crowdsec-bouncer-traefik-plugin's People

Contributors

josephkav, mathieuha, maxlerebourg, mmetc, relativesure

crowdsec-bouncer-traefik-plugin's Issues

How does Live-mode work?

So, this is not a bug-report :)

But I'm struggling a bit with how Live-mode actually works compared to Stream-mode.

When I run my instance in stream-mode (with Redis, thanks for adding the password!), Crowdsec will block IPs when they do something they shouldn't according to the collections I run. This seems to work great.

But when I run my Traefik instance in Live-mode, it never blocks any IPs. But I see that all of the IPs trying to connect to my instance get a cache:hit, but maybe they are never forwarded to Crowdsec when they are hit in the cache, so that the buckets in Crowdsec will never fill up?

So, when I run Live-mode, will this plugin still send the IPs trying to connect to Crowdsec, or is that only every 60 sec? In the latter case, that means it will "never" be triggered by Crowdsec for a ban?

Several TrustedIPs in docker-compose

Describe the bug
Hi, I tried to add several IP networks as trusted IPs within the docker-compose.yml file but none of these worked:

 - "traefik.http.middlewares.crowdsec.plugin.bouncer.clienttrustedips=192.168.a.0/24, 172.16.b.0/24"
 - "traefik.http.middlewares.crowdsec.plugin.bouncer.clienttrustedips=192.168.a.0/24 172.16.b.0/24 "
 - "traefik.http.middlewares.crowdsec.plugin.bouncer.clienttrustedips=[192.168.a.0/24, 172.16.b.0/24]"

What would be the correct syntax at all?

Feature: Read crowdsecLapiKey from file

Quick thought, it might be a good idea to have this variable readable from a file on the local filesystem, since dynamic traefik configurations usually reside in git repositories, and pushing API keys to git services is a big no-no.

[BUG] RedisPassword with 1.1.11-beta

Hello,

Thanks for trying to get RedisPasswords to work.
It seems like the plugin can get a connection to the Redis instance as I get AUTH messages in my Redis instance, but I don't get any GET, SET or DELETE messages, and the log of Redis says:

image

This is the settings used:

redisCacheEnabled: true
redisCacheHost: Redis:6379
redisCachePassword: REDACTED
logLevel: DEBUG

[FEATURE] Less verbose logs

Sometimes it happens my crowdsec dies, or something else happens.

It would be better if the plugin wouldn't log within traefik logs, every single host that attempts to connect:

ERROR: CrowdsecBouncerTraefikPlugin: 2023/02/12 10:08:48 ServeHTTP isCrowdsecStreamHealthy:false ip:[REDACTED]
... Million more lines for 1 hour that crowdsec was dead.

Because the journal just becomes unreadable.

It would be okay for it to be like the above in DEBUG mode, but the regular logging should be something like:

DATE - Failed to connect to crowdsec...
DATE - Regained connection...

And maybe set some flap time between the above two logs, eg. 5 minutes before retrying, or maybe have this as a user customizable variable.

[Traefik Plugin Catalog] Plugin Analyzer has detected a problem.

The plugin was not imported into Traefik Plugin Catalog.

Cause:

failed to run the plugin with Yaegi: failed to create a new plugin instance: CrowdsecLapiKey cannot be empty

Traefik Plugin Analyzer will restart when you will close this issue.

If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please contact us.

[QUESTION] context deadline exceeded

hello, first of all great work. I already starred you.
This is much better than the old way.

But I got one Problem. Communication between CrowdSec and the Plugin does not work.
Here is my config:

traefik.yml

  plugins:
    crowdsec-bouncer-traefik-plugin:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.1.7"

(back to 1.1.7 because I wanted to test whether the problem comes from the beta)

my middleware

    crowdsec-bouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          Enabled: "true"
          crowdsecLapiHost: 10.10.100.36:8080
          crowdsecMode: none
          CrowdsecLapiKey: myapikey

none because I want to test each query at the beginning.

When I try to access the page (working without the middleware) it takes some seconds, then I get a blank page, and that's in my syslog of traefik:

Jan  4 20:21:07 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:07 getTLSConfigCrowdsec:CrowdsecLapiScheme not https
Jan  4 20:21:08 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:08 ServeHTTP ip:10.10.20.54 isTrusted:false
Jan  4 20:21:11 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:11 ServeHTTP ip:10.10.20.54 isTrusted:false
Jan  4 20:21:13 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:13 ServeHTTP ip:10.10.20.54 isTrusted:false
Jan  4 20:21:18 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:18 ServeHTTP:handleNoStreamCache ip:10.10.20.54 crowdsecQuery url:http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true Get "http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Jan  4 20:21:18 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:18 ServeHTTP ip:10.10.20.54 isTrusted:false
Jan  4 20:21:21 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:21 ServeHTTP:handleNoStreamCache ip:10.10.20.54 crowdsecQuery url:http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true Get "http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Jan  4 20:21:23 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:23 ServeHTTP:handleNoStreamCache ip:10.10.20.54 crowdsecQuery url:http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true Get "http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Jan  4 20:21:28 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:28 ServeHTTP:handleNoStreamCache ip:10.10.20.54 crowdsecQuery url:http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true Get "http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I turned off all firewalls for testing.
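
Added example, not code from the plugin or from this issue, tying the timeout above to the earlier question "How does Live-mode work?": in live mode a bouncer makes the single request visible in the log, GET /v1/decisions?ip=...&banned=true with its API key, and only receives decisions back. It never reports traffic to CrowdSec; bans originate from the agent parsing logs. The Go below (hypothetical names liveCheck, decide and newFakeLAPI, and an in-process stand-in instead of a real LAPI) issues that query with a client timeout, shows how a stalled LAPI comes back as the "context deadline exceeded" error, and makes the fail-open versus fail-closed choice explicit, which a bouncer has to settle before the LAPI is ever unreachable.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Decision holds the LAPI decision fields a bouncer needs (json field matching is case-insensitive).
type Decision struct{ Type, Value, Scope, Duration string }

// ErrLapiUnreachable wraps transport failures such as a refused connection or the
// client timeout that surfaces as "context deadline exceeded".
var ErrLapiUnreachable = errors.New("LAPI unreachable")

// liveCheck is the one request live mode makes for an IP that is not cached:
// GET /v1/decisions?ip=<ip>&banned=true, authenticated with the bouncer key.
// Nothing about the request itself is reported to CrowdSec; only decisions flow back.
func liveCheck(client *http.Client, lapiURL, apiKey, ip string) (bool, error) {
	q := url.Values{"ip": {ip}, "banned": {"true"}}
	req, err := http.NewRequest(http.MethodGet, lapiURL+"/v1/decisions?"+q.Encode(), nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("X-Api-Key", apiKey)
	resp, err := client.Do(req)
	if err != nil {
		return false, fmt.Errorf("%w: %v", ErrLapiUnreachable, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("LAPI returned HTTP %d", resp.StatusCode)
	}
	var decisions []Decision // the LAPI answers "null" when nothing matches; that decodes to nil
	if err := json.NewDecoder(resp.Body).Decode(&decisions); err != nil {
		return false, err
	}
	for _, d := range decisions {
		if d.Type == "ban" {
			return true, nil
		}
	}
	return false, nil
}

// decide turns the check into allow/deny. failClosed picks what happens when the
// LAPI cannot be reached: deny everything (true) or let traffic through (false).
func decide(client *http.Client, lapiURL, apiKey, ip string, failClosed bool) (bool, error) {
	banned, err := liveCheck(client, lapiURL, apiKey, ip)
	if errors.Is(err, ErrLapiUnreachable) {
		return !failClosed, err
	}
	if err != nil {
		return false, err
	}
	return !banned, nil
}

// newFakeLAPI is an in-process stand-in for the LAPI constructed for this example:
// it checks the API key, optionally stalls to provoke a client timeout, and returns
// a ban decision (in the LAPI wire format) for the IPs listed in banned.
func newFakeLAPI(apiKey string, banned map[string]bool, stall time.Duration) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Api-Key") != apiKey {
			http.Error(w, `{"message":"access forbidden"}`, http.StatusForbidden)
			return
		}
		time.Sleep(stall)
		ip := r.URL.Query().Get("ip")
		if banned[ip] {
			fmt.Fprintf(w, `[{"type":"ban","value":%q,"scope":"Ip","duration":"4h0m0s"}]`, ip)
			return
		}
		_, _ = w.Write([]byte("null"))
	}))
}

func main() {
	lapi := newFakeLAPI("test-key", map[string]bool{"203.0.113.5": true}, 0)
	defer lapi.Close()
	for _, ip := range []string{"203.0.113.5", "198.51.100.9"} {
		allowed, err := decide(&http.Client{Timeout: 2 * time.Second}, lapi.URL, "test-key", ip, true)
		fmt.Printf("%s allowed=%v err=%v\n", ip, allowed, err)
	}
	slow := newFakeLAPI("test-key", nil, 500*time.Millisecond) // stalled LAPI, 50 ms client timeout
	defer slow.Close()
	_, err := decide(&http.Client{Timeout: 50 * time.Millisecond}, slow.URL, "test-key", "198.51.100.9", true)
	fmt.Println("stalled LAPI:", err)
}
```

Run it with go run: the first two lines show a banned and a clean IP, the last one the wrapped timeout. Whether to fail closed is a policy decision rather than a bug: closed blocks every client while the LAPI is down, open lets banned IPs through for the length of the outage.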

[FEATURE] tcp middleware support

Hi, I use Traefik as an SMTP reverse proxy via proxy protocol TCP,

it would be great if the bouncer would also support blockings in the tcp middleware section.

[FEATURE] Redis password support

Describe the bug 🐛
How do you connect to a Redis instance with a Redis password? And choose the Redis DB?

Expected behavior 👀
Connection established.

Context 🔎
Trying to connect to my Redis instance which is running AUTH with a password. Tried different connection strings, but none of them seem to work.
e.g.:
redis://:PASSWORD@redis:6379/5
redis://:PASSWORD@redis:6379/5
:PASSWORD@redis:6379
:PASSWORD@redis:6379/5

Version (please complete the following information):

  • OS: Docker @unraid
  • Traefik version: 2.9
  • Plugin version: 1.1.10
  • Redis ? :7.0.4

[Config] K8S - Unknown plugin type

Describe the bug 🐛
The plugin is loaded according to the traefik debug logs:

{"level":"debug","msg":"loading of plugin: crowdsec-bouncer-traefik-plugin: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin@v1.1.11","time":"2023-04-14T14:45:31+02:00"}

All routers then report that the plugin "bouncer" is unknown:

{"entryPointName":"websecure","level":"error","msg":"plugin: unknown plugin type: bouncer","routerName":"paperless-paperless-ingress-bd6074e47e859bbe5ad9@kubernetescrd","time":"2023-04-14T14:45:32+02:00"}

Expected behavior 👀
The plugin type should be known as the plugin is loaded.

Context 🔎
See "To Reproduce"

Version (please complete the following information):

  • OS: Ubuntu + RKE2 (Kubernetes)
  • Traefik version: 2.9.9
  • Plugin version: 1.1.11
  • Redis : No

To Reproduce


kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  namespace: traefik
  labels:
    app: traefik
spec:
  replicas: 3
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      terminationGracePeriodSeconds: 60
      containers:
        - name: traefik
          image: traefik:v2.9.10
          env:
            - name: TZ
              value: Europe/Zurich
          volumeMounts:
          - name: varlog
            mountPath: /var/log
          args:
            - --global.sendanonymoususage=false
            - --global.checknewversion=false
            - --entryPoints.web.proxyProtocol.trustedIPs=192.168.1.0/24
            - --entryPoints.web.proxyProtocol.insecure=true
            # https
            - --entryPoints.websecure.proxyProtocol.trustedIPs=192.168.1.0/24
            - --entryPoints.websecure.proxyProtocol.insecure=true
            - --api.dashboard=true
            - --api.insecure=false
            - --entrypoints.web.address=:80/tcp
            - --entrypoints.websecure.address=:443/tcp
            - --entrypoints.websecure.http.middlewares=traefik-default-secure-traefik@kubernetescrd
            - --entrypoints.traefik.address=:9000/tcp
            - --providers.kubernetescrd
            - --providers.kubernetescrd.ingressclass=traefik-external
            - --providers.kubernetescrd.allowCrossNamespace=true
            - --providers.kubernetesingress
            - --entrypoints.web.http.redirections.entryPoint.to=:443
            - --entrypoints.web.http.redirections.entryPoint.scheme=https
            - --entrypoints.websecure.http.tls=true
            - --serversTransport.insecureSkipVerify=true
            - --log.format=json
            - --log.level=DEBUG
            - --accesslog=true
            - --accesslog.filepath=/var/log/access.log
            - --accesslog.fields.names.StartUTC=drop
            - --accesslog.format=json
            - --experimental.plugins.crowdsec-bouncer-traefik-plugin.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
            - --experimental.plugins.crowdsec-bouncer-traefik-plugin.version=v1.1.11
          ports:
            - name: web
              containerPort: 80
              protocol: TCP
            - name: websecure
              containerPort: 443
              protocol: TCP
            - name: traefik
              containerPort: 9000
              protocol: TCP
        - name: traefik-access-log
          image: busybox:1.28
          args: [/bin/sh, -c, 'tail -n+1 -F /var/log/access.log']
          volumeMounts:
          - name: varlog
            mountPath: /var/log
      volumes:
      - name: varlog
        emptyDir: {}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: default-secure-traefik
  namespace: traefik
spec:
  chain:
    middlewares:
    - name: default-header
    - name: errorpage-nginx-middleware
      namespace: errorpage
    - name: bouncer
      namespace: crowdsec
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: bouncer
  namespace: crowdsec
spec:
  plugin:
    bouncer:
      enabled: "true"
      logLevel: DEBUG
      crowdsecMode: live
      crowdsecLapiScheme: http
      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
      CrowdsecLapiKey: MY-SECRET-API

Deployed Crowdsec with the Helm chart and following values:

container_runtime: containerd
tls:
  enabled: true
  bouncer:
    secret: "traefik-certificate"
agent:
  tolerations:
    - key: node-role.kubernetes.io/control-plane
      operator: Equal
      effect: NoSchedule
  # Specify each pod whose logs you want to process
  acquisition:
    # The namespace where the pod is located
    - namespace: traefik
      # The pod name
      podName: traefik-*
      # as in crowdsec configuration, we need to specify the program name to find a matching parser
      program: traefik
  env:
    - name: PARSERS
      value: "crowdsecurity/cri-logs"
    - name: COLLECTIONS
      value: "crowdsecurity/traefik"
  persistentVolume:
    config:
      enabled: false
lapi:
  dashboard:
    enabled: true
  persistentVolume:
    config:
      enabled: false

Apply above manifest to a cluster and let all pods be created (ignore the other two middlewares). All pods will start but Traefik will report that the plugin is unknown and no router using it will work. If you remove the bouncer middleware everything works great again.

Some logs:

{"level":"debug","msg":"Propagating new UP status","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"tracing","middlewareType":"TracingForwarder","msg":"Added outgoing tracing middleware sonarr-sonarr-ingress-486104bc5adb2e24936e","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"traefik-default-whitelist@kubernetescrd","middlewareType":"IPWhiteLister","msg":"Creating middleware","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"traefik-default-whitelist@kubernetescrd","middlewareType":"IPWhiteLister","msg":"Setting up IPWhiteLister with sourceRange: [192.168.1.0/24]","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"traefik-default-whitelist@kubernetescrd","msg":"Adding tracing to middleware","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"traefik-default-secure-traefik@kubernetescrd","middlewareType":"Chain","msg":"Creating middleware","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"error","msg":"plugin: unknown plugin type: bouncer","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"pipelining","middlewareType":"Pipelining","msg":"Creating middleware","routerName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d@kubernetescrd","serviceName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","msg":"Creating load-balancer","routerName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d@kubernetescrd","serviceName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","msg":"Creating server 0 http://10.42.4.60:80","routerName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d@kubernetescrd","serverName":0,"serviceName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d","time":"2023-04-14T14:45:31+02:00"}
{"level":"debug","msg":"child http://10.42.4.60:80 now UP","time":"2023-04-14T14:45:31+02:00"}
{"level":"debug","msg":"Propagating new UP status","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","msg":"Creating server 1 http://10.42.1.41:80","routerName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d@kubernetescrd","serverName":1,"serviceName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d","time":"2023-04-14T14:45:31+02:00"}
{"level":"debug","msg":"child http://10.42.1.41:80 now UP","time":"2023-04-14T14:45:31+02:00"}
{"level":"debug","msg":"Still UP, no need to propagate","time":"2023-04-14T14:45:31+02:00"}

What did I miss while setting up the plugin?

Feature: Support TLS connections to Crowdsec not signed by a public CA

When CrowdSec enables TLS, Traefik cannot talk to it if the certificates are not signed by a public CA.

Following the CrowdSec documentation on setting up TLS auth, certificates are signed by an unknown authority:

traefik.log

Nov 27 14:20:36 debian11.localdomain traefik[2621]: INFO: CrowdsecBouncerTraefikPlugin: 2022/11/27 14:20:36 error while fetching https://localhost:8080/v1/decisions/stream?startup=true: Get "https://localhost:8080/v1/decisions/stream?startup=true": x509: certificate signed by unknown authority
Nov 27 14:21:36 debian11.localdomain traefik[2621]: DEBUG: CrowdsecBouncerTraefikPlugin: 2022/11/27 14:21:36 handleStreamCache

We need to offer the option to trust the CA when connecting, or to ignore self-signed certificates.
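
As an added example (not the plugin's code), the two options named above side by side in Go: lapiTLSConfig builds the client TLS config either with a private CA appended to the system roots or with InsecureSkipVerify, and fetchStream performs the same startup pull as the failing log line. newPrivateCALAPI is scaffolding that generates a throwaway CA and a server certificate signed by it so the whole thing runs offline; all three names are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// lapiTLSConfig builds the client TLS settings for an https LAPI. caPEM is an
// optional PEM bundle for a private CA, added on top of the system roots.
// insecure=true silences the x509 error by skipping verification entirely, so any
// host on the path can impersonate the LAPI and read the bouncer key; lab use only.
func lapiTLSConfig(caPEM []byte, insecure bool) (*tls.Config, error) {
	if insecure {
		return &tls.Config{InsecureSkipVerify: true}, nil // weak option
	}
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA bundle contains no parsable certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// fetchStream performs the stream-mode startup pull from the log line and returns the HTTP status.
func fetchStream(lapiURL, apiKey string, cfg *tls.Config) (int, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	req, err := http.NewRequest(http.MethodGet, lapiURL+"/v1/decisions/stream?startup=true", nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("X-Api-Key", apiKey)
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// newPrivateCALAPI is scaffolding for this example: it generates a throwaway CA,
// signs a server certificate for 127.0.0.1 with it, and serves an empty stream
// response over TLS. It returns the server and the CA certificate as PEM.
func newPrivateCALAPI() (*httptest.Server, []byte) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "lapi"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, DNSNames: []string{"localhost"},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"new":null,"deleted":null}`)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}}
	srv.StartTLS()
	return srv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
}

func main() {
	srv, caPEM := newPrivateCALAPI()
	defer srv.Close()
	for _, tc := range []struct{ name string; ca []byte; insecure bool }{
		{"system roots only", nil, false}, {"private CA trusted", caPEM, false}, {"InsecureSkipVerify", nil, true},
	} {
		cfg, _ := lapiTLSConfig(tc.ca, tc.insecure)
		status, err := fetchStream(srv.URL, "test-key", cfg)
		fmt.Printf("%-20s status=%d err=%v\n", tc.name, status, err)
	}
}
```

With go run, the first request fails with the same "certificate signed by unknown authority" error as the log, the second succeeds because the CA is trusted, and the third succeeds because verification is off. That third path is the one to avoid outside a lab: with InsecureSkipVerify any host between Traefik and the LAPI can present a certificate, answer the pull, and collect the bouncer key sent in X-Api-Key.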

Significant slow down after updating to v1.1.1 and configuring to use redis

My setup:

  • 14 services using the bouncer
  • Local redis cache in the same docker network as traefik

Right after upgrading to v1.1.1 every request is very slow (45+ seconds). Services are unusable in that state.
I have verified the redis cache and IPs successfully get cached in it with a "f" value, so the connection is working, but something is wrong and I could not figure out what it is.

When I revert to v1.1.0 everything goes back to normal.
With redisCacheEnabled: false on version v1.1.1, the issue doesn't appear.

It's definitely something to do when redis gets involved.

Bug: bouncer.go:176:6: panic

Hello,

I am a new user of the traefik bouncer plugin in a (stable) docker environment and I have unexplained errors in the logs:
time="2022-12-06T18:33:12+01:00" level=error msg="plugins-storage/sources/gop-3552147530/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/bouncer.go:176:6: panic" plugin=plugin-bouncer module=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin

I have activated the DEBUG log level but nothing appears in the logs, error surrounding lines are these ones but they also appear outside of the error context so I don't think they are directly related:
DEBUG: CrowdsecBouncerTraefikPlugin: 2022/12/06 18:33:12 ServeHTTP ip:82.xxx.xxx.xxx isTrusted:true

Apart from that, everything seems to be working (as far as my recent experience of the product goes) and I don't know what this error causes if anything.

I have found no way to reproduce the error.

Traefik version 2.9.5
Plugin version 1.1.5

Thanks.

Plugin configuration:
middlewares-traefik-bouncer:
  plugin:
    bouncer:
      enabled: true
      logLevel: DEBUG
      crowdsecMode: live
      crowdsecLapiScheme: http
      crowdsecLapiHost: crowdsec:8080
      crowdsecLapiKey: xxxx
      clientTrustedIPs:
        - 192.168.0.0/24
        - 82.xxx.xxx.xxx
      forwardedHeadersTrustedIPs:
        # Cloudflare IP Ranges
        # https://www.cloudflare.com/ips/
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22

Cache is disabled but tested IPs remain banned due to cache hits?

Hi there

I have got your plugin working now with kubernetes but noticed an odd occurrence

Cache is currently disabled;

redisCacheEnabled: false

But manually added IPs remain banned due to cache hits?

cache:hit isBanned:true

How can that be with cache disabled?

Also, is crowdsecMode set to none when redis is disabled?

Thanks :)

Support version 3.X of Traefik

After upgrading to v3.0.0-beta2, we encounter panics

image

This problem could come from Traefik or the plugin might need some adaptation.

[Traefik Plugin Catalog] Plugin Analyzer has detected a problem.

The plugin was not imported into Traefik Plugin Catalog.

Cause:

failed to load readme: failed to get the readme file: GET https://api.github.com/repos/maxlerebourg/crowdsec-bouncer-traefik-plugin/readme?ref=v0.1.0-alpha: 404 Not Found []

Traefik Plugin Analyzer will restart when you will close this issue.

If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please contact us.

systemctl spammed with cache:miss

Dec 26 22:55:11 hostname traefik[3734797]: ERROR: CrowdsecBouncerTraefikPlugin: 2022/12/26 22:55:11 cache:miss

Hey, I just noticed I've been having this error logged every single second for the past week, effectively the plugin was not working at all. When I add my desktop to the ban list, I can still access everything behind the proxy. Any ideas on how to troubleshoot? Also occurs on 1.1.5.

Using traefik 2.9.5.

Bypassing Crowdsec for local IPs?

Hello,

I was wondering if this is possible at all with the current implementation?

I know local IPs can be excluded from rate limiting in crowdsec itself, but I would like it if localnet IPs could access services behind traefik, without the bouncer plugin querying crowdsec at all.

I'm guessing some sort of permanent cache would be the solution here (In the case of stream mode), and perhaps even in live mode, the plugin could read IPs from that same "permanent cache".

Generate CI with github actions

Currently none of the CI have ever passed.

Code is using go 1.18, and CI is set to 1.17

There is some lint option we need to tweak to be able to pass CI

Prepare the CI for added tests later

Read IP address from X-Forwarded-For or X-Real-Ip instead of RemoteAddr if it exists.

Currently the bouncer reads the IP address from RemoteAddr. If traefik is behind a load balancer (in my case cloudflared tunnel) that IP will be the IP address of the load balancer.
In that case, the bouncer should try to read the IP address from X-Forwarded-For or X-Real-Ip headers to obtain the real IP address.
The other solution is to have a setting in the traefik configuration to define the header which the IP address will be read from.

clientTrustedIPs seems to block every IP except its parameters

Hey @mathieuHa, just wanted to let you know that I'm having some issues accessing services from the outside.

Now everyone gets 403 responses. Disabling the bouncer from the traefik static config fixes the issue, meaning the plugin is definitely the culprit.

Consider that everything on localnet is 172.16.1.1/24

I've set:

clientTrustedIPs:
  - 172.16.1.1/24

And this works as expected, these clients are not rate limited and don't go through crowdsec.

Though when adding - 0.0.0.0/0, I have access to all services externally.

It seems now that only clientTrustedIPs are allowed to connect, regardless of what crowdsec says.

Any thoughts?

I'm using Traefik 2.8.4, and the latest commit of this plugin (deployed in the plugins-local dir). I don't use redis for now. I'll look into debug mode a bit later, if it's even required at all, though this seems like some sort of funny semantic issue :)
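
Added example in Go (not the plugin's own code) covering both the earlier request to read the address from X-Forwarded-For or X-Real-Ip and this clientTrustedIPs report. parseCIDRList accepts the separators people try in labels and promotes bare addresses to single-host prefixes; clientIP honours X-Forwarded-For, X-Real-Ip or a custom header only when the TCP peer is in forwardedHeadersTrustedIPs, because anyone else can forge those headers to claim a clean or trusted address; bypassesBouncer is the clientTrustedIPs check, which also shows why adding 0.0.0.0/0 trusts every client on the Internet. The function names and the sample request are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// parseCIDRList accepts the separators people try in Traefik labels (comma,
// comma plus space, space) and promotes a bare address to a single-host prefix.
func parseCIDRList(s string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, f := range strings.FieldsFunc(s, func(r rune) bool { return r == ',' || r == ' ' }) {
		if !strings.Contains(f, "/") {
			a, err := netip.ParseAddr(f)
			if err != nil {
				return nil, fmt.Errorf("trusted IP %q: %w", f, err)
			}
			out = append(out, netip.PrefixFrom(a.Unmap(), a.Unmap().BitLen()))
			continue
		}
		p, err := netip.ParsePrefix(f)
		if err != nil {
			return nil, fmt.Errorf("trusted IP %q: %w", f, err)
		}
		out = append(out, p.Masked()) // 172.16.1.1/24 is stored as 172.16.1.0/24
	}
	return out, nil
}

// inRanges reports whether ip lies in any prefix; IPv4-mapped IPv6 is unmapped first.
func inRanges(ranges []netip.Prefix, ip netip.Addr) bool {
	ip = ip.Unmap()
	for _, p := range ranges {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP resolves the address a decision is looked up for. Forwarding headers are
// honoured only when the TCP peer is a trusted proxy: anyone else can put whatever
// they like in X-Forwarded-For, so for an untrusted peer RemoteAddr is the client.
func clientIP(r *http.Request, trustedProxies []netip.Prefix, customHeader string) (netip.Addr, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // no port present, e.g. a unix socket or a test value
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("RemoteAddr %q: %w", r.RemoteAddr, err)
	}
	if peer = peer.Unmap(); !inRanges(trustedProxies, peer) {
		return peer, nil
	}
	if customHeader != "" {
		if a, err := netip.ParseAddr(strings.TrimSpace(r.Header.Get(customHeader))); err == nil {
			return a.Unmap(), nil
		}
	}
	// Walk X-Forwarded-For right to left: each proxy appends its peer, so the first
	// hop that is not itself a trusted proxy is the real client.
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		hops := strings.Split(xff, ",")
		for i := len(hops) - 1; i >= 0; i-- {
			a, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
			if err != nil {
				return netip.Addr{}, errors.New("malformed X-Forwarded-For")
			}
			if a = a.Unmap(); !inRanges(trustedProxies, a) {
				return a, nil
			}
		}
	}
	if a, err := netip.ParseAddr(strings.TrimSpace(r.Header.Get("X-Real-Ip"))); err == nil {
		return a.Unmap(), nil
	}
	return peer, nil
}

// bypassesBouncer is the clientTrustedIPs check: a match skips the LAPI lookup
// entirely, so 0.0.0.0/0 in that list trusts the whole Internet.
func bypassesBouncer(ip netip.Addr, clientTrusted []netip.Prefix) bool {
	return inRanges(clientTrusted, ip)
}

func main() {
	proxies, _ := parseCIDRList("10.137.0.0/16, 172.16.1.1/24") // forwardedHeadersTrustedIPs
	trusted, _ := parseCIDRList("172.16.1.1/24")                // clientTrustedIPs
	r, _ := http.NewRequest(http.MethodGet, "/", nil)
	r.RemoteAddr = "10.137.4.2:51000"                          // constructed: the tunnel/LB pod
	r.Header.Set("X-Forwarded-For", "203.0.113.7, 10.137.9.9") // constructed header
	ip, err := clientIP(r, proxies, "")
	fmt.Println("client:", ip, "bypass:", bypassesBouncer(ip, trusted), "err:", err)
}
```

The order matters: the trusted-proxy check on RemoteAddr comes before any header is read, and the header is walked from the right so that a client prepending a fake hop to X-Forwarded-For gains nothing.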

[BUG] Stream Mode stops blocking

Describe the bug 🐛
Unfortunately I do not have exact details but I got this case already multiple times.
I am not 100% sure what triggers the bug but I think it happened every time I made a config mistake in traefik, corrected it and restarted the traefik service. Then the plugin is not blocking anymore.

I have uptimekuma running and I banned the ip of the container. Like this uptimekuma can check for Code 403 and I see, if it is working.
I checked it with wget from the container as well to verify the result and I get a Code 200.
Switching the middleware from stream to none works instantly and i get a Code 403.
Yes I always waited the time to sync the banlist again and much longer. I also reduced polling time to 15 s.
The logs look like the plugin is first serving then checking?!

The Debug Log of the plugin with stream is:

Jan 30 09:25:09 traefik traefik[1757]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/30 09:25:09 ServeHTTP ip:10.10.100.38 isTrusted:false
Jan 30 09:25:09 traefik traefik[1757]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/30 09:25:09 cache:GetDecision ip:10.10.100.38
Jan 30 09:25:09 traefik traefik[1757]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/30 09:25:09 ServeHTTP:getDecision ip:10.10.100.38 isBanned:true cache:miss

Logs tell me in Stream mode isBanned:true but the website is served

This is what it looks like, when i switch to none and wget the page:

Jan 30 09:39:45 traefik traefik[1757]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/30 09:39:45 ServeHTTP ip:10.10.100.38 isTrusted:false
Jan 30 09:39:45 traefik traefik[1757]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/30 09:39:45 ServeHTTP:handleNoStreamCache ip:10.10.100.38 isBanned:true handleNoStreamCache:banned

Output of cscli decisions list on crowdsec is this

│ 1290066 │ cscli  │ Ip:10.10.100.38   │ kumacheck │ ban    │ | │ 1 │ 999986h15m18.041025541s │ 349

Expected behavior 👀
When the logs tell me in Stream mode isBanned:true the client should be blocked.

Context 🔎

  • OS: Debian11 (LXC)
  • Traefik version: 2.9.6
  • Plugin version: 1.1.9
  • Redis ? : no

My Config:

experimental:
  plugins:
    bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.1.9
    ### crowdsec ###
    crowdsec-bouncer:
      plugin:
        bouncer:
          enabled: true
          logLevel: DEBUG
          crowdsecLapiHost: <host>:<port>
          crowdsecMode: stream
          updateIntervalSeconds: 15
          crowdsecLapiKey: <key>
          clientTrustedIPs:
            - 10.10.1.0/24
            - 10.10.20.0/24

To Reproduce
Like I wrote I do not have an exact trigger, maybe I will find it in the next days.

Feature: Update all examples with Traefik version at release

There are a lot of examples, and for each release we need to go through each of them and update the Traefik version, plugin version, and crowdsec version.

We should add a recipe in make that will take 3 args (versions) and update all at once before each release

fix logging

Purpose is to use a consistent logging pattern

name of the bouncer, name of the function, action and sometimes more context

Decisions don't seem to work in Traefik plugin (Kubernetes)

Describe the bug

I have installed the traefik and crowdsec charts and they are working correctly. I added the plugin to the traefik deployment config as documented. However I don't see an IP address for the bouncer when I restart traefik, I also don't see anything in the traefik logs to indicate that the plugin is doing anything. When I block my own IPs nothing happens.
I have traefik loglevel to DEBUG.

Maybe I am misunderstanding how it should work?

To Reproduce
Steps to reproduce the behavior:
see above

Expected behavior
I would expect the bouncer to block my IP when I load the site. in the crowdsec agent I would expect to see details on the bouncer, but they are blank.

Screenshots

traefik config

spec:
      containers:
      - args:
        - --global.checknewversion
        - --global.sendanonymoususage
        - --entrypoints.metrics.address=:9100/tcp
        - --entrypoints.traefik.address=:9000/tcp
        - --entrypoints.web.address=:8000/tcp
        - --api.dashboard=true
        - --ping=true
        - --metrics.prometheus=true
        - --metrics.prometheus.entrypoint=metrics
        - --providers.kubernetescrd
        - --providers.kubernetesingress=true
        - --log.level=DEBUG
        - --accesslog=true
        - --entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,10.137.0.0/16,143.110.0.0/16,146.190.0.0/16,159.203.0.0/16,159.203.0.0/16,165.227.0.0/16,167.99.0.0/16
        - --accesslog.fields.headers.defaultmode=keep
        - --serversTransport.insecureSkipVerify=true
        - --entryPoints.web.forwardedHeaders.insecure
        - --experimental.plugins.crowdsec-bouncer-traefik-plugin.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
        - --experimental.plugins.crowdsec-bouncer-traefik-plugin.version=v1.1.6
        image: traefik:v2.9.6

Traefik middleware

spec:
  plugin:
    crowdsec-bouncer-traefik-plugin:
      CrowdsecLapiKey: f0000000000000000000000
      Enabled: "true"
      crowdsecLapiHost: sec-crowdsec:8080
      crowdsecLapiScheme: http
      crowdsecMode: live
      defaultDecisionSeconds: 60
      forwardedHeadersCustomName: X-Custom-Header
      forwardedHeadersTrustedIPs:
      - 157.230.0.0/16
      - 10.137.0.0/16
      - 167.99.0.0/16
      - 165.227.0.0/16
      - 159.203.0.0/16
      - 146.190.0.0/16
      logLevel: DEBUG
      updateIntervalSeconds: 60

Desktop (please complete the following information):
Kubernetes client

Additional context
Any idea of what I am doing wrong?

[BUG] When crowdsec is not available at Traefik Start, middleware never become healthy

Describe the bug 🐛

image

Expected behavior 👀
Traefik fails, then it retries after one minutes and eventually when Crowdsec is ready, it becomes healthy

Context 🔎
Before posting, make sure to use the logLevel: DEBUG of the plugin and see if you can fix the error yourself.
If not, post your plugin configuration file (anonymize IP and secret key) and a partial logs file where the error is encountered.

Version (please complete the following information):

  • OS: [e.g. Ubuntu, Debian, Docker] docker desktop 4.17
  • Traefik version: [e.g. 2.9., 3.0.] 2.9.6
  • Plugin version: [e.g. 1.1.*] "main"
  • Redis ? : [e.g. 7.0.*] none

To Reproduce
Steps to reproduce the behavior:

change docker-compose.local.yml

version: "3.8"

services:
  traefik:
    image: "traefik:v2.9.6"
    container_name: "traefik"
    restart: unless-stopped
    command:
      - "--log.level=DEBUG"
      - "--accesslog"
      - "--accesslog.filepath=/var/log/traefik/access.log"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"

      - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - logs-local:/var/log/traefik
      - ./:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
    ports:
      - 80:80
      - 8080:8080
    depends_on:
      - crowdsec

  whoami-foo:
    image: traefik/whoami
    container_name: "simple-service-foo"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.router-foo.rule=Path(`/foo`)"
      - "traefik.http.routers.router-foo.entrypoints=web"
      - "traefik.http.routers.router-foo.middlewares=crowdsec-foo@docker" 
      - "traefik.http.services.service-foo.loadbalancer.server.port=80"
      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.enabled=true"
      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecMode=stream"
      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecLapiHost=crowdsec:8080"
      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.loglevel=DEBUG"
      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"

  crowdsec:
    image: crowdsecurity/crowdsec:v1.4.6
    container_name: "crowdsec"
    restart: unless-stopped
    environment:
      COLLECTIONS: crowdsecurity/traefik
      CUSTOM_HOSTNAME: crowdsec
      BOUNCER_KEY_TRAEFIK_1: 40796d93c2958f9e58345514e67740e5
      BOUNCER_KEY_TRAEFIK_2: 44c36dac5c4140af9f06f397508e82c7
    volumes:
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - logs-local:/var/log/traefik:ro
      - crowdsec-db-local:/var/lib/crowdsec/data/
      - crowdsec-config-local:/etc/crowdsec/
    labels:
      - "traefik.enable=false"
volumes:
  logs-local:
  crowdsec-db-local:
  crowdsec-config-local:

docker-compose -f docker-compose.local.yml up -d

Go to http://localhost:8080/dashboard/#/http/routers/router-foo@docker



If you like the plugin, please consider starring it, so you can get updates and we get some more visibility ✨

Confused about configuring TLS

Hey, I'm having some issues with the crowdsec container.

When I enable the tls option in config.yml, and place server certificates generated using mkcert into /etc/crowdsec/certs of the container, crowdsec keeps crashing and won't start.

I don't need client cert auth, the API key will do fine. But I'm guessing then the crowdsec container still needs to have server side certificates?

middleware config:

    crowdsec:
      plugin:
        bouncer:
          enabled: true
          #logLevel: DEBUG
          updateIntervalSeconds: 60
          crowdsecMode: stream
          crowdsecLapiHost: crowdsec-host:1234
          crowdsecLapiKeyFile: /etc/traefik/crowdsecLapiKey
          crowdsecLapiScheme: https
          crowdsecLapiTLSInsecureVerify: true # if the CA below is in the system trust store, do I need this as true or can it be false?
          crowdsecLapiTLSCertificateAuthorityFile: /etc/traefik/certs/selfSignedCA.pem

crowdsec config:

api:
  client:
    insecure_skip_verify: true
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 0.0.0.0:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    trusted_ips: # IP ranges, or IPs which can have admin API access
      - 127.0.0.1
      - ::1
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    tls:
      cert_file: /etc/crowdsec/certs/server.pem #Server side cert
      key_file: /etc/crowdsec/certs/server-key.pem #Server side key
      ca_cert_path: /etc/crowdsec/certs/selfSignedCA.pem #CA used to verify the client certs

Also, a strange thing happens when I edit /etc/crowdsec/local_api_credentials.yaml.
Even if I add a client generated cert to the file and https:

url: https://localhost:8080
ca_cert_path: /tmp/inter.pem #CA to trust the server certificate
key_path: /tmp/agent-key.pem #Client key
cert_path: /tmp/agent.pem #Client cert

That file gets overwritten every time the container starts, leading to endless restarts:

url: http://0.0.0.0:8080/
login: localhost
password: 1234
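Added example, not code from the plugin or from CrowdSec, of what the two client-side TLS settings in the middleware above actually do, exercised against an in-memory LAPI stand-in. The private CA and the server certificate are generated inside the example (the part mkcert does in the post) and the function names are the example's own. With a CA file configured, crowdsecLapiTLSInsecureVerify has to be false: setting it to true switches server verification off altogether, and the CA file is then never consulted. The `ca_cert_path` in the server `tls` block above is, per its own comment, for verifying client certificates, which API-key authentication does not use; the client side only needs the CA that signed the server certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// lapiTLSConfig builds the client TLS settings for an https LAPI. caPEM is the
// content of a CA file (the role of crowdsecLapiTLSCertificateAuthorityFile) and
// insecure the equivalent of crowdsecLapiTLSInsecureVerify. They do not combine.
func lapiTLSConfig(caPEM []byte, insecure bool) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure}
	if insecure || len(caPEM) == 0 {
		return cfg, nil // insecure: no verification at all; no CA: system trust store
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA file contains no certificate")
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// newTestPKI creates, in memory, a private CA and a server certificate for
// 127.0.0.1 signed by it: the shape mkcert produces, constructed for the example.
func newTestPKI() ([]byte, tls.Certificate, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, tls.Certificate{}, errors.New("key generation failed")
	}
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example private CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "crowdsec-lapi"},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // SAN must match the address dialled
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}, nil
}

// startFakeLAPI serves https with the given certificate and answers every request 200.
func startFakeLAPI(cert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv
}

// probe issues the GET a bouncer would; a verification failure surfaces as err.
func probe(baseURL string, cfg *tls.Config) (int, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(baseURL + "/v1/decisions")
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	caPEM, cert, err := newTestPKI()
	if err != nil {
		panic(err)
	}
	srv := startFakeLAPI(cert)
	defer srv.Close()
	cfg, _ := lapiTLSConfig(caPEM, false)
	code, err := probe(srv.URL, cfg)
	fmt.Println("pinned CA, verification on:", code, err) // 200 <nil>
}
```

The same probe with an empty CA and verification on fails with an unknown-authority error unless the CA is in the system trust store, which is the answer to the question in the YAML comment: if the CA is trusted system-wide, neither the CA file nor the insecure flag is needed; if it is not, point the CA file at it and leave the insecure flag false.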

Anyone have it working on kubernetes?

I have the plugin configured (I think) but am not sure if I will see the plugin in my local traefik dashboard or not?

Being a plugin I am also not clear on how to debug it, as the logs seem fine.

I ask as I configured my middleware without an api key and the traefik hub is showing the plugin as connected and healthy?

Apologies for the noob questions.

[BUG] Change Stream mode to Live mode without Traefik restart

Describe the bug 🐛
I start Traefik with the middleware in stream mode
I change the middleware to live mode
It still queries for the blocklist as if stream was enabled

Expected behavior 👀
When the crowdsec mode changes, it should not use the old mode.

Context 🔎
Before posting, make sure to use the logLevel: DEBUG of the plugin and see if you can fix the error yourself.
If not, post your plugin configuration file (anonymize IPs and the secret key) and a partial log file where the error is encountered.

Version (please complete the following information):

  • OS: [e.g. Ubuntu, Debian, Docker] docker desktop 4.17
  • Traefik version: [e.g. 2.9., 3.0.] 2.9.6
  • Plugin version: [e.g. 1.1.*] main
  • Redis ? : [e.g. 7.0.*] N/A

To Reproduce
Steps to reproduce the behavior:

Traefik logs of change mode

DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:22 handleStreamCache:updated
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:22 New initialized mode:stream
time="2023-03-12T10:23:22Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2023-03-12T10:23:39Z" level=debug msg="Provider event received {Status:die ID:b74972eb975113a26a09455925a5a0171319612746b175adda7b07c9b143ecb3 From:traefik/whoami Type:container Action:die Actor:{ID:b74972eb975113a26a09455925a5a0171319612746b175adda7b07c9b143ecb3 Attributes:map[com.docker.compose.config-hash:b02b65441240c682f3988bf5c97964f471cac8cd02c2121bdc397123aadada0d com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:420d3c2af3570ad1ced363bce5b284a4c662cf7ee178e261ae42b7d750d488a4 com.docker.compose.oneoff:False com.docker.compose.project:crowdsec-bouncer-traefik-plugin com.docker.compose.project.config_files:/home/mathieu/projets/crowdsec-bouncer-traefik-plugin/docker-compose.local.yml com.docker.compose.project.working_dir:/home/mathieu/projets/crowdsec-bouncer-traefik-plugin com.docker.compose.service:whoami-foo com.docker.compose.version:2.15.1 desktop.docker.io/wsl-distro:Ubuntu exitCode:2 image:traefik/whoami name:simple-service-foo org.opencontainers.image.created:2022-10-15T13:46:19Z org.opencontainers.image.description:Tiny Go webserver that prints OS information and HTTP request to output org.opencontainers.image.revision:e59736736851ca955cf8734fe4ea6d0c71ddbd62 org.opencontainers.image.source:https://github.com/traefik/whoami org.opencontainers.image.title:whoami org.opencontainers.image.version:1.8.7 traefik.enable:true traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecLapiHost:crowdsec:8080 traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecMode:stream traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdseclapikey:40796d93c2958f9e58345514e67740e5 traefik.http.middlewares.crowdsec-foo.plugin.bouncer.enabled:true traefik.http.middlewares.crowdsec-foo.plugin.bouncer.loglevel:DEBUG traefik.http.routers.router-foo.entrypoints:web traefik.http.routers.router-foo.middlewares:crowdsec-foo@docker traefik.http.routers.router-foo.rule:Path(`/foo`) 
traefik.http.services.service-foo.loadbalancer.server.port:80]} Scope:local Time:1678616619 TimeNano:1678616619687895043}" providerName=docker
time="2023-03-12T10:23:39Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-crowdsec-bouncer-traefik-plugin-d44b762fca4793c5ef6d5811f9cbd0207fad2ddc4f613ca96add1ae0bb7b2afe
time="2023-03-12T10:23:39Z" level=debug msg="Filtering disabled container" providerName=docker container=crowdsec-crowdsec-bouncer-traefik-plugin-80c9bbde813ec41a6a319db8160e56403c79602fb37d75ff1d595309d5fc5691
time="2023-03-12T10:23:39Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-03-12T10:23:40Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-03-12T10:23:40Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2023-03-12T10:23:40Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
time="2023-03-12T10:23:40Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix
time="2023-03-12T10:23:40Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2023-03-12T10:23:40Z" level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2023-03-12T10:23:40Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
time="2023-03-12T10:23:40Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_redirect@internal entryPointName=traefik routerName=dashboard@internal
time="2023-03-12T10:23:40Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2023-03-12T10:23:40Z" level=debug msg="Provider event received {Status:start ID:f14b5cdcdaba6d6a6544fb58eaaa89055f302fd03f896b196f9d7dcf984ace16 From:traefik/whoami Type:container Action:start Actor:{ID:f14b5cdcdaba6d6a6544fb58eaaa89055f302fd03f896b196f9d7dcf984ace16 Attributes:map[com.docker.compose.config-hash:2416f594e8dce35980057c9ec74d0e1d7be81e031decc33904b92acb8467d131 com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:420d3c2af3570ad1ced363bce5b284a4c662cf7ee178e261ae42b7d750d488a4 com.docker.compose.oneoff:False com.docker.compose.project:crowdsec-bouncer-traefik-plugin com.docker.compose.project.config_files:/home/mathieu/projets/crowdsec-bouncer-traefik-plugin/docker-compose.local.yml com.docker.compose.project.working_dir:/home/mathieu/projets/crowdsec-bouncer-traefik-plugin com.docker.compose.service:whoami-foo com.docker.compose.version:2.15.1 desktop.docker.io/wsl-distro:Ubuntu image:traefik/whoami name:simple-service-foo org.opencontainers.image.created:2022-10-15T13:46:19Z org.opencontainers.image.description:Tiny Go webserver that prints OS information and HTTP request to output org.opencontainers.image.revision:e59736736851ca955cf8734fe4ea6d0c71ddbd62 org.opencontainers.image.source:https://github.com/traefik/whoami org.opencontainers.image.title:whoami org.opencontainers.image.version:1.8.7 traefik.enable:true traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecLapiHost:crowdsec:8080 traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecMode:live traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdseclapikey:40796d93c2958f9e58345514e67740e5 traefik.http.middlewares.crowdsec-foo.plugin.bouncer.enabled:true traefik.http.middlewares.crowdsec-foo.plugin.bouncer.loglevel:DEBUG traefik.http.routers.router-foo.entrypoints:web traefik.http.routers.router-foo.middlewares:crowdsec-foo@docker traefik.http.routers.router-foo.rule:Path(`/foo`) 
traefik.http.services.service-foo.loadbalancer.server.port:80]} Scope:local Time:1678616620 TimeNano:1678616620551798983}" providerName=docker
time="2023-03-12T10:23:40Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-crowdsec-bouncer-traefik-plugin-d44b762fca4793c5ef6d5811f9cbd0207fad2ddc4f613ca96add1ae0bb7b2afe
time="2023-03-12T10:23:40Z" level=debug msg="Filtering disabled container" providerName=docker container=crowdsec-crowdsec-bouncer-traefik-plugin-80c9bbde813ec41a6a319db8160e56403c79602fb37d75ff1d595309d5fc5691
time="2023-03-12T10:23:41Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"router-foo\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"crowdsec-foo@docker\"],\"service\":\"service-foo\",\"rule\":\"Path(`/foo`)\"}},\"services\":{\"service-foo\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.22.0.3:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"crowdsec-foo\":{\"plugin\":{\"bouncer\":{\"crowdsecLapiHost\":\"crowdsec:8080\",\"crowdsecMode\":\"live\",\"crowdseclapikey\":\"40796d93c2958f9e58345514e67740e5\",\"enabled\":\"true\",\"loglevel\":\"DEBUG\"}}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-03-12T10:23:42Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-03-12T10:23:42Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=api@internal entryPointName=traefik middlewareName=tracing middlewareType=TracingForwarder
time="2023-03-12T10:23:42Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=dashboard@internal middlewareName=tracing
time="2023-03-12T10:23:42Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik
time="2023-03-12T10:23:42Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2023-03-12T10:23:42Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2023-03-12T10:23:42Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2023-03-12T10:23:42Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2023-03-12T10:23:42Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2023-03-12T10:23:42Z" level=debug msg="Creating middleware" routerName=router-foo@docker serviceName=service-foo middlewareName=pipelining middlewareType=Pipelining entryPointName=web
time="2023-03-12T10:23:42Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=router-foo@docker serviceName=service-foo
time="2023-03-12T10:23:42Z" level=debug msg="Creating server 0 http://172.22.0.3:80" serverName=0 routerName=router-foo@docker serviceName=service-foo entryPointName=web
time="2023-03-12T10:23:42Z" level=debug msg="child http://172.22.0.3:80 now UP"
time="2023-03-12T10:23:42Z" level=debug msg="Propagating new UP status"
time="2023-03-12T10:23:42Z" level=debug msg="Added outgoing tracing middleware service-foo" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=router-foo@docker
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:42 No IP provided for ForwardedHeadersTrustedIPs
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:42 No IP provided for ClientTrustedIPs
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:42 getTLSConfigCrowdsec:CrowdsecLapiScheme https:no
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:42 cache:New initialized isRedis:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:42 New initialized mode:live
time="2023-03-12T10:23:42Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:24:22 cache:GetDecision ip:updated
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:24:22 cache:SetDecision ip:updated isBanned:false duration:59s
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:24:22 handleStreamCache:updated
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:25:22 cache:GetDecision ip:updated
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:25:22 cache:SetDecision ip:updated isBanned:false duration:59s
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:25:22 handleStreamCache:updated

Crowdsec logs of changed mode:

time="12-03-2023 10:23:22" level=warning msg="new IP address detected for bouncer 'TRAEFIK_1': 172.22.0.4 (old: 172.21.0.4)"
time="12-03-2023 10:23:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:23:22 UTC] \"GET /v1/decisions/stream?startup=true HTTP/1.1 200 10.149134ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:23:57" level=info msg="127.0.0.1 - [Sun, 12 Mar 2023 10:23:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.734345ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \""
time="12-03-2023 10:24:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:24:22 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 5.011383ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:24:57" level=info msg="127.0.0.1 - [Sun, 12 Mar 2023 10:24:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 6.219707ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \""
time="12-03-2023 10:25:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:25:22 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 5.201463ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:25:57" level=info msg="127.0.0.1 - [Sun, 12 Mar 2023 10:25:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 4.387602ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \""
time="12-03-2023 10:26:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:26:22 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 4.518322ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:26:57" level=info msg="127.0.0.1 - [Sun, 12 Mar 2023 10:26:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 4.342889ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \""
time="12-03-2023 10:27:19" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:27:19 UTC] \"GET /v1/decisions?ip=172.22.0.1&banned=true HTTP/1.1 200 1.000792ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:27:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:27:22 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 10.754631ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:27:57" level=info msg="127.0.0.1 - [Sun, 12 Mar 2023 10:27:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 4.604232ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \""
time="12-03-2023 10:28:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:28:22 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 9.717702ms \"Go-http-client/1.1\" \""

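Added example, not the plugin's code, for the two lifecycle problems in this issue and in the earlier one about CrowdSec being unavailable when Traefik starts: a stream poller whose refresh failures are retried rather than fatal, with health reported only after the first successful refresh, and a configure step that stops the previous poller before starting a new one, so a switch from stream to live does not leave a loop calling /v1/decisions/stream every minute as the logs above show. Names are the example's own; the refresh function in main is a constructed stand-in for the LAPI call.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// poller is the background stream-refresh loop for one middleware configuration.
type poller struct {
	cancel  context.CancelFunc
	done    chan struct{}
	healthy int32 // 1 once a refresh has succeeded (read/written atomically)
	polls   int32 // refresh attempts so far (read/written atomically)
}

// startPoller refreshes once immediately, then every interval, until stopped.
// A failing refresh (the LAPI is not up yet) marks the poller unhealthy and is
// simply retried at the next tick; it never terminates the loop or the middleware.
func startPoller(interval time.Duration, refresh func(context.Context) error) *poller {
	ctx, cancel := context.WithCancel(context.Background())
	p := &poller{cancel: cancel, done: make(chan struct{})}
	go func() {
		defer close(p.done)
		ticker := time.NewTicker(interval)
		defer ticker.Stop()
		for {
			atomic.AddInt32(&p.polls, 1)
			if err := refresh(ctx); err != nil {
				atomic.StoreInt32(&p.healthy, 0) // keep running; the next tick retries
			} else {
				atomic.StoreInt32(&p.healthy, 1)
			}
			select {
			case <-ctx.Done():
				return
			case <-ticker.C:
			}
		}
	}()
	return p
}

// stop cancels the loop and waits for it to exit, so no stale poll runs afterwards.
func (p *poller) stop() {
	p.cancel()
	<-p.done
}

// bouncer owns at most one poller. Every (re)configuration goes through configure,
// so a switch from stream to live, or a new interval, stops the previous loop
// instead of leaving it polling /v1/decisions/stream forever.
type bouncer struct {
	mu   sync.Mutex
	mode string
	cur  *poller
}

func (b *bouncer) configure(mode string, interval time.Duration, refresh func(context.Context) error) error {
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.cur != nil {
		b.cur.stop()
		b.cur = nil
	}
	b.mode = mode
	if mode != "stream" {
		return nil
	}
	if interval <= 0 || refresh == nil {
		return errors.New("stream mode needs a positive interval and a refresh function")
	}
	b.cur = startPoller(interval, refresh)
	return nil
}

// healthy is what a readiness check should report: live and none have no
// background dependency; stream is healthy only after one successful refresh.
func (b *bouncer) healthy() bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.mode != "stream" {
		return true
	}
	return b.cur != nil && atomic.LoadInt32(&b.cur.healthy) == 1
}

// polls reports the current poller's refresh attempts (0 when no poller runs).
func (b *bouncer) polls() int32 {
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.cur == nil {
		return 0
	}
	return atomic.LoadInt32(&b.cur.polls)
}

func main() {
	var attempts int32
	refresh := func(context.Context) error { // constructed LAPI stand-in: down twice, then up
		if atomic.AddInt32(&attempts, 1) <= 2 {
			return errors.New("dial tcp crowdsec:8080: connection refused")
		}
		return nil
	}
	b := &bouncer{}
	_ = b.configure("stream", 20*time.Millisecond, refresh)
	for !b.healthy() {
		time.Sleep(5 * time.Millisecond)
	}
	fmt.Printf("stream healthy after %d attempts\n", atomic.LoadInt32(&attempts)) // 3
	_ = b.configure("live", 0, nil) // the old loop is stopped before this returns
	fmt.Println("pollers left:", b.polls()) // 0
}
```

The point of stop waiting on the done channel is that the old goroutine and the new middleware never overlap: with a plain cancel and no wait, a poll already in flight could still write stale stream results into the cache after the live-mode instance has taken over.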

[FEATURE] Update CI to remove deprecation warnings

Is your feature request related to a problem? Please describe. 🐛

Warning in the CI:


Describe the solution you'd like ✨
No Warnings

Additional context
N/A


[Traefik Plugin Catalog] Plugin Analyzer has detected a problem.

The plugin was not imported into Traefik Plugin Catalog.

Cause:

failed to run the plugin with Yaegi: failed to create a new plugin instance: CrowdsecLapiKey cannot be empty

Traefik Plugin Analyzer will restart when you will close this issue.

If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please contact us.

How to verify setup and configurations?

Used the docker-compose in repo as baseline.
Any way to verify my setup? Like, to find out if the setup is actually working. The bouncers appear in app.crowdsec.net and an additional KEY_TRAEFIK_... is added to the bouncers tab.

[Traefik Plugin Catalog] Plugin Analyzer has detected a problem.

The plugin was not imported into Traefik Plugin Catalog.

Cause:

failed to run the plugin with Yaegi: failed to create a new plugin instance: CrowdsecLapiKey cannot be empty

Traefik Plugin Analyzer will restart when you will close this issue.

If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please contact us.

cscli delete decisions -> no unban if live?

Describe the bug 🐛

Removing all decisions related to an IP from cscli does not remove the ban if crowdsecMode = live

Expected behavior 👀

What I have observed by changing crowdsecMode:

none: real-time ban / unban
live: ok ban / no unban
stream: ok ban / ok unban

where ok = up to 1 minute

I would expect the live mode to behave like stream.

To Reproduce

(all versions are latest)

  • create a cluster
  • install crowdsec, helloworld, traefik, plugin
  • hit helloworld with nikto
  • wait 1 min
  • verify ban (403)
  • remove all 5 decisions
  • wait more than 1 min
  • verify still banned (403)

I have noticed this behavior while finishing a tutorial for our blog, so I can add full scripts and configuration to reproduce exactly but I'm waiting for publication.
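Added model of the two caching modes, not the plugin's code, which reproduces the three behaviours listed above under one cache policy: live mode caches each per-IP verdict (a clean verdict for updateIntervalSeconds, a ban for the decision's remaining duration), so a decision deleted with `cscli decisions delete --ip` stays enforced until the cached entry expires; stream mode receives the deletion in the next delta poll and drops the entry at once; none mode has no cache and is simply the LAPI answer. The TTL used for banned entries is an assumption of the model (whether the plugin caches a ban for the decision duration or for the update interval is not shown on this page). Names are the example's own and the clock is injected so time can be advanced without sleeping.

```go
package main

import (
	"fmt"
	"time"
)

// cacheEntry is one cached verdict for an IP.
type cacheEntry struct {
	banned  bool
	expires time.Time
}

// decisionCache is the per-IP verdict cache both modes share (single-goroutine
// model; a Redis cache with TTLs behaves the same way).
type decisionCache struct {
	now  func() time.Time // injectable clock: the example advances time explicitly
	data map[string]cacheEntry
}

func newCache(now func() time.Time) *decisionCache {
	return &decisionCache{now: now, data: map[string]cacheEntry{}}
}

// get returns the cached verdict; an expired entry counts as a miss.
func (c *decisionCache) get(ip string) (banned, found bool) {
	e, ok := c.data[ip]
	if !ok || !c.now().Before(e.expires) {
		delete(c.data, ip)
		return false, false
	}
	return e.banned, true
}

func (c *decisionCache) set(ip string, banned bool, ttl time.Duration) {
	c.data[ip] = cacheEntry{banned: banned, expires: c.now().Add(ttl)}
}

func (c *decisionCache) del(ip string) { delete(c.data, ip) }

// fakeLAPI stands in for GET /v1/decisions?ip=<ip> (live) and GET /v1/decisions/stream (stream).
type fakeLAPI struct {
	banned  map[string]time.Duration // ip -> remaining decision duration
	added   []string                 // pending delta since the last stream poll
	deleted []string
}

func newFakeLAPI() *fakeLAPI { return &fakeLAPI{banned: map[string]time.Duration{}} }

func (l *fakeLAPI) ban(ip string, d time.Duration) {
	l.banned[ip] = d
	l.added = append(l.added, ip)
}

// unban is what `cscli decisions delete --ip <ip>` does on the LAPI side.
func (l *fakeLAPI) unban(ip string) {
	delete(l.banned, ip)
	l.deleted = append(l.deleted, ip)
}

func (l *fakeLAPI) decisionFor(ip string) (bool, time.Duration) {
	d, ok := l.banned[ip]
	return ok, d
}

// stream hands out and clears the pending delta, like one poll of the stream endpoint.
func (l *fakeLAPI) stream() (added, deleted []string) {
	added, deleted = l.added, l.deleted
	l.added, l.deleted = nil, nil
	return added, deleted
}

// liveAllowed: cache hit -> answer; miss -> one LAPI query, verdict cached. A clean
// verdict lives for updateInterval; a ban is cached for the decision's remaining
// duration, so a decision deleted at the LAPI stays enforced until the entry expires.
func liveAllowed(c *decisionCache, l *fakeLAPI, ip string, updateInterval time.Duration) bool {
	if banned, ok := c.get(ip); ok {
		return !banned
	}
	banned, d := l.decisionFor(ip)
	if banned {
		c.set(ip, true, d)
	} else {
		c.set(ip, false, updateInterval)
	}
	return !banned
}

// streamRefresh applies one delta. Deletions are honoured at once, so an unban
// takes effect at the next poll; new bans are cached for their decision duration.
func streamRefresh(c *decisionCache, l *fakeLAPI) {
	added, deleted := l.stream()
	for _, ip := range deleted {
		c.del(ip)
	}
	for _, ip := range added {
		if banned, d := l.decisionFor(ip); banned {
			c.set(ip, true, d)
		}
	}
}

// streamAllowed never queries the LAPI per request; only the cache decides.
func streamAllowed(c *decisionCache, ip string) bool {
	banned, ok := c.get(ip)
	return !(ok && banned)
}

func main() {
	clock := time.Date(2023, 3, 12, 10, 0, 0, 0, time.UTC)
	cache, lapi := newCache(func() time.Time { return clock }), newFakeLAPI()
	ip := "203.0.113.9" // constructed attacker address
	lapi.ban(ip, 4*time.Hour)
	fmt.Println("live, just banned:", liveAllowed(cache, lapi, ip, time.Minute)) // false
	lapi.unban(ip)
	clock = clock.Add(2 * time.Minute)
	fmt.Println("live, 2 min after unban:", liveAllowed(cache, lapi, ip, time.Minute)) // false
	streamRefresh(cache, lapi)
	fmt.Println("stream, after next poll:", streamAllowed(cache, ip)) // true
}
```

Under this policy the "ok ban / no unban" row for live mode is exactly what a ban cached for the decision duration produces: the cache is never told about the deletion because live mode has no delta channel, so the only ways out are the entry expiring or the cache being flushed.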

Plugin won't start, needs additional Linux Capabilities

time="2022-11-03T16:56:07+01:00" level=error msg="Plugins are disabled because an error has occurred." error="mkdir plugins-storage: permission denied"

systemd unit:

[Unit]
Description=traefik proxy
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal
EnvironmentFile=/etc/traefik/.env

; User and group the process will run as.
User=traefik
Group=traefik

; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
ExecStart=/opt/traefik/traefik --configfile=/etc/traefik/traefik.yml

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576

; Use private /tmp and /var/tmp, which are discarded after traefik stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/opt/traefik/plugins-storage
ReadWritePaths=/etc/traefik/acme/acme.json

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by traefik. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE #################################### NEEDS MODIFYING
AmbientCapabilities=CAP_NET_BIND_SERVICE ###################################### ALSO
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

I'm guessing the 2 highlighted lines need modifying, any ideas?

Feature - Clean README doc

Is your feature request related to a problem? Please describe.
The README is beginning to be long and complicated

Describe the solution you'd like
Split the README and transfer the context of the examples into each folder.

Describe alternatives you've considered
N/A

Additional context
Maybe remove some duplicated parameters with file

Instant 403 Block when Plugin activated

Describe the bug
As soon as I enable the plugin, i do not have access to my services anymore. They display 403.
When I set Enabled: "False" and restart traefik, I regain access.

To Reproduce
Steps to reproduce the behavior:

  1. Install Traefik Plugin
  2. Start Plugin

Expected behavior
Access :)

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Debian 11
  • Browser Edge

Thanks!

Feature: Add issue templates in the project

The idea is to help users provide the essential information in order for us to investigate any issue.

Please @maxlerebourg follow the documentation linked below:
https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository

I do not seem to have enough permission in the repository to access the setting panel

You may use the following branch for the commit 47-feature-add-issue-templates-in-the-project

Potential bug: using 1.1.9 panics in a Kubernetes environment

Describe the bug 🐛
If i use the 1.1.9 i get this error in the traefik logs:
time="2023-01-26T22:23:15Z" level=error msg="plugins-storage/sources/gop-2633054613/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/bouncer.go:169:6: panic" plugin=plugin-crowdsec-bouncer-traefik-plugin module=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin

Environment: Kubernetes
Traefik version: 2.9.6
Crowdsec version:

crowdsec -version
2023/01/26 23:34:56 version: v1.4.5-debian-pragmatic-a9a2186a76af63551352aa3bc296bdbe80ca4893
2023/01/26 23:34:56 Codename: alphaga
2023/01/26 23:34:56 BuildDate: 2023-01-19_15:05:10
2023/01/26 23:34:56 GoVersion: 1.19.2
2023/01/26 23:34:56 Platform: linux
2023/01/26 23:34:56 Constraint_parser: >= 1.0, <= 2.0
2023/01/26 23:34:56 Constraint_scenario: >= 1.0, < 3.0
2023/01/26 23:34:56 Constraint_api: v1
2023/01/26 23:34:56 Constraint_acquis: >= 1.0, < 2.0

Middleware:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
    name: crowdsec-bouncer
    namespace: treafik
spec:
    plugin:
        crowdsec-bouncer-traefik-plugin:
            crowdsecLapiHost: 10.10.1.1:8080
            CrowdsecLapiKey: APIKEY
            Enabled: "true"
