forked from yaoweibin/nginx_http_recaptcha_module
Name
nginx_http_recaptcha_module - support Google's reCAPTCHA with Nginx
Description
This module can be deployed for spam or DDoS attack protection with Nginx.
It uses reCAPTCHA to distinguish humans from automated scripts.
The module works in these steps:
* First, a request arrives from the client. If the request carries a
correct secure cookie, it is handled normally. If not, the request is
redirected to the reCAPTCHA page.
* Second, the client types in the captcha letters.
* Third, Nginx sends the typed letters to the reCAPTCHA server for
verification.
* Fourth, the reCAPTCHA server's reply begins with "true..." for a
correct answer and with "false..." otherwise.
* Fifth, for a correctly verified client, Nginx sets the secure cookie
and redirects the client to the page which he wants to view.
HOW TO
* Install this module.
* Get a pair of reCAPTCHA keys from Google
(<https://www.google.com/recaptcha/admin/create>).
* Copy the template reCAPTCHA page from captcha_html/captcha.html to
your web directory.
* Replace the public key in the reCAPTCHA page.
* Replace the private key in the config file.
* Change the private key used in secure_cookie_md5 in the config file.
* Change the domain yourhost.com to your real domain.
Examples
location / {
    # $secure_cookie is "1" when the hash matches and the cookie has not
    # expired, "0" when the hash matches but the cookie has expired, and
    # "" (empty) when the hash does not match.
    secure_cookie $cookie_CAPTCHA_SESSION,$cookie_CAPTCHA_EXPIRES;
    secure_cookie_md5 private_key$binary_remote_addr$cookie_CAPTCHA_EXPIRES;
    # no cookie yet: send the client to the captcha page
    if ($cookie_CAPTCHA_SESSION = "") {
        rewrite ^.*$ /captcha.html redirect;
    }
    if ($cookie_CAPTCHA_EXPIRES = "") {
        rewrite ^.*$ /captcha.html redirect;
    }
    # expired: ask the client to solve a new captcha
    if ($secure_cookie = "0") {
        rewrite ^.*$ /captcha.html redirect;
    }
    # wrong hash: forged or tampered cookie, or a cookie issued to another
    # client address (the hash covers $binary_remote_addr)
    if ($secure_cookie = "") {
        return 403;
    }
    proxy_pass http://your_backend;
}

location = /captcha.html {
    root html;
}

location = /verify {
    eval_inherit_body on;
    eval_override_content_type 'text/plain';
    # ask the reCAPTCHA server whether the submitted answer is correct;
    # the reply body lands in $verify_content
    eval $verify_content {
        recaptcha_challenge_name $recaptcha_challenge_field;
        recaptcha_response_name $recaptcha_response_field;
        proxy_method POST;
        proxy_set_header Accept-Encoding "";
        proxy_set_body "privatekey=your_privatekey_from_google&remoteip=$remote_addr&challenge=$recaptcha_challenge_field&response=$recaptcha_response_field";
        rewrite .* /recaptcha/api/verify break;
        proxy_pass 'http://www.google.com';
    }
    # the reply is "true" or "false" on the first line, optionally
    # followed by an error code on the next line
    if ($verify_content ~* ^true\s*(.*)) {
        set $error_code $1;
        rewrite .* /set_secure_cookie last;
    }
    if ($verify_content ~* ^false\s*(.*)) {
        set $error_code $1;
        return 403;
    }
    return 404;
}

location = /set_secure_cookie {
    internal;
    secure_cookie_expires 1h;
    secure_cookie_md5 private_key$binary_remote_addr$secure_cookie_set_expires_base64;
    add_header Set-Cookie "CAPTCHA_SESSION=$secure_cookie_set_md5; expires=$secure_cookie_set_expires; path=/; domain=.yourhost.com";
    add_header Set-Cookie "CAPTCHA_EXPIRES=$secure_cookie_set_expires_base64; expires=$secure_cookie_set_expires; path=/; domain=.yourhost.com";
    # "redirect" already answers with a 302, so no separate return is needed
    rewrite ^.*$ http://www.yourhost.com redirect;
}
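The steps in the Description and the `if` chains in the example config above can be followed in an ordinary language. The script below is an added illustration written for this README; it is not code from nginx_http_recaptcha_module or nginx_secure_cookie_module and it does not talk to Nginx or Google. It models the cookie the `/set_secure_cookie` location issues, the three outcomes of `location /` (proxy, redirect to the captcha, 403) and the true/false parsing in `/verify`. Assumed, because the page does not state them: the hash is built like nginx's secure_link_md5 (MD5 over the concatenated expression, base64url without "=" padding), $binary_remote_addr is the 4-byte packed IPv4 address, and $secure_cookie_set_expires_base64 is plain base64 of the decimal expiry timestamp. The client addresses and timestamps are constructed sample values.

```python
"""Model of the README's cookie gate and verify step.

Added illustration, NOT code from nginx_http_recaptcha_module or
nginx_secure_cookie_module.  Assumptions (also marked inline):
  - secure_cookie_md5 works like nginx's secure_link_md5: MD5 over the
    concatenated expression, base64url-encoded with '=' padding removed;
  - $binary_remote_addr is the 4-byte packed IPv4 address;
  - $secure_cookie_set_expires_base64 is plain base64 of the decimal
    expiry timestamp.
"""
import base64
import binascii
import hashlib
import hmac
import re
import socket

PRIVATE_KEY = b"private_key"  # placeholder from the README example; change it


def _b64url_nopad(raw: bytes) -> str:
    # ASSUMED: the same encoding nginx uses for $secure_link_md5
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _cookie_hash(client_ip: str, expires_b64: str) -> str:
    # secure_cookie_md5 private_key$binary_remote_addr$cookie_CAPTCHA_EXPIRES
    msg = PRIVATE_KEY + socket.inet_aton(client_ip) + expires_b64.encode()
    return _b64url_nopad(hashlib.md5(msg).digest())


def set_secure_cookie(client_ip: str, now: int, ttl: int = 3600) -> dict:
    """Model of `location = /set_secure_cookie` (secure_cookie_expires 1h)."""
    expires_b64 = base64.b64encode(str(now + ttl).encode()).decode()  # ASSUMED
    return {"CAPTCHA_SESSION": _cookie_hash(client_ip, expires_b64),
            "CAPTCHA_EXPIRES": expires_b64}


def check_request(cookies: dict, client_ip: str, now: int) -> str:
    """Model of the `if` chain in `location /`.

    Returns "proxy" (pass to backend), "captcha" (redirect to
    /captcha.html) or "403".
    """
    session = cookies.get("CAPTCHA_SESSION", "")
    expires_b64 = cookies.get("CAPTCHA_EXPIRES", "")
    if session == "" or expires_b64 == "":
        return "captcha"          # no cookie yet: challenge the client
    # $secure_cookie = "" when the hash does not match: forged or tampered
    # cookie, or the same cookie replayed from another IP address, because
    # the hash covers $binary_remote_addr
    expected = _cookie_hash(client_ip, expires_b64)
    if not hmac.compare_digest(expected.encode(), session.encode()):
        return "403"
    # the hash matched, so the expiry was issued by us; $secure_cookie = "0"
    # once that time has passed
    try:
        expires = int(base64.b64decode(expires_b64, validate=True))
    except (ValueError, binascii.Error):
        return "403"
    if expires <= now:
        return "captcha"
    return "proxy"                # $secure_cookie = "1"


def parse_verify_response(body: str):
    """Model of the two regexes in `location = /verify`.

    The reCAPTCHA verify API answered "true" or "false" on the first line,
    followed by an error code.  Returns (ok, error_code), or None when the
    body matches neither pattern (the config answers 404 in that case).
    """
    m = re.match(r"^(true|false)\s*(.*)", body, re.IGNORECASE)
    if m is None:
        return None
    return m.group(1).lower() == "true", m.group(2).strip()


if __name__ == "__main__":
    ip, now = "203.0.113.7", 1_700_000_000      # constructed sample values
    cookies = set_secure_cookie(ip, now)
    print("fresh cookie, same IP :", check_request(cookies, ip, now + 10))
    print("same cookie, other IP :", check_request(cookies, "198.51.100.9", now + 10))
    print("one hour later        :", check_request(cookies, ip, now + 3601))
    print("no cookie             :", check_request({}, ip, now))
    print("verify reply          :", parse_verify_response("false\nincorrect-captcha-sol\n"))
```

Two properties of the config become visible when the script is run: a cookie copied to another client address is refused with 403 rather than re-challenged, and an expired cookie with a valid hash is re-challenged rather than refused. Clients whose address changes mid-session (mobile networks, load-balanced proxies) will therefore hit the 403 branch unless $binary_remote_addr is left out of the secure_cookie_md5 expression.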
Directives
recaptcha_challenge_name
syntax: *recaptcha_challenge_name
$variable_stored_content_of_recaptcha_challenge_field;*
default: *none*
context: *http, server, location*
description: The variable name must match the name of the challenge
input field in the form. This directive adds that variable, which is
meant to be used only in proxy_set_body; it holds the value of the
challenge input field. It is normally "$recaptcha_challenge_field".
recaptcha_response_name
syntax: *recaptcha_response_name
$variable_stored_content_of_recaptcha_response_field;*
default: *none*
context: *http, server, location*
description: The variable name must match the name of the response
input field in the form. This directive adds that variable, which is
meant to be used only in proxy_set_body; it holds the value of the
response input field. It is normally "$recaptcha_response_field".
Installation
Download the latest version of the release tarball of nginx_eval_module
from github (<https://github.com/yaoweibin/nginx-eval-module>).
Download the latest version of the release tarball of
nginx_secure_cookie_module from github
(<https://github.com/yaoweibin/nginx_secure_cookie_module>).
Download the latest version of the release tarball of this module from
github (<https://github.com/yaoweibin/nginx_http_recaptcha_module>).
Grab the nginx source code from nginx.org (<http://nginx.org/>), for
example version 0.8.54 (see nginx compatibility), and build it with
this module:
$ wget 'http://nginx.org/download/nginx-0.8.54.tar.gz'
$ tar -xzvf nginx-0.8.54.tar.gz
$ cd nginx-0.8.54/
$ ./configure --add-module=/path/to/nginx_http_recaptcha_module \
--add-module=/path/to/nginx_secure_cookie_module \
--add-module=/path/to/nginx_eval_module
$ make
$ make install
Compatibility
* My test bed is 0.8.54.
TODO
Known Issues
* Developing
* Google limits each key to 1 million reCAPTCHA requests per day; see
the FAQ (<http://www.google.com/recaptcha/faq>).
* If you use a global key for many sites, do not add the domain field
to the Set-Cookie header.
* The example config posts the private key and the user's answer to
http://www.google.com over plain HTTP. If Nginx is built with SSL
support, proxy to https://www.google.com instead so the private key is
not sent in the clear.
* The user's typed answer is interpolated into proxy_set_body without
URL-encoding, so characters such as "&" or "=" in the answer end up in
the form body verbatim.
* The example Set-Cookie headers carry neither the HttpOnly nor the
Secure flag; add them if the site is served over HTTPS and the cookie
should not be readable by scripts.
* The cookie hash covers $binary_remote_addr, so a client whose address
changes during a session gets a 403 rather than a new captcha.
* This module targets the original reCAPTCHA API (/recaptcha/api/verify
with challenge and response fields), which Google shut down on
March 31, 2018; a current deployment needs the verify step adapted to
a later reCAPTCHA version.
Changelogs
v0.1
* first release
Authors
Weibin Yao(姚伟斌) *yaoweibin at gmail dot com*
Copyright & License
This README template is copied from agentzh (<http://github.com/agentzh>).
This module is licensed under the BSD license.
Copyright (C) 2010 by Weibin Yao <[email protected]>.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.