documentation new haproxy spoa configuration for captcha redirect (#888)

LaurenceJJones · web-flow · commit 3c52dfe680d8 · 2025-10-16T15:40:27.000+01:00
* Implement native HAProxy redirect for CAPTCHA validation

- Replace Lua-based redirect with native HAProxy 302 redirect for allow decisions
- Add performance optimization by calling Lua only for ban and captcha remediations
- Update both HAProxy configuration examples with the new approach
- Add dedicated section explaining the performance benefits
- Reduce overhead and improve scalability by minimizing Lua processing

* Remove dedicated section, keep only updated configuration examples

- Remove the standalone Native HAProxy Redirect section
- Keep the updated configuration examples with native redirects and performance optimizations
diff --git a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx
@@ -169,7 +169,13 @@ frontend http-in
     bind *:80
     filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg
     http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)]
-    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found }
+    
+    ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
+    http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
+    
+    ## Call lua script only for ban and captcha remediations (performance optimization)
+    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" }
+    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" }
     
     ## Handle captcha cookie management via HAProxy (new approach)
     ## Set captcha cookie when SPOA provides captcha_status (pending or valid)
@@ -399,7 +405,13 @@ frontend test
 
     http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
     http-request set-header X-CrowdSec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
-    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found }
+    
+    ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
+    http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
+    
+    ## Call lua script only for ban and captcha remediations (performance optimization)
+    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" }
+    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" }
 
     ## Handle captcha cookie management via HAProxy (new approach)
     ## Set captcha cookie when SPOA provides captcha_status (pending or valid)
