Fossil Forum

sudofoss 1 month, 2 weeks ago

Post: Put Fossil server behind an existing captcha

This is my first post so I want to thank the team first for creating Fossil and SQLite and making these excellent one-of-a-kind tools freely available for all.

I am attempting to set up a Fossil server for the first time and so far everything has been going on without any issue thanks to the excellent and comprehensive documentation available here.

In this case, Fossil is being added to an existing website as a CGI process. Following the manual, a small file with the '.cgi' extension was created, with the first line consisting of a shebang and the fossil binary path, and the second line consisting of the fossil repository path, which works as expected.

The website has already a custom CAPTCHA solution which basically creates a token after the user solves the captcha correctly, stores it server-side in a small SQLite file and stores it client-side in a cookie. Whenever the user tries to access any page the cookie is checked and, if the value of the cookie is not found in the sqlite file, the user is redirected to the captcha page.

The website is located in a shared-hosting/virtual-host environment using Apache, and PHP is already installed. The custom sqlite/captcha solution was implemented in PHP.

My question is if it is possible to put Fossil behind this existing cookie mechanism (I am aware that Fossil has its own 'robot defense' mechanisms). I guess this is a pretty simple problem, but I am not a very experienced server administrator.

Any tips to achieve this are welcome.

sudofoss 1 month, 1 week ago

Quick followup to ask if this is a question outside of the scope of the Fossil forum, or if there is rather no obvious straightforward answer to such a problem.

stephan 1 month, 1 week ago

Quick followup to ask...

It's not out of scope, just exotic.

MelvaigT 1 month, 1 week ago

There is a saying: the only simple problems are the ones that are not understood yet.

Or to put that another way, try to ask the right question, and give the people you ask any necessary information.

In your case: the 'simple' answer is that the script you have already written needs to be extended with the logic you describe. But that jumps the gun a bit: you should only be doing this if you have already made up your mind that your own anti-robot defence is better than the one Fossil itself provides. It isn't clear if you have considered that question, or the follow-up one: are the details of the logic compatible with what Fossil does?

My best guess is you should not be doing this in the first place. What you do need to do is make sure you have monitoring in place on your web server to ensure you know if you are under attack, and can identify whether such an attack is related to either the existing site or Fossil. You need this anyway to evaluate your suggestion if you do decide to implement it.

As to what you describe of your current solution: it sounds a bit like the old 'select all pictures with traffic lights' approach. There is a reason many sites do not use this any more: many of the most troublesome robots belong to AI engineers trying to catch up with Google and friends in terms of access to training data. These folks have the technology to identify picture content.

I am no longer convinced about 'proof of work' schemes either - the same people have access to more compute power than the rest of us can shake a stick at.

Trevor

anonymous 1 month ago

You can proxy your instance through Anubis similar to they do on git.kernel.org, this presents them with a captcha/proof of work before they can hit your instance.

Keyboard Shortcuts

Open search /
Next entry (timeline) j
Previous entry (timeline) k
Open focused entry Enter
Show this help ?
Toggle theme Top nav button