From 148a972401ba56f5b34d11ebcfb4c496c07c8fea Mon Sep 17 00:00:00 2001 From: Laurence Date: Tue, 23 Sep 2025 15:49:39 +0100 Subject: [PATCH 1/2] Implement native HAProxy redirect for CAPTCHA validation - Replace Lua-based redirect with native HAProxy 302 redirect for allow decisions - Add performance optimization by calling Lua only for ban and captcha remediations - Update both HAProxy configuration examples with the new approach - Add dedicated section explaining the performance benefits - Reduce overhead and improve scalability by minimizing Lua processing --- .../unversioned/bouncers/haproxy_spoa.mdx | 36 +++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx index f8b0ca8e1..49aa61429 100644 --- a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx +++ b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx @@ -169,7 +169,14 @@ frontend http-in bind *:80 filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)] - http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found } + + ## Handle 302 redirect for successful captcha validation (native HAProxy redirect) + http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found } + + ## Call lua script only for ban and captcha remediations (performance optimization) + http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" } + http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" } + use_backend backend crowdsec-spoa 
@@ -212,6 +219,25 @@ recaptcha turnstile ``` +#### Native HAProxy Redirect (Performance Optimization) + +The HAProxy SPOA bouncer now supports native HAProxy redirects for successful CAPTCHA validation, providing better performance and reduced Lua overhead: + +```haproxy +## Handle 302 redirect for successful captcha validation (native HAProxy redirect) +http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found } + +## Call lua script only for ban and captcha remediations (performance optimization) +http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" } +http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" } +``` + +This approach provides: +- **Native 302 redirects**: Uses HAProxy's built-in redirect functionality instead of Lua +- **Performance optimization**: Lua script is only called for `ban` and `captcha` remediations +- **Reduced overhead**: Eliminates unnecessary Lua processing for `allow` decisions +- **Better scalability**: Native HAProxy operations are more efficient than Lua-based solutions + ### Prometheus Metrics Enable and expose metrics: 
@@ -391,7 +417,13 @@ frontend test http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found } http-request set-header X-CrowdSec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found } - http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found } + + ## Handle 302 redirect for successful captcha validation (native HAProxy redirect) + http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found } + + ## Call lua script only for ban and captcha remediations (performance optimization) + http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" } + http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" } use_backend test_backend ``` From 5ba490bf8267cae14d95c896863b9ef7e0556ce4 Mon Sep 17 00:00:00 2001 From: Laurence Date: Tue, 23 Sep 2025 15:50:05 +0100 Subject: [PATCH 2/2] Remove dedicated section, keep only updated configuration examples - Remove the standalone Native HAProxy Redirect section - Keep the updated configuration examples with native redirects and performance optimizations --- .../unversioned/bouncers/haproxy_spoa.mdx | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx index 49aa61429..c6e5dfefd 100644 --- a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx +++ b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx 
@@ -219,24 +219,6 @@ recaptcha turnstile ``` -#### Native HAProxy Redirect (Performance Optimization) - -The HAProxy SPOA bouncer now supports native HAProxy redirects for successful CAPTCHA validation, providing better performance and reduced Lua overhead: - -```haproxy -## Handle 302 redirect for successful captcha validation (native HAProxy redirect) -http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found } - -## Call lua script only for ban and captcha remediations (performance optimization) -http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" } -http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" } -``` - -This approach provides: -- **Native 302 redirects**: Uses HAProxy's built-in redirect functionality instead of Lua -- **Performance optimization**: Lua script is only called for `ban` and `captcha` remediations -- **Reduced overhead**: Eliminates unnecessary Lua processing for `allow` decisions -- **Better scalability**: Native HAProxy operations are more efficient than Lua-based solutions ### Prometheus Metrics
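Review bot: in the first hunk of PATCH 1/2 (`frontend http-in`, @@ -169), the new `http-request redirect code 302 location %[var(txn.crowdsec.redirect)]` rule sends whatever is in `txn.crowdsec.redirect` as the Location header, and nothing in the patch says what the SPOA agent stores there or whether it is limited to a path on the same host. Because this is the reference configuration people will copy, add a sentence next to the example stating where the value comes from and what form it takes. If it can carry an absolute URL derived from the request, the example should constrain it before redirecting.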
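Review bot: in the `frontend test` hunk of PATCH 1/2 (@@ -391), replacing `if { var(txn.crowdsec.remediation) -m found }` with exact matches on "captcha" and "ban" means any other remediation value no longer reaches `lua.crowdsec_handle` and the request goes straight on to `use_backend test_backend`. If those two are the only values the bouncer sets besides "allow", say so in the docs beside the example; otherwise keep a fallback rule for unexpected values so they are not silently passed through. The two rules can also be written as one, since an ACL accepts several patterns: `-m str captcha ban`.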
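Review bot: the "Native HAProxy Redirect" section added by the @@ -212 hunk of PATCH 1/2 is deleted again by the only hunk of PATCH 2/2, so the series should be squashed into one commit whose message drops the "Add dedicated section" bullet. The line counts also do not cancel: the first hunk grows the region from 6 to 25 lines (19 added) and the second removes 18, so one added line, probably a blank one, is left behind before `### Prometheus Metrics`. After the squash the only explanation of the change is the two `##` comments inside the examples; one sentence in the surrounding prose saying that Lua is now invoked only for `ban` and `captcha` would cover it.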