The page you are looking for doesn't exist or has been moved.
The page you are looking for doesn't exist or has been moved.
mCaptcha is a kickass CAPTCHA systems that gives (DDoS) @@ -15,4 +15,4 @@ is alien to us. For this reason, all of our source code is freely available(both as in freedom and beers) at our GitHub.
Aravinth Mavniannan: Author
Prof. Sibi Chakkaravarthy Sethuraman: Mentor and -Security Advisor
Posted December 23, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited June 14, 2022
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Hello and welcome to the first edition of the monthly report!
I believe free software like mCaptcha is critical to a healthy internet @@ -19,4 +19,4 @@ hCaptcha.
mCaptcha is successfully incorporated in India and ideas for mCaptcha commercial operations
Posted July 7, 2022 by Aravinth Manivannan ‐ 2 min read
Last Edited July 7, 2022
Python bindings to mCaptcha PoW, DDoS effectiveness measurement, major refactoring to prepare for support for other databases, We also tried to test its DoS defence effectiveness, and some exciting news regarding managed hosting!
Posted June 10, 2022 by Aravinth Manivannan ‐ 4 min read
Last Edited June 14, 2022
New features, improved accessibility and software integrations
Posted December 23, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited June 14, 2022
We are conducting a survey to benchmark and gather performance metrics of our system on various devices
Posted October 28, 2021 by Aravinth Manivannan ‐ 1 min read
Last Edited December 23, 2021
PoW performance of native and WASM implementations. Does the native implementation have and edge over the WASM library?
Posted September 1, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited September 1, 2021
Introducing mCaptcha, a kickass CAPTCHA systems that gives (DDoS) attackers a run for their money. Oh and UX is great too!
Posted May 26, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited December 2, 2021
mCaptcha is successfully incorporated in India and ideas for mCaptcha commercial operations
Posted July 7, 2022 by Aravinth Manivannan ‐ 2 min read
Last Edited July 7, 2022
Python bindings to mCaptcha PoW, DDoS effectiveness measurement, major refactoring to prepare for support for other databases, We also tried to test its DoS defence effectiveness, and some exciting news regarding managed hosting!
Posted June 10, 2022 by Aravinth Manivannan ‐ 4 min read
Last Edited June 14, 2022
New features, improved accessibility and software integrations
Posted December 23, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited June 14, 2022
We are conducting a survey to benchmark and gather performance metrics of our system on various devices
Posted October 28, 2021 by Aravinth Manivannan ‐ 1 min read
Last Edited December 23, 2021
PoW performance of native and WASM implementations. Does the native implementation have and edge over the WASM library?
Posted September 1, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited September 1, 2021
Introducing mCaptcha, a kickass CAPTCHA systems that gives (DDoS) attackers a run for their money. Oh and UX is great too!
Posted May 26, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited December 2, 2021
Posted July 7, 2022 by Aravinth Manivannan ‐ 2 min read
Last Edited July 7, 2022
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Hello and welcome to the June 2022 edition of the monthly report!
I spent June doing non-technical tasks but I made significant @@ -22,4 +22,4 @@ to device mechanisms to prevent me or any future party with influence in mCaptcha development from hurting the project by it non-free.
Hostea is also an experiment in Free Software commercial operations, so naturally I’m highly impressed by the ideas that are being discussed there. mCaptcha, too, will borrow ideas from that project to make its -development economically sustainable.
Posted June 10, 2022 by Aravinth Manivannan ‐ 4 min read
Last Edited June 14, 2022
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Hello and welcome to the May 2022 edition of the monthly report!
mCaptcha, for a while was showing all the signs of a dead project: @@ -9,59 +9,59 @@ is far from dead!
So if you are writing a script to do some chore on your favourite website that is protected by mCaptcha, you can now solve the mCaptcha -automatically from within the program.
Here’s an example:
import os
-
-import mcaptcha_pow_py
-import requests
-
-# get the sitekey that is used in the mCaptcha protected form
-SITEKEY = os.getenv("MCAPTCHA_CAPTCHA_SITEKEY")
-# the hostname of the mCaptcha instance that the form is using
-MCAPTCHA_HOST = os.getenv("MCAPTCHA_CAPTCHA_HOST")
-
-
-GET_CONFIG_ROUTE = f"{MCAPTCHA_HOST}/api/v1/pow/config"
-VERIFY_POW_ROUTE = f"{MCAPTCHA_HOST}/api/v1/pow/verify"
-
-def solve_captcha():
-
- # get challenge configuration
- key = {"key": sitekey}
- challenge_config = requests.post(GET_CONFIG_ROUTE, json=key)
- challenge_config = challenge_config.json()
-
- # extract configuration data
- config = mcaptcha_pow_py.PoWConfig(challenge_config["salt"])
- pow_string = challenge_config["string"]
- pow_difficulty_factor = challenge_config["difficulty_factor"]
-
- # generate work
- work = config.work(pow_string, pow_difficulty_factor)
-
- # verify PoW
- proof = {
- "key": SITEKEY,
- "nonce": work.nonce,
- "result": work.result,
- "string": challenge_config["string"],
- }
- resp = requests.post(VERIFY_POW_ROUTE, json=proof)
- resp = resp.json()
-
- # extract verification token
- token = resp["token"]
-
- return token
-
-
-token = solve_captcha()
-data = {
- "username": "me",
- "password": "superlongpassword",
- "confirm_password": "superlongpassword",
- "mcaptcha__token": token,
-}
-response = requests.post("/mCaptcha-protected-form", data=data)
+automatically from within the program.Here’s an example:
1import os
+ 2
+ 3import mcaptcha_pow_py
+ 4import requests
+ 5
+ 6# get the sitekey that is used in the mCaptcha protected form
+ 7SITEKEY = os.getenv("MCAPTCHA_CAPTCHA_SITEKEY")
+ 8# the hostname of the mCaptcha instance that the form is using
+ 9MCAPTCHA_HOST = os.getenv("MCAPTCHA_CAPTCHA_HOST")
+10
+11
+12GET_CONFIG_ROUTE = f"{MCAPTCHA_HOST}/api/v1/pow/config"
+13VERIFY_POW_ROUTE = f"{MCAPTCHA_HOST}/api/v1/pow/verify"
+14
+15def solve_captcha():
+16
+17 # get challenge configuration
+18 key = {"key": sitekey}
+19 challenge_config = requests.post(GET_CONFIG_ROUTE, json=key)
+20 challenge_config = challenge_config.json()
+21
+22 # extract configuration data
+23 config = mcaptcha_pow_py.PoWConfig(challenge_config["salt"])
+24 pow_string = challenge_config["string"]
+25 pow_difficulty_factor = challenge_config["difficulty_factor"]
+26
+27 # generate work
+28 work = config.work(pow_string, pow_difficulty_factor)
+29
+30 # verify PoW
+31 proof = {
+32 "key": SITEKEY,
+33 "nonce": work.nonce,
+34 "result": work.result,
+35 "string": challenge_config["string"],
+36 }
+37 resp = requests.post(VERIFY_POW_ROUTE, json=proof)
+38 resp = resp.json()
+39
+40 # extract verification token
+41 token = resp["token"]
+42
+43 return token
+44
+45
+46token = solve_captcha()
+47data = {
+48 "username": "me",
+49 "password": "superlongpassword",
+50 "confirm_password": "superlongpassword",
+51 "mcaptcha__token": token,
+52}
+53response = requests.post("/mCaptcha-protected-form", data=data)
This could be missed for building DDoS bots(more on that
here) but this could also be
used to make CAPTCHA solving automated within screen readers and other
@@ -113,4 +113,4 @@ publicly made, funding and expenses publicly documented, and all
collaborations, too, publicly documented. This of course doesn’t imply
that private, personally identifiable information(addresses and phone
numbers, for instance) will be publicly disclosed. Such information will
-be redacted and published.
Posted September 1, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited September 1, 2021
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
mCaptcha uses a @@ -22,4 +22,4 @@ much.
P.S Work is underway to benchmark multiple platforms. A detailed will be published when that data is available.
For this post, I asked some of my friends to run the tests on their computers. The results slightly varied but even the slowest case generated proof for 4500000 difficulty(the highest in this test), in under -15 seconds!
Posted May 26, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited December 2, 2021
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
At mCaptcha, we believe in digital freedom and privacy and so we built a @@ -22,4 +22,4 @@ share their knowledge with others. If everything was labeled intellectual property, we might still be stuck in Stone Age. The idea of intellectual property is alien to us. For this reason, all of our source code is freely available(both as in freedom and beers) at our -GitHub.
AGPLMIT/APACHEAGPLMIT/APACHEWe are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Survey link: https://survey.mcaptcha.org/survey/campaigns/b717e51e-24d4-4ab6-912f-de2dfe3ce1fe/about
NOTE: The survey(at least, the lucky draw is temporarily suspended @@ -12,4 +12,4 @@ various devices and browsers. The data collected from the survey will be made public, we believe it will guide sysadmins configure difficulty factor properly.
If you are interested in the lucky draw, please save the submission ID and the proof will be presented
to you at the end of the survey.
This blog post will be updated with the winning submission IDs and the
-winners should provide the matching proof to claim their rewards.
proof to claim their rewards.Come say hi at our Matrix community!
We are on the Fediverse at +
Come say hi at our Matrix community!
We are on the Fediverse at @mCapthca@batsense.net, toot at us for queries and whatnot :)
The project also has a twitter twitter presence at @m_captcha(Nitter hyperlink). This space is used in -addition to the blog to post short updates.
Write to me at realaravinth@batsense.net!
We use GitHub for managing tickets
Write to me at realaravinth@batsense.net!
We use GitHub for managing tickets
We have a Matrix @@ -6,4 +6,4 @@ community, come say hi!.
You can find me(@realaravinth) on the Matrix, on GitHub or email me at -realaravinth@batense.net.
Creator of mCaptcha.
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted July 7, 2022 by Aravinth Manivannan ‐ 2 min read
Last Edited July 7, 2022
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted June 10, 2022 by Aravinth Manivannan ‐ 4 min read
Last Edited June 14, 2022
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted December 23, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited June 14, 2022
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted October 28, 2021 by Aravinth Manivannan ‐ 1 min read
Last Edited December 23, 2021
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted September 1, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited September 1, 2021
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted May 26, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited December 2, 2021
Creator of mCaptcha.
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted July 7, 2022 by Aravinth Manivannan ‐ 2 min read
Last Edited July 7, 2022
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted June 10, 2022 by Aravinth Manivannan ‐ 4 min read
Last Edited June 14, 2022
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted December 23, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited June 14, 2022
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted October 28, 2021 by Aravinth Manivannan ‐ 1 min read
Last Edited December 23, 2021
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted September 1, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited September 1, 2021
We are mCaptcha. We build kickass CAPTCHA systems that give (DDoS) attackers a run for their money. And we do all of this without tracking your users. Oh and did I mention our UX is great?
Posted May 26, 2021 by Aravinth Manivannan ‐ 2 min read
Last Edited December 2, 2021
The mCaptcha contributors.
The mCaptcha contributors.
The browser part of mCaptcha is divided into three components.
This is the code that links mCaptcha with your website’s frontend code. +
The browser part of mCaptcha is divided into three components.
This is the code that links mCaptcha with your website’s frontend code.
It creates an iframe containing the mCaptcha widget and injects the
received verification proof token into a hidden input field.
Support is available for various frameworks, see
mCaptcha/glue for the full list.
For frameworks without official support, a low-level library,
@@ -13,4 +13,4 @@ verification proof token to the parent window, assuming it’s loaded as
an iframe.
mCaptcha/mCaptcha/templates/widgetWebAssembly library which generates Proofs of Work for mCaptcha systems.
WebAssembly bindings(mCaptcha/pow_wasm) are available for the main rust library(mCaptcha/pow_sha256).
For browsers without support WebAssembly, a
polyfill(pow_sha256-polyfill)
-is available.
Documentation for the library used in mCaptcha core.
