pretecno/crowdsec-bouncer-traefik-plugin
3
0
Fork 0
mirror of https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin.git synced 2025-11-08 15:15:05 +01:00
Code Issues Packages Releases Activity
143 Commits 7 Branches 65 Tags
5dd06567f4bd9a3c6f30935106ecd1c3ecc0ce75
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Max Lerebourg 5dd06567f4 🍱 test validate
2022-12-04 16:58:06 +01:00
.assets
🍱 finition
2022-09-28 18:02:43 +02:00
.github
Update issue templates
2022-11-27 18:15:11 +01:00
exemples
51 feature support tls connections to crowdsec not signed by a public ca (#53)
2022-11-30 17:54:49 +01:00
pkg
Add tests for cache internal pkg
2022-12-04 16:30:27 +01:00
tests
🍱 test validate
2022-12-04 16:58:06 +01:00
vendor
Add tests for cache internal pkg
2022-12-04 16:30:27 +01:00
.gitignore
51 feature support tls connections to crowdsec not signed by a public ca (#53)
2022-11-30 17:54:49 +01:00
.golangci.yml
51 feature support tls connections to crowdsec not signed by a public ca (#53)
2022-11-30 17:54:49 +01:00
.traefik.yml
fix lint
2022-09-29 10:52:29 +02:00
acquis.yaml
16 read ip address from x forwarded for or x real ip instead of remoteaddr if it exists (#17)
2022-10-15 14:00:32 +02:00
bouncer_test.go
🍱 test validate
2022-12-04 16:58:06 +01:00
bouncer.go
🍱 test validate
2022-12-04 16:58:06 +01:00
docker-compose.local.yml
Update all documentation and exemple
2022-11-19 13:46:15 +01:00
docker-compose.yml
⬆️ Bump to go 1.19 (#37)
2022-11-19 20:40:03 +01:00
go.mod
Add tests for cache internal pkg
2022-12-04 16:30:27 +01:00
go.sum
Add tests for cache internal pkg
2022-12-04 16:30:27 +01:00
LICENSE
first commit
2022-09-27 18:12:25 +02:00
Makefile
51 feature support tls connections to crowdsec not signed by a public ca (#53)
2022-11-30 17:54:49 +01:00
README.md
51 feature support tls connections to crowdsec not signed by a public ca (#53)
2022-11-30 17:54:49 +01:00

README.md

GitHub GitHub go.mod Go version GitHub tag (latest SemVer) Build Status Go Report Card

Crowdsec Bouncer Traefik plugin

This plugins aims to implement a Crowdsec Bouncer into a traefik plugin.

CrowdSec is an open-source and collaborative IPS (Intrusion Prevention System) and a security suite. We leverage local behavior analysis and crowd power to build the largest CTI network in the world.

The purpose is to enable treafik to authorize or block requests from IP based and their reputation and behavior.

The crowdsec utility will provide the community blocklist which contains highly reported and validated IP banned from the crowdsec network.

When used with crowdsec it will leverage the local API which will analyze traefik logs and take decisions on the requests made by users/bots. Malicious actors will be banned based on patterns against your website.

There are 3 operating modes (CrowdsecMode) for this plugin:

Mode Description
none If the client IP is on ban list, it will get a http code 403 response. Otherwise, request will continue as usual. All request call the Crowdsec LAPI
live If the client IP is on ban list, it will get a http code 403 response. Otherwise, request will continue as usual. The bouncer can leverage use of a local cache in order to reduce the number of requests made to the Crowdsec LAPI. It will keep in cache the status for each IP that makes queries.
stream Stream Streaming mode allows you to keep in the local cache only the Banned IPs, every requests that does not hit the cache is authorized. Every minute, the cache is updated with news from the Crowdsec LAPI.

The recommanded mode for performance is the streaming mode, decisions are updated every 60 sec by default and that's the only communication between traefik and crowdsec. Every requests that happens hits the cache for quick decisions.

