I built a Caddy module for self-hosted ALTCHA captcha verification. ALTCHA is a proof-of-work protocol similar to Cloudflare Turnstile - users solve a computational challenge in their browser instead of clicking images. It takes about 200 ms to solve.
The module is entirely self-contained. Caddy generates HMAC-signed challenges, the browser widget solves them, and Caddy verifies the solution. No external API calls are needed.
Install:

    xcaddy build --with github.com/stardothosting/caddy-altcha

Example config:

    {
        order altcha_verify before reverse_proxy
    }

    example.com {
        route /api/altcha/challenge {
            altcha_challenge {
                hmac_key {env.ALTCHA_HMAC_KEY}
                max_number 1000000
            }
        }

        route /captcha {
            root * /var/www/altcha
            file_server
        }

        @protected path /login /register /api/*
        altcha_verify @protected {
            hmac_key {env.ALTCHA_HMAC_KEY}
            session_backend redis://localhost:6379
            challenge_redirect /captcha
        }

        reverse_proxy backend:8080
    }

It supports Redis/memory/file session backends, preserves POST data across challenges, and includes rate limiting and CORS protection. Works well with Coraza WAF if you want to challenge only suspicious requests.
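
The round trip described above (Caddy issues an HMAC-signed challenge, the browser solves it, Caddy verifies the solution), as an added Go sketch that is not the module's own code. It follows the published ALTCHA SHA-256 scheme; the function names, key and salt are hypothetical or constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Challenge is what the server sends to the browser widget.
type Challenge struct {
	Salt, Challenge, Signature string
	MaxNumber                  int
}
func hashHex(salt string, n int) string { // hex(SHA-256(salt + number))
	sum := sha256.Sum256([]byte(salt + strconv.Itoa(n)))
	return hex.EncodeToString(sum[:])
}
func sign(key []byte, challenge string) string { // hex(HMAC-SHA256(key, challenge))
	m := hmac.New(sha256.New, key)
	m.Write([]byte(challenge))
	return hex.EncodeToString(m.Sum(nil))
}
// NewChallenge is the server side; real servers pick salt and secret at random.
func NewChallenge(key []byte, salt string, secret, maxNumber int) Challenge {
	c := hashHex(salt, secret)
	return Challenge{salt, c, sign(key, c), maxNumber}
}
// Solve is the browser side: brute-force the number behind the hash.
func Solve(c Challenge) (int, bool) {
	for n := 0; n <= c.MaxNumber; n++ {
		if hashHex(c.Salt, n) == c.Challenge {
			return n, true
		}
	}
	return 0, false
}
// Verify: the HMAC proves the server issued it, the hash proves the work.
func Verify(key []byte, salt, challenge, signature string, number int) bool {
	sigOK := hmac.Equal([]byte(sign(key, challenge)), []byte(signature))
	return sigOK && hmac.Equal([]byte(hashHex(salt, number)), []byte(challenge))
}
func main() {
	key := []byte("constructed-demo-key") // stands in for ALTCHA_HMAC_KEY
	c := NewChallenge(key, "constructed-salt", 4242, 100000)
	n, ok := Solve(c)
	fmt.Println(n, ok, Verify(key, c.Salt, c.Challenge, c.Signature, n))
}
```

Verification in this sketch is stateless, so a solved payload stays valid until the server also enforces an expiry or tracks used challenges; the sketch leaves that out.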