mirror of
https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin.git
synced 2026-07-19 10:52:19 +02:00
* 🐛 fall back to system trust store when no custom TLS CA is set Closes #327. Until now, configuring `crowdsecLapiScheme=https` forced the operator to either provide `crowdsecLapiTLSCertificateAuthority` (a custom CA) or set `crowdsecLapiTLSInsecureVerify=true` — there was no way to rely on the host's system trust store, which is the expected setup when the LAPI sits behind a reverse proxy with a publicly trusted (e.g. Let's Encrypt) certificate. Two contributing bugs: - `validateParamsTLS` rejected an empty CA up-front. - `getTLSConfig` always allocated an empty `tls.Config.RootCAs`, which silently disabled the standard library's fall-back to `x509.SystemCertPool()`. Fix: drop the validation error for the empty-CA case and only allocate `RootCAs` when a custom CA is actually provided. Same change applies symmetrically to the AppSec path since the helper is shared. Add unit tests covering the four meaningful states (HTTP, HTTPS with system CA, HTTPS with custom CA, HTTPS with insecure verify) plus the malformed-PEM rejection. README updated to document the system trust store as an explicit option for both LAPI and AppSec HTTPS. * 📝 fix gofmt alignment in TLS test struct * ✅ update existing test: https without CA is now accepted * ♻️ tests: hoist shared validPEM to package level, rename cfgGarbage Address review on #331: - the self-signed validPEM block was duplicated in two test funcs; declare it once at package level and drop both local copies. - rename cfgGarbage -> cfgInvalidCA (and its test case) for a descriptive name. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * ✅ e2e mock: add tls-system-ca scenario (HTTPS LAPI via system trust store) CI regression coverage for this PR: with no custom CA configured, the bouncer must fall back to the OS/system trust store for an HTTPS LAPI. In the binary suite the "system trust store" is whatever Go's x509.SystemCertPool() reads, which honours SSL_CERT_FILE on the Traefik process. The scenario mints a throwaway CA, serves the mock LAPI over HTTPS with a cert signed by it, and runs the stack twice: - positive: SSL_CERT_FILE = our CA -> LAPI trusted -> 200 - negative: SSL_CERT_FILE = empty bundle -> not trusted -> 403 (fail-closed) The negative run proves the patch still VERIFIES (not an insecure skip). - mocklapi: optional --lapi-tls-cert/--lapi-tls-key to serve the LAPI over TLS. - common.sh: opt-in LAPI_TLS_CERT/KEY (HTTPS mock) and TRAEFIK_SSL_CERT_FILE (inject SSL_CERT_FILE into Traefik); both default-empty, other scenarios unaffected. - adds openssl as a scenario-only dependency. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
128 lines
3.5 KiB
Makefile
128 lines
3.5 KiB
Makefile
.PHONY: lint test vendor clean e2e_mock
|
|
|
|
export GO111MODULE=on
|
|
|
|
# Binary/mock suite (Traefik binary + mock LAPI). This is what CI runs.
|
|
# The local Docker suite (make e2e) lives in a separate PR/branch.
|
|
E2E_MOCK_SCENARIOS := stream-mode live-mode none-mode trusted-ips custom-ban-page captcha appsec tls-system-ca
|
|
|
|
default: lint test
|
|
|
|
lint:
|
|
golangci-lint run
|
|
|
|
test:
|
|
go test -v -cover ./...
|
|
|
|
yaegi_test:
|
|
yaegi test -v .
|
|
|
|
e2e_mock: $(addprefix e2e_mock_,$(E2E_MOCK_SCENARIOS))
|
|
|
|
e2e_mock_%:
|
|
./tests/e2e/mock/scenarios/$*/run.sh
|
|
|
|
vendor:
|
|
go mod vendor
|
|
|
|
clean:
|
|
rm -rf ./vendor
|
|
|
|
run_dev:
|
|
docker compose -f docker-compose.dev.yml up -d --remove-orphans
|
|
|
|
run_local:
|
|
docker compose -f docker-compose.local.yml up -d --remove-orphans
|
|
|
|
run_behindproxy:
|
|
docker compose -f examples/behind-proxy/docker-compose.yml up -d --remove-orphans
|
|
|
|
run_cacheredis:
|
|
docker compose -f examples/redis-cache/docker-compose.yml up -d --remove-orphans
|
|
|
|
run_trustedips:
|
|
docker compose -f examples/trusted-ips/docker-compose.yml up -d --remove-orphans
|
|
|
|
run_binaryvm:
|
|
cd examples/binary-vm/ && sudo vagrant up
|
|
|
|
run_tlsauth:
|
|
docker compose -f examples/tls-auth/docker-compose.yml up -d --remove-orphans
|
|
|
|
run_appsec:
|
|
docker compose -f examples/appsec-enabled/docker-compose.yml up -d --remove-orphans
|
|
|
|
run_custom_captcha:
|
|
docker compose -f examples/custom-captcha/docker-compose.yml up -d --remove-orphans
|
|
|
|
run_captcha:
|
|
docker compose -f examples/captcha/docker-compose.yml up -d --remove-orphans
|
|
|
|
run_custom_ban_page:
|
|
docker compose -f examples/custom-ban-page/docker-compose.yml up -d --remove-orphans
|
|
|
|
run:
|
|
docker compose -f docker-compose.yml up -d --remove-orphans
|
|
|
|
restart_dev:
|
|
docker compose -f docker-compose.dev.yml restart
|
|
|
|
restart_local:
|
|
docker compose -f docker-compose.local.yml restart
|
|
|
|
restart:
|
|
docker compose -f docker-compose.yml restart
|
|
|
|
restart_behindproxy:
|
|
docker compose -f examples/behind-proxy/docker-compose.yml restart
|
|
|
|
restart_cacheredis:
|
|
docker compose -f examples/redis-cache/docker-compose.yml restart
|
|
|
|
restart_trustedips:
|
|
docker compose -f examples/trusted-ips/docker-compose.yml restart
|
|
|
|
restart_tlsauth:
|
|
docker compose -f examples/tls-auth/docker-compose.yml
|
|
|
|
restart_appsec:
|
|
docker compose -f examples/tls-auth/docker-compose.yml
|
|
|
|
restart_captcha:
|
|
docker compose -f examples/captcha/docker-compose.yml
|
|
|
|
restart_custombanpage:
|
|
docker compose -f examples/custom-ban-page/docker-compose.yml
|
|
|
|
show_logs:
|
|
docker compose -f docker-compose.yml restart
|
|
|
|
show_local_logs:
|
|
docker compose -f docker-compose.local.yml logs -f
|
|
|
|
show_dev_logs:
|
|
docker compose -f docker-compose.dev.yml logs -f
|
|
|
|
clean_all_docker:
|
|
docker compose -f examples/behind-proxy/docker-compose.yml down --remove-orphans
|
|
docker compose -f examples/redis-cache/docker-compose.yml down --remove-orphans
|
|
docker compose -f examples/trusted-ips/docker-compose.yml down --remove-orphans
|
|
docker compose -f examples/tls-auth/docker-compose.yml down --remove-orphans
|
|
docker compose -f examples/appsec-enabled/docker-compose.yml down --remove-orphans
|
|
docker compose -f examples/captcha/docker-compose.yml down --remove-orphans
|
|
docker compose -f examples/custom-captcha/docker-compose.yml down --remove-orphans
|
|
docker compose -f examples/custom-ban-page/docker-compose.yml down --remove-orphans
|
|
docker compose -f docker-compose.local.yml down --remove-orphans
|
|
docker compose -f docker-compose.yml down --remove-orphans
|
|
|
|
clean_vagrant:
|
|
cd examples/binary-vm/ && sudo vagrant destroy -f
|
|
|
|
|
|
show_metrics:
|
|
docker exec crowdsec cscli metrics
|
|
|
|
show_decisions:
|
|
docker exec crowdsec cscli decisions list
|
|
|