📝 Fix example and makefile and doc for wicketkeeper

Author: mathieuHa

Makefile

@@ -44,7 +44,7 @@ run_appsec:
 	docker compose -f examples/appsec-enabled/docker-compose.yml up -d --remove-orphans
 
 run_custom_captcha:
-	docker compose -f examples/custo-captcha/docker-compose.yml up -d --remove-orphans
+	docker compose -f examples/custom-captcha/docker-compose.yml up -d --remove-orphans
 
 run_captcha:
 	docker compose -f examples/captcha/docker-compose.yml up -d --remove-orphans
@@ -99,8 +99,9 @@ clean_all_docker:
 	docker compose -f examples/redis-cache/docker-compose.yml down --remove-orphans
 	docker compose -f examples/trusted-ips/docker-compose.yml down --remove-orphans
 	docker compose -f examples/tls-auth/docker-compose.yml down --remove-orphans
-	docker compose -f examples/appsec-enabled/docker-compose.yml down --remove-orphans
+	docker compose -f examples/appsec-enabled/docker-compose.appsec-enabled.yml down --remove-orphans
 	docker compose -f examples/captcha/docker-compose.yml down --remove-orphans
+	docker compose -f examples/custom-captcha/docker-compose.yml down --remove-orphans
 	docker compose -f examples/custom-ban-page/docker-compose.yml down --remove-orphans
 	docker compose -f docker-compose.local.yml down --remove-orphans
 	docker compose -f docker-compose.yml down --remove-orphans

README.md

@@ -39,6 +39,7 @@ The following captcha providers are supported now:
 - [hcaptcha](https://www.hcaptcha.com/)
 - [recaptcha](https://www.google.com/recaptcha/about/)
 - [turnstile](https://www.cloudflare.com/products/turnstile/)
+- [custom/wicketkeeper](https://github.com/a-ve/wicketkeeper)
 
 There are 5 operating modes (CrowdsecMode) for this plugin:
 
@@ -702,6 +703,8 @@ docker exec crowdsec cscli decisions remove --ip 10.0.0.10 -t captcha
 
 #### 10. Using Traefik with Custom Ban HTML Page [examples/custom-ban-page/README.md](https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/examples/custom-ban-page/README.md)
 
+#### 11. Using Traefik with Custom Captcha Whiketkeeper[examples/custom-captcha/README.md](https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/examples/custom-captcha/README.md)
+
 ### Local Mode
 
 Traefik also offers a developer mode that can be used for temporary testing of plugins not hosted on GitHub.

bouncer.go

@@ -252,6 +252,7 @@ func New(_ context.Context, next http.Handler, config *configuration.Config, nam
 		config.CaptchaGracePeriodSeconds,
 	)
 	if err != nil {
+		log.Error("CaptchaClient not valid " + err.Error())
 		return nil, err
 	}
 

examples/appsec-enabled/docker-compose.appsec-enabled.yml

@@ -1,5 +1,3 @@
-version: "3.8"
-
 services:
   traefik:
     image: "traefik:v3.0.0"
@@ -36,7 +34,7 @@ services:
       # Definition of the router
       - "traefik.http.routers.router-foo.rule=PathPrefix(`/foo`)"
       - "traefik.http.routers.router-foo.entrypoints=web"
-      - "traefik.http.routers.router-foo.middlewares=crowdsec@docker" 
+      - "traefik.http.routers.router-foo.middlewares=crowdsec@docker"
       # Definition of the service
       - "traefik.http.services.service-foo.loadbalancer.server.port=80"
       # Definition of the middleware
@@ -48,8 +46,6 @@ services:
       # Define AppSec host and port informations
       - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecappsechost=crowdsec:7422"
 
-  
-
   crowdsec:
     image: crowdsecurity/crowdsec:v1.6.1-2
     container_name: "crowdsec"
@@ -65,7 +61,7 @@ services:
       - crowdsec-config-appsec-enabled:/etc/crowdsec/
     labels:
       - "traefik.enable=false"
-  
+
 volumes:
   logs-appsec-enabled:
   crowdsec-db-appsec-enabled:

examples/custom-captcha/README.md

@@ -5,9 +5,10 @@ Read the example captcha before this, to better understand what is done here.
 ### Traefik configuration
 
 The minimal configuration is defined below to implement custom captcha.  
-This documentation use https://github.com/a-ve/wicketpeeker, a self-hosted captcha provider that have a similar API than big providers.  
+This documentation use https://github.com/a-ve/wicketpeeker, a self-hosted captcha provider that have a similar API than big providers.
 