The cache can be local to the Traefik instance using the filesystem or use of a separated redis instance.
The redis instance is currently in beta and support Redis 7.0.X version

Usage

To get started, use the docker-compose.yml file.

You can run it with:

make run

Note

/!\ Since Release 1.1.0, cache is no longer duplicated but shared by all services This lowers the overhead of the cache in memory and the numbers of cache to fetch it from crowdsec in situation with many services

Variables

  • Enabled
    • bool
    • enable the plugin
    • default: false
  • LogLevel
    • string
    • default: INFO, expected value are: INFO, DEBUG
  • CrowdsecMode
    • string
    • default: live, expected value are: none, live, stream
  • CrowdsecLapiScheme
    • string
    • default: http, expected value are: http, https
  • CrowdsecLapiHost
    • string
    • default: "crowdsec:8080"
    • Crowdsec LAPI available on which host and port.
  • CrowdsecLapiKey
    • string
    • default: ""
    • Crowdsec LAPI key for the bouncer : must be unique by service.
  • CrowdsecLapiKeyFile
    • string
    • default: ""
    • Crowdsec File path of the LAPI key for the bouncer : must be unique by service.
  • CrowdsecLapiTLSInsecureVerify
    • bool
    • default: false
    • Disable verification of certificate presented by Crowdsec LAPI
  • CrowdsecLapiTlsCertificateAuthority
    • string
    • default: ""
    • PEM-encoded Certificate Authority of the Crowdsec LAPI
  • CrowdsecLapiTlsCertificateAuthorityFile
    • string
    • default: ""
    • File path of the Certificate Authority of the Crowdsec LAPI
  • CrowdsecLapiTlsCertificateBouncer
    • string
    • default: ""
    • PEM-encoded client Certificate of the Bouncer
  • CrowdsecLapiTlsCertificateBouncerFile
    • string
    • default: ""
    • File path of the client Certificate of the Bouncer
  • CrowdsecLapiTlsCertificateBouncerKey
    • string
    • default: ""
    • PEM-encoded client private key of the Bouncer
  • CrowdsecLapiTlsCertificateBouncerKeyFile
    • string
    • default: ""
    • File path of the client private key of the Bouncer
  • UpdateIntervalSeconds
    • int64
    • default: 60
    • Used only in stream mode, interval between requests to fetch blacklisted IPs from LAPI
  • DefaultDecisionSeconds
    • int64
    • default: 60
    • Used only in live mode, decision duration of accepted IPs
  • ForwardedHeadersTrustedIPs
    • []string
    • default: []
    • List of IPs of trusted Proxies that are in front of traefik (ex: Cloudflare)
  • ForwardedHeadersCustomName
    • string
    • default: "X-Forwarded-For"
    • Name of the header where the real IP of the client should be retrieved
  • RedisCacheEnabled
    • bool
    • default: false
    • enable redis cache instead of filesystem cache
  • RedisCacheHost
    • string
    • default: "redis:6379"
    • hostname and port for the redis service
  • ClientTrustedIPs
    • string
    • default: []
    • List of client IPs we trust, they will bypass any more check to the bouncer or cache (usefull for LAN or VPN IP)

Configuration

For each plugin, the Traefik static configuration must define the module name (as is usual for Go packages).

The following declaration (given here in YAML) defines a plugin:

# Static configuration

experimental:
  plugins:
    bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin

# Dynamic configuration

http:
  routers:
    my-router:
      rule: host(`woami.localhost`)
      service: service-foo
      entryPoints:
        - web
      middlewares:
        - crowdsec

  services:
    service-foo:
      loadBalancer:
        servers:
          - url: http://127.0.0.1:5000
  
  middlewares:
    crowdsec:
      plugin:
        bouncer:
          enabled: false
          logLevel: DEBUG
          updateIntervalSeconds: 60
          defaultDecisionSeconds: 60
          crowdsecMode: live
          crowdsecLapiKey: privateKey-foo
          crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiScheme: http
          crowdsecLapiTLSInsecureVerify: false
          forwardedHeadersTrustedIPs: 
            - 10.0.10.23/32
            - 10.0.20.0/24
          clientTrustedIPs: 
            - 192.168.1.0/24
          forwardedHeadersCustomName: X-Custom-Header
          redisCacheEnabled: false
          redisCacheHost: "redis:6379"
          crowdsecLapiTLSCertificateAuthority: |-
            -----BEGIN CERTIFICATE-----
            MIIEBzCCAu+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT
            ...
            Q0veeNzBQXg1f/JxfeA39IDIX1kiCf71tGlT
            -----END CERTIFICATE-----
          crowdsecLapiTLSCertificateAuthorityFile: /etc/traefik/crowdsec-certs/ca.pem
          crowdsecLapiTLSCertificateBouncer: |-
            -----BEGIN CERTIFICATE-----
            MIIEHjCCAwagAwIBAgIUOBTs1eqkaAUcPplztUr2xRapvNAwDQYJKoZIhvcNAQEL
            ...
            RaXAnYYUVRblS1jmePemh388hFxbmrpG2pITx8B5FMULqHoj11o2Rl0gSV6tHIHz
            N2U=
            -----END CERTIFICATE-----
          crowdsecLapiTLSCertificateBouncerFile: /etc/traefik/crowdsec-certs/bouncer.pem
          crowdsecLapiTLSCertificateBouncerKey: |-
            -----BEGIN RSA PRIVATE KEY-----
            MIIEogIBAAKCAQEAtYQnbJqifH+ZymePylDxGGLIuxzcAUU4/ajNj+qRAdI/Ux3d
            ...
            ic5cDRo6/VD3CS3MYzyBcibaGaV34nr0G/pI+KEqkYChzk/PZRA=
            -----END RSA PRIVATE KEY-----
          crowdsecLapiTLSCertificateBouncerKeyFile: /etc/traefik/crowdsec-certs/bouncer-key.pem

These are the default values for the plugin except for LapiKey.

Authenticate with LAPI

You can either authenticate with LAPIKEY to the LAPI or using client certificates. Please see below for more detail on each option.

Generate LAPI KEY

You can generate a crowdsec API key for the LAPI. You can follow the documentation here: https://docs.crowdsec.net/docs/user_guides/lapi_mgmt/

docker-compose -f docker-compose-local.yml up -d crowdsec
docker exec crowdsec cscli bouncers add crowdsecBouncer

This LAPI key must be set where is noted FIXME-LAPI-KEY in the docker-compose.yml

...
whoami:
  labels:
    - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=FIXME-LAPI-KEY"
    - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapischeme=http"
    - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapihost=crowdsec:8080"
...
crowdsec:
  environment:
    BOUNCER_KEY_TRAEFIK: FIXME-LAPI-KEY
...

Note:

Crowdsec does not require a specific format for la LAPI-key, you may use something like FIXME-LAPI-KEY but that is not recommanded for obvious reasons

You can then run all the containers:

docker-compose up -d

Use certificates to authenticate with Crowdsec

You can follow the example in exemples/tls-auth to view how to authenticate with client certificates with the LAPI. In that case communications with the LAPI must go through HTTPS.

A script is available to generate certificates in exemples/tls-auth/gencerts.sh and must be colocated with the in directory which contains the inputs for the PKI creation.

Use HTTPS to communicate with the LAPI

To communicate with the LAPI in HTTPS you need to either accept any certificates setting the crowdsecLapiTLSInsecureVerify to true or add the CA used to by the server certificate of Crowdsec using crowdsecLapiTLSCertificateAuthority or crowdsecLapiTLSCertificateAuthorityFile. Set the crowdsecLapiScheme to https.

