[BUG] CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile' ? #174

Closed
Pierre-ZACHARY opened this issue Jun 9, 2024 · 9 comments · Fixed by #176 or #178

Pierre-ZACHARY commented Jun 9, 2024

Describe the bug 🐛
Traefik is logging an error saying "CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'"

2024-06-09T02:07:06Z ERR error="CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'" entryPointName=web routerName=whoamiapp-whoami-ingress-whoami-pierre-zachary-fr@kubernetes

I've followed the examples/kubernetes setup

Expected behavior 👀
CrowdsecLapiScheme should be http or https

I've tested with recaptcha and the behaviour is the one expected; seems to only happen with cloudflare

Context 🔎
Middleware values :
spec:
  plugin:
    bouncer:
      CrowdsecLapiKey: 40796d93c2958f9e58345514e67740e5
      Enabled: "true"
      logLevel: DEBUG
      crowdsecMode: live
      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
      crowdsecLapiScheme: http
      captchaHTMLFilePath: /html/captcha.html
      banHtmlFilePath: /html/ban.html
      captchaProvider: turnsite
      captchaGracePeriodSeconds: 1800
      captchaSiteKey: ...
      captchaSecretKey: ...

Version (please complete the following information):
Traefik 3.0.1
Crowdsec v1.6.1-2
crowdsec-bouncer-traefik-plugin 1.3.1

To Reproduce
Deploy whoami with above configurations and labels :
traefik.ingress.kubernetes.io/router.middlewares: kube-system-bouncer@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: web

@mathieuHa mathieuHa added the bug Something isn't working label Jun 9, 2024
@mathieuHa
Collaborator

mathieuHa commented Jun 9, 2024

Hello,

Thank you for the report. I looked at the validation code and indeed the error message you got was confusing:

	if !contains([]string{HTTP, HTTPS}, config.CrowdsecLapiScheme) {
		return errors.New("CrowdsecLapiScheme: must be one of 'http' or 'https'")
	}
	if !contains([]string{"", HcaptchaProvider, RecaptchaProvider, TurnstileProvider}, config.CaptchaProvider) {
		return errors.New("CrowdsecLapiScheme: must be one of 'hcaptcha', 'recaptcha' or 'turnstile'")
	}

I will replace with CaptchaProvider : must be one of 'hcaptcha', 'recaptcha' or 'turnstile'

In your configuration, you have misspelled turnstile with turnsite.

To be transparent, we haven't tested the turnstile provider a lot, and we would be thankful if you could give us some feedback on it.
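One way to keep an error message from naming the wrong option, as an added example that is not the plugin's own code: each rule carries its field name, value and allowed set together, and the message is built from the rule. The `Config` stand-in, `enumRule` and `ValidateEnums` are hypothetical names, and the input is constructed from the typo in the report.

```go
package main

import (
	"fmt"
	"strings"
)

// Config mirrors the two fields from the snippet above; it is a stand-in,
// not the plugin's real Config type.
type Config struct {
	CrowdsecLapiScheme string
	CaptchaProvider    string
}

// enumRule keeps the field name, its value and its allowed set together, so
// the error text is generated from the rule rather than typed by hand.
type enumRule struct {
	field    string
	value    string
	allowed  []string
	optional bool // an empty value is accepted
}

// ValidateEnums returns an error that names the offending field and value.
func ValidateEnums(c Config) error {
	rules := []enumRule{
		{"CrowdsecLapiScheme", c.CrowdsecLapiScheme, []string{"http", "https"}, false},
		{"CaptchaProvider", c.CaptchaProvider, []string{"hcaptcha", "recaptcha", "turnstile"}, true},
	}
	for _, r := range rules {
		if r.optional && r.value == "" {
			continue
		}
		ok := false
		for _, a := range r.allowed {
			if r.value == a {
				ok = true
			}
		}
		if !ok {
			return fmt.Errorf("%s: got %q, must be one of '%s'", r.field, r.value, strings.Join(r.allowed, "', '"))
		}
	}
	return nil
}

func main() {
	// Constructed input reproducing the typo from the report.
	fmt.Println(ValidateEnums(Config{CrowdsecLapiScheme: "http", CaptchaProvider: "turnsite"}))
}
```

Echoing the rejected value next to the field name makes a misspelling such as `turnsite` visible in the log line itself.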

@Pierre-ZACHARY
Author

Pierre-ZACHARY commented Jun 12, 2024

Oh right, my mistake, I thought the errors came from CrowdsecLapiScheme because of what the logs were giving, thanks for pointing that out.

However when I tried with turnstile: first I had to edit the classname of the captcha container from cf-captcha to cf-turnstile, then it rendered the captcha and validated it but traefik didn't receive the token / didn't notify crowdsec that the captcha was valid and thus it keeps refreshing the page with the captcha and never removes the crowdsec decision.
But I do receive metrics of captcha completion on my cloudflare account so I don't think it's on their side.

@mathieuHa
Collaborator

> Oh right, my mistake, I thought the errors came from CrowdsecLapiScheme because of what the logs were giving, thanks for pointing that out.
>
> However when I tried with turnstile: first I had to edit the classname of the captcha container from cf-captcha to cf-turnstile, then it rendered the captcha and validated it but traefik didn't receive the token / didn't notify crowdsec that the captcha was valid and thus it keeps refreshing the page with the captcha and never removes the crowdsec decision. But I do receive metrics of captcha completion on my cloudflare account so I don't think it's on their side.

Thanks for the feedback, we'll look into it @maxlerebourg

@mathieuHa mathieuHa reopened this Jun 16, 2024
@maxlerebourg maxlerebourg linked a pull request Jun 19, 2024 that will close this issue
@maxlerebourg
Owner

maxlerebourg commented Jun 19, 2024

Hey @Pierre-ZACHARY,
I just created a PR to fix the class name of the captcha element, thanks for notifying us about that.
But now, I just tested it with the turnstile provider, and it's working as expected. Could you retry with the fix of the class name, once @mathieuHa reviews and releases it?

Thanks for using our plugin 👍

@mathieuHa
Collaborator

> Hey @Pierre-ZACHARY, I just created a PR to fix the class name of the captcha element, thanks for notifying us about that. But now, I just tested it with the turnstile provider, and it's working as expected. Could you retry with the fix of the class name, once @mathieuHa reviews and releases it?
>
> Thanks for using our plugin 👍

We will keep testing in the upcoming days and release a new version afterwards.
Please feel free to share if that made your setup work, or if you think something is still wrong there.

@mathieuHa mathieuHa reopened this Jun 19, 2024
@Ivomola

Ivomola commented Jun 20, 2024

> However when I tried with turnstile: first I had to edit the classname of the captcha container from cf-captcha to cf-turnstile, then it rendered the captcha and validated it but traefik didn't receive the token / didn't notify crowdsec that the captcha was valid and thus it keeps refreshing the page with the captcha and never removes the crowdsec decision.
> But I do receive metrics of captcha completion on my cloudflare account so I don't think it's on their side.

Without looking at any of the issues, I did the same thing and reached the same outcome with turnstile: captcha passes, a post request is made, but the bouncer doesn't get the response. The logs in DEBUG mode state the following every time the captcha page is reloaded and the captcha passes:

CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 handleRemediationServeHTTP ip:REDACTED remediation:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED_captcha
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Check ip:REDACTED pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Validate no captcha response found in request
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 ServeHTTP ip:REDACTED cache:hit isBanned:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 handleRemediationServeHTTP ip:REDACTED remediation:c
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 cache:Get key:REDACTED_captcha
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Check ip:REDACTED pass:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/06/20 17:24:11 captcha:Validate no captcha response found in request

EDIT:
Here is a visual representation of what the user sees:
[animated GIF: screen recording, 2024-06-20]

I hope this helps debugging. Thank you for developing this plugin @mathieuHa @maxlerebourg!
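A diagnostic for the "no captcha response found in request" line above, as an added example that is not the plugin's code: it looks up the form field for the configured provider and, when that field is absent, reports which other response fields the POST did carry. `CaptchaToken` and `responseField` are hypothetical names, the field names are taken from the providers' public documentation, and the request is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sort"
	"strings"
)

// responseField: form field each provider's widget posts (taken from the
// providers' public docs; an assumption here, not the plugin's code).
var responseField = map[string]string{
	"hcaptcha":  "h-captcha-response",
	"recaptcha": "g-recaptcha-response",
	"turnstile": "cf-turnstile-response",
}

// CaptchaToken returns the posted token for the configured provider. If it is
// missing, the error lists other *-response fields that did arrive, separating
// "nothing was posted" from "the wrong field was looked up".
func CaptchaToken(r *http.Request, provider string) (string, error) {
	field, ok := responseField[provider]
	if !ok {
		return "", fmt.Errorf("unknown captcha provider %q", provider)
	}
	if err := r.ParseForm(); err != nil {
		return "", fmt.Errorf("parse form: %w", err)
	}
	if tok := r.PostForm.Get(field); tok != "" {
		return tok, nil
	}
	var seen []string
	for name := range r.PostForm {
		if strings.HasSuffix(name, "-response") {
			seen = append(seen, name)
		}
	}
	sort.Strings(seen)
	return "", fmt.Errorf("no %s in request (other response fields: %v)", field, seen)
}

func main() {
	// Constructed request: a Turnstile token arrives, but recaptcha is configured.
	form := url.Values{"cf-turnstile-response": {"constructed-token"}}
	req, _ := http.NewRequest(http.MethodPost, "http://bouncer.example/", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	_, err := CaptchaToken(req, "recaptcha")
	fmt.Println(err)
}
```

The error carries field names only; the token value itself should stay out of the logs.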

@mathieuHa
Collaborator

Hey @Ivomola, I've released v1.3.3-beta1 in the meantime to help test with non-dev instances.
This contains a first patch for Turnstile.
We'll keep testing over the weekend.

@Ivomola

Ivomola commented Jun 20, 2024

Just deployed and tested it, I can confirm it works now and the loop is gone. Thank you!!

@mathieuHa
Collaborator

We've released v1.3.3 as latest release with this patch.
