
Recaptcha Remediation is Broken

Open ciphermenial opened this issue 2 years ago • 9 comments

I recently reconfigured everything and tested a recaptcha decision. It never seems to detect that the recaptcha has been remediated.

ciphermenial avatar Sep 09 '23 13:09 ciphermenial

Same here, just stuck in a captcha loop.

mateuszdrab avatar Sep 28 '23 08:09 mateuszdrab

Hey 👋🏻

We have a pending patch that "kind of" fixes the issue https://github.com/crowdsecurity/cs-haproxy-bouncer/commit/6a61a8b6d4f31ef07b044e92ad4ceeb5f46fe591

HAProxy tries to go as fast as possible and sometimes it does not wait for the whole post body before our lua code fires; the merge above basically waits for some ms. However, it might not scale well.... There is an option to tell haproxy to wait for the full body; however, this can cause some DOS, as if they upload a 1gb file then haproxy will load the file into memory.

So it would be this https://docs.haproxy.org/2.8/configuration.html#4.2-http-request%20wait-for-body%20time and a condition to say less than your maximum upload

LaurenceJJones avatar Sep 29 '23 09:09 LaurenceJJones
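As an added example (not part of this thread and not the bouncer's shipped configuration), this is how the wait-for-body rule suggested above can be gated on the declared Content-Length so that only small, captcha-sized POSTs are buffered; the frontend/backend names, certificate path and the 4096-byte limit are assumptions.

```haproxy
# Added example, not the bouncer's own shipped configuration. Gate
# wait-for-body on a small declared body size so only captcha-sized POSTs
# are buffered. Names, paths and the 4k limit are assumptions.
frontend www
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # placeholder cert path
    mode http

    # Problematic form: waits for the body of every POST, whatever its size,
    # which is the DoS concern raised in the thread.
    # http-request wait-for-body time 1s if METH_POST

    # Hardened form: only wait when the client declares a small body. A
    # captcha verification POST is a few hundred bytes, so 4k is generous.
    # Requests without Content-Length (chunked) simply skip the wait.
    acl small_body req.hdr_val(content-length) le 4096
    http-request wait-for-body time 1s at-least 1k if METH_POST small_body

    # The bouncer's own lua http-request rules belong here, after the wait,
    # so the captcha response is already in the buffer when they run.
    default_backend app

backend app
    server app1 127.0.0.1:8080   # placeholder upstream
```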

Hey @LaurenceJJones

I'm running 0.0.7 so the fix is there but the issue is still ongoing.

Did I understand right that this is in conjunction with using http-request wait-for-body time 1s at-least 1k if METH_POST?

I'm presuming at-least does not need to be a large value considering that the captcha response POST body should not be a lot of data. It just needs to be the minimum to make sure the body is parsed correctly?

mateuszdrab avatar Sep 29 '23 09:09 mateuszdrab

> Did I understand right that this is in conjunction with using http-request wait-for-body time 1s at-least 1k if METH_POST?

Hmm, it should be used instead of the code, but we have very limited haproxy experience. So if you test it and find it works, any feedback you can provide will help us improve the example we provide.

LaurenceJJones avatar Oct 03 '23 08:10 LaurenceJJones

I think I figured out why this isn't working for me because I noticed a few times I did a few captchas in a row and suddenly it started working.

I'm running a few instances of haproxy and... Well you probably can guess the rest. I probably did all the captchas to satisfy all haproxy instances 🤣

So, I need to research if there's a way to share the content of the stick table between multiple instances.

mateuszdrab avatar Oct 04 '23 16:10 mateuszdrab

> I think I figured out why this isn't working for me because I noticed a few times I did a few captchas in a row and suddenly it started working.
>
> I'm running a few instances of haproxy and... Well you probably can guess the rest. I probably did all the captchas to satisfy all haproxy instances 🤣
>
> So, I need to research if there's a way to share the content of the stick table between multiple instances.

Thank you for the update, makes sense now I think about it, as once you solve for one node it won't be propagated to others as the decision is only held for that node. I'd be interested in knowing if it can be, and if not, whether a solution like redis or memcached would be needed to have a shared pool.

LaurenceJJones avatar Oct 05 '23 08:10 LaurenceJJones


It can be done through stick table peering https://www.haproxy.com/blog/introduction-to-haproxy-stick-tables#peers

However, in Kubernetes, there's little to no support for that unfortunately. https://github.com/haproxytech/kubernetes-ingress/issues/32

mateuszdrab avatar Oct 05 '23 10:10 mateuszdrab

@mateuszdrab I have recently configured Crowdsec and am still running into the same issues with the captcha loop. I am only running 1 haproxy instance, and was not able to fix it in the way you did. However, since your captcha is working, would you be able to provide your config file / any changes you made from the standard installation? Thanks!

SahilPatel650 avatar Feb 24 '24 21:02 SahilPatel650

I have the same issue with captcha loop

dyipon avatar Aug 16 '24 20:08 dyipon

If you are running one instance of HAProxy, it is most likely that your defined body read and body timeout reads are being hit and the lua is not able to get the full post body, hence the captcha cannot be verified, hence the loop. As suggested above, you must play around with HAProxy settings to find a balance between this, as by default haproxy tries not to cause latency between itself and the end server.

Classing as "not planned" till users can provide exact details that show a bug or error in code that doesn't rely on client / server networking

LaurenceJJones avatar Aug 28 '24 13:08 LaurenceJJones

I haven't made any changes and it appears to be working again.

ciphermenial avatar Sep 04 '24 01:09 ciphermenial