mirror of
https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin.git
synced 2026-02-05 00:23:42 +01:00
892909b9b8
* 🐛 fix start up config error for appsec * :doc: add documentation on appsec variables and missing conf parameter * 🍱 fix lint * 🍱 fix lint * 🍱 fix lint * 🍱 fix after lot of tests * update exemple tls with new variables tested * fix exemple appsec with release and not localplugin --------- Co-authored-by: mhx <mathieu@hanotaux.fr>
121 lines
5.4 KiB
YAML
121 lines
5.4 KiB
YAML
services:
|
|
traefik:
|
|
image: "traefik:v3.5.0"
|
|
container_name: "traefik"
|
|
restart: unless-stopped
|
|
command:
|
|
# - "--log.level=DEBUG"
|
|
- "--accesslog"
|
|
- "--accesslog.filepath=/var/log/traefik/access.log"
|
|
- "--api.insecure=true"
|
|
- "--providers.docker=true"
|
|
- "--providers.docker.exposedbydefault=false"
|
|
- "--entrypoints.web.address=:80"
|
|
|
|
- "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
|
|
- "--experimental.plugins.bouncer.version=v1.5.0"
|
|
# - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- logs-tls-auth:/var/log/traefik
|
|
- crowdsec-certs-tls-auth:/etc/traefik/crowdsec-certs
|
|
# - ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
|
|
ports:
|
|
- 8000:80
|
|
- 8080:8080
|
|
depends_on:
|
|
- crowdsec
|
|
- gencert
|
|
|
|
# Use HTTPS scheme but with lapikey authentication
|
|
# whoami-foo:
|
|
# image: traefik/whoami
|
|
# container_name: "simple-service-foo"
|
|
# restart: unless-stopped
|
|
# labels:
|
|
# - "traefik.enable=true"
|
|
# - "traefik.http.routers.router-foo.rule=Path(`/foo`)"
|
|
# - "traefik.http.routers.router-foo.entrypoints=web"
|
|
# - "traefik.http.routers.router-foo.middlewares=crowdsec@docker"
|
|
# - "traefik.http.services.service-foo.loadbalancer.server.port=80"
|
|
# - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
|
|
# - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
|
|
# - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
|
|
# - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapischeme=https"
|
|
# - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateAuthorityFile=/etc/traefik/crowdsec-certs/inter.pem"
|
|
|
|
# Use HTTPS scheme with TLS cert authentication
|
|
whoami-bar:
|
|
image: traefik/whoami
|
|
container_name: "simple-service-bar"
|
|
restart: unless-stopped
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.router-bar.rule=PathPrefix(`/bar`)"
|
|
- "traefik.http.routers.router-bar.entrypoints=web"
|
|
- "traefik.http.routers.router-bar.middlewares=crowdsec@docker"
|
|
- "traefik.http.services.service-bar.loadbalancer.server.port=80"
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecMode=none"
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapischeme=https"
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecappsecscheme=https"
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecAppsecTLSCertificateAuthorityFile=/etc/traefik/crowdsec-certs/inter.pem"
|
|
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapikey=40796d93c2958f9e58345514e67740e5="
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateAuthorityFile=/etc/traefik/crowdsec-certs/inter.pem"
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateBouncerFile=/etc/traefik/crowdsec-certs/bouncer.pem"
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateBouncerKeyFile=/etc/traefik/crowdsec-certs/bouncer-key.pem"
|
|
# Enable AppSec
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecappsecenabled=true"
|
|
# Define AppSec host and port informations
|
|
- "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecappsechost=crowdsec:7422"
|
|
crowdsec:
|
|
image: crowdsecurity/crowdsec:latest
|
|
container_name: "crowdsec"
|
|
restart: unless-stopped
|
|
environment:
|
|
CUSTOM_HOSTNAME: crowdsec
|
|
# whoami-foo is authenticating with api key over https
|
|
# whoami-bar is authenticating with tls cert over https
|
|
BOUNCER_KEY_TRAEFIK_FOO: 40796d93c2958f9e58345514e67740e5=
|
|
LOCAL_API_URL: https://127.0.0.1:8080
|
|
USE_TLS: "true"
|
|
CERT_FILE: "/etc/crowdsec/certs/server.pem"
|
|
KEY_FILE: "/etc/crowdsec/certs/server-key.pem"
|
|
CACERT_FILE: "/etc/crowdsec/certs/inter.pem"
|
|
# CLIENT_CERT_FILE: "/etc/crowdsec/certs/bouncer.pem"
|
|
# CLIENT_CERT_FILE: "/etc/crowdsec/certs/bouncer.pem"
|
|
AGENTS_ALLOWED_OU: "agent-ou"
|
|
BOUNCERS_ALLOWED_OU: "bouncer-ou"
|
|
LEVEL_DEBUG: "true"
|
|
# Disabled because it restart in loop otherwise
|
|
# DISABLE_AGENT: "true"
|
|
# Disabled for the examples
|
|
DISABLE_ONLINE_API: "true"
|
|
COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
|
|
volumes:
|
|
- ./config/acquis.yaml:/etc/crowdsec/acquis.yaml
|
|
# - ./config/config.yaml:/etc/crowdsec/config_local.yaml
|
|
# - ./config/local_api_credentials.yaml:/etc/crowdsec/local_api_credentials.yaml:ro
|
|
- crowdsec-certs-tls-auth:/etc/crowdsec/certs/:ro
|
|
- logs-tls-auth:/var/log/traefik:ro
|
|
- crowdsec-db-tls-auth:/var/lib/crowdsec/data/
|
|
- crowdsec-config-tls-auth:/etc/crowdsec/
|
|
labels:
|
|
- "traefik.enable=false"
|
|
depends_on:
|
|
- gencert
|
|
|
|
gencert:
|
|
build: .
|
|
volumes:
|
|
- crowdsec-certs-tls-auth:/out
|
|
- ./in:/in:ro
|
|
|
|
volumes:
|
|
logs-tls-auth:
|
|
crowdsec-db-tls-auth:
|
|
crowdsec-config-tls-auth:
|
|
crowdsec-certs-tls-auth:
|