Crowdsec must be listening in HTTPS for this to work. Please see the tls-auth exemple or the official documentation: https://docs.crowdsec.net/docs/local_api/tls_auth/

Fill variable with value of file

Every sensitive variable or file based can be provided with the content as raw or through a file path that Traefik can read. The file variable will be used as preference if both content and file are provided for the same variable. Format is:

  • Content: VARIABLE_NAME: XXX
  • FILE : VARIABLE_NAME_FILE: /path

Add manually an IP to the blocklist (testing purpose)

docker-compose up -d crowdsec
docker exec crowdsec cscli decisions add --ip 10.0.0.10 -d 10m # this will be effective 10min
docker exec crowdsec cscli decisions remove --ip 10.0.0.10

Local Mode

Traefik also offers a developer mode that can be used for temporary testing of plugins not hosted on GitHub. To use a plugin in local mode, the Traefik static configuration must define the module name (as is usual for Go packages) and a path to a Go workspace, which can be the local GOPATH or any directory.

The plugins must be placed in ./plugins-local directory, which should be in the working directory of the process running the Traefik binary. The source code of the plugin should be organized as follows:

./plugins-local/
    └── src
        └── github.com
            └── maxlerebourg
                └── crowdsec-bouncer-traefik-plugin
                    ├── bouncer.go
                    ├── bouncer_test.go
                    ├── go.mod
                    ├── LICENSE
                    ├── Makefile
                    ├── readme.md
                    └── vendor/*

For local developpement a docker-compose.local.yml is provided and reproduce the directory layout needed by traefik. This works once you have generated and filled your LAPI-KEY (crowdsecLapiKey), if not look below for informations

docker-compose -f docker-compose.local.yml up -d

Equivalent to

make run_local

Exemples

  1. Behind another proxy service (ex: clouflare)

You need to configure your Traefik to trust Forwarded headers by your front proxy In the exemple we use another instance of traefik with the container named cloudflare to simulate a front proxy

The "internal" Traefik instance is configured to trust the cloudflare forward headers This helps Traefik choose the right IP of the client: see https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers

  - "--entrypoints.web.forwardedheaders.trustedips=172.21.0.5"

We configure the middleware to trust as well the IP:

    - "traefik.http.middlewares.crowdsec1.plugin.bouncer.forwardedheaderstrustedips=172.21.0.5"

To play the demo environnement run:

make run_behindproxy
  1. With Redis as an external shared cache

The plugin must be configured to connect to a redis instance

  redisCacheHost: "redis:6379"

Here redis is the hostname of a container located in the same network as Traefik and 6379 the default port of redis

To play the demo environnement run:

make run_cacheredis
  1. Using Trusted IP (ex: LAN OR VPN) that won't get filtered by crowdsec

You need to configure your Traefik to trust Forwarded headers by your front proxy In the exemple we use a whoami container protected by crowdsec, and we ban or IP before allowing using TrustedIPs

If you are using another proxy in front, you need to add it's IP in the trusted IP for the forwarded headers. This helps Traefik choose the right IP of the client: see https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers The "internal" Traefik instance is configured to trust the forward headers

  - "--entrypoints.web.forwardedheaders.trustedips=172.21.0.5"

We configure the middleware to trust as well the IP of the intermediate proxy if needed:

    - "traefik.http.middlewares.crowdsec.plugin.bouncer.forwardedheaderstrustedips=172.21.0.5"

Add your IP to the ban list

docker exec crowdsec cscli decisions add --ip 10.0.10.30 -d 10m

You should get a 403 on http://localhost/foo

Replace 10.0.10.30 by your IP

Add the IPs that will not be filtered by the plugin

    - "traefik.http.middlewares.crowdsec.plugin.bouncer.clientTrustedips=10.0.10.30/32"

Replace 10.0.10.30/32 by your IP or IP range, so it's not getting checked against ban cache of crowdsec

You should get a 200 on http://localhost/foo even if you are on the ban cache

To play the demo environnement run:

make run_trustedips
  1. Using https communication and tls authentication with Crowdsec
Summary

This example demonstrate the use of https between the Traefik plugin and the Crowdsec LAPI.

