OpenResty Bot Protection Integration

OpenResty

Integrate BotBye bot protection into an OpenResty/nginx setup using the botbye-openresty Lua module. 1. Install the module on the server: sudo luarocks install botbye-openresty 2. In the nginx.conf http block, add BotBye configuration inside init_by_lua_block, a shared dict for the initRequest guard, and start the background request worker with init_worker_by_lua_block: http { resolver 8.8.8.8; lua_ssl_verify_depth 3; lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; // adjust path for your OS lua_shared_dict botbye_state 1m; init_by_lua_block { require("botbye").setConf({ botbye_server_key = '00000000-0000-0000-0000-000000000000' }) } init_worker_by_lua_block { require("botbye").initRequest() } } 3. The module provides three evaluation methods: - botbye.botValidation(token) — Level 1 edge-level bot check. Use in the access phase with the client-side token. - botbye.riskEvaluation(opts) — Level 2 domain-level risk scoring. Use when the backend knows the user and event context. opts: { ip, headers, user = { account_id, email?, username?, phone? }, event_type, event_status, botbye_result?, custom_fields? } - botbye.fullEvaluation(opts) — Combined Level 1 + Level 2 in a single call. opts: { token, ip, headers, request_method, request_uri, user = { account_id, email?, username?, phone? }, event_type, event_status, custom_fields? } Event statuses: "SUCCESSFUL", "FAILED", "ATTEMPTED", "UNKNOWN". response.decision returns "ALLOW", "CHALLENGE", or "BLOCK". response also contains risk_score, signals, and scores. 4. Example using botValidation in access_by_lua_block: location / { access_by_lua_block { if ngx.req.is_internal() == false then local botbye = require("botbye") local token = ngx.var.arg_botbye_token or "" local response, _, raw_body = botbye.botValidation(token) if response.decision == "BLOCK" then ngx.exit(403) end botbye.propagateResult(response, raw_body) end } } ngx.req.is_internal() prevents sending sub-requests (internal redirects) to BotBye. 5. After saving the config, reload OpenResty gracefully: sudo service openresty reload Available config keys in setConf: botbye_server_key (required), botbye_endpoint (default: https://verify.botbye.com), botbye_connection_timeout (default: 1000 ms). Full integration guide: https://botbye.com/docs/server-side/open-resty.md When the integration is complete, ask for the keys and replace the placeholder in the appropriate places.

Installation

On your server run the following command:

sudo luarocks install botbye-openresty

Configuration

Add the BotBye configuration below to the http block.

server-key available inside your Project.

By default, the configuration is located /usr/local/openresty/nginx/conf/nginx.conf

http {
    # ...
    resolver 8.8.8.8;
    lua_ssl_verify_depth 3;
    lua_ssl_trusted_certificate /path/to/certs/ca-certificates.crt;

    lua_shared_dict botbye_state 1m;

    init_by_lua_block {
        require("botbye").setConf({
            # Use your project server-key
            botbye_server_key = '00000000-0000-0000-0000-000000000000';
        });
    }

    init_worker_by_lua_block {
        require("botbye").initRequest()
    }
}

Make sure to replace the lua_ssl_trusted_certificate. For example, Ubuntu certificate path: /etc/ssl/certs/ca-certificates.crt

Usage

1. Add the following BotBye logic to a location block.

For some OpenResty distributions, this part is NOT located inside nginx.conf but in /usr/nginx/conf.d/default.conf

server {
    # ...
    location / {
        access_by_lua_block {
            if ngx.req.is_internal() == false then
                local botbye = require("botbye")

                -- Extract the token from wherever you pass it: query param, header, body, etc.
                local token = ngx.var.arg_botbye_token or ""
                local response, _, raw_body = botbye.botValidation(token)

                if response.decision == "BLOCK" then
                    ngx.exit(403)
                end

                -- Propagate result to Level 2
                botbye.propagateResult(response, raw_body)
            end
        }
    }
}

Using ngx.req.is_internal() avoids sending requests to BotBye when the calls are internal.

2. Reload OpenResty.

The command below will gracefully reload the configuration and apply any changes while serving existing connections.

sudo service openresty reload

There are three evaluation types — botValidation, riskEvaluation, and fullEvaluation — each suited for a different layer of your infrastructure.

botValidation — edge-level bot check

Use at the edge (OpenResty access phase) when you only need to decide whether the visitor is a bot. The token comes from the client-side SDK.

local botbye = require('botbye')
local token = ngx.var.arg_botbye_token or ''
local response, _, raw_body = botbye.botValidation(token)

if response.decision == 'BLOCK' then
    ngx.exit(403)
end

-- Propagate result to Level 2
botbye.propagateResult(response, raw_body)

riskEvaluation — domain-level risk scoring

Use when the backend already knows the user and wants to evaluate a specific business event (login, payment, registration, etc.) without a client-side token.

local botbye = require('botbye')
local response = botbye.riskEvaluation({
    ip = ngx.var.remote_addr,
    headers = ngx.req.get_headers(),
    user = {
        account_id = '12345',
        email = 'user@example.com',
        username = 'johndoe',
        phone = '+1234567890'
    },
    event_type = 'login',
    event_status = 'SUCCESSFUL',
    botbye_result = nil, -- if a botValidation call was made earlier, pass response.botbye_result here to link the requests; omit if there was no prior botValidation
    custom_fields = {
        region = 'EU'
    }
})

if response.decision == 'BLOCK' then
    ngx.exit(403)
end

Event statuses: SUCCESSFUL, FAILED, ATTEMPTED, UNKNOWN.

Linking botValidation and riskEvaluation events

When the same request is evaluated at two layers — for example, once at the edge (botValidation) and then again inside a backend service (riskEvaluation) — BotBye can link both events and display them as a single event in the dashboard.

Step 1 — edge layer (OpenResty access_by_lua_block): run botValidation and capture the result:

-- e.g. in access_by_lua_block
local botbye = require('botbye')
local token = ngx.var.arg_botbye_token or ''
local edgeResponse, _, raw_body = botbye.botValidation(token)

if edgeResponse.decision == 'BLOCK' then
    ngx.exit(403)
end

local edgeBotbyeResult = edgeResponse.botbye_result
-- Pass edgeBotbyeResult downstream — an ngx variable, shared dict, upstream header, etc.

Step 2 — domain service (auth, payment, account management): pass it as botbye_result in the riskEvaluation call:

-- e.g. in a content_by_lua_block handling login
local botbye = require('botbye')
local riskResponse = botbye.riskEvaluation({
    ip = ngx.var.remote_addr,
    headers = ngx.req.get_headers(),
    user = { account_id = userId, email = email },
    event_type = 'login',
    event_status = loginSucceeded and 'SUCCESSFUL' or 'FAILED',
    botbye_result = edgeBotbyeResult,
})

if riskResponse.decision == 'BLOCK' then
    ngx.exit(403)
end

botbye_result is nil when absent — in that case, omit or pass nil and the events will be recorded independently.

fullEvaluation — edge check and domain scoring in one call

Use when you have both the client-side token and the user/event context available at the same point and want to run Level 1 bot validation and Level 2 risk scoring in a single request.

local botbye = require('botbye')
local token = ngx.var.arg_botbye_token or ''
local response = botbye.fullEvaluation({
    token = token,
    ip = ngx.var.remote_addr,
    headers = ngx.req.get_headers(),
    request_method = ngx.req.get_method(),
    request_uri = ngx.var.request_uri,
    user = {
        account_id = '12345',
        email = 'user@example.com',
        username = 'johndoe',
        phone = '+1234567890'
    },
    event_type = 'login',
    event_status = 'SUCCESSFUL',
    custom_fields = {
        region = 'EU'
    }
})

if response.decision == 'BLOCK' then
    ngx.exit(403)
end

Settings

Setting	Description	Required	Default Value
botbye_server_key	Your BotBye server side key	yes	-
botbye_endpoint	Host of the API Server	no	https://verify.botbye.com
botbye_connection_timeout	Timeout for regular API calls	no	1000 (in milliseconds)

Demo

Dockerfile with the set up and the configuration to help you to integrate BotBye.

Examples of BotBye API responses

Blocked (bot detected):

{
  "request_id": "f77b2abd-c5d7-44f0-be4f-174b04876583",
  "decision": "BLOCK",
  "risk_score": 0.95,
  "scores": { "bot": 0.95 },
  "signals": ["AutomationTool"]
}

Allowed:

{
  "request_id": "f77b2abd-c5d7-44f0-be4f-174b04876583",
  "decision": "ALLOW",
  "risk_score": 0.05,
  "scores": { "bot": 0.05, "ato": 0.02 },
  "signals": []
}

Challenge:

{
  "request_id": "f77b2abd-c5d7-44f0-be4f-174b04876583",
  "decision": "CHALLENGE",
  "risk_score": 0.65,
  "scores": { "bot": 0.65 },
  "signals": ["SuspiciousFingerprint"],
  "challenge": { "type": "captcha", "token": "..." }
}

Invalid server-key:

{
  "decision": "ALLOW",
  "error": { "message": "[BotBye] Bad Request: Invalid Server Key" }
}