[netsectoday]

I played with the HTTP/2.0 only protection a while back but had legit users complain that the site wouldn't load (they were running old browsers).

How did you set up LUA scripting to provide a JS hidden browser test with Nginx and HAProxy?

[LinuxBender]

To find the LUA scripts that do not depend on a centralized catcha service, search for "nginx lua ddos". [1][2] I do not have a live example at the moment as I took my hobby sites offline while the dust settles around the new California AB 2273 law.

Most of these give site-wide examples but one can run the LUA by locations or other ACL's to protect specific resources or exclude specific resources from protection. e.g. RSS feeds.

[1] - https://github.com/C0nw0nk/Nginx-Lua-Anti-DDoS

[2] - https://github.com/satrobit/lua-resty-ddos