr, secret, response, challenge) != 0) {
-        //Serve challenge
-        return serve_challenge(r, challenge);
+    if (ret < 0) {
+        return serve_challenge(r, challenge, conf->html, conf->title);
     }
 
+    get_challenge_string(bucket, addr, conf->secret, challenge);
+
+    if (verify_response(response, challenge) != 0) {
+        return serve_challenge(r, challenge, conf->html, conf->title);
+    }
+
+    // Fallthrough next handler
     return NGX_DECLINED;
 }
 
-//ngx_conf_set_flag_slot: translates "on" or "off" to 1 or 0
-//ngx_conf_set_str_slot: saves a string as an ngx_str_t
-//ngx_conf_set_num_slot: parses a number and saves it to an int
-//ngx_conf_set_size_slot: parses a data size ("8k", "1m", etc.) and saves it to a size_t
-
-
-static char *setup1(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
-//    ngx_http_core_loc_conf_t *clcf; /* pointer to core location configuration */
-//    clcf = ngx_http_conf_get_module_loc_conf(cf, ngx_http_core_module);
-//    clcf->handler = ngx_http_js_challenge_handler;
-    return NGX_CONF_OK;
-}
-
+/**
+ * post configuration
+ */
 static ngx_int_t ngx_http_js_challenge(ngx_conf_t *cf) {
 
     ngx_http_handler_pt *h;
-    ngx_http_core_main_conf_t *cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
+    ngx_http_core_main_conf_t *main_conf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
 
-    h = ngx_array_push(&cmcf->phases[NGX_HTTP_CONTENT_PHASE].handlers);
+    h = ngx_array_push(&main_conf->phases[NGX_HTTP_PRECONTENT_PHASE].handlers);
     if (h == NULL) {
         ngx_log_error(NGX_LOG_ERR, cf->log, 0, "null");
         return NGX_ERROR;