 Minimal API requirement:
+
 - the JS file URL to load the captcha on the served `captcha.html`
 - the HTML className to tell to the JS where to display the challenge
 - the verify URL endpoint to send the response from the captcha
@@ -21,41 +22,45 @@ Minimal API requirement:
     labels:
       # Choose captcha provider
       - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaProvider=custom"
-      # Define captcha grade period seconds
+      # Define captcha grace period seconds
       - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaGracePeriodSeconds=1800"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaCustomJsURL=http://captcha.localhost:8000/fast.js"
+      # Inside Traefik container the plugin must be able to reach wicketkeeper service so we can go through a Traefik localhost
+      # domain which would resolve traefik itself and the port for the dashboard
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomValidateURL=http://wicketkeeper:8080/v0/siteverify"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomKey=wicketkeeper"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomResponse=wicketkeeper_solution"
       # Define captcha HTML file path
       - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaHTMLFilePath=/captcha.html"
-      # 
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaCustomJsURL=http://localhost:8080/fast.js"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomValidateURL=http://localhost:8080/v0/siteverify"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomKey=wicketpeeker"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomResponse=response"
 ```
 
-```yaml 
-  wicketkeeper:
-    image: ghcr.io/a-ve/wicketkeeper:latest
-    ports:
-      - "8080:8080"
-    environment:
-      - ROOT_URL=http://localhost:8080
-      - LISTEN_PORT=8080
-      - REDIS_ADDR=redis:6379
-      - DIFFICULTY=4
-      - ALLOWED_ORIGINS=*
-      - PRIVATE_KEY_PATH=/data/wicketkeeper.key
-    volumes:
-      - ./data:/data
-    depends_on:
-      - redis
-  redis:
-    image: redis/redis-stack-server:latest
+```yaml
+wicketkeeper:
+  image: ghcr.io/a-ve/wicketkeeper:latest
+  user: root
+  ports:
+    - "8080:8080"
+  environment:
+    - ROOT_URL=http://localhost:8080
+    - LISTEN_PORT=8080
+    - REDIS_ADDR=redis:6379
+    - DIFFICULTY=4
+    - ALLOWED_ORIGINS=*
+    - PRIVATE_KEY_PATH=/data/wicketkeeper.key
+  volumes:
+    - ./data:/data
+  depends_on:
+    - redis
+redis:
+  image: redis/redis-stack-server:latest
 ```
 
 ## Exemple navigation
+
 We can try to query normally the whoami server:
+
 ```bash
-curl http://localhost:8000
+curl http://localhost:8000/foo
 ```
 
 We can try to ban ourself and retry.
@@ -65,6 +70,7 @@ docker exec crowdsec cscli decisions add --ip 10.0.0.20 -d 10m --type captcha
 ```
 
 To play the demo environment run:
+
 ```bash
 make run_custom_captcha
-```
+```

examples/custom-captcha/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   traefik:
-    image: "traefik:v3.0.0"
+    image: "traefik:v3.5.0"
     container_name: "traefik"
     restart: unless-stopped
     command:
@@ -11,29 +11,30 @@ services:
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"
+      - "--entrypoints.web.forwardedheaders.trustedips=172.18.0.0/24"
 
       - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
       - "--experimental.plugins.bouncer.version=v1.4.5"
       # - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
-      - logs-captcha-enabled:/var/log/traefik
-      - './captcha.html:/captcha.html'
+      - logs-custom-captcha-enabled:/var/log/traefik
+      - "./captcha.html:/captcha.html"
       # - ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
     ports:
       - 8000:80
       - 8080:8080
     depends_on:
       - crowdsec
 
-  whoami:
+  whoami-foo:
     image: traefik/whoami
-    container_name: "whoaami"
+    container_name: "simple-service-custom-captcha-foo"
     restart: unless-stopped
     labels:
       - "traefik.enable=true"
       # Definition of the router
-      - "traefik.http.routers.router-foo.rule=Host(`localhost`)"
+      - "traefik.http.routers.router-foo.rule=PathPrefix(`/foo`)"
       - "traefik.http.routers.router-foo.entrypoints=web"
       - "traefik.http.routers.router-foo.middlewares=crowdsec@docker"
       # Definition of the service
@@ -42,19 +43,20 @@ services:
       - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
       - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
       - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
-     
+
       # Choose captcha provider
       - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaProvider=custom"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaCustomJsURL=http://captcha.localhost:8080/fast.js"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomValidateURL=http://captcha.localhost:8080/v0/siteverify"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomKey=wicketpeeker"
-      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomResponse=response"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaCustomJsURL=http://captcha.localhost:8000/fast.js"
+      # Inside Traefik container the plugin must be able to reach wicketkeeper service so we can go through a Traefik localhost
+      # domain which would resolve traefik itself and the port for the dashboard
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomValidateURL=http://wicketkeeper:8080/v0/siteverify"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomKey=wicketkeeper"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.CaptchaCustomResponse=wicketkeeper_solution"
       # Define captcha grade period seconds
       - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaGracePeriodSeconds=20"
       # Define captcha HTML file path
       - "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaHTMLFilePath=/captcha.html"
 
-
   crowdsec:
     image: crowdsecurity/crowdsec:v1.6.1-2
     container_name: "crowdsec"
@@ -65,39 +67,44 @@ services:
       BOUNCER_KEY_TRAEFIK_DEV: 40796d93c2958f9e58345514e67740e5
     volumes:
       # For captcha and ban mixed decision
-      - './profiles.yaml:/etc/crowdsec/profiles.yaml:ro' 
+      - "./profiles.yaml:/etc/crowdsec/profiles.yaml:ro"
       # For captcha only remediation
       # - './profiles_captcha_only.yaml:/etc/crowdsec/profiles.yaml:ro'
-      - './acquis.yaml:/etc/crowdsec/acquis.yaml:ro'
-      - logs-captcha-enabled:/var/log/traefik:ro
-      - crowdsec-db-captcha-enabled:/var/lib/crowdsec/data/
-      - crowdsec-config-captcha-enabled:/etc/crowdsec/
+      - "./acquis.yaml:/etc/crowdsec/acquis.yaml:ro"
+      - logs-custom-captcha-enabled:/var/log/traefik:ro
+      - crowdsec-db-custom-captcha-enabled:/var/lib/crowdsec/data/
+      - crowdsec-config-custom-captcha-enabled:/etc/crowdsec/
     labels:
       - "traefik.enable=false"
 
   wicketkeeper:
-    image: ghcr.io/a-ve/wicketkeeper:latest
+    image: ghcr.io/maxlerebourg/wicketkeeper:latest
     container_name: "wicketkeeper"
     environment:
-      - ROOT_URL=http://localhost:8080
+      - ROOT_URL=http://captcha.localhost:8000
       - LISTEN_PORT=8080
       - REDIS_ADDR=redis:6379
       - DIFFICULTY=4
       - ALLOWED_ORIGINS=*
+      - PRIVATE_KEY_PATH=/data/wicketkeeper.key
+    volumes:
+      - wicketkeeper-custom-captcha-enabled:/data
+    user: root
     labels:
       - "traefik.enable=true"
       # Definition of the router
       - "traefik.http.routers.router-wicketpeeker.rule=Host(`captcha.localhost`)"
       - "traefik.http.routers.router-wicketpeeker.entrypoints=web"
       # Definition of the service
-      - "traefik.http.services.service-foo.loadbalancer.server.port=8080"
+      - "traefik.http.services.service-whitekeeper.loadbalancer.server.port=8080"
     depends_on:
       - redis
 
   redis:
     image: redis/redis-stack-server:latest
-  
+
 volumes:
-  logs-captcha-enabled:
-  crowdsec-db-captcha-enabled:
-  crowdsec-config-captcha-enabled:
+  logs-custom-captcha-enabled:
+  wicketkeeper-custom-captcha-enabled:
+  crowdsec-db-custom-captcha-enabled:
+  crowdsec-config-custom-captcha-enabled: