Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
litespeed_wiki:config:recaptcha [2019/06/13 20:12]
Lisa Clarke Copyediting
litespeed_wiki:config:recaptcha [2020/01/23 19:42]
George Wang [End-user can define reCAPTCHA Actions Through Rewrite Rules in .htaccess]
Line 21: Line 21:
  
  
-When a visitor accesses the website , they will need to go though reCAPTCHA validation ​to protect ​against ​a DDoS attack such as HTTP Flood.+When a visitor accesses the website, they will need to go though reCAPTCHA validation. This validation protects the server ​against HTTP Flood and other DDoS attacks. 
 + 
 +After passing the reCAPTCHA validation, the visitor is temporarily whitelisted as long as they continue to browse the site. This makes for a better user experience. Once the visitor has been inactive for more than 20 minutes, reCAPTCHA is once again enabled for that visitor'​s next request.
  
 {{:​litespeed_wiki:​config:​recaptcha3.jpg|}} {{:​litespeed_wiki:​config:​recaptcha3.jpg|}}
Line 32: Line 34:
  
  
-==== Override/​Disable for Control Panel Virtual Hosts ====+==== Override/​Disable for Apache ​Virtual Hosts ====
 As of LSWS v5.4RC4, you can configure vhost-level reCAPTCHA via the ''​LsRecaptcha''​ directive in the virtual host include configuration. As of LSWS v5.4RC4, you can configure vhost-level reCAPTCHA via the ''​LsRecaptcha''​ directive in the virtual host include configuration.
  
Line 52: Line 54:
  
  
-===== Advanced Configuration:​ Define ​reCAPTCHA ​Actions Through Rewrite Rules =====+===== Set "​Trusted <​ip>"​ in .htaccess to bypass ​reCAPTCHA ​check ====
  
-If you want to further define the reCAPTCHA action as ''​deny''​ or ''​drop''​, you can use one of the following rewrite rule directives ​in control panel virtual host document root .htaccess:+Since LSWS 5.4RC1, LSWS added virtual host trusted IP support, where you use ''​Trusted 1.2.3.4, 5.6.7.8'' ​for IPv4 or ''​Trusted [2001:​db8:​85a3:​8d3:​1319:​8a2e:​370:​7348]'' ​for IPv6 in Virtual Host document root .htaccess ​to bypass reCAPTCHA, it also unblock blocked IP and make that IP trusted for that vhost.
  
-''​[E=verifycaptcha]''​ or ''​[E=verifycaptcha:​ ACTION]''​ 
  
-''​[E=verifycaptcha]''​ will always redirect ​to reCAPTCHA ​until verified''​ACTION''​ can be ''​deny'' ​to return a 403 or ''​drop'' ​to drop the connection when **Max Tries** is reached. Until Max Tries is reached, the client will be redirected to reCAPTCHA.+===== End-user can define reCAPTCHA Actions Through Rewrite Rules in .htaccess ===== 
 +If Server System Admin would like the end-user ​to control/​enable ​reCAPTCHA ​through ​.htaccess, System Admin will need to enable reCAPTCHA from server level globally and set server sensitivity ​to ''​0'' ​first
  
-For example:+''​[E=verifycaptcha]''​ can be used to enable reCAPTCHA to override server-level ''​0''​ sensitivity.
  
-<​code>​RewriteCond SOME-CONDITIONAL-CHECK+For example:
  
-RewriteRule .* - [E=verifycaptcha]</​code>​+<​code>​ 
 +<​IfModule LiteSpeed>​ 
 +RewriteCond SOME-CONDITIONAL-CHECK 
 +RewriteRule .* - [E=verifycaptcha] 
 +</​IfModule>​ 
 +</​code>​
  
 (''​SOME-CONDITIONAL-CHECK''​ would be a suspicious UA, IP address, etc.) (''​SOME-CONDITIONAL-CHECK''​ would be a suspicious UA, IP address, etc.)
 +
 +The end user can even further define the reCAPTCHA action as ''​deny''​ or ''​drop''​ in .htaccess through ''​[E=verifycaptcha:​ ACTION]''​
 +
 +For example:
 +<​code>​
 +<​IfModule LiteSpeed>​
 +RewriteCond SOME-CONDITIONAL-CHECK
 +RewriteRule .* - [E=verifycaptcha:​ deny]
 +</​IfModule>​
 +</​code>​
 +
 +or 
 +
 +<​code>​
 +<​IfModule LiteSpeed>​
 +RewriteCond SOME-CONDITIONAL-CHECK
 +RewriteRule .* - [E=verifycaptcha:​ drop]
 +</​IfModule>​
 +</​code>​
 +
 +**NOTE1**''​[E=verifycaptcha]''​ will always redirect to reCAPTCHA until verified. ''​ACTION''​ can be ''​deny''​ to return a 403 or ''​drop''​ to drop the connection when **Max Tries** is reached. Until Max Tries is reached, the client will be redirected to reCAPTCHA.
 +
 +**NOTE2**: In most cases, rewrite rules will override the default server behavior. However, in cases where trigger sensitivity is high, visitors may be sent directly to reCAPTCHA before the rewrite rules can even be processed.
  
 ===== Customize the Good Bots List ===== ===== Customize the Good Bots List =====
Line 74: Line 104:
 {{:​litespeed_wiki:​config:​recaptcha5.png|}} {{:​litespeed_wiki:​config:​recaptcha5.png|}}
  
-Here, we have configured '​Edge'​ in the Bot Whitelist text area. Bot Whitelist is a '​contains'​ match, but regex may be used as well.+Here, we have configured ​''Edge'' in the Bot Whitelist text area. Bot Whitelist is a ''​contains'' match (case sensitive), but regex may be used as well.
  
 After restarting, browsers containing Edge in the user-agent header will bypass reCAPTCHA: After restarting, browsers containing Edge in the user-agent header will bypass reCAPTCHA:
Line 86: Line 116:
 The default reCAPTCHA page is generic. If you would like to customize the page, you may do so by creating a file at ''​$SERVER_ROOT/​lsrecaptcha/​_recaptcha_custom.shtml''​. The default reCAPTCHA page is generic. If you would like to customize the page, you may do so by creating a file at ''​$SERVER_ROOT/​lsrecaptcha/​_recaptcha_custom.shtml''​.
  
-There are two script tags that are required and it is strongly recommended to avoid changing the form and the recaptchadiv unless you know what you are doing. There are three echos within the page itself. Those are used by the web server to customize the reCAPTCHA type and keys and specify any query string used.+There are two script tags that are required and it is strongly recommended to avoid changing the form and the ''​recaptchadiv'' ​unless you know what you are doing. There are three echos within the page itself. Those are used by the web server to customize the reCAPTCHA type and keys and specify any query string used.
  
 Beyond those required attributes, everything else is customizable. As noted before, please ensure that you have backups of the default page and your customized page. Note that the ''​.shtml''​ extension is required in order to use the LSWS configured type and keys. Beyond those required attributes, everything else is customizable. As noted before, please ensure that you have backups of the default page and your customized page. Note that the ''​.shtml''​ extension is required in order to use the LSWS configured type and keys.
  
 ===== Apply Your Own Site Key ===== ===== Apply Your Own Site Key =====
-You can apply your own reCAPTCHA key and adjust the configuration as you like. Client verification is completely determined by Google'​s reCAPTCHA service. The invisible type may display a difficult puzzle.+You can apply your own reCAPTCHA key and adjust the configuration as you like from [[https://​developers.google.com/​recaptcha/​intro|here]]. Client verification is completely determined by Google'​s reCAPTCHA service. The invisible type may display a difficult puzzle.
  
-For server wide protection that needs to cover a lot of domains, make sure ''​Verify the origin of reCAPTCHA''​ solutions is unchecked. Otherwise, you may need to apply a key for each domain.+For server wide protection that needs to cover a lot of domains, make sure ''​Verify the origin of reCAPTCHA''​ solutions is unchecked. Otherwise, you may need to apply a key for each domain. Please refer to google doc [[https://​developers.google.com/​recaptcha/​docs/​domain_validation|here]].
  
 ===== Set Trigger Sensitivity ===== ===== Set Trigger Sensitivity =====
Line 107: Line 137:
  
 Active connections * 100 / **Max Connections** > (100 - **Trigger Sensitivity**) Active connections * 100 / **Max Connections** > (100 - **Trigger Sensitivity**)
 +
 +For example:
 +
 +If **Max Connections** = ''​1000'',​ **Trigger Sensitivity** = ''​20'',​ and you currently have 900 connections,​ the formula would be evaluated like so:
 +
 +900 * 100 / 1000 > 100 - 20
 +
 +90 > 80 
 +
 +The result is true, so the incoming connection //will// be given a reCAPTCHA test.
 +
 +Calculating backwards, you can see that when the number of connections drops to less than 800, reCAPTCHA will not be invoked.
 +
  
 ===== reCAPTCHA Returning 403 and Dropping Connection ===== ===== reCAPTCHA Returning 403 and Dropping Connection =====
  • Admin
  • Last modified: 2020/05/20 20:25
  • by Shivam Saluja