Skip to main content
The bot-mitigation component is registered by sitectl-isle for Islandora contexts. It uses the core sitectl Traefik bot-mitigation helper with ISLE’s Drupal router options. It adds the captcha-protect Traefik middleware to the Drupal router. Generic bot-mitigation environment controls live under core sitectl traefik; this component handles the Drupal route wiring. When enabled, requests to Drupal routes can be challenged with Cloudflare Turnstile before they reach Drupal. It defaults to disabled. Supported dispositions:
DispositionMeaning
enabledLoad captcha-protect as a local Traefik plugin and apply it to Drupal routes.
disabledLeave Drupal routes without the captcha-protect challenge middleware.

Enable During Create

Choose bot mitigation in the interactive sitectl create isle flow, or pass the flag directly: 
sitectl create isle --bot-mitigation on
The component defaults to off so existing automated create flows do not unexpectedly add a captcha challenge.

Enable On An Existing Site

sitectl set bot-mitigation enabled
This updates docker-compose.yml, adds the captcha-protect middleware reference to the Drupal router, appends the middleware definition at the bottom of conf/traefik/drupal.yml, installs the local Traefik plugin source under conf/traefik/plugins/captcha-protect, and mounts the challenge template used by the plugin. The ISLE plugin passes RouterName: "drupal" and RouterConfigPath: "conf/traefik/drupal.yml" to the core helper. Other app plugins can pass their own router options and override captcha-protect fields such as ProtectRoutes when registering and applying their bot-mitigation component.

Managed files

When enabled, the component manages:
  • docker-compose.yml Traefik command, mounts, and Turnstile environment defaults
  • conf/traefik/drupal.yml Drupal router middleware reference and captcha-protect middleware definition
  • conf/traefik/plugins/captcha-protect local Traefik plugin source
  • conf/traefik/challenge.tmpl.html challenge page template

Turnstile Keys

By default, sitectl writes Cloudflare Turnstile test keys: 
TURNSTILE_SITE_KEY: ${TURNSTILE_SITE_KEY:-1x00000000000000000000AA}
TURNSTILE_SECRET_KEY: ${TURNSTILE_SECRET_KEY:-1x0000000000000000000000000000000AA}
These keys are only for testing. They always allow bots that can run JavaScript to pass the challenge. For a real site, create Turnstile keys in Cloudflare and set TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY in the site’s environment before deploying bot mitigation.

Local Plugin Source

Traefik’s recommended plugin setup normally specifies a plugin version and lets Traefik download the plugin assets from Traefik’s plugin discovery service when the Traefik container is created. ISLE avoids that production-time network dependency by mounting the captcha-protect plugin source locally: 
./conf/traefik/plugins/captcha-protect:/plugins-local/src/github.com/libops/captcha-protect:r
This keeps Traefik startup independent of Traefik’s plugin discovery service. The site repository contains the plugin source that Traefik needs, so recreating the Traefik container does not require a remote plugin download.

Disable

sitectl set bot-mitigation disabled
Disabling removes the Traefik command, mounts, Turnstile environment defaults, and Drupal router middleware entry. It does not delete the local plugin source directory or an existing challenge.tmpl.html file from your checkout.