📝 Fix example and makefile and doc for wicketkeeper

2025-11-08 15:15:05 +01:00 · 2025-08-11 19:47:55 +02:00
parent 00b3e3e6c1
commit 5b217e272a
6 changed files with 73 additions and 59 deletions
--- a/5
+++ b/5
@@ -44,7 +44,7 @@ run_appsec:
 	docker compose -f examples/appsec-enabled/docker-compose.yml up -d --remove-orphans

 run_custom_captcha:
-	docker compose -f examples/custo-captcha/docker-compose.yml up -d --remove-orphans
+	docker compose -f examples/custom-captcha/docker-compose.yml up -d --remove-orphans

 run_captcha:
 	docker compose -f examples/captcha/docker-compose.yml up -d --remove-orphans
@@ -99,8 +99,9 @@ clean_all_docker:
 	docker compose -f examples/redis-cache/docker-compose.yml down --remove-orphans
 	docker compose -f examples/trusted-ips/docker-compose.yml down --remove-orphans
 	docker compose -f examples/tls-auth/docker-compose.yml down --remove-orphans
-	docker compose -f examples/appsec-enabled/docker-compose.yml down --remove-orphans
+	docker compose -f examples/appsec-enabled/docker-compose.appsec-enabled.yml down --remove-orphans
 	docker compose -f examples/captcha/docker-compose.yml down --remove-orphans
+	docker compose -f examples/custom-captcha/docker-compose.yml down --remove-orphans
 	docker compose -f examples/custom-ban-page/docker-compose.yml down --remove-orphans
 	docker compose -f docker-compose.local.yml down --remove-orphans
 	docker compose -f docker-compose.yml down --remove-orphans
--- a/README.md
+++ b/README.md
@@ -39,6 +39,7 @@ The following captcha providers are supported now:
 - [hcaptcha](https://www.hcaptcha.com/)
 - [recaptcha](https://www.google.com/recaptcha/about/)
 - [turnstile](https://www.cloudflare.com/products/turnstile/)
+- [custom/wicketkeeper](https://github.com/a-ve/wicketkeeper)

 There are 5 operating modes (CrowdsecMode) for this plugin:

@@ -702,6 +703,8 @@ docker exec crowdsec cscli decisions remove --ip 10.0.0.10 -t captcha

 #### 10. Using Traefik with Custom Ban HTML Page [examples/custom-ban-page/README.md](https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/examples/custom-ban-page/README.md)

+#### 11. Using Traefik with Custom Captcha Whiketkeeper[examples/custom-captcha/README.md](https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/examples/custom-captcha/README.md)
+
 ### Local Mode

 Traefik also offers a developer mode that can be used for temporary testing of plugins not hosted on GitHub.
--- a/bouncer.go
+++ b/bouncer.go
@@ -252,6 +252,7 @@ func New(_ context.Context, next http.Handler, config *configuration.Config, nam
 		config.CaptchaGracePeriodSeconds,
 	)
 	if err != nil {
+		log.Error("CaptchaClient not valid " + err.Error())
 		return nil, err
 	}

--- a/examples/appsec-enabled/docker-compose.appsec-enabled.yml
+++ b/examples/appsec-enabled/docker-compose.appsec-enabled.yml
@@ -1,5 +1,3 @@
-version: "3.8"
-
 services:
  traefik:
    image: "traefik:v3.0.0"
@@ -36,7 +34,7 @@ services:
      # Definition of the router
      - "traefik.http.routers.router-foo.rule=PathPrefix(`/foo`)"
      - "traefik.http.routers.router-foo.entrypoints=web"
-      - "traefik.http.routers.router-foo.middlewares=crowdsec@docker" 
+      - "traefik.http.routers.router-foo.middlewares=crowdsec@docker"
      # Definition of the service
      - "traefik.http.services.service-foo.loadbalancer.server.port=80"
      # Definition of the middleware
@@ -48,8 +46,6 @@ services:
      # Define AppSec host and port informations
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecappsechost=crowdsec:7422"

-  
-
  crowdsec:
    image: crowdsecurity/crowdsec:v1.6.1-2
    container_name: "crowdsec"
@@ -65,7 +61,7 @@ services:
      - crowdsec-config-appsec-enabled:/etc/crowdsec/
    labels:
      - "traefik.enable=false"
-  
+
 volumes:
  logs-appsec-enabled:
  crowdsec-db-appsec-enabled:
--- a/examples/custom-captcha/README.md
+++ b/examples/custom-captcha/README.md
@@ -5,9 +5,10 @@ Read the example captcha before this, to better understand what is done here.
 ### Traefik configuration

 The minimal configuration is defined below to implement custom captcha.  
-This documentation use https://github.com/a-ve/wicketpeeker, a self-hosted captcha provider that have a similar API than big providers.  
+This documentation use https://github.com/a-ve/wicketpeeker, a self-hosted captcha provider that have a similar API than big providers.

 Minimal API requirement:
+
 - the JS file URL to load the captcha on the served `captcha.html`
 - the HTML className to tell to the JS where to display the challenge
 - the verify URL endpoint to send the response from the captcha
@@ -21,41 +22,45 @@ Minimal API requirement:
    labels:
      # Choose captcha provider
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaProvider=custom"
-      # Define captcha grade period seconds
+      # Define captcha grace period seconds
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaGracePeriodSeconds=1800"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaCustomJsURL=http://captcha.localhost:8000/fast.js"
+      # Inside Traefik container the plugin must be able to reach wicketkeeper service so we can go through a Traefik localhost
+      # domain which would resolve traefik itself and the port for the dashboard
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomValidateURL=http://wicketkeeper:8080/v0/siteverify"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomKey=wicketkeeper"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomResponse=wicketkeeper_solution"
      # Define captcha HTML file path
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaHTMLFilePath=/captcha.html"
-      # 
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaCustomJsURL=http://localhost:8080/fast.js"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomValidateURL=http://localhost:8080/v0/siteverify"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomKey=wicketpeeker"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomResponse=response"
 ```

-```yaml 
-  wicketkeeper:
-    image: ghcr.io/a-ve/wicketkeeper:latest
-    ports:
-      - "8080:8080"
-    environment:
-      - ROOT_URL=http://localhost:8080
-      - LISTEN_PORT=8080
-      - REDIS_ADDR=redis:6379
-      - DIFFICULTY=4
-      - ALLOWED_ORIGINS=*
-      - PRIVATE_KEY_PATH=/data/wicketkeeper.key
-    volumes:
-      - ./data:/data
-    depends_on:
-      - redis
-  redis:
-    image: redis/redis-stack-server:latest
+```yaml
+wicketkeeper:
+  image: ghcr.io/a-ve/wicketkeeper:latest
+  user: root
+  ports:
+    - "8080:8080"
+  environment:
+    - ROOT_URL=http://localhost:8080
+    - LISTEN_PORT=8080
+    - REDIS_ADDR=redis:6379
+    - DIFFICULTY=4
+    - ALLOWED_ORIGINS=*
+    - PRIVATE_KEY_PATH=/data/wicketkeeper.key
+  volumes:
+    - ./data:/data
+  depends_on:
+    - redis
+redis:
+  image: redis/redis-stack-server:latest
 ```

 ## Exemple navigation
+
 We can try to query normally the whoami server:
+
 ```bash
-curl http://localhost:8000
+curl http://localhost:8000/foo
 ```

 We can try to ban ourself and retry.
@@ -65,6 +70,7 @@ docker exec crowdsec cscli decisions add --ip 10.0.0.20 -d 10m --type captcha
 ```

 To play the demo environment run:
+
 ```bash
 make run_custom_captcha
-```
+```
--- a/examples/custom-captcha/docker-compose.yml
+++ b/examples/custom-captcha/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
  traefik:
-    image: "traefik:v3.0.0"
+    image: "traefik:v3.5.0"
    container_name: "traefik"
    restart: unless-stopped
    command:
@@ -11,14 +11,15 @@ services:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
+      - "--entrypoints.web.forwardedheaders.trustedips=172.18.0.0/24"

      - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      - "--experimental.plugins.bouncer.version=v1.4.5"
      # - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - logs-captcha-enabled:/var/log/traefik
-      - './captcha.html:/captcha.html'
+      - logs-custom-captcha-enabled:/var/log/traefik
+      - "./captcha.html:/captcha.html"
      # - ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
    ports:
      - 8000:80
@@ -26,14 +27,14 @@ services:
    depends_on:
      - crowdsec

