Closed Pierre-ZACHARY closed 4 months ago
Hello,
Thank you for the report, I looked at the validation code and indeed the error message you got was confusing:

```go
if !contains([]string{HTTP, HTTPS}, config.CrowdsecLapiScheme) {
	return errors.New("CrowdsecLapiScheme: must be one of 'http' or 'https'")
}
if !contains([]string{"", HcaptchaProvider, RecaptchaProvider, TurnstileProvider}, config.CaptchaProvider) {
	return errors.New("CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'")
}
```

I will replace with `CaptchaProvider: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'`.
In your configuration, you have misspelled `turnstile` as `turnsite`.
To be transparent, we haven't tested the turnstile provider a lot, and we would be thankful if you could give us some feedback on it.
Oh right, my mistake, I thought the errors came from CrowdsecLapiScheme because of what the logs were giving, thanks for pointing it out.
However, when I tried with turnstile: first I had to edit the class name of the captcha container from cf-captcha to cf-turnstile, then it rendered the captcha and validated it, but traefik didn't receive the token / didn't notify crowdsec that the captcha was valid, and thus it keeps refreshing the page with the captcha and never removes the crowdsec decision. But I do receive metrics of captcha completion on my cloudflare account, so I don't think it's on their side.
Thanks for the feedback, we'll look into it @maxlerebourg
Hey @Pierre-ZACHARY, I just created a PR to fix the class name of the captcha element, thanks for notifying us about that. But now, I just tested it with the turnstile provider, and it's working as expected. Could you retry with the fix of the class name when @mathieuHa reviews and releases it?
Thanks for using our plugin 👍
We will keep testing in the upcoming days and release a new version afterwards.
Please feel free to share if that made your setup work, or if you think something is still wrong there.
> However, when I tried with turnstile: first I had to edit the class name of the captcha container from cf-captcha to cf-turnstile, then it rendered the captcha and validated it, but traefik didn't receive the token / didn't notify crowdsec that the captcha was valid, and thus it keeps refreshing the page with the captcha and never removes the crowdsec decision. But I do receive metrics of captcha completion on my cloudflare account, so I don't think it's on their side.

Without looking at any of the issues, I did the same thing and reached the same outcome with turnstile: captcha passes, a post request is made, but the bouncer doesn't get the response. The logs in DEBUG mode state the following every time the captcha page is reloaded and the captcha passes:

```
CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 handleRemediationServeHTTP ip:REDACTED remediation:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED_captcha
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Check ip:REDACTED pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Validate no captcha response found in request
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 handleRemediationServeHTTP ip:REDACTED remediation:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED_captcha
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Check ip:REDACTED pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Validate no captcha response found in request
```

EDIT: Here is a visual representation of what the user sees:
I hope this helps debugging. Thank you for developing this plugin @mathieuHa @maxlerebourg!
Hey @Ivomola, I've released v1.3.3-beta1 in the meantime to help test with non-dev instances.
This contains a first patch for Turnstile.
We'll keep testing over the weekend.
Just deployed and tested it, I can confirm it works now and the loop is gone. Thank you!!
Describe the bug 🐛
Traefik is logging an error saying "CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'"

```
2024-06-09T02:07:06Z ERR error="CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'" entryPointName=web routerName=whoamiapp-whoami-ingress-whoami-pierre-zachary-fr@kubernetes
```

I've followed the examples/kubernetes setup

Expected behavior 👀
CrowdsecLapiScheme should be http or https
I've tested with recaptcha and the behaviour is the one expected; seems to only happen with cloudflare

Context 🔎
Middleware values:

```yaml
spec:
  plugin:
    bouncer:
      CrowdsecLapiKey: 40796d93c2958f9e58345514e67740e5
      Enabled: "true"
      logLevel: DEBUG
      crowdsecMode: live
      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
      crowdsecLapiScheme: http
      captchaHTMLFilePath: /html/captcha.html
      banHtmlFilePath: /html/ban.html
      captchaProvider: turnsite
      captchaGracePeriodSeconds: 1800
      captchaSiteKey: ...
      captchaSecretKey: ...
```

Version (please complete the following information):
- Traefik 3.0.1
- Crowdsec v1.6.1-2
- crowdsec-bouncer-traefik-plugin 1.3.1

To Reproduce
Deploy whoami with above configurations and labels:

```yaml
traefik.ingress.kubernetes.io/router.middlewares: kube-system-bouncer@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: web
```