It is possible to communicate with the LAPI in https and still authenticate with API key. You can add the client TLS certificate generated to authenticate without any Token in the plugin.

However note that it is not possible to authenticate with TLS client certificate without https setup for the LAPI.

The example is detailed below and will be place in the examples/tls-auth/README.md file.

Details

Simple HTTPS communication: It is possible to talk to Crowdsec LAPI which is configured with a self-signed certificate In that case the setting crowdsecLapiTLSInsecureVerify must be set to true.

It is recommanded to validate the certificate presented by Crowdsec LAPI using the Certificate Authority which created it.

You can provide the Certificate Authority using:

  • A file path readable by Traefik
http:
  middlewares:
    crowdsec:
      plugin:
        bouncer:
          crowdsecLapiTlsCertificateAuthorityFile: /etc/traefik/certs/crowdsecCA.pem
  • The PEM encoded certificate as a text variable

In the static file configuration of Traefik

http:
  middlewares:
    crowdsec:
      plugin:
        bouncer:
          crowdsecLapiTlsCertificateAuthority: |-
              -----BEGIN CERTIFICATE-----
              MIIEBzCCAu+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT
              MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK
              ...
              C6qNieSwcvWL7C03ri0DefTQMY54r5wP33QU5hJ71JoaZI3YTeT0Nf+NRL4hM++w
              Q0veeNzBQXg1f/JxfeA39IDIX1kiCf71tGlT
              -----END CERTIFICATE-----

In a dynamic configuration of a provider (ex docker) as a Label

services:
  whoami-foo:
    image: traefik/whoami
    labels:
      - |
        traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecLapiTlsCertificateAuthority=
        -----BEGIN CERTIFICATE-----
        MIIEBzCCAu+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT
        MRAwDgYDVQQHDAdTZWF0dGxlMRMwEQYDVQQIDApXYXNoaW5ndG9uMSIwIAYDVQQK
        ...
        C6qNieSwcvWL7C03ri0DefTQMY54r5wP33QU5hJ71JoaZI3YTeT0Nf+NRL4hM++w
        Q0veeNzBQXg1f/JxfeA39IDIX1kiCf71tGlT
        -----END CERTIFICATE-----

The example tls-auth presents 2 services, foo and bar which comes with the bouncer. At startup, certificates are created in a shared docker volume by a sidecar container which exits after.

Traefik will use client and CA certificates. The Bouncer will use server and CA certificates.

The service whoami-foo will authenticate with an API key over HTTPS after verifying the server certificate with CA. The service whoami-bar will authenticate with a client certificate signed by the CA.

Access to a route that communicate via https and authenticate with API-key:

curl http://localhost:80/foo

Access to a route that communicate via https and authenticate with a client certificate:

curl http://localhost:80/bar

Access to the traefik dashboard

curl http://localhost:8080/dashboard/#/

To play the demo environnement run:

make run_tlsauth

Note:

This example is still in Beta and use a new version of Crowdsec (v1.4.3) at time of writing A functionnality has been disabled in Crowdsec in order to make the example work DISABLE_AGENT: "true"

About

Me and mathieuHa have been using traefik since 2020 at Primadviz. We come from web developper and security engineer background and wanted to add the power of a very promesing technology (Crowdsec) into the edge router we love.

We initially run into this project: https://github.com/fbonalair/traefik-crowdsec-bouncer It was using traefik and forward auth middleware to verify every requests. They had to go through a webserver which then contacts of another webservice (the crowdsec LAPI) to make a decision based on the source IP. We initially proposed some improvement by implementing a streaming mode and a local cache. With the Traefik hackathon we deciced to implement our solution directly as a traefik plugin which could be found by every one on plugins.traefik.io and be more performant.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme Apache-2.0 1.6 MiB
Languages
Go 73.7%
HTML 23%
Makefile 3.3%