Problem on Ubuntu 24.04 with recaptcha #130

@ngreatorex

Hi,

I'm trying to set up the nginx bouncer with recaptcha support on Ubuntu 24.04 LTS. Despite having new enough versions (according to #44) I am unable to get it to work with HTTP2 connections. The first connection to the server shows the captcha as expected, but if you refresh the page it will change to a 500 error, with the log:

2025/10/16 17:03:18 [error] 23#23: *15 lua entry thread aborted: runtime error: /usr/lib/crowdsec/lua/crowdsec.lua:653: http2 requests are not supported without content-length header
stack traceback:
coroutine 0:
        [C]: in function 'read_body'
        /usr/lib/crowdsec/lua/crowdsec.lua:653: in function 'Allow'
        access_by_lua(conf.d/crowdsec_nginx.conf:20):6: in main chunk, client: 172.17.0.1, server: _, request: "HEAD / HTTP/2.0", host: "127.0.0.1:8444"

Incidentally I get the same error in both live and stream modes. As the error seems to be coming from the lua code, I am raising it here instead of against cs-nginx-bouncer but let me know if it should be raised there instead.

To reproduce:

Dockerfile (replace the keys as appropriate):

FROM ubuntu:noble

RUN apt-get update && \
    apt-get -y install nginx lua5.1 libnginx-mod-http-lua luarocks gettext-base lua-cjson curl mc net-tools
RUN curl -s https://install.crowdsec.net | sh
RUN apt-get -y install crowdsec || true
RUN bash -c "crowdsec &"
RUN apt-get -y install crowdsec-nginx-bouncer || true
RUN apt-get -y install ssl-cert || true
RUN sed -i 's|^CAPTCHA_PROVIDER=$|CAPTCHA_PROVIDER=recaptcha|' /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
RUN sed -i 's|^SITE_KEY=$|SITE_KEY=<SITE KEY HERE>|' /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
RUN sed -i 's|^SECRET_KEY=$|SECRET_KEY=<SECRET KEY HERE>|' /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
RUN sed -i '/^lua_ssl_trusted_certificate/ i \resolver 8.8.8.8 ipv6=off;' /etc/nginx/conf.d/crowdsec_nginx.conf
RUN sed -i 's|# listen 443 ssl default_server;|listen 443 ssl default_server http2;|' /etc/nginx/sites-available/default
RUN sed -i 's|# listen \[::\]:443 ssl default_server;|listen [::]:443 ssl default_server http2;|' /etc/nginx/sites-available/default
RUN sed -i 's|# include snippets/snakeoil.conf;|include snippets/snakeoil.conf;|' /etc/nginx/sites-available/default
RUN echo 'error_log /dev/stdout debug;' >> /etc/nginx/nginx.conf

RUN cat <<EOF > /opt/start.sh
#!/bin/bash
crowdsec & nginx -g "daemon off;"
EOF

RUN chmod +x /opt/start.sh

CMD ["/opt/start.sh"]

Commands to build and run the container:

docker build -t nginx-cs-test .
docker run -d --name nginx-cs-test -p 8444:443 nginx-cs-test
docker exec -i nginx-cs-test cscli decisions add -r 172.16.0.0/12 -t captcha

Demonstrating the problem:

$ curl -sIk --http2 https://127.0.0.1:8444/
HTTP/2 200
server: nginx/1.24.0 (Ubuntu)
date: Thu, 16 Oct 2025 17:03:00 GMT
content-type: text/html
cache-control: no-cache

$ curl -sIk --http2 https://127.0.0.1:8444/
HTTP/2 500
server: nginx/1.24.0 (Ubuntu)
date: Thu, 16 Oct 2025 17:03:18 GMT
content-type: text/html
content-length: 186

$

Versions:

$ docker exec nginx-cs-test dpkg -l *nginx* | grep ^ii
ii  crowdsec-nginx-bouncer 1.1.3             all          lua-based nginx bouncer for Crowdsec
ii  libnginx-mod-http-lua  1:0.10.26-2       amd64        Lua module for Nginx
ii  libnginx-mod-http-ndk  1:0.3.3-1build1   amd64        Nginx Development Kit module
ii  nginx                  1.24.0-2ubuntu7.5 amd64        small, powerful, scalable web/proxy server
ii  nginx-common           1.24.0-2ubuntu7.5 all          small, powerful, scalable web/proxy server - common files

I have uploaded the nginx debug log output to https://gist.github.com/ngreatorex/fe77d5dec4eac7bf9a077247af21d1d5
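
The log above shows the handler aborting inside `ngx.req.read_body()` because the HTTP/2 request (`HEAD /`) carries no Content-Length header. One way to guard such a call in an `access_by_lua` handler is sketched below as an added example; it is not part of the original issue or of CrowdSec's `crowdsec.lua`, and the module and function names (`body_guard`, `can_read_body`, `read_body_safe`) are hypothetical.

```lua
-- body_guard.lua: added example, not CrowdSec's code.
-- Avoids the "http2 requests are not supported without content-length
-- header" runtime error by checking the request before reading its body.
local M = {}

-- Pure decision function so it can be unit-tested outside nginx.
-- http_version: number as returned by ngx.req.http_version() (may be nil)
-- headers:      table as returned by ngx.req.get_headers() (lowercase keys)
-- Assumption: HTTP/1.x bodies can always be read; for HTTP/2 (and newer)
-- a Content-Length header must be present.
function M.can_read_body(http_version, headers)
  if http_version ~= nil and http_version < 2.0 then
    return true
  end
  return headers["content-length"] ~= nil
end

-- Reads the request body only when it is safe to do so.
-- Returns: body (string or nil), reason (string or nil).
-- `ngx` is the global provided by lua-nginx-module.
function M.read_body_safe()
  local version = ngx.req.http_version()
  local headers = ngx.req.get_headers()

  if not M.can_read_body(version, headers) then
    -- Typical for GET/HEAD over HTTP/2: there is no body to read.
    return nil, "no content-length on HTTP/2 request, body not read"
  end

  ngx.req.read_body()
  -- get_body_data() returns nil when the body is empty or was buffered
  -- to a temporary file (see ngx.req.get_body_file()).
  return ngx.req.get_body_data(), nil
end

return M

-- Usage inside access_by_lua_block (handler logic is an assumption):
--   local guard = require "body_guard"
--   local body, reason = guard.read_body_safe()
--   if not body then ngx.log(ngx.DEBUG, reason or "empty body") end
```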
