⬆️ 📝 Update exemples and version traefik 3, crowdsec 1.6.1-2, plugin … (#160)

* ⬆️ 📝 Update examples and version traefik 3, crowdsec 1.6.1-2, plugin 1.3.0

* 📝 🐛 Fix race in example and doc for TLS
mathieuHa
2024-05-01 20:03:19 +02:00
committed by GitHub
parent 1f11531509
commit e6b10b8ac4
18 changed files with 89 additions and 82 deletions


@@ -26,25 +26,25 @@ run_local:
docker compose -f docker-compose.local.yml up -d --remove-orphans
run_behindproxy:
docker compose -f examples/behind-proxy/docker-compose.cloudflare.yml up -d --remove-orphans
docker compose -f examples/behind-proxy/docker-compose.yml up -d --remove-orphans
run_cacheredis:
docker compose -f examples/redis-cache/docker-compose.redis.yml up -d --remove-orphans
docker compose -f examples/redis-cache/docker-compose.yml up -d --remove-orphans
run_trustedips:
docker compose -f examples/trusted-ips/docker-compose.trusted.yml up -d --remove-orphans
docker compose -f examples/trusted-ips/docker-compose.yml up -d --remove-orphans
run_binaryvm:
cd examples/binary-vm/ && sudo vagrant up
run_tlsauth:
docker compose -f examples/tls-auth/docker-compose.tls-auth.yml down && docker compose -f examples/tls-auth/docker-compose.tls-auth.yml up -d && docker compose -f examples/tls-auth/docker-compose.tls-auth.yml restart && docker compose -f examples/tls-auth/docker-compose.tls-auth.yml logs -f
docker compose -f examples/tls-auth/docker-compose.yml up -d --remove-orphans
run_appsec:
docker compose -f examples/appsec-enabled/docker-compose.appsec-enabled.yml up -d
docker compose -f examples/appsec-enabled/docker-compose.yml up -d
run_captcha:
docker compose -f examples/captcha/docker-compose.captcha.yml up -d
docker compose -f examples/captcha/docker-compose.yml up -d
run_custom_ban_page:
docker compose -f examples/custom-ban-page/docker-compose.yml up -d
@@ -62,19 +62,25 @@ restart:
docker compose -f docker-compose.yml restart
restart_behindproxy:
docker compose -f examples/behind-proxy/docker-compose.cloudflare.yml restart
docker compose -f examples/behind-proxy/docker-compose.yml restart
restart_cacheredis:
docker compose -f examples/redis-cache/docker-compose.redis.yml restart
docker compose -f examples/redis-cache/docker-compose.yml restart
restart_trustedips:
docker compose -f examples/trusted-ips/docker-compose.trusted.yml restart
docker compose -f examples/trusted-ips/docker-compose.yml restart
restart_tlsauth:
docker compose -f examples/tls-auth/docker-compose.tls-auth.yml
docker compose -f examples/tls-auth/docker-compose.yml
restart_appsec:
docker compose -f examples/tls-auth/docker-compose.appsec-enabled.yml
docker compose -f examples/tls-auth/docker-compose.yml
restart_captcha:
docker compose -f examples/captcha/docker-compose.yml
restart_custombanpage:
docker compose -f examples/custom-ban-page/docker-compose.yml
show_logs:
docker compose -f docker-compose.yml restart
@@ -86,11 +92,13 @@ show_dev_logs:
docker compose -f docker-compose.dev.yml logs -f
clean_all_docker:
docker compose -f examples/behind-proxy/docker-compose.cloudflare.yml down --remove-orphans
docker compose -f examples/redis-cache/docker-compose.redis.yml down --remove-orphans
docker compose -f examples/trusted-ips/docker-compose.trusted.yml down --remove-orphans
docker compose -f examples/tls-auth/docker-compose.tls-auth.yml down --remove-orphans
docker compose -f examples/appsec-enabled/docker-compose.appsec-enabled.yml down --remove-orphans
docker compose -f examples/behind-proxy/docker-compose.yml down --remove-orphans
docker compose -f examples/redis-cache/docker-compose.yml down --remove-orphans
docker compose -f examples/trusted-ips/docker-compose.yml down --remove-orphans
docker compose -f examples/tls-auth/docker-compose.yml down --remove-orphans
docker compose -f examples/appsec-enabled/docker-compose.yml down --remove-orphans
docker compose -f examples/captcha/docker-compose.yml down --remove-orphans
docker compose -f examples/custom-ban-page/docker-compose.yml down --remove-orphans
docker compose -f docker-compose.local.yml down --remove-orphans
docker compose -f docker-compose.yml down --remove-orphans
@@ -101,3 +109,6 @@ clean_vagrant:
show_metrics:
docker exec crowdsec cscli metrics
show_decisions:
docker exec crowdsec cscli decisions list
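Review bot: The restart_appsec target still points at the wrong stack after this change: its recipe is `docker compose -f examples/tls-auth/docker-compose.yml`, which is the tls-auth compose file, and it should be `docker compose -f examples/appsec-enabled/docker-compose.yml restart`. The same hunk also leaves restart_tlsauth, restart_appsec, restart_captcha and restart_custombanpage without the `restart` subcommand, so each of those targets only prints compose usage instead of restarting anything; appending ` restart` to each recipe fixes them. The show_logs target visible as context runs `restart` rather than `logs -f`, which looks like the same copy-paste slip, though that line is not new in this commit.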


@@ -1,8 +1,6 @@
version: "3.8"
services:
cloudflare:
image: "traefik:v2.10.4"
image: "traefik:v3.0.0"
container_name: "cloudflare"
restart: unless-stopped
command:
@@ -21,7 +19,7 @@ services:
- 8080:8080
traefik:
image: "traefik:v2.10.4"
image: "traefik:v3.0.0"
container_name: "traefik"
restart: unless-stopped
command:
@@ -35,7 +33,7 @@ services:
- "--entrypoints.web.forwardedheaders.trustedips=172.21.0.5"
- "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.version=v1.1.13"
- "--experimental.plugins.bouncer.version=v1.3.0"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- logs-traefik:/var/log/traefik
@@ -47,7 +45,7 @@ services:
whoami-foo:
image: traefik/whoami
container_name: "simple-service-foo"
container_name: "simple-service-foo-cloudflare"
restart: unless-stopped
labels:
- "traefik.enable=true"
@@ -66,7 +64,7 @@ services:
whoami-bar:
image: traefik/whoami
container_name: "simple-service-bar"
container_name: "simple-service-bar-cloudflare"
restart: unless-stopped
labels:
- "traefik.enable=true"
@@ -81,7 +79,7 @@ services:
crowdsec:
image: crowdsecurity/crowdsec:v1.5.2
image: crowdsecurity/crowdsec:v1.6.1-2
container_name: "crowdsec"
restart: unless-stopped
environment:


@@ -2,7 +2,7 @@
DEBIAN_FRONTEND=noninteractive sudo apt-get update && sudo apt-get install wget -y
# DEBIAN_FRONTEND=noninteractive sudo apt-get upgrade -y --assume-yes
wget -O traefik.tar.gz "https://github.com/traefik/traefik/releases/download/v2.10.4/traefik_v2.10.4_linux_amd64.tar.gz"
wget -O traefik.tar.gz "https://github.com/traefik/traefik/releases/download/v3.0.0/traefik_v3.0.0_linux_amd64.tar.gz"
tar -zxvf traefik.tar.gz
# inspired from https://gist.github.com/ubergesundheit/7c9d875befc2d7bfd0bf43d8b3862d85
sudo mv ./traefik /usr/local/bin/
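Review bot: The new wget line downloads the Traefik release archive and the following `tar`/`mv` steps install the binary into /usr/local/bin without any integrity check, so a tampered or truncated download is installed silently. Pin the SHA-256 of the v3.0.0 archive next to the URL and fail closed before extracting, e.g. `echo "<sha256>  traefik.tar.gz" | sha256sum -c -`; as far as I recall each Traefik release also publishes a checksums file the value can be taken from. If the script does not already start with `set -euo pipefail` (its first line is outside this hunk), adding it would keep the extract and move steps from running after a failed download.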


@@ -1,7 +1,7 @@
#!/bin/bash
DEBIAN_FRONTEND=noninteractive sudo apt-get update && apt-get install wget -y
wget -O whoami.tar.gz "https://github.com/traefik/whoami/releases/download/v1.9.0/whoami_v1.9.0_linux_amd64.tar.gz"
wget -O whoami.tar.gz "https://github.com/traefik/whoami/releases/download/v1.10.1/whoami_v1.10.1_linux_amd64.tar.gz"
tar -zxvf whoami.tar.gz
# inspired from https://gist.github.com/ubergesundheit/7c9d875befc2d7bfd0bf43d8b3862d85
sudo mv ./whoami /usr/local/bin/


@@ -32,7 +32,7 @@ It is not directly accessible from Traefik even when importing the plugin, so [d
```yaml
...
traefik:
image: "traefik:v2.11.0"
image: "traefik:v3.0.0"
volumes:
- './captcha.html:/captcha.html'
...
@@ -52,7 +52,7 @@ More information is available on configuring Crowdsec in the [official documenta
```yaml
...
crowdsec:
image: crowdsecurity/crowdsec:v1.6.0
image: crowdsecurity/crowdsec:v1.6.1-2
volumes:
# For captcha and ban mixed decision
- './profiles.yaml:/etc/crowdsec/profiles.yaml:ro'


@@ -1,6 +1,6 @@
services:
traefik:
image: "traefik:v2.11.0"
image: "traefik:v3.0.0"
container_name: "traefik"
restart: unless-stopped
command:
@@ -12,14 +12,14 @@ services:
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
# - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
# - "--experimental.plugins.bouncer.version=v1.2.0"
- "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.version=v1.3.0"
# - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- logs-captcha-enabled:/var/log/traefik
- './captcha.html:/captcha.html'
- ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
# - ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
ports:
- 8000:80
- 8080:8080
@@ -55,7 +55,7 @@ services:
- "traefik.http.middlewares.crowdsec.plugin.bouncer.captchaHTMLFilePath=/captcha.html"
crowdsec:
image: crowdsecurity/crowdsec:v1.6.0
image: crowdsecurity/crowdsec:v1.6.1-2
container_name: "crowdsec"
restart: unless-stopped
environment:


@@ -1,6 +1,6 @@
services:
traefik:
image: "traefik:v2.11.0"
image: "traefik:v3.0.0"
container_name: "traefik"
restart: unless-stopped
command:
@@ -12,14 +12,14 @@ services:
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
# - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
# - "--experimental.plugins.bouncer.version=v1.3.0-beta3"
- "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.version=v1.3.0"
# - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- logs-custom-ban-page-enabled:/var/log/traefik
- './ban.html:/ban.html'
- ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
# - ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
ports:
- 8000:80
- 8080:8080
@@ -46,7 +46,7 @@ services:
- "traefik.http.middlewares.crowdsec.plugin.bouncer.banHtmlFilePath=/ban.html"
crowdsec:
image: crowdsecurity/crowdsec:v1.6.0
image: crowdsecurity/crowdsec:v1.6.1-2
container_name: "crowdsec"
restart: unless-stopped
environment:


@@ -32,13 +32,15 @@ minikube start
helm repo add traefik https://traefik.github.io/charts
helm repo update
kubectl create ns traefik
helm upgrade --version v26.1.0 --install --namespace=traefik \
helm upgrade --version v28.0.0 --install --namespace=traefik \
--values=./traefik/values.yml \
traefik traefik/traefik
```
_A [bug](https://github.com/traefik/traefik-helm-chart/commit/e7ce1b410c858642069033305eb6362f26689f16) has been fixed in chart 26.1.0 that could prevent plugin to be loaded_
_v28.0.0 of the Traefik helm chart is only compatible with v3 of Traefik_
#### View the Traefik dashboard
> Port forward the dashboard:


@@ -1,5 +1,5 @@
image:
tag: v1.6.0
tag: v1.6.1-2
agent:
acquisition:


@@ -1,5 +1,5 @@
# dashboard.yaml
apiVersion: traefik.containo.us/v1alpha1
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: dashboard


@@ -1,4 +1,4 @@
apiVersion: traefik.containo.us/v1alpha1
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: bouncer


@@ -1,5 +1,5 @@
image:
tag: v2.11
tag: v3.0.0
logs:
general:
@@ -14,4 +14,4 @@ experimental:
plugins:
bouncer:
moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
version: "v1.2.0"
version: "v1.3.0"


@@ -1,8 +1,6 @@
version: "3.8"
services:
traefik:
image: "traefik:v2.10.4"
image: "traefik:v3.0.0"
container_name: "traefik"
restart: unless-stopped
command:
@@ -15,7 +13,7 @@ services:
- "--entrypoints.web.address=:80"
- "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.version=v1.1.13"
- "--experimental.plugins.bouncer.version=v1.3.0"
# - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
@@ -52,7 +50,7 @@ services:
whoami-redis-secure:
image: traefik/whoami
container_name: "simple-service-bar"
container_name: "simple-service-bar-redis"
restart: unless-stopped
labels:
- "traefik.enable=true"
@@ -73,7 +71,7 @@ services:
crowdsec:
image: crowdsecurity/crowdsec:v1.5.2
image: crowdsecurity/crowdsec:v1.6.1-2
container_name: "crowdsec"
restart: unless-stopped
environment:


@@ -1,8 +1,6 @@
version: "3.8"
services:
traefik:
image: "traefik:v2.10.4"
image: "traefik:v3.0.0"
container_name: "traefik"
restart: unless-stopped
command:
@@ -15,16 +13,18 @@ services:
- "--entrypoints.web.address=:80"
- "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.version=v1.1.13"
- "--experimental.plugins.bouncer.version=v1.3.0"
# - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
# - ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
ports:
- 80:80
- 8080:8080
whoami-foo:
image: traefik/whoami
container_name: "simple-service-foo"
container_name: "simple-service-foo-alone"
restart: unless-stopped
labels:
- "traefik.enable=true"
@@ -37,9 +37,7 @@ services:
# - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecmode=alone"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.CrowdsecCapiMachineId=logincacacalfkrjebfreifgzfblezgyfoerxsqxsqxsqxsr"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.CrowdsecCapiPassword=Password2"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.CrowdsecCapiMachineId=FIXME"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.CrowdsecCapiPassword=FIXME"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseccapiscenarios=crowdsecurity/sshd,crowdsecurity/asterisk_bf,crowdsecurity/asterisk_user_enum,crowdsecurity/base-http-scenarios"
volumes:
logs-local:
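Review bot: The CrowdsecCapiMachineId and CrowdsecCapiPassword values that this hunk replaces with FIXME remain recoverable from git history, so if they were ever valid CAPI enrollment credentials they should be rotated, not only redacted. Whatever a reader fills in ends up in a container label, which anyone with `docker inspect` access can read, as does the crowdseclapikey label kept as context just above; keeping the real values in an untracked `.env` file and referencing them through compose substitution, e.g. `- "traefik.http.middlewares.crowdsec.plugin.bouncer.CrowdsecCapiPassword=${CROWDSEC_CAPI_PASSWORD}"`, keeps them out of the example file. A short comment above the two FIXME lines saying that `make run_local` presumably will not authenticate to CAPI until they are filled in would save readers a debugging round.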


@@ -1,4 +1,4 @@
FROM ubuntu:22.04
FROM ubuntu:24.04
RUN apt-get update && apt-get install -y curl wget
RUN VERSION=$(curl --silent "https://api.github.com/repos/cloudflare/cfssl/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/') && VNUMBER=${VERSION#"v"} && wget https://github.com/cloudflare/cfssl/releases/download/${VERSION}/cfssl_${VNUMBER}_linux_amd64 -O cfssl && chmod +x cfssl && mv cfssl /usr/local/bin


@@ -72,11 +72,11 @@ The service `whoami-bar` will authenticate with a **client certificate** signed
Access to a route that communicate via https and authenticate with API-key:
```
curl http://localhost:80/foo
curl http://localhost:8000/foo
```
Access to a route that communicate via https and authenticate with a client certificate:
```
curl http://localhost:80/bar
curl http://localhost:8000/bar
```
Access to the traefik dashboard
```
@@ -89,5 +89,4 @@ make run_tlsauth
```
Note:
> This example is still in Beta and use a new version of Crowdsec (v1.4.3) at time of writing
A functionnality has been disabled in Crowdsec in order to make the example work DISABLE_AGENT: "true"
> Traefik need to be restart if certificates are regenerated after his launch


@@ -1,8 +1,6 @@
version: "3.8"
services:
traefik:
image: "traefik:v2.10.4"
image: "traefik:v3.0.0"
container_name: "traefik"
restart: unless-stopped
command:
@@ -15,7 +13,7 @@ services:
- "--entrypoints.web.address=:80"
- "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.version=v1.1.13"
- "--experimental.plugins.bouncer.version=v1.3.0"
# - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
@@ -25,10 +23,11 @@ services:
# - ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
ports:
- 80:80
- 8000:80
- 8080:8080
depends_on:
- crowdsec
- gencert
# Use HTTPS scheme but with lapikey authentication
# whoami-foo:
@@ -63,10 +62,10 @@ services:
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapischeme=https"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateAuthorityFile=/etc/traefik/crowdsec-certs/inter.pem"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateBouncerFile=/etc/traefik/crowdsec-certs/bouncer.pem"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateBouncerKeyFile=/etc/traefik/crowdsec-certs/bouncer-key.pem"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateBouncerKeyFile=/etc/traefik/crowdsec-certs/bouncer-key.pem"
crowdsec:
image: crowdsecurity/crowdsec:v1.5.2
image: crowdsecurity/crowdsec:v1.6.1-2
container_name: "crowdsec"
restart: unless-stopped
environment:
@@ -80,11 +79,13 @@ services:
CERT_FILE: "/etc/crowdsec/certs/server.pem"
KEY_FILE: "/etc/crowdsec/certs/server-key.pem"
CACERT_FILE: "/etc/crowdsec/certs/inter.pem"
# CLIENT_CERT_FILE: "/etc/crowdsec/certs/bouncer.pem"
# CLIENT_CERT_FILE: "/etc/crowdsec/certs/bouncer.pem"
AGENTS_ALLOWED_OU: "agent-ou"
BOUNCERS_ALLOWED_OU: "bouncer-ou"
LEVEL_DEBUG: "true"
# Disabled because it restart in loop otherwise
DISABLE_AGENT: "true"
# DISABLE_AGENT: "true"
# Disabled for the examples
DISABLE_ONLINE_API: "true"
volumes:
@@ -97,7 +98,9 @@ services:
- crowdsec-config-tls-auth:/etc/crowdsec/
labels:
- "traefik.enable=false"
depends_on:
- gencert
gencert:
build: .
volumes:
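Review bot: The new `depends_on: - gencert` entries on the traefik and crowdsec services only wait for the gencert container to be created, not for it to finish writing the certificates, so the start-up race the commit message refers to can still occur when Traefik or the LAPI opens a certificate path before cfssl has produced it. With the `version:` key dropped the file is read by Compose v2, which accepts the long `depends_on` form; if gencert is a one-shot container (its definition continues past this hunk, so I cannot confirm), `condition: service_completed_successfully` makes the ordering explicit instead of relying on timing. Separately, DISABLE_AGENT is now commented out while the comment `# Disabled because it restart in loop otherwise` above it is kept, which now contradicts the code and should be removed or reworded to say why the agent can run again.

```yaml
  traefik:
    # … unchanged: image, command, volumes, ports …
    depends_on:
      crowdsec:
        condition: service_started
      gencert:
        condition: service_completed_successfully
  # … unchanged: whoami services …
  crowdsec:
    # … unchanged: image, environment, volumes, labels …
    depends_on:
      gencert:
        condition: service_completed_successfully
```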


@@ -1,8 +1,6 @@
version: "3.8"
services:
traefik:
image: "traefik:v2.10.4"
image: "traefik:v3.0.0"
container_name: "traefik"
restart: unless-stopped
command:
@@ -15,7 +13,7 @@ services:
- "--entrypoints.web.address=:80"
- "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
- "--experimental.plugins.bouncer.version=v1.1.13"
- "--experimental.plugins.bouncer.version=v1.3.0"
# - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
@@ -29,7 +27,7 @@ services:
whoami1:
image: traefik/whoami
container_name: "simple-service-foo"
container_name: "simple-service-foo-trustedips"
restart: unless-stopped
labels:
- "traefik.enable=true"
@@ -48,7 +46,7 @@ services:
whoami2:
image: traefik/whoami
container_name: "simple-service-bar"
container_name: "simple-service-bar-trustedips"
restart: unless-stopped
labels:
- "traefik.enable=true"
@@ -67,7 +65,7 @@ services:
crowdsec:
image: crowdsecurity/crowdsec:v1.5.2
image: crowdsecurity/crowdsec:v1.6.1-2
container_name: "crowdsec"
restart: unless-stopped
environment: