Anubis Blocking My Gentoo Browsers

[Hu]

This failed for me for 4 weeks straight (hence why I have been completely absent from the forums), then today, it mysteriously started working. I was blocked from the forums since Anubis was first activated on the weekend of August 10th. Anubis always picked the JavaScript challenge, then failed because NoScript quite rightly blocked it. This domain has worked properly for (at least) 18 years without JavaScript, and I'm not going to enable something as expensive as Anubis's proof-of-work JavaScript, especially when it appears without warning and there is no mention anywhere else that it is even supposed to be here. Even now, 4 weeks later, I can't find anything outside forums.gentoo.org (which was entirely blocked) that even mentions that Anubis might be used on forums.gentoo.org. No posts on any of the archived Gentoo mailing lists. No bug reports. No news posts on www.gentoo.org.

I'd suspect that then the crawler/spammer blocker (anubis) itself would become the target of spammers.

That depends on how the report is done. If the report just produces right in the page an easy-to-copy summary, but the user is still responsible for conveying it, then there is no increased spam risk relative to today. This would be similar to how we ask users to run emerge --info to produce an easy-to-copy summary of Portage state, but that does not, on its own, go anywhere. Users then pick what pastebin/bug/forum post to send the output to. Providing an in-page summary of what the Anubis author (or other support/triage people) will request, in a structured form, should improve the quality of problem reports, relative to the current situation where users start with "Anubis is blocking me", then support needs to ask about browser, version, cookies, etc., and hope the user collects all that in one go. Speaking from long experience on the forums, it's annoyingly common for users to answer some, but not all, of the mandatory questions, and then support needs to remind the reporter to answer the rest of the questions. It's also quite common for users to lack the background to collect all the answers without some extra help. Automating that collection will simplify the reporting process for those users.

For the record, for *most* users with Gentoo's chosen settings, Anubis "should" be giving a non-javascript challenge using metarefresh and still work even if you block javascript -- but it may force the javascript one only if it thinks something is suspicious and is more likely to be a AI crawler -- Edit: changing your user agent from default or using outdated browsers can potentially cause this for example.

I had not done anything to make myself suspicious, and Anubis always went straight to the JavaScript challenge.

If anyone that is having issues has blocked metarefresh somehow that may be your problem though (I don't use librewolf/firefox but I think there's some about:config accessibility setting blockautorefresh or something similar that can disable it, I vaguely recall it may have per-site settings too).

That setting merely disables automatic refresh. When the Anubis guarding gcc's bugzilla was upgraded to offer metarefresh[1], I had to hit Allow on the refresh for Firefox to follow it, and then it worked. ([1]: gcc started out using an Anubis that could only do the JavaScript challenge, so I was blocked from it for a while. Eventually, Anubis released, and gcc upgraded to, a version that supported metarefresh.)

Try with a clean profile without special settings or extensions to be sure it's not due to your settings rather than the browser itself anyhow.

This is decent advice, and would be even better if posted somewhere that people blocked by Anubis could see it.

How long should the the anubis challenge take? My PC is low-end and passively cooled, and the challenge usually takes anywhere between 15 en 30 seconds. Since i'm quite aggressive with deleting cookies it's becoming really annoying.

Zucca answered one half of "should". I want to answer the other. From what I recall of user interface guidance (from back before it was called "user experience"), if a task needs more than 0.1 seconds, then the task needs to provide feedback assuring the user that it is doing something. If the task needs more than 1.0 seconds, the user feels like they are being forced to wait for the computer. If the task needs more than 10 seconds, then the user's attention wanders, and getting back on track when the task finally finishes is harder. https://stackoverflow.com/a/4210173 recounts this; a comment to that answer asserts those times are generous, and some users are even less patient than that. Putting those times into the context from pa4wdh's question, it seems that low-end system is being given a challenge well beyond its capability to solve within the user's patience limit. A cynical interpretation of this data would be that users on low-end systems are not welcome on Anubis-protected sites.

It takes as long as your PC has "mined" the correct sha answer, unless you disable javascript, then it should just use html meta redirect/refresh if I'm not mistaken.

Not quite. Anubis uses some opaque decision function to pick whether to use metarefresh or JavaScript proof-of-work. If Anubis picks JavaScript proof-of-work, and the client has JavaScript disabled, then Anubis does not fall back to metarefresh. It simply fails, and the client goes nowhere. Confusingly, the failure claims that a no-JS version is "a work in progress", when the reality is that the no-JS version is functional, but this particular challenge from this particular Anubis has chosen not to use it.

[sam_]

This failed for me for 4 weeks straight (hence why I have been completely absent from the forums), then today, it mysteriously started working. I was blocked from the forums since Anubis was first activated on the weekend of August 10th. Anubis always picked the JavaScript challenge, then failed because NoScript quite rightly blocked it. This domain has worked properly for (at least) 18 years without JavaScript, and I'm not going to enable something as expensive as Anubis's proof-of-work JavaScript, especially when it appears without warning and there is no mention anywhere else that it is even supposed to be here. Even now, 4 weeks later, I can't find anything outside forums.gentoo.org (which was entirely blocked) that even mentions that Anubis might be used on forums.gentoo.org. No posts on any of the archived Gentoo mailing lists. No bug reports. No news posts on www.gentoo.org.

On the infra side, we had communicated a few times that we may employ Anubis on the forums, and I was hoping or expecting that the forums people (who were communicated with) would pass that on as required. We also deliberately did not employ Anubis until we had an option (a non-JS challenge) for you and others, but you were a particular consideration.

I had noticed your absence and someone did try to reach out to debug what wasn't working for you but apparently the email bounced.

I think it's a fair point that it wasn't announced on the ML, though I'm also not sure what difference it would've made (or perhaps we'd be having the same discussion but with someone saying the phrasing wasn't open enough to accommodations or something like that, dunno). That's not to say I think it would've been a bad idea, just I'm not sure how it would've actually solved anything here.

We'll keep this in mind if and when Anubis is deployed on any other services. Another factor here was that it was sort of done on an experimental basis to see if it would help rather than being deployed as if it definitely would, so the point at which the experiment was "over" wasn't really clear.

As for the rest, will speak to Xe about how we can handle some of it and may need some details from you to see why metarefresh wasn't behaving as we'd like.

[Hu]

The hard block from the JavaScript challenge was the first I had seen of anything Anubis-related on anything Gentoo-related. I never saw any mention from anyone that it was even being contemplated, and then one day, it was just there. An announcement on a resource not blocked by Anubis, even belatedly, stating the position of the infrastructure team about Anubis, could have helped. For example, it could address:

• Whether infrastructure considered the JavaScript proof-of-work a hard requirement, or if the metarefresh was supposed to work. Old versions of Anubis couldn't even do metarefresh, and it's my understanding that even those versions which can do implement metarefresh offer a server-side knob of whether to allow it, so without any policy statement, it looked to me like the administrator had decided to force the proof-of-work version.
• What to do if the user is blocked: just go away? Get on IRC? File a bug? E-mail somebody? (If so, who?) Some of those questions are actually answered in this thread - which was unreachable for affected users due to Anubis.
• What is the expected level of expense for the proof-of-work in user seconds wasted waiting, and has the infrastructure team decided whether that level is the minimum acceptable for the protection that Gentoo requires? Per pa4wdh's post, some people access the forums from hardware which seriously struggles to complete the proof-of-work difficulty that Anubis was picking. I don't know how much of that is because Anubis was picking something hard and how much of it is a commentary on just how expensive the "easy" challenges are for systems designed to be low-power.

Yes, when Anubis stopped blocking me, I found a private message from someone who mentioned having tried (and failed) to reach me via e-mail. That account doesn't get much mail, and the provider seems to lock it if I go too long without reading it. That account is also completely unlisted. I don't use it for anything other than receiving mail from automated systems, like the forums. I don't publish it anywhere. Non-administrators can't even see the address I have for this account, as far as I know. (As a corollary, I would appreciate if those who can see it would refrain from posting it where it can be seen by unprivileged users.) As a result of its generally minimal usage, it tends to go long periods without needing attention, since I mainly read it when I know I am about to, or just did, receive mail.

[XeIaso]

Hi, please forgive me in advance. I tried to format this in BBCode but gave up and will be using Markdown to format this instead. Apologies for the non-native formatting. I am trying.

> That depends on how the report is done. If the report just produces right in the page an easy-to-copy summary, but the user is still responsible for conveying it, then there is no increased spam risk relative to today. This would be similar to how we ask users to run emerge --info to produce an easy-to-copy summary of Portage state, but that does not, on its own, go anywhere.

I have been working on something like this, but I have also been getting a lot of abuse and hate recently and something that opens the door to getting more of it is really not on the front burner. If there is a false negative or false positive, the correct way to report it is to open an issue on GitHub (https://github.com/TecharoHQ/anubis/issues). I currently don't self host the Anubis repo or bug tracker on my own infrastructure to avoid the bootstrapping paradox of needing to use something like Anubis to protect the way that you use to report issues with Anubis.

> Providing an in-page summary of what the Anubis author (or other support/triage people) will request, in a structured form, should improve the quality of problem reports, relative to the current situation where users start with "Anubis is blocking me", then support needs to ask about browser, version, cookies, etc., and hope the user collects all that in one go.

I am working on a GitHub issue template for getting that information, which will include visiting a URL on https://halone.within.lgbt so that the server-side-observed metadata can be recorded and compared against.

> I had not done anything to make myself suspicious, and Anubis always went straight to the JavaScript challenge.

Can you make a complete list of every single thing you have done to your browser from the unmodified out of the box defaults including extensions, settings changed, and other things? I mainly test against the default out of the box configuration because I am a single person working on this and my test matrix is already impossibly large as it is. Extensions like NoScript, JShelter, whatever cookie blocker, etc cause me to have to exponentially increase the size of that testing matrix and I haven't had the time to make a proper integration jungle like I've wanted.

To give you an idea of how crazy this testing matrix is, here is a detailed writeup of bizarre and hard to replicate issues with a mobile phone that had an odd number of CPU cores: https://anubis.techaro.lol/blog/2025/cpu-core-odd.

> That setting merely disables automatic refresh. When the Anubis guarding gcc's bugzilla was upgraded to offer metarefresh[1], I had to hit Allow on the refresh for Firefox to follow it, and then it worked. ([1]: gcc started out using an Anubis that could only do the JavaScript challenge, so I was blocked from it for a while. Eventually, Anubis released, and gcc upgraded to, a version that supported metarefresh.)

What extension does that behaviour? Why are you using this extension in general? I'd like to know so I can adjust my testing matrix appropriately.

> A cynical interpretation of this data would be that users on low-end systems are not welcome on Anubis-protected sites.

My intent behind working on Anubis is to keep websites online. Websites that are offline cannot teach anyone anything. I have been working on lighter weight challenge methods using JavaScript such as the "proof of React" challenge (https://anubis.techaro.lol/docs/admin/c ... ges/preact, which is mostly based on time more than anything). I am actively trying to obviate the proof of work from the equation, but it takes a lot of time to reverse engineer browser behaviour.

> Not quite. Anubis uses some opaque decision function to pick whether to use metarefresh or JavaScript proof-of-work. If Anubis picks JavaScript proof-of-work, and the client has JavaScript disabled, then Anubis does not fall back to metarefresh. It simply fails, and the client goes nowhere. Confusingly, the failure claims that a no-JS version is "a work in progress", when the reality is that the no-JS version is functional, but this particular challenge from this particular Anubis has chosen not to use it.

Anubis uses a combination of risk score and thresholds (https://anubis.techaro.lol/docs/admin/c ... thresholds) to decide how to handle clients. This is fairly opaque to the client by design to avoid "leaking" details of how the administrator configured it. The meta refresh challenge is a work in progress because the abusive scrapers are starting to learn how to handle it, meaning that more time is being spent trying to reverse engineer their behaviour akin to figuring out plays based on shadows cast onto the cave walls.

I can look into a way to make sure that people can "fall back" to the meta refresh challenge, but this would be something that would be off by default and administrators would need to choose to enable it.

This project is a work in progress and I do want to make it better. I do actually care about making it less visible and have been doing active research into how to make sure that legitimate clients can get through without issues. It is just slow going because this is frankly a difficult problem.

I hope this gave some context into the situation.

Be well,

[NeddySeagoon]

XeIaso,

You wanted to write

Not quite. Anubis uses some opaque decision function to pick whether to use metarefresh or JavaScript proof-of-work. If Anubis picks JavaScript proof-of-work, and the client has JavaScript disabled, then Anubis does not fall back to metarefresh. It simply fails, and the client goes nowhere. Confusingly, the failure claims that a no-JS version is "a work in progress", when the reality is that the no-JS version is functional, but this particular challenge from this particular Anubis has chosen not to use it.

That's [ quote="Hu" ]at the start of the quote and [ /quote ] at the end. Spaces added by me as a BBC spoiler.

If you select the text an click the quote button the forums will wrap the text in quote tags.
Yous need to add the ="attribution" inside the opening quofe tag.

[pa4wdh]

How long should the the anubis challenge take? My PC is low-end and passively cooled, and the challenge usually takes anywhere between 15 en 30 seconds. Since i'm quite aggressive with deleting cookies it's becoming really annoying.

Zucca answered one half of "should". I want to answer the other. From what I recall of user interface guidance (from back before it was called "user experience"), if a task needs more than 0.1 seconds, then the task needs to provide feedback assuring the user that it is doing something. If the task needs more than 1.0 seconds, the user feels like they are being forced to wait for the computer. If the task needs more than 10 seconds, then the user's attention wanders, and getting back on track when the task finally finishes is harder. https://stackoverflow.com/a/4210173 recounts this; a comment to that answer asserts those times are generous, and some users are even less patient than that. Putting those times into the context from pa4wdh's question, it seems that low-end system is being given a challenge well beyond its capability to solve within the user's patience limit. A cynical interpretation of this data would be that users on low-end systems are not welcome on Anubis-protected sites.

It actually does display a progress bar, but of course it can't know upfront how long it's going to take, so sometimes it's done when the progress indicator is halfway, sometimes it sticks for ages at "almost done". In that sense it seems to be worthless in actually displaying progress .
What i actually did is to open the gentoo forums, immediately open a second tab, visit another forum, and since that forum is not very active i was usually done with that forum before anubis was ready, so that certainly fits your description "If the task needs more than 10 seconds, then the user's attention wanders" .

[Hu]

Hi, please forgive me in advance. I tried to format this in BBCode but gave up and will be using Markdown to format this instead.

Neddy gave good advice on how to do this by hand. The easiest approach though is just to choose to reply-with-quote, and let the forum prepopulate the response with the appropriate quote tags.

I have been working on something like this, but I have also been getting a lot of abuse and hate recently and something that opens the door to getting more of it is really not on the front burner.

I am not proposing making it easier for people to submit reports. I only propose making it easy for them to gather information so that, if they choose to manually submit a report, it is a good one. Your reference in the next paragraph (not quoted) to the lgbt server would satisfy this nicely.

As for abuse, I'm not surprised. The user experience on a false-positive is terrible. The block page advertises Anubis and CELPHASE, but does not direct users how to contact the operator who actually installed the misbehaving Anubis instance. Lacking any other directions, I'd expect users to come straight to you, even though you cannot help them. At least some sites that use Anubis will be used by people who are inclined to shoot first and ask questions later. This is further exacerbated by the fact that users hit this block page when they're trying to do useful work, and Anubis steps in and smacks them down without adequate explanation. It took very few false positives with Anubis for me to come to despise it.

Maybe CELPHASE asked to be credited on the block page, but personally, I wouldn't want my name and contact information advertised on the page shown to users who just got blocked, and are now upset that they can't get the document they requested. That seems like setting up for CELPHASE to catch some unjustified collateral abuse.

If there is a false negative or false positive, the correct way to report it is to open an issue on GitHub (https://github.com/TecharoHQ/anubis/issues).

This is good to know. However, (1) it requires a GitHub account (which in turn has quite a long Terms of Service document to read) and (2) from what I recall of the Anubis failure page, there is no mention in that page about this. Anyone who was blocked is thus left with no way to learn what they should do to get unblocked. This goes to a more general problem with the block pages. They should direct people how to contact the guilty operator, not encourage people to go directly to you.

> I had not done anything to make myself suspicious, and Anubis always went straight to the JavaScript challenge.

Can you make a complete list of every single thing you have done to your browser from the unmodified out of the box defaults including extensions, settings changed, and other things?

No. I don't keep my browser profile under source control, and I've had it long enough that I cannot tell you from memory everything I've ever needed to change. However, I can refer you back to the original post of this thread. As I understood that poster, an out-of-the-box firefox-bin on Gentoo in a VM was blocked by Anubis. I will caution that it sounds like that was actually a harder block than I hit. My problem was "only" that Anubis was insisting on a CPU-wasting proof-of-work that NoScript correctly blocked. OP's problem reads more like he was dropped into a dead end from which there was no exit, even if he did run expensive script.

I mainly test against the default out of the box configuration because I am a single person working on this and my test matrix is already impossibly large as it is. Extensions like NoScript, JShelter, whatever cookie blocker, etc cause me to have to exponentially increase the size of that testing matrix and I haven't had the time to make a proper integration jungle like I've wanted.

I am a devoted NoScript user from way back, and believe the world would be a better place if browser vendors had shipped, as a standard feature, at least a basic version of NoScript twenty years ago, before the current generation of site authors developed the mindset of just assuming every browser will run every crazy script referenced in the page. If the site authors had to stop and think about whether the page would work for a first-time user who hasn't yet been convinced to allow scripts, maybe the experience with scripts blocked would not be quite so bad.