Documentation for the library used in mCaptcha core.
Rust crate which generates SHA256 Proofs of Work on serializable datatypes.
This is a fork of the pow library by
+
Rust crate which generates SHA256 Proofs of Work on serializable datatypes.
This is a fork of the pow library by
@robkorn) with some new
additions. Primary of these being:
Other small changes have also been included of various importance but mostly just stylistic/ease of use improvements.
Changelog is available at the project’s -repository
Answers to frequently asked questions.
Coming soon
Answers to frequently asked questions.
Coming soon
Solutions to common problems.
Coming soon
Solutions to common problems.
mCaptcha by default is configured to server at localhost hostname. If
+the instance is deployed at another hostname, please try setting
+MCAPTCHA_SERVER_DOMAIN environment variable to the hostname at which
+your instance is deployed or setting the equivalent in config.toml:
1[server]
+2domain=mydomain
+mCaptcha is highly responsive to detecting DDoS attacks. Admins are +advised to take advantage of it by setting low difficulty +factors for normal traffic levels +for their website.
Lowest advisable difficulty factor is 5000.
For instance, if it is normal for my website to get 2000 requests for +every 30 seconds, I will set a cool +down period of 30 seconds and the +first level of difficulty configuration will have a visitor threshold of 2000 with a +difficulty factor of 5000.
There are two modes to setting difficulty factor for your website on +mCaptcha:
Easy mode asks a few basic statistics about your website and generates a +configuration that should work for your website. Currently, easy mode is +guided by assumptions on suitable difficulty factors to protect a +website but it will be fine-tuned as mCaptcha sees more deployment.
Configuration generated by easy mode can be tweaked later using the +advance mode, as you become more familiar with how mCaptcha works.
Advance mode gives the admin granular control over how mCaptcha behaves +on their website. It has options to set the difficulty factor for each +level of traffic(or visitor threshold, in mCaptcha speak), fully taking +advantage of mCaptcha’s variable difficulty factor feature.
For instance, if it is normal for a website to get 200 requests over 30 +seconds, then setting a very low difficulty factor for a visitor +threshold of 200 and a cool down period of 30 seconds will allow the +users to pass through without waiting on the CAPTCHA. But if 1000 +requests over 30 seconds will bring down the service, then the admin can +configure increasing levels of difficulty factor of increasing traffic +levels, effectively rate limiting its users and protecting the +underlying website.
mCaptcha can protect your website from DDoS attacks. In this guide we’ll +explore how to install mCaptcha on your website. The end result will be +something like this, on your website:
For the purpose of this demo, we will be using +demo.mcaptcha.org, a demo instance running +in @realaravinth’s bedroom(for this same reason, it shouldn’t be used +for anything serious)
Head over to demo.mcaptcha.org and +create an account. When ready, sign in.
A site key is how a new CAPTCHA is configured within mCaptcha. To create +a new site key, click on “New Site” button in the dashboard.
There are two options to create a new site key, easy and advanced. We +are going to use the easy mode in this tutorial. If you are interested +in learning more about the advance mode, please see here.
Easy Mode
Easy mode asks a few basic statistics about your website and generates a +configuration that should work for your website. Currently, easy mode is +guided by assumptions on suitable difficulty factors to protect a +website but it will be fine-tuned as mCaptcha sees more deployment.
Configuration generated by easy mode can be tweaked later using the +advance mode, as you become more familiar with how mCaptcha works.
Fill the form and submit it.
Submitting the form will take you to a page where site key configuration +can be viewed. “View deployment” link will display CAPTCHA widget with +the supplied configuration. Click on it and grab the widget link.
Integration support is available for some frontend JavaScript +frameworks. To see full list of supported frameworks, please see +here.
There are two options to use the integration library to integrate +mCaptcha on your website:
In this tutorial, we’ll be using the CDN.
Pasting the following snippet on the page, within the form that requires to be protected
+will load the mCaptcha widget with the configuration supplied. Be sure
+to replace Your {{paste your widget link}} with the link obtained from
+the previous step.
