reCAPTCHA with OpenLiteSpeed

As of OpenLiteSpeed 1.5.1, reCAPTCHA is available as a method of defense against DDoS attack.

How To Enable at the Server Level

Access the WebAdmin console via https://YOUR_SERVER_IP:7080

Navigate to Configuration > Server > Security > LS reCAPTCHA

  • Enable reCAPTCHA: The master switch. This should be set to Yes. If you wish to use reCAPTCHA at the virtual host level, then you must first enable it here, at the server level. reCAPTCHA will be activated when the number of concurrent requests reaches the configured Connection Limit.
  • Connection Limit: The number of concurrent connections (SSL & non-SSL) needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent connections drop below this number. Initially you should set this number low enough for easy testing, for example 2. The default value is 15000, which makes it almost impossible to activate the reCAPTCHA.
  • SSL Connection Limit: The number of concurrent SSL connections needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent connections drop below this number. Initially you should set this number low enough for easy testing, for example 2. The default value is 10000, which makes it almost impossible to activate the reCAPTCHA.
  • reCAPTCHA Type: The reCAPTCHA type to use with the key pairs. If a key pair has not been provided and this setting is set to Not Set, a default key pair of type Invisible will be used. Checkbox will display a check box reCAPTCHA for the visitor to validate. Invisible will attempt to validate the reCAPTCHA automatically and, if successful, will redirect to the desired page. Invisible is the default, but for easy testing you can switch to Checkbox.
  • Site Key: The public key provided by Google via its reCAPTCHA service. A default Site Key will be used if not set.
  • Secret Key: The private key provided by Google via its reCAPTCHA service. A default Secret Key will be used if not set.
  • Max Tries: The maximum number of reCAPTCHA attempts permitted before denying the visitor. Default value is 3.
  • Allowed Robot Hits: Number of hits per 10 seconds to allow “good bots” to pass. Bots will still be throttled when the server is under load. Default value is 3.
  • Bot White List: List of custom user agents to allow access. These will be subject to the “good bots” limitations, including Allowed Robot Hits.

How To Enable at the Virtual Host Level

Tip: Server-level reCAPTCHA must be enabled, as it is the master switch.

Virtual-host-level connection limits will override server level limits.

Virtual-host-level reCAPTCHA is enabled through the WebAdmin console. (It is not possible to enable reCAPTCHA through Rewrite Rules with OLS. That functionality is currently only available with LiteSpeed Enterprise.)

Navigate to Configuration > Virtual Hosts > Security and set LS reCAPTCHA > Enable reCAPTCHA to Yes.

  • Concurrent Request Limit: The number of concurrent requests needed to activate reCAPTCHA. reCAPTCHA will be used until concurrent requests drop below this number. Initially you should set this number low enough for easy testing, for example 2. The default value is 15000, which makes it almost impossible to activate the reCAPTCHA.
  • reCAPTCHA Type: The reCAPTCHA type to use with the key pairs. If a key pair has not been provided and this setting is set to Not Set, a default key pair of type Invisible will be used. Checkbox will display a check box reCAPTCHA for the visitor to validate. Invisible will attempt to validate the reCAPTCHA automatically and, if successful, will redirect to the desired page. Invisible is the default, but for easy testing you can switch to Checkbox.
  • Max Tries: The maximum number of reCAPTCHA attempts permitted before denying the visitor. Default value is 3.

Customizing the Good Bots List

Google bots are considered good bots because they help index your site. However, they cannot do their job properly without receiving the correct page. The Bot White List configuration may be used to specify bots that you may need for your site.

Here, we have configured Edge in the Bot White List text area. Bot White List uses a contains match, but regex may be used as well.

After restarting, browsers containing Edge in the user-agent header will bypass reCAPTCHA. In the screenshot, the browser on the left is Microsoft Edge and the browser on the right is Chrome.

The Allowed Robot Hits configuration may be used to limit how many times a good bot (including Googlebot) is allowed to hit a URL before it is redirected to reCAPTCHA as well. This may be useful to prevent bad actors from bypassing reCAPTCHA using a custom user agent.
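As an added illustration (not OpenLiteSpeed's own code), the model below shows how the Bot White List contains/regex match and the Allowed Robot Hits window interact: a whitelisted user agent, including a custom one that merely contains "Edge", passes only a limited number of hits per 10 seconds while reCAPTCHA is active, and every other visitor is challenged. Class and method names are assumptions; the 10-second window and the default of 3 hits come from the settings described above.

```python
import re
from collections import defaultdict, deque

# Length of the Allowed Robot Hits window, as described on the page (hits per 10 seconds).
WINDOW_SECONDS = 10


class GoodBotGate:
    """Illustrative model (assumed names, not OLS code) of the good-bots path."""

    def __init__(self, bot_white_list, allowed_robot_hits=3):
        # Every entry is compiled as a regex. A plain substring such as "Edge"
        # is also a valid regex, so re.search() gives the "contains match"
        # behaviour while still allowing entries like r"Googlebot/\d".
        self.patterns = [re.compile(entry) for entry in bot_white_list]
        self.allowed_robot_hits = allowed_robot_hits
        self.hits = defaultdict(deque)  # client address -> timestamps of recent hits

    def is_whitelisted(self, user_agent):
        return any(p.search(user_agent) for p in self.patterns)

    def decide(self, client, user_agent, now, recaptcha_active=True):
        """Return 'pass' or 'challenge' for one request at time `now` (seconds).

        recaptcha_active is False while concurrent connections are below the
        configured Connection Limit; nobody is challenged in that state.
        """
        if not recaptcha_active:
            return "pass"
        if not self.is_whitelisted(user_agent):
            return "challenge"  # ordinary visitor: always sent to reCAPTCHA
        window = self.hits[client]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()  # forget hits that fell out of the 10-second window
        if len(window) >= self.allowed_robot_hits:
            return "challenge"  # good bot exceeded Allowed Robot Hits
        window.append(now)
        return "pass"


def demo():
    """Constructed traffic: a real Edge UA and a custom UA that merely contains 'Edge'."""
    gate = GoodBotGate(["Edge", r"Googlebot/\d"], allowed_robot_hits=3)
    edge_ua = "Mozilla/5.0 (Windows NT 10.0) Edge/18.0"  # constructed
    custom_ua = "custom-agent/1.0 Edge"                  # constructed
    edge = [gate.decide("198.51.100.7", edge_ua, t) for t in (0, 1, 2, 3)]
    custom = [gate.decide("203.0.113.9", custom_ua, t) for t in (0, 1, 2, 3)]
    return edge, custom  # both: three passes, then a challenge
```

Both user agents are treated identically, which is why Allowed Robot Hits is the control that still limits a custom user agent that matches the whitelist.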

Customizing the reCAPTCHA Page

The default reCAPTCHA page is generic. If you would like to customize the page, you may do so by creating a file at $SERVER_ROOT/lsrecaptcha/_recaptcha_custom.shtml.

There are two required script tags, and it is strongly recommended not to change the form or the recaptchadiv unless you know what you are doing. There are three echo directives within the page itself; the web server uses them to set the reCAPTCHA type and keys and to pass along any query string.

Beyond those required attributes, everything else is customizable. Please ensure that you have backups of the default page and your customized page. Note that the .shtml extension is required in order to use the configured type and keys.

Apply Your Own Site Key

You can apply your own reCAPTCHA key and adjust the configuration as you like. Client verification is completely determined by Google’s reCAPTCHA service. The invisible type may display a difficult puzzle.

For server-wide protection that needs to cover a lot of domains, make sure “Verify the origin of reCAPTCHA solutions” is unchecked in the Google reCAPTCHA key settings. Otherwise, you may need to apply a key for each domain.

reCAPTCHA Returning 403 and Dropping Connection

If reCAPTCHA fails a few times, it will return a 403 error and then drop the connection from that IP. This is by design, in order to block attacks. If the invisible reCAPTCHA keeps auto-refreshing and then fails, just change the type to one-click.

Blocked IP Addresses

If a visitor is not given the full number of Max Tries before being blocked, check the blacklist. If the visitor’s IP is not explicitly blacklisted, it may be temporarily blocked due to previously failed reCAPTCHA attempts. Clearing the RAM will remove the IP from the temporarily blocked list.

If you are a Cloudflare user, you might have to whitelist the Cloudflare IPs with Trusted status in order to prevent reCAPTCHA challenges from being presented to all visits proxied through Cloudflare.