haproxy.conf

global
  # For normalize-uri
  expose-experimental-directives

frontend www
  mode http
  # 2 general purpose tags in this stick-table, we're using the second one here
  # (index 1).
  stick-table type ipv6 size 1m expire 2d store gpt(2)
  http-request track-sc0 src
  http-request normalize-uri path-merge-slashes
  http-request normalize-uri path-strip-dot
  http-request normalize-uri path-strip-dotdot

  # Adjust these to the paths you want to protect.
  acl protected_path path -m reg /(some-expensive/thing|another/).*
  # Matches the default config of anubis of triggering on "Mozilla"
  acl protected_ua hdr(User-Agent) -m beg Mozilla/
  acl protected acl(protected_path,protected_ua)

  acl accepted sc_get_gpt(1,0) gt 0
  http-request return status 200 content-type "text/html; charset=UTF-8" hdr "Cache-control" "max-age=0, no-cache" lf-file /etc/haproxy/challenge.html if protected !accepted
  use_backend challenge if { path /_challenge }

# This should not need changing except the name of the stick table to use
# (matches the frontend name by default).
backend challenge
  mode http
  option http-buffer-request
  # The parameter to table must match the stick table used in the frontend.
  http-request track-sc0 src table www
  acl challenge_req method POST
  http-request set-var(txn.tries) req.body_param(tries)
  http-request set-var(txn.ts) req.body_param(ts)
  http-request set-var(txn.host) hdr(Host),host_only
  http-request set-var(txn.hash) src,concat(;,txn.host,),concat(;,txn.ts,),concat(;,txn.tries),sha2,hex
  acl ts_recent date,neg,add(txn.ts) ge -60
  # 4 is the difficulty, should match "diff" in challenge.html.
  acl hash_good var(txn.hash) -m reg 0{4}.*
  http-request sc-set-gpt(1,0) 1 if challenge_req ts_recent hash_good
  http-request return status 200 if challenge_req hash_good
  http-request return status 400 content-type "text/html; charset=UTF-8" hdr "Cache-control" "max-age=0" string "Bad request" if !challenge_req OR !hash_good