1<div id="mcaptcha__widget-container"></div>
+ 2<script src="https://unpkg.com/@mcaptcha/vanilla-glue@0.1.0-alpha-2/dist/index.js"></script>
+ 3<script charset="utf-8">
+ 4 let config = {
+ 5 widgetLink: new URL(
+ 6 {{paste yout widget link}}
+ 7 ),
+ 8 };
+ 9 new mcaptchaGlue.default(config);
+10</script>
+A full example is available +here.
Get access token from the user’s
+form submission payload. The access token will be associated with a
+parameter called mcaptcha__token.
1 mcaptcha_token = request.form["mcaptcha__token"]
+Validate access token with mCaptcha instance
1payload = {
+ 2 "token": mcaptcha_token,
+ 3 "key": mcaptcha_sitekey, # captcha site key
+ 4 # mCaptcha account secret; available in settings
+ 5 "secret": mcaptcha_account_secret,
+ 6}
+ 7resp = requests.post(
+ 8 "https://demo.mcaptha.org/api/v1/pow/siteverify", json=payload
+ 9)
+10resp = resp.json()
+1 if resp["valid"] == False:
+2 return "invalid captcha", 400
+3 else:
+4 return allow_access_to_protected_resource(request.form)
+Please see here for a complete Flask example and here for an Actix +Web example.
Congratulations, mCaptcha is now integrated with your website!
mCaptcha is a privacy focused, libre CAPTCHA system with a kickass UX.
There are two main ways to get started with mCaptcha:
One page summary of how to start a new Doks project. Quick Start →
Bare metal deployment is tedious, most of this will be automated with a script in the future.
mcaptcha is highly configurable.
Configuration is applied/merged in the following order:
MCAPTCHA_CONFIG./config/default.toml/etc/mcaptcha/config.tomlFor Debian based distributions:
sudo apt install postgres
-mcaptcha$ sudo useradd -b /srv -m -s /usr/bin/zsh mcaptcha
-$ sudo -iu postgres # switch to `postgres` user
-$ psql
-postgres=# CREATE USER mcaptcha WITH PASSWORD 'my super long password and yes you need single quote`;
-$ createdb -O mcaptcha mcaptcha # create db 'mcaptcha' with 'mcaptcha' as owner
+Bare metal deployment is tedious, most of this will be automated with a script in the future.
mcaptcha is highly configurable.
Configuration is applied/merged in the following order:
MCAPTCHA_CONFIG./config/default.toml/etc/mcaptcha/config.tomlFor Debian based distributions:
1sudo apt install postgres
+mcaptcha1$ sudo useradd -b /srv -m -s /usr/bin/zsh mcaptcha
+1$ sudo -iu postgres # switch to `postgres` user
+2$ psql
+3postgres=# CREATE USER mcaptcha WITH PASSWORD 'my super long password and yes you need single quote`;
+4$ createdb -O mcaptcha mcaptcha # create db 'mcaptcha' with 'mcaptcha' as owner
mCaptcha/cache module:See mCaptcha/cache for more
-details.
mcaptchaTo build mcaptcha, you need the following dependencies:
v14.16.0)$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
-Install node(v14.16.0)
Install yarn(JavaScript package manager)
Build with make:
$ make dev-env && \
- make release
-$ sudo cp ./target/release/mcaptcha /usr/bin/ && \
- mkdir sudo /etc/mcaptcha && \
- sudo cp config/default.toml /etc/mcaptcha/config.toml
-/etc/systemd/system/mcaptcha.service:[Unit]
-Description=mCaptcha: a CAPTCHA system that gives attackers a run for their money
-
-[Service]
-Type=simple
-User=mcaptcha
-ExecStart=/usr/bin/mcaptcha
-Restart=on-failure
-RestartSec=1
-SuccessExitStatus=3 4
-RestartForceExitStatus=3 4
-SystemCallArchitectures=native
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-Environment="RUST_LOG=info"
-
-[Unit]
-After=sound.target
-Wants=network-online.target
-Wants=network-online.target
-Requires=postgresql.service
-After=syslog.target
-
-[Install]
-WantedBy=multi-user.target
-$ sudo systemctl daemon-reload && \
- sudo systemctl enable mcaptcha && \ # Auto startup during boot
- sudo systemctl start mcaptcha
-``
-mcaptchaTo build mcaptcha, you need the following dependencies:
v14.16.0)1$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+Install node(v14.16.0)
Install yarn(JavaScript package manager)
Build with make:
1$ make dev-env && \
+2 make release
+1$ sudo cp ./target/release/mcaptcha /usr/bin/ && \
+2 mkdir sudo /etc/mcaptcha && \
+3 sudo cp config/default.toml /etc/mcaptcha/config.toml
+/etc/systemd/system/mcaptcha.service: 1[Unit]
+ 2Description=mCaptcha: a CAPTCHA system that gives attackers a run for their money
+ 3
+ 4[Service]
+ 5Type=simple
+ 6User=mcaptcha
+ 7ExecStart=/usr/bin/mcaptcha
+ 8Restart=on-failure
+ 9RestartSec=1
+10SuccessExitStatus=3 4
+11RestartForceExitStatus=3 4
+12SystemCallArchitectures=native
+13MemoryDenyWriteExecute=true
+14NoNewPrivileges=true
+15Environment="RUST_LOG=info"
+16
+17[Unit]
+18After=sound.target
+19Wants=network-online.target
+20Wants=network-online.target
+21Requires=postgresql.service
+22After=syslog.target
+23
+24[Install]
+25WantedBy=multi-user.target
+1$ sudo systemctl daemon-reload && \
+2 sudo systemctl enable mcaptcha && \ # Auto startup during boot
+3 sudo systemctl start mcaptcha
+4``
+mCaptcha server requires dependencies like a Postgres database and a Redis cache
Database migrations are baked into the server binary so don’t worry +
mCaptcha server requires dependencies like a Postgres database and a Redis cache
Database migrations are baked into the server binary so don’t worry about them.
When compiling from source, unset database configuration(comment out
database configuration/ unset relevant environment variables).
mCaptcha uses sqlx database client
@@ -12,19 +12,19 @@ heat will be reset and visitor count will start from 0. For small
installations, this should post a problem as heat is short lived and is
reset anyways at cool down period.
mCaptcha uses a custom Redis module called cache to overcome some of Redis' -limitations.
Once again, there are two ways to go about this:
Download and run Postgres
docker create --name mcaptcha-postgres \
- -e POSTGRES_PASSWORD=<databse-password> \
- -p 5432:5432 \
- postgres && docker start mcaptcha-postgres
-docker create --name mcaptcha-cache \
- -p 6379:6379 \
- mcaptcha/cache && docker start mcaptcha-cache
+limitations.Instructions
Once again, there are two ways to go about this:
- Docker
- Bare metal
Docker
Database
Download and run Postgres
1docker create --name mcaptcha-postgres \
+2 -e POSTGRES_PASSWORD=<database-password> \
+3 -p 5432:5432 \
+4 postgres && docker start mcaptcha-postgres
+
Redis
1docker create --name mcaptcha-cache \
+2 -p 6379:6379 \
+3 mcaptcha/cache && docker start mcaptcha-cache
See mCaptcha/cache for more
-details.
1. Install Postgres if you don’t have it already.
For Debian based distributions:
sudo apt install postgres
-
2. Create new user for running mCaptcha
$ sudo useradd -b /srv -m -s /usr/bin/bash mcaptcha
-
3. Create new user in Postgres
$ sudo -iu postgres # switch to `postgres` user
-$ psql
-postgres=# CREATE USER mcaptcha WITH PASSWORD 'my super long password and yes you need single quote';
-$ createdb -O mcaptcha mcaptcha # create db 'mcaptcha' with 'mcaptcha' as owner
+details.1. Install Postgres if you don’t have it already.
For Debian based distributions:
1sudo apt install postgres
+
2. Create new user for running mCaptcha
1$ sudo useradd -b /srv -m -s /usr/bin/bash mcaptcha
+
3. Create new user in Postgres
1$ sudo -iu postgres # switch to `postgres` user
+2$ psql
+3postgres=# CREATE USER mcaptcha WITH PASSWORD 'my super long password and yes you need single quote';
+4$ createdb -O mcaptcha mcaptcha # create db 'mcaptcha' with 'mcaptcha' as owner
4. Install mCaptcha/cache
See mCaptcha/cache for more
-details.
Deploy mCaptcha with docker
mcaptcha is highly configurable.
Configuration is applied/merged in the following order:
MCAPTCHA_CONFIG./config/default.toml/etc/mcaptcha/config.tomlSee +
mcaptcha is highly configurable.
Configuration is applied/merged in the following order:
MCAPTCHA_CONFIG./config/default.toml/etc/mcaptcha/config.tomlSee CONFIGURATION.md -for configurable options.
If you have already have a Postgres instance running, then:
docker run -p <host-machine-port>:<port-in-configuration-file> \
- --add-host=database:<database-ip-addrss> \
- -e RUST_LOG=debug \
- -e DATABASE_URL="postgres://<db-user>:<db-password>@database:<db-port>/<db-name>" \
- mcaptcha/mcaptcha:latest
+for configurable options.2. Run image
If you have already have a Postgres instance running, then:
1docker run -p <host-machine-port>:<port-in-configuration-file> \
+2 --add-host=database:<database-ip-addrss> \
+3 -e RUST_LOG=debug \
+4 -e DATABASE_URL="postgres://<db-user>:<db-password>@database:<db-port>/<db-name>" \
+5 mcaptcha/mcaptcha:latest
If you don’t have a Postgres instance running, you can either install
one using a package manager or launch one with docker. A docker-compose
configuration is available that will launch both
-a database instance mcaptcha instance.
With docker-compose
Follow steps above to build docker image.
Set database password docker-compose configuration.
Launch network
docker-compose up -d
-
Follow steps above to build docker image.
Set database password docker-compose configuration.
Launch network
1docker-compose up -d
+Get started with self-hosting mCaptcha
There are two main ways to self-host mCaptcha:
Get started with self-hosting mCaptcha
There are two main ways to self-host mCaptcha:
When a visitor solves the CAPTCHA and sends their solution to an +mCaptcha instance, the solution will be verified for correctness. If the +solution is correct, mCaptcha will return a single use access token.
This access token should be attached to the visitor’s requited to the +protected service and the protected service should validity of the +access token with the mCaptcha instance and only allow access to +protected resource if the access token is valid.
1curl --location --request POST 'https://mcaptcha.example.net/api/v1/pow/siteverify' \
+2 --header 'Content-Type: application/json' \
+3 --data-raw '{
+4 "token": "replace this with the access token presented by visitor",
+5 "key": "replace this with the sitekey associated with the CAPTCHA"
+6 "secret": "replace this with mCaptcha account secret, available in settings"
+7 }'
+mCaptcha implements leaky bucket algorithm to measure +current traffic levels. Cooldown period specifies the leak or the time +after which a visitor addition is decremented.
For instance, if initial traffic level is 0 and a user visits one +second later, the traffic level will be incremented to 1. Now, if the +cooldown period is set to 30 seconds, the traffic level will be +decremented after 30 seconds. So after 30 seconds, the traffic level will +go from 1 to 0.
When configuring mCaptcha in easy +mode, the default cooldown period is +set to 30 seconds.
Difficulty factor determines the time it takes to solve a CAPTCHA. The +higher the difficulty factor, the longer it will take to generate a +proof of work for it to solve the CAPTCHA.
mCaptcha’s proof of work based mechanism makes it highly accessible to +people with special needs but it is important to choose the difficulty factor +with care as very high difficulty factors will make the CAPTCHA +inaccessible to users on slow devices.
Site key is a unique identifier associated with CAPTCHA configurations +created on mCaptcha. It is required to integrate a CAPTCHA with your +website.
mCaptcha’s variable difficulty factor mechanism requires a website’s traffic +statistics be split into levels, so that it can deploy the right +difficulty factor for each level.
Visitor threshold is used to traffic into levels and mCaptcha accepts a +difficulty configuration for each of these levels. When current traffic +exceeds a difficulty factor, mCaptcha will increase the difficulty +factor to the next configured level.
For instance, consider the configuration given below:
| Level | Difficulty Factor | Visitor Threshold |
|---|---|---|
| 1 | 5,000 | 2,000 |
| 2 | 50,000 | 5,000 |
| 3 | 500,000 | 10,000 |
| 4 | 5,000,000 | 15,000 |
If the website sees 2,000 requests in a 30 second window, level 1 +difficulty factor(5,000) will be deployed. If the traffic increases to +5,000 requests in a 30 second window, then difficulty factor will be +upgraded to level 2(50,000). Likewise 10,000 and 15,000 requests over 30 +seconds will result in difficulty factor being upgraded to 500,000 and +5,000,000 respectively.
Visitor threshold is how mCaptcha determines which difficulty factor +level to deploy. mCaptcha uses leaky bucket algorithm to keep the +visitor threshold constantly updated within the configured cool down +period. So, at any given moment the, the current visitor level will be +the amount of traffic that was served in the cool down period specified.
Last Edited July 16, 2021
mCaptcha is a small operation that is self-funded. At the time of @@ -8,4 +8,4 @@ way in supporting us.
Some of the payment options are anonymous. You can o me(@realaravinth) an email so that I can thank you :)
85QAHsHqg4WfA6G7ycXc7U4LmrSLCQARv6H9p3AYjf8o8YP
WH3ngC8Zi7bUYGUifdXb54Xuz41kcu2pqgGFuAYp3VSh5JsR
-
mCaptcha is proof-of-work based captcha system that is privacy focussed and fully automated.
Try mCaptcha +mCaptcha is proof-of-work based captcha system that is privacy focused and fully automated.
Try mCaptcha - Get startedDoesn't track, doesn't profile your users.
Got users behind NATs? No issues. We don't use IP address for rate-liming. NAT or not you get the mCaptcha experience.
mCaptcha is silent, so silent that your users won't even feel it. No more annoying images, no more helping for Big Brothers with their ML stuff
Our PoW-based solution defends fiersly. mCaptcha makes attacking your site more experience than what it will take for you to respond to the attacker's requests
Client libraries are licensed using properiatary-friendly free software licenses but the core is AGPL'd. We believe this is a tech that can change the way the web works so mCaptcha will always be free
Already using a captcha solution? No worries, our APIs are compatible with reCaptcha and hCaptcha!
Doesn't track, doesn't profile your users.
Got users behind NATs? No issues. We don't use IP address for rate-liming. NAT or not you get the mCaptcha experience.
mCaptcha is silent, so silent that your users won't even feel it. No more annoying images, no more helping for Big Brothers with their ML stuff
Our PoW-based solution defends fiersly. mCaptcha makes attacking your site more experience than what it will take for you to respond to the attacker's requests
Client libraries are licensed using properiatary-friendly free software licenses but the core is AGPL'd. We believe this is a tech that can change the way the web works so mCaptcha will always be free
Already using a captcha solution? No worries, our APIs are compatible with reCaptcha and hCaptcha!
Last Edited May 27, 2021
TLDR: We do not use cookies, we do not collect any personal data and @@ -6,4 +6,4 @@ logs aren’t shared with third-parties.
The following information is collected:
Contact us if you have any questions.
Effective Date: 20th May, 2021
Contact us if you have any questions.
Effective Date: 20th May, 2021
Last Edited May 27, 2021
Security is at the heart of mCaptcha. If you find any discrepancies in @@ -211,4 +211,4 @@ NXxBvA5ABkcHzULubZWLB3QoKDP5DgEXB4cA7kMDryFPnN2shSdBsWt69g1E3gVo zKdOEDuIPIv4f7HhhCDCylGwfwqar5XJwnHQrBXLpwlTm4neDsnEOvOzyd8= =gpUQ -----END PGP PUBLIC KEY BLOCK----- -
mCaptcha is built entirely using free software libraries tools. We are @@ -6,4 +6,4 @@ grateful for all maintainers and contributors for their time and effort in making them!
mCaptcha shied logo is derived from this photo captured by Paweł Czerwiński. You can check out -their work at: