Update HAProxy SPOA documentation with new cookie management approach (#887)

LaurenceJJones · web-flow · commit aca2a0e2bcab · 2025-10-16T15:37:58.000+01:00
* Update HAProxy SPOA documentation with new cookie management approach

- Add new cookie management section explaining the improved approach
- Update HAProxy configuration examples to include http-after-response directives
- Add automatic cookie setting/clearing based on captcha_status
- Improve documentation for CAPTCHA cookie handling

* Remove dedicated Cookie Management section

- Remove the standalone Cookie Management (New Approach) section
- Keep cookie management configuration examples in HAProxy config sections
diff --git a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx
@@ -170,6 +170,13 @@ frontend http-in
     filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg
     http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)]
     http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found }
+    
+    ## Handle captcha cookie management via HAProxy (new approach)
+    ## Set captcha cookie when SPOA provides captcha_status (pending or valid)
+    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found }
+    ## Clear captcha cookie when cookie exists but no captcha_status (Allow decision)
+    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found }
+    
     use_backend <whatever>
 
 backend crowdsec-spoa
@@ -212,6 +219,7 @@ recaptcha
 turnstile
 ```
 
+
 ### Prometheus Metrics
 
 Enable and expose metrics:
@@ -393,6 +401,12 @@ frontend test
     http-request set-header X-CrowdSec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
     http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found }
 
+    ## Handle captcha cookie management via HAProxy (new approach)
+    ## Set captcha cookie when SPOA provides captcha_status (pending or valid)
+    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found }
+    ## Clear captcha cookie when cookie exists but no captcha_status (Allow decision)
+    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found }
+
     use_backend test_backend
 ```
 
