Customizing Google reCAPTCHA Keys
Prior to version 4.9, Imunify360 used embedded reCAPTCHA keys to show the Google reCAPTCHA challenge to greylisted IP addresses and did not require any settings for the captcha challenge. Starting from v4.9, Imunify360 admins can specify their own reCAPTCHA keys for the server.
In this article, you can find a step-by-step guide on how to set up a custom site key and secret key for your Imunify360 server.
Why did we add custom key support?
Google has a limited rate for free reCAPTCHA use which is 1 million requests per month (more accurately - “1 million renders of reCAPTCHA”). The limit is enough for a single hosting provider. However, it’s not enough for the Imunify product to handle all requests within the free limits. Thus, we recommend that you start using custom keys registered for your Google account which will guarantee that the reCAPTCHA challenge will be properly shown on your servers.
Will the 1M request limit be enough for me?
We’ve analyzed the maximum and the average reCAPTCHA rate among all customers and confidently state that it’s more than enough for any hosting provider with high-load servers.
*Note: Google counts only real reCAPTCHA renders, which are less than 1% of the CAPTCHA requests shown on the Imunify360 Dashboard. This is because the majority of requests come from dummy bots without JavaScript support.
What if I need more than 1M calls per month?
You can always register a few custom keys, and rotate them using Cron jobs.
How to specify the keys for the Imunify360 CAPTCHA?
Public and secret reCAPTCHA keys are required for integration between Imunify360 and the Google reCAPTCHA service.
The site key will be publicly available and shown on pages along with the reCAPTCHA widget or Invisible CAPTCHA, whereas the secret key will be stored for communication between the Imunify360 backend and the Google service.
*Note: Due to the captcha rate limit, we recommend using different reCAPTCHA keys for each server.
Google’s quotation: If you wish to make more than 1k calls per second or 1m calls per month, you must use reCAPTCHA Enterprise or fill out this form and wait for an exception approval.
Steps to configure
- Open https://www.google.com/recaptcha/admin/create
- Fill in required values
- Set any value as a label, e.g. my servers cluster #1
- Select reCAPTCHA v2
- Select Invisible reCAPTCHA badge
- Add any dummy domain, e.g. example.org
- Note: You don’t need to put all your domains here
- Accept terms and proceed
- Notice keys
- You need to put these keys on the Imunify360 settings page or use the following CLI commands:
# imunify360-agent config update '{"WEBSHIELD": {"captcha_site_key": "6Ldu4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXCN6fJ"}}'
# imunify360-agent config update '{"WEBSHIELD": {"captcha_secret_key": "6Ldu4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQqUuk"}}'
- The final step is to allow Google to process requests from any of your domains
  - Open the Settings page
  - Disable the "Verify the origin of reCAPTCHA solutions" option
That’s it.
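For the rotation of several key pairs from cron mentioned earlier, here is a sketch built on the two `config update` commands from the steps above. It is an added example, not Imunify360's own tooling; the key-file path and format, the script path, and the `KEYFILE` and `AGENT` variables are assumptions.

```shell
#!/bin/sh
# Rotate Imunify360 reCAPTCHA key pairs from cron (added example).
# Assumed key file: one "SITE_KEY SECRET_KEY" pair per line, '#' for comments.
KEYFILE=${KEYFILE:-/root/recaptcha-keys.txt}   # hypothetical path
AGENT=${AGENT:-imunify360-agent}               # override for dry runs

# The file holds secret keys: accept it only if group/other have no access.
keyfile_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the key pairs, skipping comments and blank lines.
list_pairs() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# pick_pair FILE COUNTER -> prints the pair in slot COUNTER mod N.
# COUNTER may be zero-padded (date +%j prints 008), so strip the zeros
# first; otherwise shell arithmetic would read it as invalid octal.
pick_pair() {
    n=$(printf '%s' "$2" | sed 's/^0*//'); n=${n:-0}
    case $n in *[!0-9]*) return 1 ;; esac
    total=$(( $(list_pairs "$1" | wc -l) ))
    [ "$total" -gt 0 ] || return 1
    list_pairs "$1" | sed -n "$(( $n % $total + 1 ))p"
}

# Apply one pair with the same two config updates shown in the article.
rotate() {
    keyfile_is_private "$KEYFILE" ||
        { echo "$KEYFILE must be mode 600" >&2; return 1; }
    pair=$(pick_pair "$KEYFILE" "$1") ||
        { echo "no usable key pair in $KEYFILE" >&2; return 1; }
    set -- $pair
    [ $# -eq 2 ] || { echo "malformed line in $KEYFILE" >&2; return 1; }
    "$AGENT" config update "{\"WEBSHIELD\": {\"captcha_site_key\": \"$1\"}}" &&
    "$AGENT" config update "{\"WEBSHIELD\": {\"captcha_secret_key\": \"$2\"}}"
}

# Crontab entry (assumed script path), switching pairs once a day:
#   0 0 * * * /root/rotate-recaptcha.sh "$(date +\%j)"
[ $# -eq 0 ] || rotate "$1"
```

The `%` is escaped in the crontab line because cron treats an unescaped `%` as a newline.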
Verification
To make sure that you’ve done everything correctly, do the following:
- Make sure that your IP is not whitelisted (using the CLI):
# imunify360-agent whitelist ip list
IP TTL COUNTRY IMPORTED_FROM COMMENT
1.2.3.4 10256 None None Whitelisted for 3 hours due to successful panel login
# imunify360-agent whitelist ip delete 1.2.3.4
OK
# imunify360-agent whitelist ip list
IP TTL COUNTRY IMPORTED_FROM COMMENT
- Send at least two WAF test requests to any domain on the server
# curl -v 'http://example.org/?i360test=88ff0adf94a190b9d1311c8b50fe2891c85af732'
- Open your test domain in the browser and let it pass the captcha challenge
- Check the list of whitelisted IPs again
# imunify360-agent whitelist ip list
IP TTL COUNTRY IMPORTED_FROM COMMENT
1.2.3.4 86377 None None IP auto-whitelisted with expiration date: 2020-05-28 15:29:34
If you see that your IP is whitelisted, then the integration between Imunify360 and the reCAPTCHA service was done properly.
You can watch how invisible reCAPTCHA works at
Please Share Your Feedback
The Imunify product team would like to hear from you. To share your ideas and observations, please send them to us at feedback@cloudlinux.com.
If you have questions on how to use Imunify360, or you’d like to resolve a support issue, please contact the Imunify360 support team at cloudlinux.zendesk.com.