mirror of
https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin.git
synced 2025-11-08 15:15:05 +01:00
Add AppSec Path Variable (#202)
* Added Appsec Path config Variable * ✨ Add path env var for lapi and appsec * 🍱 Update README.md --------- Co-authored-by: Tobias Heinze <tobias.heinze@telekom.de> Co-authored-by: Max Lerebourg <maxlerebourg@gmail.com>
This commit is contained in:
Tobias Heinze
12
README.md
12
README.md
@@ -329,6 +329,10 @@ Only one instance of the plugin is *possible*.
|
||||
- string
|
||||
- default: "crowdsec:7422"
|
||||
- Crowdsec Appsec Server available on which host and port. The scheme will be handled by the CrowdsecLapiScheme var.
|
||||
- CrowdsecAppsecPath
|
||||
- string
|
||||
- default: "/"
|
||||
- Crowdsec Appsec Server available on this path. Will be appended to CrowdsecAppsecHost. Need to finish with "/".
|
||||
- CrowdsecAppsecFailureBlock
|
||||
- bool
|
||||
- default: true
|
||||
@@ -344,6 +348,10 @@ Only one instance of the plugin is *possible*.
|
||||
- string
|
||||
- default: "crowdsec:8080"
|
||||
- Crowdsec LAPI available on which host and port.
|
||||
- CrowdsecLapiPath
|
||||
- string
|
||||
- default: "/"
|
||||
- Crowdsec LAPI Server available on this path. Will be appended to CrowdsecLapiHost. Need to finish with "/".
|
||||
- CrowdsecLapiKey
|
||||
- string
|
||||
- default: ""
|
||||
@@ -493,12 +501,14 @@ http:
|
||||
crowdsecMode: live
|
||||
crowdsecAppsecEnabled: false
|
||||
crowdsecAppsecHost: crowdsec:7422
|
||||
crowdsecAppsecPath: "/"
|
||||
crowdsecAppsecFailureBlock: true
|
||||
crowdsecAppsecUnreachableBlock: true
|
||||
crowdsecLapiKey: privateKey-foo
|
||||
crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo
|
||||
crowdsecLapiHost: crowdsec:8080
|
||||
crowdsecLapiScheme: http
|
||||
crowdsecLapiHost: crowdsec:8080
|
||||
crowdsecLapiPath: "/"
|
||||
crowdsecLapiTLSInsecureVerify: false
|
||||
crowdsecCapiMachineId: login
|
||||
crowdsecCapiPassword: password
|
||||
|
||||
14
bouncer.go
14
bouncer.go
@@ -62,10 +62,12 @@ type Bouncer struct {
|
||||
enabled bool
|
||||
appsecEnabled bool
|
||||
appsecHost string
|
||||
appsecPath string
|
||||
appsecFailureBlock bool
|
||||
appsecUnreachableBlock bool
|
||||
crowdsecScheme string
|
||||
crowdsecHost string
|
||||
crowdsecPath string
|
||||
crowdsecKey string
|
||||
crowdsecMode string
|
||||
crowdsecMachineID string
|
||||
@@ -105,8 +107,10 @@ func New(_ context.Context, next http.Handler, config *configuration.Config, nam
|
||||
if config.CrowdsecMode == configuration.AloneMode {
|
||||
config.CrowdsecCapiMachineID, _ = configuration.GetVariable(config, "CrowdsecCapiMachineID")
|
||||
config.CrowdsecCapiPassword, _ = configuration.GetVariable(config, "CrowdsecCapiPassword")
|
||||
config.CrowdsecLapiScheme = configuration.HTTPS
|
||||
config.CrowdsecLapiHost = crowdsecCapiHost
|
||||
config.CrowdsecLapiScheme = "https"
|
||||
config.CrowdsecLapiPath = "/"
|
||||
config.CrowdsecAppsecEnabled = false
|
||||
config.UpdateIntervalSeconds = 7200 // 2 hours
|
||||
crowdsecStreamRoute = crowdsecCapiStreamRoute
|
||||
crowdsecHeader = crowdsecCapiHeader
|
||||
@@ -147,10 +151,12 @@ func New(_ context.Context, next http.Handler, config *configuration.Config, nam
|
||||
crowdsecMode: config.CrowdsecMode,
|
||||
appsecEnabled: config.CrowdsecAppsecEnabled,
|
||||
appsecHost: config.CrowdsecAppsecHost,
|
||||
appsecPath: config.CrowdsecAppsecPath,
|
||||
appsecFailureBlock: config.CrowdsecAppsecFailureBlock,
|
||||
appsecUnreachableBlock: config.CrowdsecAppsecUnreachableBlock,
|
||||
crowdsecScheme: config.CrowdsecLapiScheme,
|
||||
crowdsecHost: config.CrowdsecLapiHost,
|
||||
crowdsecPath: config.CrowdsecLapiPath,
|
||||
crowdsecKey: config.CrowdsecLapiKey,
|
||||
crowdsecMachineID: config.CrowdsecCapiMachineID,
|
||||
crowdsecPassword: config.CrowdsecCapiPassword,
|
||||
@@ -408,7 +414,7 @@ func handleNoStreamCache(bouncer *Bouncer, remoteIP string) (string, error) {
|
||||
routeURL := url.URL{
|
||||
Scheme: bouncer.crowdsecScheme,
|
||||
Host: bouncer.crowdsecHost,
|
||||
Path: crowdsecLapiRoute,
|
||||
Path: bouncer.crowdsecPath + crowdsecLapiRoute,
|
||||
RawQuery: fmt.Sprintf("ip=%v&banned=true", remoteIP),
|
||||
}
|
||||
body, err := crowdsecQuery(bouncer, routeURL.String(), false)
|
||||
@@ -504,7 +510,7 @@ func handleStreamCache(bouncer *Bouncer) error {
|
||||
streamRouteURL := url.URL{
|
||||
Scheme: bouncer.crowdsecScheme,
|
||||
Host: bouncer.crowdsecHost,
|
||||
Path: bouncer.crowdsecStreamRoute,
|
||||
Path: bouncer.crowdsecPath + bouncer.crowdsecStreamRoute,
|
||||
RawQuery: fmt.Sprintf("startup=%t", !isCrowdsecStreamHealthy || isStartup),
|
||||
}
|
||||
body, err := crowdsecQuery(bouncer, streamRouteURL.String(), false)
|
||||
@@ -584,7 +590,7 @@ func appsecQuery(bouncer *Bouncer, ip string, httpReq *http.Request) error {
|
||||
routeURL := url.URL{
|
||||
Scheme: bouncer.crowdsecScheme,
|
||||
Host: bouncer.appsecHost,
|
||||
Path: "/",
|
||||
Path: bouncer.appsecPath,
|
||||
}
|
||||
var req *http.Request
|
||||
if httpReq.Body != nil && httpReq.ContentLength > 0 {
|
||||
|
||||
@@ -3,7 +3,9 @@ You need to create a crowdsec API credentials for the CAPI.
|
||||
You can follow the documentation here: https://docs.crowdsec.net/docs/central_api/intro
|
||||
|
||||
```bash
|
||||
curl -X POST "https://api.crowdsec.net/v2/watchers" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"PASSWORD\", \"machine_id\": \"LOGIN\"}"
|
||||
LOGIN=...
|
||||
PASSWORD=...
|
||||
curl -X POST "https://api.crowdsec.net/v2/watchers" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"password\": \"$PASSWORD\", \"machine_id\": \"$LOGIN\"}"
|
||||
```
|
||||
|
||||
These CAPI credentials must be set in your docker-compose.yml or in your config files
|
||||
|
||||
@@ -35,8 +35,7 @@ services:
|
||||
|
||||
- "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
|
||||
# - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
|
||||
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecmode=alone"
|
||||
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
|
||||
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecMode=alone"
|
||||
- "traefik.http.middlewares.crowdsec.plugin.bouncer.CrowdsecCapiMachineId=FIXME"
|
||||
- "traefik.http.middlewares.crowdsec.plugin.bouncer.CrowdsecCapiPassword=FIXME"
|
||||
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseccapiscenarios=crowdsecurity/sshd,crowdsecurity/asterisk_bf,crowdsecurity/asterisk_user_enum,crowdsecurity/base-http-scenarios"
|
||||
|
||||
@@ -40,10 +40,12 @@ type Config struct {
|
||||
CrowdsecMode string `json:"crowdsecMode,omitempty"`
|
||||
CrowdsecAppsecEnabled bool `json:"crowdsecAppsecEnabled,omitempty"`
|
||||
CrowdsecAppsecHost string `json:"crowdsecAppsecHost,omitempty"`
|
||||
CrowdsecAppsecPath string `json:"crowdsecAppsecPath,omitempty"`
|
||||
CrowdsecAppsecFailureBlock bool `json:"crowdsecAppsecFailureBlock,omitempty"`
|
||||
CrowdsecAppsecUnreachableBlock bool `json:"crowdsecAppsecUnreachableBlock,omitempty"`
|
||||
CrowdsecLapiScheme string `json:"crowdsecLapiScheme,omitempty"`
|
||||
CrowdsecLapiHost string `json:"crowdsecLapiHost,omitempty"`
|
||||
CrowdsecLapiPath string `json:"crowdsecLapiPath,omitempty"`
|
||||
CrowdsecLapiKey string `json:"crowdsecLapiKey,omitempty"`
|
||||
CrowdsecLapiKeyFile string `json:"crowdsecLapiKeyFile,omitempty"`
|
||||
CrowdsecLapiTLSInsecureVerify bool `json:"crowdsecLapiTlsInsecureVerify,omitempty"`
|
||||
@@ -98,10 +100,12 @@ func New() *Config {
|
||||
CrowdsecMode: LiveMode,
|
||||
CrowdsecAppsecEnabled: false,
|
||||
CrowdsecAppsecHost: "crowdsec:7422",
|
||||
CrowdsecAppsecPath: "/",
|
||||
CrowdsecAppsecFailureBlock: true,
|
||||
CrowdsecAppsecUnreachableBlock: true,
|
||||
CrowdsecLapiScheme: HTTP,
|
||||
CrowdsecLapiHost: "crowdsec:8080",
|
||||
CrowdsecLapiPath: "/",
|
||||
CrowdsecLapiKey: "",
|
||||
CrowdsecLapiTLSInsecureVerify: false,
|
||||
UpdateIntervalSeconds: 60,
|
||||
@@ -217,11 +221,11 @@ func ValidateParams(config *Config) error {
|
||||
}
|
||||
}
|
||||
|
||||
if err := validateURL("CrowdsecLapi", config.CrowdsecLapiScheme, config.CrowdsecLapiHost); err != nil {
|
||||
if err := validateURL("CrowdsecLapi", config.CrowdsecLapiScheme, config.CrowdsecLapiHost, config.CrowdsecLapiPath); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := validateURL("CrowdsecAppsec", config.CrowdsecLapiScheme, config.CrowdsecAppsecHost); err != nil {
|
||||
if err := validateURL("CrowdsecAppsec", config.CrowdsecLapiScheme, config.CrowdsecAppsecHost, config.CrowdsecAppsecPath); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -257,11 +261,11 @@ func ValidateParams(config *Config) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func validateURL(variable, scheme, host string) error {
|
||||
// This only check that the format of the URL scheme://host is correct and do not make requests
|
||||
testURL := url.URL{Scheme: scheme, Host: host}
|
||||
func validateURL(variable, scheme, host, path string, path string) error {
|
||||
// This only check that the format of the URL scheme://host/path is correct and do not make requests
|
||||
testURL := url.URL{Scheme: scheme, Host: host, Path: path}
|
||||
if _, err := http.NewRequest(http.MethodGet, testURL.String(), nil); err != nil {
|
||||
return fmt.Errorf("CrowdsecLapiScheme://%sHost: '%v://%v' must be an URL", variable, scheme, host)
|
||||
return fmt.Errorf("CrowdsecLapiScheme://%sHost: '%v://%v%v' must be a valid URL", variable, scheme, host, path)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user