Conversation

@LaurenceJJones LaurenceJJones commented Nov 18, 2025

Add an experimental HTTP template server feature that allows users to render ban and captcha templates via an HTTP endpoint instead of using Lua scripts.

Key features:

  • HTTP server with configurable listen address/port and TLS support
  • Template rendering using Go's native html/template package
  • Host configuration lookup using Host header from HAProxy
  • Support for ban and captcha remediation types
  • Catch-all route for simplified HAProxy configuration
  • HEAD requests return 403 for ban/captcha remediations

Changes:

  • Add HTTPTemplateServerConfig to bouncer configuration
  • Implement HTTP template server in pkg/httptemplate
  • Add Go template renderer in pkg/template
  • Create .tmpl template files for ban and captcha
  • Add GetProviderInfo helper in captcha package
  • Update Dockerfile to create log directory and copy templates
  • Add HAProxy configuration example for HTTP template server
  • Update all config files to use canonical header names (X-Crowdsec-*)

This is an experimental feature and must be explicitly enabled via http_template_server.enabled in the configuration.

Add experimental HTTP template server feature that allows users to render
ban and captcha templates via HTTP endpoint instead of using Lua scripts.

Key features:
- HTTP server with configurable listen address/port and TLS support
- Template rendering using Go's native text/template package
- Host configuration lookup using Host header from HAProxy
- Support for ban and captcha remediation types
- Catch-all route for simplified HAProxy configuration
- HEAD requests return 403 for ban/captcha remediations

Changes:
- Add HTTPTemplateServerConfig to bouncer configuration
- Implement HTTP template server in pkg/httptemplate
- Add Go template renderer in pkg/template
- Create .tmpl template files for ban and captcha
- Add GetProviderInfo helper in captcha package
- Update Dockerfile to create log directory and copy templates
- Add HAProxy configuration example for HTTP template server
- Update all config files to use canonical header names (X-Crowdsec-*)

This is an experimental feature and must be explicitly enabled via
http_template_server.enabled in the configuration.

Remove full header map from log entry to prevent exposure of sensitive
data such as cookies, authorization tokens, etc. Log only the essential
message that remediation header was not found.

Copilot AI left a comment


Pull Request Overview

This pull request adds an experimental HTTP template server feature that enables HAProxy to render ban and captcha pages through HTTP endpoints instead of Lua scripts. The server leverages Go's native text/template package for rendering and provides a RESTful alternative to the existing Lua-based approach.

Key Changes:

  • Implements HTTP template server with configurable listen address/port and optional TLS support
  • Adds Go template renderer and .tmpl template files for ban and captcha pages
  • Updates all HAProxy configuration files to use canonical header naming convention (X-Crowdsec-*)

Reviewed Changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 16 comments.

Summary per file:

  • templates/captcha.tmpl: New Go template for captcha page with dark mode support and retry logic
  • templates/ban.tmpl: New Go template for ban page with dark mode support
  • pkg/template/renderer.go: Template rendering wrapper using Go's text/template package
  • pkg/httptemplate/server.go: HTTP server implementation handling ban/captcha rendering and host configuration lookup
  • pkg/cfg/config.go: Configuration structures for HTTP template server including TLS settings
  • internal/remediation/captcha/providers.go: Added GetProviderInfo helper to retrieve provider-specific frontend configuration
  • cmd/root.go: Integration of HTTP template server into main application lifecycle
  • Dockerfile: Updated to copy new .tmpl templates and standardize directory paths
  • debian/rules: Added installation of .tmpl template files
  • rpm/SPECS/crowdsec-haproxy-spoa-bouncer.spec: Added .tmpl template files to package
  • config/haproxy-httptemplate.cfg: New HAProxy configuration example demonstrating HTTP template server usage
  • config/haproxy.cfg: Updated header names to canonical format (X-Crowdsec-*)
  • config/haproxy-upstreamproxy.cfg: Updated header names to canonical format (X-Crowdsec-*)
  • config/crowdsec-spoa-bouncer.yaml: Added HTTP template server configuration section
  • docker-compose.yaml: Updated volume paths to match standardized directory structure
  • docker-compose.proxy-test.yaml: Updated volume paths to match standardized directory structure
  • docker-compose.httptemplate-test.yaml: New Docker Compose configuration for testing HTTP template server


@LaurenceJJones LaurenceJJones added this to the 0.2.1 milestone Nov 18, 2025
@LaurenceJJones
Member Author

link #107

Return 403 Forbidden for HEAD requests and favicon (.ico) file requests
instead of rendering templates. This prevents unnecessary template rendering
for these request types and provides a cleaner response.

- Fix duplicate class attributes in ban.tmpl and captcha.tmpl
- Update meta charset to HTML5 syntax in both templates
- Fix indentation inconsistencies in templates and haproxy config
- Move HTTP template server startup after hosts are loaded
- Remove redundant error check in httptemplate server
- Fix comment typo: X-CrowdSec -> X-Crowdsec
- Add template name parameter to NewRenderer for better error messages
- Remove unnecessary template volume mount from docker-compose

Copilot AI left a comment


Pull request overview

Copilot reviewed 13 out of 13 changed files in this pull request and generated 12 comments.


- Shutdown SPOA and HTTP template server in parallel
- Both services share a single 5-second timeout context
- Maximum total shutdown time is 5 seconds (not 10)
- Simplified logging to avoid duplicate messages

Security fixes:
- Switch from text/template to html/template for XSS protection
- Add host header validation (length and invalid character checks)
- Add TLS certificate/key file existence validation
- Buffer template rendering before WriteHeader to handle errors properly

Code quality improvements:
- Remove unnecessary Array.from() in JavaScript (NodeList is iterable)
- Update meta charset to HTML5 syntax in all templates
- Fix duplicate class attributes in SVG elements
- Improve comment clarity and accuracy
- Update HAProxy config comment for clarity

Template consistency:
- Apply all fixes to both .tmpl and .html template files
- Ensure Lua-based and HTTP template server use consistent templates
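The security fixes listed in this commit (html/template escaping, Host header validation, buffering the render before WriteHeader) together with the earlier HEAD/favicon 403 behaviour, shown in a constructed Go handler that is added here and is not the bouncer's own code; the ban.tmpl content, the hostConfigs map, the hostRe pattern and the 400 for unconfigured hosts are assumptions for illustration.

```go
package main

import (
	"html/template"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Stand-in for templates/ban.tmpl (constructed); html/template escapes {{.Host}} and {{.Reason}} on output.
const banTmpl = `<!DOCTYPE html><html><body><h1>Access denied on {{.Host}}</h1><p>{{.Reason}}</p></body></html>`

// Constructed per-host configuration, keyed by the Host header that HAProxy forwards.
var hostConfigs = map[string]string{"example.test": "Your IP was banned by CrowdSec."}
// Length and character check for the Host header: a hostname with optional port, nothing else (assumed).
var hostRe = regexp.MustCompile(`^[A-Za-z0-9.-]{1,253}(:[0-9]{1,5})?$`)

// banHandler serves the ban page; tmpl is injected so the failure path can be exercised.
func banHandler(tmpl *template.Template) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// HEAD and favicon requests get a bare 403 instead of a rendered page.
		if r.Method == http.MethodHead || strings.HasSuffix(r.URL.Path, ".ico") {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		// Validate the header before it is used for lookup or rendering; unconfigured hosts are rejected too.
		reason, ok := hostConfigs[r.Host]
		if !hostRe.MatchString(r.Host) || !ok {
			http.Error(w, "invalid or unconfigured Host header", http.StatusBadRequest)
			return
		}
		// Render into a buffer first: a failed Execute still becomes a 500 because no status line has been committed.
		var buf strings.Builder
		if err := tmpl.Execute(&buf, map[string]string{"Host": r.Host, "Reason": reason}); err != nil {
			http.Error(w, "template error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.WriteHeader(http.StatusForbidden)
		_, _ = w.Write([]byte(buf.String()))
	})
}

// serve drives the handler in memory with the given template text and returns status code and body.
func serve(tmplText, method, host, path string) (int, string) {
	req := httptest.NewRequest(method, path, nil)
	req.Host = host
	rec := httptest.NewRecorder()
	banHandler(template.Must(template.New("ban.tmpl").Parse(tmplText))).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}
```

Passing a deliberately broken template such as `{{.Host.Bogus}}` to serve shows why the buffer matters: the client receives a 500, not a 403 with a half-written body.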
@LaurenceJJones LaurenceJJones marked this pull request as draft November 27, 2025 13:58
@LaurenceJJones LaurenceJJones removed this from the 0.2.1 milestone Nov 27, 2025
@LaurenceJJones
Member Author

untagging 0.2.1 to investigate haproxy native features and marking as draft