-  whoami:
+  whoami-foo:
    image: traefik/whoami
-    container_name: "whoaami"
+    container_name: "simple-service-custom-captcha-foo"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      # Definition of the router
-      - "traefik.http.routers.router-foo.rule=Host(`localhost`)"
+      - "traefik.http.routers.router-foo.rule=PathPrefix(`/foo`)"
      - "traefik.http.routers.router-foo.entrypoints=web"
      - "traefik.http.routers.router-foo.middlewares=crowdsec@docker"
      # Definition of the service
@@ -42,19 +43,20 @@ services:
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
-     
+
      # Choose captcha provider
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaProvider=custom"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaCustomJsURL=http://captcha.localhost:8080/fast.js"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomValidateURL=http://captcha.localhost:8080/v0/siteverify"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomKey=wicketpeeker"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomResponse=response"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaCustomJsURL=http://captcha.localhost:8000/fast.js"
+      # Inside Traefik container the plugin must be able to reach wicketkeeper service so we can go through a Traefik localhost
+      # domain which would resolve traefik itself and the port for the dashboard
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomValidateURL=http://wicketkeeper:8080/v0/siteverify"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomKey=wicketkeeper"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomResponse=wicketkeeper_solution"
      # Define captcha grade period seconds
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaGracePeriodSeconds=20"
      # Define captcha HTML file path
      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaHTMLFilePath=/captcha.html"

-
  crowdsec:
    image: crowdsecurity/crowdsec:v1.6.1-2
    container_name: "crowdsec"
@@ -65,39 +67,44 @@ services:
      BOUNCER_KEY_TRAEFIK_DEV: 40796d93c2958f9e58345514e67740e5
    volumes:
      # For captcha and ban mixed decision
-      - './profiles.yaml:/etc/crowdsec/profiles.yaml:ro' 
+      - "./profiles.yaml:/etc/crowdsec/profiles.yaml:ro"
      # For captcha only remediation
      # - './profiles_captcha_only.yaml:/etc/crowdsec/profiles.yaml:ro'
-      - './acquis.yaml:/etc/crowdsec/acquis.yaml:ro'
-      - logs-captcha-enabled:/var/log/traefik:ro
-      - crowdsec-db-captcha-enabled:/var/lib/crowdsec/data/
-      - crowdsec-config-captcha-enabled:/etc/crowdsec/
+      - "./acquis.yaml:/etc/crowdsec/acquis.yaml:ro"
+      - logs-custom-captcha-enabled:/var/log/traefik:ro
+      - crowdsec-db-custom-captcha-enabled:/var/lib/crowdsec/data/
+      - crowdsec-config-custom-captcha-enabled:/etc/crowdsec/
    labels:
      - "traefik.enable=false"

  wicketkeeper:
-    image: ghcr.io/a-ve/wicketkeeper:latest
+    image: ghcr.io/maxlerebourg/wicketkeeper:latest
    container_name: "wicketkeeper"
    environment:
-      - ROOT_URL=http://localhost:8080
+      - ROOT_URL=http://captcha.localhost:8000
      - LISTEN_PORT=8080
      - REDIS_ADDR=redis:6379
      - DIFFICULTY=4
      - ALLOWED_ORIGINS=*
+      - PRIVATE_KEY_PATH=/data/wicketkeeper.key
+    volumes:
+      - wicketkeeper-custom-captcha-enabled:/data
+    user: root
    labels:
      - "traefik.enable=true"
      # Definition of the router
      - "traefik.http.routers.router-wicketpeeker.rule=Host(`captcha.localhost`)"
      - "traefik.http.routers.router-wicketpeeker.entrypoints=web"
      # Definition of the service
-      - "traefik.http.services.service-foo.loadbalancer.server.port=8080"
+      - "traefik.http.services.service-whitekeeper.loadbalancer.server.port=8080"
    depends_on:
      - redis

  redis:
    image: redis/redis-stack-server:latest
-  
+
 volumes:
-  logs-captcha-enabled:
-  crowdsec-db-captcha-enabled:
-  crowdsec-config-captcha-enabled:
+  logs-custom-captcha-enabled:
+  wicketkeeper-custom-captcha-enabled:
+  crowdsec-db-custom-captcha-enabled:
+  crowdsec-config-custom-captcha-enabled: