I have installed the haproxy bouncer and configured the captcha to use Cloudflare Turnstile. It works fine insofar as it’s correctly issuing a captcha, after I added a captcha decision in order to test with my own IP address. However, the problem is that the IP address does not get added to the stick table. For every HTTP request I make, a captcha is issued. I checked the stick table and it was empty.
I then added my IP address manually to the stick table (through the HAProxy CLI); after that I did not encounter any captchas, as expected. I wonder if anyone else has encountered this? Maybe it is a known problem with a known solution?
My environment:
HAProxy version 3.0.9
crowdsec-haproxy-bouncer/jammy,now 0.0.5 all [installed]
crowdsec/jammy,now 1.6.8 amd64 [installed]
OS: Ubuntu 22.04.5 LTS
I also checked the Cloudflare Turnstile dashboard, and I could verify that the captcha challenges I encountered were solved. So that works fine as far as I can tell.
Another test I did was to add this row to the haproxy config: http-request track-sc0 src
Then I did an HTTP request and my IP address was added to the stick table, no problem.
But this does not work: http-request track-sc0 src if { var(req.remediation) -m str "captcha-allow" } # cache captcha allow decision
Here is an update to this post. I have now tested also with hcaptcha. Same problem as earlier. I tried to look into the issue, but since I’m not a developer I can’t deduce what the cause of the problem is. But maybe somebody else can.
Haproxy logs when testing with hcaptcha:
Apr 22 11:50:52 myserver haproxy[50641]: Active decision captcha for 1.2.3.4
Apr 22 11:50:52 myserver haproxy[50641]: error verifying captcha: 403,<html>..<head><title>403 Forbidden</title></head>..<body>..<center><h1>403 Forbidden</h1></center>..<hr><center>cloudflare</center>..</body>..</html>..; verifier: 104.19.230.21:443
Apr 22 11:50:52 myserver haproxy[50641]: [ALERT] (50641) : Lua function 'crowdsec_allow': [state-id 0] runtime error: /usr/lib/crowdsec/lua/haproxy/crowdsec.lua:178: attempt to index a nil value (field 'captcha_verifier') from /usr/lib/crowdsec/lua/haproxy/crowdsec.lua:178: in function line 122.
Apr 22 11:50:52 myserver haproxy[50641]: error verifying captcha: 403,<html>..<head><title>403 Forbidden</title></head>..<body>..<center><h1>403 Forbidden</h1></center>..<hr><center>cloudflare</center>..</body>..</html>..; verifier: 104.19.230.21:443
Apr 22 11:50:52 myserver haproxy[50641]: Lua function 'crowdsec_allow': [state-id 0] runtime error: /usr/lib/crowdsec/lua/haproxy/crowdsec.lua:178: attempt to index a nil value (field 'captcha_verifier') from /usr/lib/crowdsec/lua/haproxy/crowdsec.lua:178: in function line 122.
Apr 22 11:50:52 myserver haproxy[50641]: Lua function 'crowdsec_allow': [state-id 0] runtime error: /usr/lib/crowdsec/lua/haproxy/crowdsec.lua:178: attempt to index a nil value (field 'captcha_verifier') from /usr/lib/crowdsec/lua/haproxy/crowdsec.lua:178: in function line 122.
I started to suspect that it might have something to do with the Lua version which is built into HAProxy. The CrowdSec instructions for the haproxy bouncer say that HAProxy must be at least version 2.5. So, I figured I’ll downgrade to 2.6. Lo and behold, now it works!
Hopefully this will be of help to others who want to use the haproxy bouncer. I think it should be mentioned in the CrowdSec installation instructions that later versions of HAProxy might not work correctly because of the Lua version.
In conclusion:
Not working correctly:
HAProxy version 3.0
Built with Lua version : Lua 5.4.4
Working correctly:
HAProxy version 2.6
Built with Lua version : Lua 5.3.6
Note: I have tested with hcaptcha. That works fine now. I have not tested the other captchas. But I would guess they too work now.
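A small triage script for the symptoms shown in the logs and version lines quoted above, added here as an example (it is not part of the original posts or of the CrowdSec bouncer). The sample banner and log text are constructed from the lines quoted in the thread; it assumes Python 3.8+ and the `haproxy -vv` banner format shown in the post.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the version lines and log lines quoted in the thread.
SAMPLE_VV = "HAProxy version 3.0.9\nBuilt with Lua version : Lua 5.4.4\n"
_ERR = ("Lua function 'crowdsec_allow': [state-id 0] runtime error: "
        "/usr/lib/crowdsec/lua/haproxy/crowdsec.lua:178: attempt to index a nil value "
        "(field 'captcha_verifier') from /usr/lib/crowdsec/lua/haproxy/crowdsec.lua:178: "
        "in function line 122.")
_PFX = "Apr 22 11:50:52 myserver haproxy[50641]: "
SAMPLE_LOG = "\n".join([
    _PFX + "Active decision captcha for 1.2.3.4",
    _PFX + "error verifying captcha: 403,<html>..</html>..; verifier: 104.19.230.21:443",
    _PFX + "[ALERT] (50641) : " + _ERR,
    _PFX + "error verifying captcha: 403,<html>..</html>..; verifier: 104.19.230.21:443",
    _PFX + _ERR,
])

DECISION = re.compile(r"Active decision (\w+) for (\S+)")
VERIFY = re.compile(r"error verifying captcha: (\d{3}),.*verifier: (\S+)")
LUA_ERR = re.compile(r"Lua function '([^']+)'.*?runtime error: (\S+):(\d+): (.+?) from ")

def parse_versions(vv_text):
    """Return (haproxy_version, lua_version) from `haproxy -vv` style text."""
    hap = re.search(r"HAProxy version (\d+(?:\.\d+)+)", vv_text)
    lua = re.search(r"Built with Lua version\s*:\s*Lua (\d+(?:\.\d+)+)", vv_text)
    return (hap and hap.group(1), lua and lua.group(1))

def triage(log_text):
    """Count captcha decisions, verifier failures and Lua aborts per distinct key."""
    out = {"decisions": Counter(), "verify_failures": Counter(), "lua_errors": Counter()}
    for line in log_text.splitlines():
        if m := DECISION.search(line):
            out["decisions"][m.groups()] += 1
        elif m := VERIFY.search(line):
            out["verify_failures"][m.groups()] += 1
        elif m := LUA_ERR.search(line):
            fn, path, lineno, msg = m.groups()
            out["lua_errors"][(fn, f"{path}:{lineno}", msg)] += 1
    return out

if __name__ == "__main__":
    print("versions:", parse_versions(SAMPLE_VV))
    for section, counts in triage(SAMPLE_LOG).items():
        for key, n in counts.items():
            print(f"{section}: {n}x {key}")
```

A non-empty lua_errors section for crowdsec_allow next to captcha decisions is the pattern the logs above show alongside an empty stick table.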
Hi timor,
I made some tests using the versions of haproxy and Lua you proposed, but without success.
I tried with hcaptcha and even Cloudflare Turnstile.
What OS did you use? I’m currently running Ubuntu 24.04; I don’t think that is the issue, but just to know.
Many thanks
Giuliano
I looked inside the haproxy.log but did not find anything strange. I even made another attempt, running haproxy in the foreground with the “-d” flag, but even in that case there are no messages with any kind of evidence of the fault. Just to recap, I inject my IP into the decision list and the Cloudflare captcha comes up. After ticking the “are you human?” box I expect to find my IP inside the Sticky table, but it never happens… Anyway, many thanks for your help; probably only the SPOA version can solve the problem.
Thanks again
Giuliano