To give you an idea of how crazy this testing matrix is, here is a detailed writeup of bizarre and hard to replicate issues with a mobile phone that had an odd number of CPU cores: https://anubis.techaro.lol/blog/2025/cpu-core-odd.

Yes, I read that post a few weeks ago. I spent a fair bit of time reading up on Anubis when I realized what a problem it was becoming.

> That setting merely disables automatic refresh. When the Anubis guarding gcc's bugzilla was upgraded to offer metarefresh[1], I had to hit Allow on the refresh for Firefox to follow it, and then it worked.

What extension does that behaviour? Why are you using this extension in general? I'd like to know so I can adjust my testing matrix appropriately.

There probably is some extension to slap a nice GUI on this, but I likely flipped it right in about:config. I set this a long time ago because I don't like the user experience of being bounced through multiple pages without warning. I don't think there is anything Anubis can or should do with regard to this setting. Anubis sent a meta-refresh redirect. Firefox obeyed my preference to ask for permission before following it. I granted that permission. Firefox followed the redirect, and Anubis allowed me to access the requested content. This was a substantial improvement over the earlier Anubis version that dumped me into a proof-of-work challenge when trying to read any gcc bug reports.

> A cynical interpretation of this data would be that users on low-end systems are not welcome on Anubis-protected sites.

My intent behind working on Anubis is to keep websites online. Websites that are offline cannot teach anyone anything.

Sites that indefinitely block someone with no explanation cannot be used by affected users, either.

I have been working on lighter weight challenge methods using JavaScript such as the "proof of React" challenge (https://anubis.techaro.lol/docs/admin/c ... ges/preact, which is mostly based on time more than anything).

Proof of React is an interesting idea to cut down on the CPU load, but it still has the critical flaw that it requires users to run JavaScript. As long as you cling to solutions that require JavaScript, you will continue to have problems with NoScript users. Further, since Anubis has built up a reputation for its JavaScript being very expensive (such as what keeps happening to pa4wdh with needing 30 seconds(!) to complete one challenge), I expect that people who use NoScript will not be eager to go around granting Anubis permission to run any scripts. On the bright side, perhaps the repeated CPU abuse from Anubis will encourage more people to install NoScript.

This is fairly opaque to the client by design to avoid "leaking" details of how the administrator configured it.

Yes, this is one place where security through obscurity is worth at least a small amount.

The meta refresh challenge is a work in progress because the abusive scrapers are starting to learn how to handle it

Although unfortunate, that is entirely expected.

I can look into a way to make sure that people can "fall back" to the meta refresh challenge, but this would be something that would be off by default and administrators would need to choose to enable it.

I thought Anubis preferred meta-refresh for any clients it deemed sufficiently low risk, in which case anyone who doesn't get meta-refresh now is by definition too risky to allow them to use it even as a manually initiated fallback.

It is just slow going because this is frankly a difficult problem.

Yes. I think that you will never be able to build a system that the scrapers cannot solve if they care to try. At best, you will build a system like the JavaScript proof-of-work, where you antagonize everyone equally with busy work, and then hope that the scrapers aren't willing to do enough busy work to get all the content they want. At some point, the scrapers may switch to running a full browser under Xvfb and driving it via an extension, at which point Anubis will conclude the scraper is a "real browser" and let it through. Yes, it's expensive CPU wise, but I expect anyone who has the CPU capacity to run the LLM on the backend after training can afford the CPU time to solve proof-of-work challenges during the training collection phase.

[Chiitoo]

It would be nice to get back to testing this out, so that no real users get left out.

This, or some other solution.

Currently the best we can do, is a few infra people whack-a-scraper game playing daily. Manually.

I'm especially curious about the big CPU time the tests have taken for some with Anubis encounters.

For me it has always been less than a second.

Most will be using the JavaScript version though, which we didn't.

In any case, a very belated big thanks to sam_ for the work he did on this, and more!

[szatox]

Currently the best we can do, is a few infra people whack-a-scraper game playing daily. Manually.

Isn't it a perfect job for stuff like fail2ban? It should be capable of counting entries in access log.

I personally use iptabables with hashlimit on NEW connections for throttling ssh bruteforce attempts, but it could as well count all packets and rate limit or disconnect clients which exceed burst size instead of only preventing reconnects. This should work fine for a HTTP server (a bunch of short-lived connections transferring small amount of data followed by a long pause).
This one has the advantage of being done completely in kernel, without any need for the protected application to cooperate, so it's lightweight and bans kick in instantly.