reCAPTCHA Server-Wide Protection

March 18th, 2019 by Security 2 Comments

reCAPTCHA Server-Wide Protection: Verifying that you are not a robot

We are very excited to introduce a new feature to the LiteSpeed family: reCAPTCHA!

reCAPTCHA is yet another form of DDoS Server-Wide Protection that we provide in order to maintain excellent performance and reduce downtime. You can find out more about our DDoS Protection features here.

What is reCAPTCHA?

Most people use the reCAPTCHA system to detect whether a visitor is a human or a robot. When a visitor accesses a site or wants to submit a form, they must complete a challenge. The challenge makes a request to Google’s reCAPTCHA server for validation. Google responds to the challenge with a success or failure message. If successful, the site considers the visitor human, and permits form submission.

Most often, sites implement reCAPTCHA in the middle of a page, to ensure humans are the only submission sources. While this can help with data validation, by this point the visitor has already loaded the page. If the site is fully featured, it likely uses some backend technology – PHP, Ruby, Python, etc. If the site is under attack, a reCAPTCHA plugin will only help with validating results, but the server will still be bogged down with requests to the backend.

However, LiteSpeed recognizes a higher potential to be had with reCAPTCHA. reCAPTCHA provides more control when compared to most DDoS protection solutions. Good actors will be able to access the site and bad actors will be stopped, providing a powerful tool to mitigate resource usage if we avoid triggering backend engines.

The LiteSpeed Advantage

LiteSpeed provides flexibility and scalability with our reCAPTCHA implementation. For starters, our reCAPTCHA page uses SSI. It is essentially a static page. When a visitor completes the challenge, LiteSpeed adds the IP to a whitelist. Once on the whitelist, we do not need to verify the visitor again in the future. This means that the only cost to the server for visitors redirecting to our reCAPTCHA page is equivalent to serving a small resource. On a website that runs, for example, WordPress, this means handling over 10x more requests than an NGINX server with FCGI Cache, assuming the attacker is visiting a cached page.

Another advantage for LiteSpeed: reCAPTCHA doesn’t always have to be enabled. The LiteSpeed implementation uses a sensitivity scale. reCAPTCHA is activated automatically when the server undergoes heavy load.. When the load eases up, we deactivate reCAPTCHA, leaving a frictionless experience for the visitors. In addition to the sensitivity scale, you can also use rewrite rules to enable reCAPTCHA. With rewrite rules, you can better control where reCAPTCHA activates down to a page-by-page basis

How does it work?

reCAPTCHA Server-Wide Protection: ScreenShot

LiteSpeed redirects non trusted visitors to a static page when the server detects high load. The static page generates a challenge for the visitor. Upon completion, the verification runs through LiteSpeed. LiteSpeed comes bundled with an executable that takes the challenge response and forwards the request to Google. If successful, Google replies with a response header that indicates success to LiteSpeed. Future visits by the same client will not be subjected to further reCAPTCHA checks.

LiteSpeed denies clients that fail by dropping the connection or returning a 403 error.

We permit access to a predefined list of “good bots”. Admins can add to this list via configuration options. In addition, good bots are not completely unlimited – if they visit the server too frequently (another configurable option), we redirect them to reCAPTCHA. This denies access in case a bad actor attempts to bypass verification by impersonating a good bot.

How to Configure LiteSpeed Products to Use reCAPTCHA:

You can find the server level reCAPTCHA settings in the Web Admin under Configuration > Server > Security after CGI Settings. At minimum, Enable reCAPTCHA and Trigger Sensitivity** should be set.

  • Enable reCAPTCHA enables it server wide.
  • Trigger Sensitivity** is a scale to configure the server “busy-ness” sensitivity level. Set to 0 to disable reCAPTCHA, and 100 to always trigger reCAPTCHA.

Other options

  • Site Key & Secret Key are keys that you can generate yourself for Google’s reCAPTCHA. LiteSpeed has a default set of keys, so this is not required, but is available if you prefer to use your own set of keys.
  • reCAPTCHA Type indicates to the static page which type of reCAPTCHA to use. Currently, reCAPTCHA v2 Invisible and reCAPTCHA v2 Checkbox are available. Invisible will attempt to submit a reCAPTCHA challenge without user input, but it is still possible for the user to need to complete a challenge. Checkbox requires the visitor to check a box before the challenge is issued.
  • Max Tries is the number of attempts the visitor is allowed before LiteSpeed blocks the IP. Sometimes, reCAPTCHA may not show up properly for the visitor, so we recommend setting a low number greater than 1. 3 is the default.
  • Allowed Robot Hits is the number of visits allowed by a bot to the server per 10 seconds. Each visit by the bot that triggers the reCAPTCHA logic (most every request that is “normal”) will increment the count. The default is 3, but if your sites have some bots that crawl the sites, we recommend that you have a higher count.
  • Bot White List is a Regex-supported list of user agents to count as a “Good Bot”. Some bots such as Googlebot are considered good by default (Googlebot is unlimited if we can confirm that the visitor is in fact Googlebot.), but this is provided for a customized list, if needed.

**Trigger Sensitivity is a LSWS configuration only. The ADC (and soon, OLS) use a concurrent HTTP connection count and a concurrent HTTPS connection count.

Tips and Tricks

reCAPTCHA Server-Wide Protection: Setup

You can configure reCAPTCHA on a per-vhost basis. However, you must enable reCAPTCHA at the server level in order for it to take effect at all. If you prefer to disable it server wide and only enable it on certain VHosts, you can set the Trigger Sensitivity to 0 at the server level.

As mentioned, LiteSpeed only redirects non-trusted visitors. Check the Access Control Settings to configure trusted IPs.

LiteSpeed redirects to reCAPTCHA once every few seconds (up to 10 seconds), and throttles all other requests. This is to prevent triggering reCAPTCHA too often, which would result in an extremely difficult challenge.

Sometimes, the reCAPTCHA static page hangs. This may be because a resource (.css, .js) has triggered reCAPTCHA. Wait a few seconds and try again. The page should redirect properly.

The default static page is located at `$SERVER_ROOT/lsrecaptcha/_recaptcha.shtml`. If you want to customize it, you can create a `$SERVER_ROOT/lsrecaptcha/_recaptcha_custom.shtml` page. If LiteSpeed finds the custom page, we use that one instead. Take care to keep the required fields. See our wiki for more information.

reCAPTCHA is currently available on LiteSpeed Web Server v5.4RC1 and later, and LiteSpeed Web ADC v2.4 and later. Coming soon to OpenLiteSpeed.


Related Posts