Merge main into refactor-captcha-stateless

Resolved conflicts while maintaining stateless captcha design:
- Adopted new dropmorepackets/haproxy-go SPOP library from main
- Kept stateless JWT-based captcha tokens (CaptchaToken)
- Removed session-based captcha handling
- Integrated duration metrics (CaptchaValidationDuration, GeoLookupDuration)
- Updated captcha handling to use encoding.ActionWriter API
- Kept CookieGenerator.GenerateUnsetCookie for clearing cookies on Allow

Author: LaurenceJJones

Dockerfile

@@ -4,43 +4,53 @@ FROM golang:${GOVERSION}-alpine AS build
 
 WORKDIR /go/src/cs-spoa-bouncer
 
-RUN apk add --update --no-cache make git
+RUN apk add --update --no-cache make git ca-certificates
 COPY . .
 
 RUN make build DOCKER_BUILD=1
 
-FROM alpine:latest
-COPY --from=build /go/src/cs-spoa-bouncer/crowdsec-spoa-bouncer /usr/local/bin/crowdsec-spoa-bouncer
-COPY --from=build /go/src/cs-spoa-bouncer/config/crowdsec-spoa-bouncer.yaml /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml
-COPY --from=build /go/src/cs-spoa-bouncer/docker/docker_start.sh /docker_start.sh
+# Create directory structure for scratch image (with .keep files so COPY works)
+RUN mkdir -p /run/crowdsec-spoa /var/log/crowdsec-spoa && \
+    touch /run/crowdsec-spoa/.keep /var/log/crowdsec-spoa/.keep
 
-# Set permissions for config file and binary
-RUN chmod 644 /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml && \
-    chmod 755 /usr/local/bin/crowdsec-spoa-bouncer
+# Final minimal image
+FROM scratch
 
-## Add the same haproxy user as the official haproxy image
-RUN addgroup -g 99 -S haproxy && adduser -S -D -H -u 99 -h /var/lib/haproxy -s /sbin/nologin -G haproxy -g haproxy haproxy
-## Add worker user
-RUN addgroup -S crowdsec-spoa && adduser -S -D -H -s /sbin/nologin -g crowdsec-spoa crowdsec-spoa
+# Default environment variables (can be overridden at runtime)
+ENV LOG_MODE=stdout \
+    LOG_LEVEL=info \
+    CROWDSEC_URL=http://crowdsec:8080/ \
+    UPDATE_FREQUENCY=10s \
+    INSECURE_SKIP_VERIFY=false \
+    LISTEN_TCP=0.0.0.0:9000 \
+    PROMETHEUS_ENABLED=true \
+    PROMETHEUS_ADDR=0.0.0.0 \
+    PROMETHEUS_PORT=6060
 
-## Create a socket for the spoa to inherit crowdsec-spoa:haproxy user from official haproxy image
-RUN mkdir -p /run/crowdsec-spoa/ && chown crowdsec-spoa:haproxy /run/crowdsec-spoa/ && chmod 770 /run/crowdsec-spoa/
+# Copy CA certificates for HTTPS connections to LAPI
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-## Copy Lua files (matching Debian/RPM paths)
-RUN mkdir -p /usr/lib/crowdsec-haproxy-spoa-bouncer/lua
-COPY --from=build /go/src/cs-spoa-bouncer/lua/* /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
+# Copy the static binary
+COPY --from=build /go/src/cs-spoa-bouncer/crowdsec-spoa-bouncer /crowdsec-spoa-bouncer
 
-## Copy templates (matching Debian/RPM paths)
-RUN mkdir -p /var/lib/crowdsec-haproxy-spoa-bouncer/html
-COPY --from=build /go/src/cs-spoa-bouncer/templates/* /var/lib/crowdsec-haproxy-spoa-bouncer/html/
+# Copy Docker-optimized config file
+COPY --from=build /go/src/cs-spoa-bouncer/config/crowdsec-spoa-bouncer.docker.yaml /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml
 
-RUN chown -R root:haproxy /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html
+# Copy Lua files for HAProxy integration
+COPY --from=build /go/src/cs-spoa-bouncer/lua/ /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
 
-VOLUME [ "/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/", "/var/lib/crowdsec-haproxy-spoa-bouncer/html/" ]
+# Copy HTML templates for ban/captcha pages
+COPY --from=build /go/src/cs-spoa-bouncer/templates/ /var/lib/crowdsec-haproxy-spoa-bouncer/html/
 
-RUN chmod +x /docker_start.sh
+# Copy runtime directories (required for Unix socket and logs)
+COPY --from=build /run/crowdsec-spoa/ /run/crowdsec-spoa/
+COPY --from=build /var/log/crowdsec-spoa/ /var/log/crowdsec-spoa/
 
-# Run as user
-USER crowdsec-spoa
+# Declare volumes for customizable content
+VOLUME /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
+VOLUME /var/lib/crowdsec-haproxy-spoa-bouncer/html/
 
-ENTRYPOINT ["/docker_start.sh"]
+EXPOSE 9000 6060
+
+ENTRYPOINT ["/crowdsec-spoa-bouncer"]
+CMD ["-c", "/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml"]

Vagrantfile

@@ -0,0 +1,156 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.define "dev" do |vm|
+    vm.vm.box = "debian/bookworm64"
+    vm.vm.hostname = "crowdsec-spoa-test"
+    vm.vm.network "private_network", ip: "192.168.56.10"
+    vm.vm.network "forwarded_port", guest: 9090, host: 9090
+
+    vm.vm.provider "libvirt" do |lv|
+      lv.memory = "4096"
+      lv.cpus = 2
+    end
+
+    vm.vm.synced_folder ".", "/vagrant", type: "rsync", rsync__exclude: [".git/", "node_modules/", "*.log"]
+
+    vm.vm.provision "shell", inline: <<-SHELL
+      set -e
+
+      # Update system and install base packages
+      apt-get update && apt-get upgrade -y
+      apt-get install -y tcpdump vim curl wget git build-essential ca-certificates \
+        gnupg lsb-release apt-transport-https software-properties-common nginx unzip
+
+      # Install HAProxy 3.1
+      curl -fsSL https://haproxy.debian.net/haproxy-archive-keyring.gpg \
+        --create-dirs --output /etc/apt/keyrings/haproxy-archive-keyring.gpg
+      echo "deb [signed-by=/etc/apt/keyrings/haproxy-archive-keyring.gpg]" \
+        https://haproxy.debian.net bookworm-backports-3.1 main > /etc/apt/sources.list.d/haproxy.list
+      apt-get update && apt-get install -y haproxy=3.1.*
+
+      # Install Go 1.25.2
+      GO_VERSION="1.25.2"
+      wget -qO- "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" | tar -xzC /usr/local
+      echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
+      echo 'export PATH=$PATH:/usr/local/go/bin' >> /home/vagrant/.bashrc
+
+      # Install CrowdSec
+      curl -s https://install.crowdsec.net | sh
+      apt-get install -y crowdsec
+
+      # Install Nuclei for AppSec testing
+      NUCLEI_VERSION="3.1.7"
+      wget -qO /tmp/nuclei.zip "https://github.com/projectdiscovery/nuclei/releases/download/v${NUCLEI_VERSION}/nuclei_${NUCLEI_VERSION}_linux_amd64.zip"
+      unzip -q /tmp/nuclei.zip -d /tmp && mv /tmp/nuclei /usr/local/bin/nuclei && chmod +x /usr/local/bin/nuclei
+      rm -f /tmp/nuclei.zip
+      nuclei -update-templates -silent 2>/dev/null || true
+
+      # Clone CrowdSec Hub
+      git clone -q https://github.com/crowdsecurity/hub.git /opt/hub || true
+
+      # Create user and directories
+      groupadd -r crowdsec-spoa 2>/dev/null || true
+      useradd -r -g crowdsec-spoa -d /opt/crowdsec-spoa-bouncer -s /bin/false crowdsec-spoa 2>/dev/null || true
+      mkdir -p /opt/crowdsec-spoa-bouncer /etc/crowdsec/bouncers /var/log/crowdsec-spoa-bouncer \
+        /run/crowdsec-spoa /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html
+      chown -R crowdsec-spoa:crowdsec-spoa /opt/crowdsec-spoa-bouncer /var/log/crowdsec-spoa-bouncer /run/crowdsec-spoa
+
+      # Copy Lua scripts and templates
+      mkdir -p /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html
+      cp /vagrant/lua/*.lua /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/ 2>/dev/null || true
+      cp /vagrant/templates/*.html /var/lib/crowdsec-haproxy-spoa-bouncer/html/ 2>/dev/null || true
+      chmod 644 /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/*.lua 2>/dev/null || true
