maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection
Apache License 2.0

[BUG] CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile' ? #174

Open Pierre-ZACHARY opened 1 month ago

Pierre-ZACHARY commented 1 month ago

Describe the bug 🐛

Traefik is logging an error saying "CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'":

```
2024-06-09T02:07:06Z ERR error="CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'" entryPointName=web routerName=whoamiapp-whoami-ingress-whoami-pierre-zachary-fr@kubernetes
```

I've followed the examples/kubernetes setup

Expected behavior 👀 CrowdsecLapiScheme should be http or https

I've tested with recaptcha and the behaviour is the one expected; seems to only happen with cloudflare

Context 🔎

Middleware values:

```yaml
spec:
  plugin:
    bouncer:
      CrowdsecLapiKey: 40796d93c2958f9e58345514e67740e5
      Enabled: "true"
      logLevel: DEBUG
      crowdsecMode: live
      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
      crowdsecLapiScheme: http
      captchaHTMLFilePath: /html/captcha.html
      banHtmlFilePath: /html/ban.html
      captchaProvider: turnsite
      captchaGracePeriodSeconds: 1800
      captchaSiteKey: ...
      captchaSecretKey: ...
```

Version (please complete the following information):

- Traefik 3.0.1
- Crowdsec v1.6.1-2
- crowdsec-bouncer-traefik-plugin 1.3.1

To Reproduce

Deploy whoami with the above configuration and these labels:

```yaml
traefik.ingress.kubernetes.io/router.middlewares: kube-system-bouncer@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: web
```

mathieuHa commented 4 weeks ago

Hello,

Thank you for the report. I looked at the validation code and indeed the error message you got was confusing:

```go
    if !contains([]string{HTTP, HTTPS}, config.CrowdsecLapiScheme) {
        return errors.New("CrowdsecLapiScheme: must be one of 'http' or 'https'")
    }
    if !contains([]string{"", HcaptchaProvider, RecaptchaProvider, TurnstileProvider}, config.CaptchaProvider) {
        return errors.New("CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'")
    }
```

I will replace it with `CaptchaProvider: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'`.

In your configuration, you have misspelled `turnstile` as `turnsite`.

To be transparent, we haven't tested the turnstile provider a lot, and we would be thankful if you could give us some feedback on it.
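The confusion above comes from the second check validating `CaptchaProvider` while its error is labelled `CrowdsecLapiScheme`, so the reporter looked at the wrong field. The following is an added example written for this page, not the plugin's code: a validator that names the offending field in each error and, going beyond what the snippet above does, suggests the closest allowed value when the input is a near-miss such as `turnsite`. The constant names mirror those in the snippet; the `Config` struct and the `Validate`, `closest`, `levenshtein` and `min3` helpers are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// Allowed values, using the same constant names the validation snippet
// above compares against.
const (
	HTTP  = "http"
	HTTPS = "https"

	HcaptchaProvider  = "hcaptcha"
	RecaptchaProvider = "recaptcha"
	TurnstileProvider = "turnstile"
)

// Config carries only the two fields this issue is about (hypothetical
// struct for the example, not the plugin's).
type Config struct {
	CrowdsecLapiScheme string
	CaptchaProvider    string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein returns the edit distance between a and b; it is only used to
// suggest the closest allowed value in an error message.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// closest returns the allowed value within two edits of s, or "" if none.
func closest(allowed []string, s string) string {
	best, bestDist := "", 3
	for _, v := range allowed {
		if d := levenshtein(v, s); d < bestDist {
			best, bestDist = v, d
		}
	}
	return best
}

// Validate checks each field and names that field in its error, so a
// misspelled captcha provider is never reported as a LAPI scheme problem.
func Validate(c Config) error {
	if !contains([]string{HTTP, HTTPS}, c.CrowdsecLapiScheme) {
		return fmt.Errorf("CrowdsecLapiScheme: must be one of 'http' or 'https' (got %q)", c.CrowdsecLapiScheme)
	}
	providers := []string{HcaptchaProvider, RecaptchaProvider, TurnstileProvider}
	// An empty provider means "no captcha remediation", as in the original check.
	if c.CaptchaProvider != "" && !contains(providers, c.CaptchaProvider) {
		msg := fmt.Sprintf("CaptchaProvider: must be one of 'hcaptcha', 'recaptcha' or 'turnstile' (got %q)", c.CaptchaProvider)
		if hint := closest(providers, c.CaptchaProvider); hint != "" {
			msg += fmt.Sprintf("; did you mean %q?", hint)
		}
		return errors.New(msg)
	}
	return nil
}

func main() {
	// Constructed input: the reporter's configuration, with the typo "turnsite".
	fmt.Println(Validate(Config{CrowdsecLapiScheme: "http", CaptchaProvider: "turnsite"}))
	// A wrong scheme is still reported under its own field name.
	fmt.Println(Validate(Config{CrowdsecLapiScheme: "ftp", CaptchaProvider: "turnstile"}))
}
```

With the reporter's values the error now reads `CaptchaProvider: must be one of ... (got "turnsite"); did you mean "turnstile"?`, which points straight at the misspelled key instead of at the LAPI scheme.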

Pierre-ZACHARY commented 3 weeks ago

Oh right, my mistake, I thought the error came from CrowdsecLapiScheme because of what the logs were showing; thanks for pointing that out.

However, when I tried with turnstile: first I had to edit the class name of the captcha container from `cf-captcha` to `cf-turnstile`; then it rendered the captcha and validated it, but Traefik didn't receive the token / didn't notify CrowdSec that the captcha was valid, and thus it kept refreshing the page with the captcha and never removed the CrowdSec decision. But I do receive metrics of captcha completion on my Cloudflare account, so I don't think it's on their side.

mathieuHa commented 3 weeks ago

> Oh right, my mistake, I thought the error came from CrowdsecLapiScheme because of what the logs were showing; thanks for pointing that out.
>
> However, when I tried with turnstile: first I had to edit the class name of the captcha container from `cf-captcha` to `cf-turnstile`; then it rendered the captcha and validated it, but Traefik didn't receive the token / didn't notify CrowdSec that the captcha was valid, and thus it kept refreshing the page with the captcha and never removed the CrowdSec decision. But I do receive metrics of captcha completion on my Cloudflare account, so I don't think it's on their side.

Thanks for the feedback, we'll look into it @maxlerebourg

maxlerebourg commented 2 weeks ago

Hey @Pierre-ZACHARY, I just created a PR to fix the class name of the captcha element, thanks for notifying us about that. But now, I just tested it with the turnstile provider, and it's working as expected. Could you retry with the class-name fix once @mathieuHa has reviewed and released it?

Thanks for using our plugin 👍

mathieuHa commented 2 weeks ago

> Hey @Pierre-ZACHARY, I just created a PR to fix the class name of the captcha element, thanks for notifying us about that. But now, I just tested it with the turnstile provider, and it's working as expected. Could you retry with the class-name fix once @mathieuHa has reviewed and released it?
>
> Thanks for using our plugin 👍

We will keep testing in the upcoming days and release a new version afterwards.
Please feel free to share if that made your setup work, or if you think something is still wrong there.

Ivomola commented 2 weeks ago

> However, when I tried with turnstile: first I had to edit the class name of the captcha container from `cf-captcha` to `cf-turnstile`; then it rendered the captcha and validated it, but Traefik didn't receive the token / didn't notify CrowdSec that the captcha was valid, and thus it kept refreshing the page with the captcha and never removed the CrowdSec decision. But I do receive metrics of captcha completion on my Cloudflare account, so I don't think it's on their side.

Without looking at any of the issues, I did the same thing and reached the same outcome with turnstile: the captcha passes, a POST request is made, but the bouncer doesn't get the response. The logs in DEBUG mode show the following every time the captcha page is reloaded and the captcha passes:

```
CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 handleRemediationServeHTTP ip:REDACTED remediation:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED_captcha
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Check ip:REDACTED pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Validate no captcha response found in request
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 handleRemediationServeHTTP ip:REDACTED remediation:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED_captcha
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Check ip:REDACTED pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Validate no captcha response found in request
```

EDIT: Here is a visual representation of what the user sees: [animated GIF attachment]

I hope this helps debugging. Thank you for developing this plugin @mathieuHa @maxlerebourg!
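The debug line `captcha:Validate no captcha response found in request` above says the bouncer never found a token in the POST, even though Cloudflare recorded a solved challenge. Each provider's widget fills a provider-specific form field (`h-captcha-response`, `g-recaptcha-response`, `cf-turnstile-response`) and is rendered into a container with a provider-specific class (`h-captcha`, `g-recaptcha`, `cf-turnstile`), so reading the wrong field or rendering the wrong class produces exactly this reload loop. What follows is an added example written for this page, not the plugin's code and not the patch shipped in v1.3.3-beta1 (the thread does not say what that patch changed): it selects class, field and siteverify endpoint from the provider name, returns a distinct error when the token is absent, and verifies the token server-side. The `captchaProviders` table and the `WidgetHTML`, `ExtractResponse`, `Verify` and `newFormRequest` names are this example's own; the field names and siteverify URLs are the providers' documented ones, and `Verify` takes the URL as a parameter so it can be pointed at a local stand-in.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"html"
	"net/http"
	"net/url"
	"strings"
)

// captchaProvider holds the provider-specific names: the container class the
// provider's script looks for, the form field its widget fills with the
// token, and the siteverify endpoint. Example table, not the plugin's.
type captchaProvider struct {
	CSSClass  string
	FormField string
	VerifyURL string
}

var captchaProviders = map[string]captchaProvider{
	"hcaptcha":  {"h-captcha", "h-captcha-response", "https://api.hcaptcha.com/siteverify"},
	"recaptcha": {"g-recaptcha", "g-recaptcha-response", "https://www.google.com/recaptcha/api/siteverify"},
	"turnstile": {"cf-turnstile", "cf-turnstile-response", "https://challenges.cloudflare.com/turnstile/v0/siteverify"},
}

// ErrNoResponse is the condition behind the "no captcha response found in
// request" debug line: the form came back without the expected field.
var ErrNoResponse = errors.New("no captcha response found in request")

// WidgetHTML renders the challenge container. If the class does not match the
// provider's script (cf-captcha instead of cf-turnstile), no widget is drawn.
func WidgetHTML(providerName, siteKey string) (string, error) {
	p, ok := captchaProviders[providerName]
	if !ok {
		return "", fmt.Errorf("unknown captcha provider %q", providerName)
	}
	return fmt.Sprintf(`<div class="%s" data-sitekey="%s"></div>`, p.CSSClass, html.EscapeString(siteKey)), nil
}

// ExtractResponse reads the token using the field that belongs to the
// configured provider. Looking for another provider's field on a solved
// Turnstile form yields ErrNoResponse; re-serving the challenge page on that
// error is the loop reported above.
func ExtractResponse(r *http.Request, providerName string) (string, error) {
	p, ok := captchaProviders[providerName]
	if !ok {
		return "", fmt.Errorf("unknown captcha provider %q", providerName)
	}
	if err := r.ParseForm(); err != nil {
		return "", err
	}
	token := strings.TrimSpace(r.PostFormValue(p.FormField))
	if token == "" {
		return "", ErrNoResponse
	}
	return token, nil
}

// siteverifyReply is the subset of the siteverify JSON all three providers return.
type siteverifyReply struct {
	Success    bool     `json:"success"`
	ErrorCodes []string `json:"error-codes"`
}

// Verify posts secret and token to verifyURL and reports whether the provider
// accepted them; verifyURL is a parameter so tests can use a local server.
func Verify(client *http.Client, verifyURL, secret, token, remoteIP string) (bool, error) {
	form := url.Values{"secret": {secret}, "response": {token}}
	if remoteIP != "" {
		form.Set("remoteip", remoteIP)
	}
	resp, err := client.PostForm(verifyURL, form)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	var reply siteverifyReply
	if err := json.NewDecoder(resp.Body).Decode(&reply); err != nil {
		return false, err
	}
	if !reply.Success {
		return false, fmt.Errorf("captcha rejected: %v", reply.ErrorCodes)
	}
	return true, nil
}

// newFormRequest builds a constructed form POST standing in for the browser's
// submission of the challenge page.
func newFormRequest(body string) *http.Request {
	req, _ := http.NewRequest(http.MethodPost, "/", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req
}

func main() {
	// A solved Turnstile form read with the right field name...
	tok, err := ExtractResponse(newFormRequest("cf-turnstile-response=0.example-token"), "turnstile")
	fmt.Println(tok, err)
	// ...and the same form read as if hcaptcha were configured: no token found.
	_, err = ExtractResponse(newFormRequest("cf-turnstile-response=0.example-token"), "hcaptcha")
	fmt.Println(err)
}
```

The practical check when this loop appears is to compare the field name in the browser's POST body against the one the bouncer reads for the configured provider; a solved challenge that never clears the decision, while the provider's dashboard counts completions, almost always means those two names disagree.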

mathieuHa commented 2 weeks ago

Hey @Ivomola, I've released v1.3.3-beta1 in the meantime to help test with non-dev instances.
This contains a first patch for Turnstile.
We'll keep testing in the weekend.

Ivomola commented 2 weeks ago

Just deployed and tested it, I can confirm it works now and the loop is gone. Thank you!!