Update HAProxy SPOA documentation with new cookie management approach

LaurenceJJones · LaurenceJJones · commit ce169c0a24e5 · 2025-09-23T15:05:26.000+01:00
- Add new cookie management section explaining the improved approach
- Update HAProxy configuration examples to include http-after-response directives
- Add automatic cookie setting/clearing based on captcha_status
- Improve documentation for CAPTCHA cookie handling
diff --git a/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx b/crowdsec-docs/unversioned/bouncers/haproxy_spoa.mdx
@@ -170,6 +170,13 @@ frontend http-in
     filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg
     http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)]
     http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found }
+    
+    ## Handle captcha cookie management via HAProxy (new approach)
+    ## Set captcha cookie when SPOA provides captcha_status (pending or valid)
+    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found }
+    ## Clear captcha cookie when cookie exists but no captcha_status (Allow decision)
+    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found }
+    
     use_backend <whatever>
 
 backend crowdsec-spoa
@@ -212,6 +219,23 @@ recaptcha
 turnstile
 ```
 
+#### Cookie Management (New Approach)
+
+The HAProxy SPOA bouncer now supports improved cookie management for CAPTCHA handling. This new approach uses `http-after-response` directives to manage CAPTCHA cookies more efficiently:
+
+```haproxy
+## Handle captcha cookie management via HAProxy (new approach)
+## Set captcha cookie when SPOA provides captcha_status (pending or valid)
+http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found }
+## Clear captcha cookie when cookie exists but no captcha_status (Allow decision)
+http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found }
+```
+
+This approach provides:
+- Automatic cookie setting when CAPTCHA status is pending or valid
+- Automatic cookie clearing when the decision is to allow (no CAPTCHA status)
+- More reliable cookie management compared to previous methods
+
 ### Prometheus Metrics
 
 Enable and expose metrics:
@@ -393,6 +417,12 @@ frontend test
     http-request set-header X-CrowdSec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
     http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m found }
 
+    ## Handle captcha cookie management via HAProxy (new approach)
+    ## Set captcha cookie when SPOA provides captcha_status (pending or valid)
+    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found }
+    ## Clear captcha cookie when cookie exists but no captcha_status (Allow decision)
+    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found }
+
     use_backend test_backend
 ```
 