+      chmod 644 /var/lib/crowdsec-haproxy-spoa-bouncer/html/*.html 2>/dev/null || true
+
+      # Configure nginx
+      cat > /etc/nginx/sites-available/default << 'EOF'
+server {
+    listen 4444 default_server;
+    listen [::]:4444 default_server;
+
+    root /var/www/html;
+    index index.html index.htm index.nginx-debian.html;
+
+    server_name _;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+}
+EOF
+
+      # Copy and configure HAProxy
+      cp /vagrant/config/haproxy.cfg /etc/haproxy/haproxy.cfg 2>/dev/null || true
+      cp /vagrant/config/crowdsec.cfg /etc/haproxy/crowdsec.cfg 2>/dev/null || true
+      # Update server addresses and remove the second SPOA server (port 9001 doesn't exist)
+      sed -i 's/whoami:2020/127.0.0.1:4444/g; s/spoa:9000/127.0.0.1:9000/g; /server s3 spoa:9001/d' \
+        /etc/haproxy/haproxy.cfg 2>/dev/null || true
+      # Increase SPOA processing timeout to accommodate AppSec calls (AppSec has 5s timeout)
+      sed -i 's/timeout\s\+processing\s\+500ms/timeout     processing      6s/' \
+        /etc/haproxy/crowdsec.cfg 2>/dev/null || true
+
+      # Copy and configure bouncer
+      cp /vagrant/config/crowdsec-spoa-bouncer.yaml.local /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml 2>/dev/null || true
+      # Update URLs (match with or without trailing slash) and API key
+      sed -i 's|http://crowdsec:8080|http://127.0.0.1:8080|g; s|http://crowdsec:7422|http://127.0.0.1:4241|g; s|api_key:.*|api_key: this_is_a_bad_password|g' \
+        /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml 2>/dev/null || true
+
+      # Configure AppSec before starting CrowdSec
+      # Install AppSec collections first
+      cscli collections install crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules || true
+      
+      # Configure AppSec acquisition
+      mkdir -p /etc/crowdsec/acquis.d
+      cat > /etc/crowdsec/acquis.d/appsec.yaml << 'EOF'
+appsec_config: crowdsecurity/appsec-default
+labels:
+  type: appsec
+listen_addr: 0.0.0.0:4241
+source: appsec
+EOF
+
+      # Now start all services with CrowdSec properly configured
+      systemctl enable --now nginx haproxy crowdsec
+      sleep 5
+      cscli bouncers add crowdsec-spoa-bouncer --key this_is_a_bad_password 2>/dev/null || true
+    SHELL
+
+    vm.vm.provision "shell", run: "always", inline: <<-SHELL
+      set -e
+      export PATH=$PATH:/usr/local/go/bin
+
+      # Build SPOA bouncer
+      if [ -f "/vagrant/main.go" ]; then
+        cd /vagrant
+        if go build -ldflags="-s -w" -o /opt/crowdsec-spoa-bouncer/crowdsec-spoa-bouncer .; then
+          chown crowdsec-spoa:crowdsec-spoa /opt/crowdsec-spoa-bouncer/crowdsec-spoa-bouncer
+          chmod +x /opt/crowdsec-spoa-bouncer/crowdsec-spoa-bouncer
+
+          # Install systemd service
+          cp /vagrant/config/crowdsec-spoa-bouncer.service /etc/systemd/system/crowdsec-spoa-bouncer.service
+          sed -i 's|${BIN}|/opt/crowdsec-spoa-bouncer/crowdsec-spoa-bouncer|g; s|${CFG}|/etc/crowdsec/bouncers|g' \
+            /etc/systemd/system/crowdsec-spoa-bouncer.service
+          sed -i 's|Type=notify|Type=simple|g; /ExecStartPre=/d' \
+            /etc/systemd/system/crowdsec-spoa-bouncer.service
+
+          systemctl daemon-reload
+          systemctl enable --now crowdsec-spoa-bouncer
+        fi
+      fi
+
+      # Restart services in order
+      systemctl restart nginx
+      sleep 2
+      systemctl restart crowdsec-spoa-bouncer 2>/dev/null || true
+      sleep 3
+      systemctl restart haproxy
+
+      # Verify services
+      for svc in nginx crowdsec-spoa-bouncer haproxy; do
+        systemctl is-active --quiet $svc && echo "✅ $svc: running" || echo "❌ $svc: failed"
+      done
+    SHELL
+  end
+end