maxlerebourg / crowdsec-bouncer-traefik-plugin
Traefik plugin for Crowdsec - WAF and IP protection
License: Apache License 2.0
So, this is not a bug report :)
But I'm struggling a bit with how live mode actually works compared to stream mode.
When I run my instance in stream mode (with Redis, thanks for adding the password!), Crowdsec will block IPs when they do something they shouldn't according to the collections I run. This seems to work great.
But when I run my Traefik instance in live mode, it never blocks any IPs. But I see that all of the IPs trying to connect to my instance get a cache:hit, but maybe they are never forwarded to Crowdsec when they are hit in the cache, so the buckets in Crowdsec will never fill up?
So, when I run live mode, will this plugin still send the IPs trying to connect to Crowdsec, or is that only every 60 sec? In the latter case, that means it will "never" be triggered by Crowdsec for a ban?
Describe the bug
Hi, I tried to add several IP networks as trusted IPs within the docker-compose.yml file, but neither worked:
- "traefik.http.middlewares.crowdsec.plugin.bouncer.clienttrustedips=192.168.a.0/24, 172.16.b.0/24"
- "traefik.http.middlewares.crowdsec.plugin.bouncer.clienttrustedips=192.168.a.0/24 172.16.b.0/24 "
- "traefik.http.middlewares.crowdsec.plugin.bouncer.clienttrustedips=[192.168.a.0/24, 172.16.b.0/24]"
What would be the correct syntax at all?
Quick thought: it might be a good idea to have this variable readable from a file on the local filesystem, since dynamic traefik configurations usually reside in git repositories, and pushing API keys to git services is a big no-no.
Hello,
Thanks for trying to get RedisPasswords to work.
It seems like the plugin can get a connection to the Redis instance, as I get AUTH messages in my Redis instance, but I don't get any GET, SET or DELETE messages, and the log of Redis says:
These are the settings used:
redisCacheEnabled: true
redisCacheHost: Redis:6379
redisCachePassword: REDACTED
logLevel: DEBUG
Sometimes my crowdsec dies, or something else happens.
It would be better if the plugin wouldn't log within traefik logs, every single host that attempts to connect:
ERROR: CrowdsecBouncerTraefikPlugin: 2023/02/12 10:08:48 ServeHTTP isCrowdsecStreamHealthy:false ip:[REDACTED]
... Million more lines for 1 hour that crowdsec was dead.
Because the journal just becomes unreadable.
It would be okay for it to be like the above in DEBUG mode, but the regular logging should be something like:
DATE - Failed to connect to crowdsec...
DATE - Regained connection...
And maybe set some flap time between the above two logs, eg. 5 minutes before retrying, or maybe have this as a user customizable variable.
The plugin was not imported into Traefik Plugin Catalog.
Cause:
failed to run the plugin with Yaegi: failed to create a new plugin instance: CrowdsecLapiKey cannot be empty
Traefik Plugin Analyzer will restart when you will close this issue.
If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please contact us.
Hello, first of all great work. I already starred you.
This is much better than the old way.
But I got one Problem. Communication between CrowdSec and the Plugin does not work.
Here my config:
traefik.yml
plugins:
  crowdsec-bouncer-traefik-plugin:
    moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
    version: "v1.1.7"
(back to 1.1.7 because I wanted to test whether the problem comes from the beta)
my middleware:
crowdsec-bouncer:
  plugin:
    crowdsec-bouncer-traefik-plugin:
      Enabled: "true"
      crowdsecLapiHost: 10.10.100.36:8080
      crowdsecMode: none
      CrowdsecLapiKey: myapikey
none, because I want to test each query at the beginning.
When I try to access the page (it works without the middleware) it takes some seconds, then I get a blank page, and this is in the syslog of traefik:
Jan 4 20:21:07 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:07 getTLSConfigCrowdsec:CrowdsecLapiScheme not https
Jan 4 20:21:08 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:08 ServeHTTP ip:10.10.20.54 isTrusted:false
Jan 4 20:21:11 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:11 ServeHTTP ip:10.10.20.54 isTrusted:false
Jan 4 20:21:13 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:13 ServeHTTP ip:10.10.20.54 isTrusted:false
Jan 4 20:21:18 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:18 ServeHTTP:handleNoStreamCache ip:10.10.20.54 crowdsecQuery url:http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true Get "http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Jan 4 20:21:18 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:18 ServeHTTP ip:10.10.20.54 isTrusted:false
Jan 4 20:21:21 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:21 ServeHTTP:handleNoStreamCache ip:10.10.20.54 crowdsecQuery url:http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true Get "http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Jan 4 20:21:23 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:23 ServeHTTP:handleNoStreamCache ip:10.10.20.54 crowdsecQuery url:http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true Get "http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Jan 4 20:21:28 traefik traefik[674]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/04 20:21:28 ServeHTTP:handleNoStreamCache ip:10.10.20.54 crowdsecQuery url:http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true Get "http://10.10.100.36:8080/v1/decisions?ip=10.10.20.54&banned=true": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
I turned off all firewalls for testing.
Hi, I use traefik as an SMTP reverse proxy via proxy protocol TCP;
it would be great if the bouncer also supported blocking in the TCP middleware section.
Describe the bug
How do you connect to a Redis instance with a Redis password? And choose the Redis DB?
Expected behavior
Connection established.
Context
Trying to connect to my Redis instance which is running AUTH with a password. Tried different connection strings, but none seem to work.
e.g.:
redis://:PASSWORD@redis:6379/5
:PASSWORD@redis:6379
:PASSWORD@redis:6379/5
Describe the bug
The plugin is loaded according to the traefik debug logs:
{"level":"debug","msg":"loading of plugin: crowdsec-bouncer-traefik-plugin: github.com/maxlerebourg/[email protected]","time":"2023-04-14T14:45:31+02:00"}
All routers then report that the plugin "bouncer" is unknown:
{"entryPointName":"websecure","level":"error","msg":"plugin: unknown plugin type: bouncer","routerName":"paperless-paperless-ingress-bd6074e47e859bbe5ad9@kubernetescrd","time":"2023-04-14T14:45:32+02:00"}
Expected behavior
The plugin type should be known as the plugin is loaded.
Context
See "To Reproduce"
To Reproduce
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  namespace: traefik
  labels:
    app: traefik
spec:
  replicas: 3
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      terminationGracePeriodSeconds: 60
      containers:
        - name: traefik
          image: traefik:v2.9.10
          env:
            - name: TZ
              value: Europe/Zurich
          volumeMounts:
            - name: varlog
              mountPath: /var/log
          args:
            - --global.sendanonymoususage=false
            - --global.checknewversion=false
            - --entryPoints.web.proxyProtocol.trustedIPs=192.168.1.0/24
            - --entryPoints.web.proxyProtocol.insecure=true
            # https
            - --entryPoints.websecure.proxyProtocol.trustedIPs=192.168.1.0/24
            - --entryPoints.websecure.proxyProtocol.insecure=true
            - --api.dashboard=true
            - --api.insecure=false
            - --entrypoints.web.address=:80/tcp
            - --entrypoints.websecure.address=:443/tcp
            - --entrypoints.websecure.http.middlewares=traefik-default-secure-traefik@kubernetescrd
            - --entrypoints.traefik.address=:9000/tcp
            - --providers.kubernetescrd
            - --providers.kubernetescrd.ingressclass=traefik-external
            - --providers.kubernetescrd.allowCrossNamespace=true
            - --providers.kubernetesingress
            - --entrypoints.web.http.redirections.entryPoint.to=:443
            - --entrypoints.web.http.redirections.entryPoint.scheme=https
            - --entrypoints.websecure.http.tls=true
            - --serversTransport.insecureSkipVerify=true
            - --log.format=json
            - --log.level=DEBUG
            - --accesslog=true
            - --accesslog.filepath=/var/log/access.log
            - --accesslog.fields.names.StartUTC=drop
            - --accesslog.format=json
            - --experimental.plugins.crowdsec-bouncer-traefik-plugin.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
            - --experimental.plugins.crowdsec-bouncer-traefik-plugin.version=v1.1.11
          ports:
            - name: web
              containerPort: 80
              protocol: TCP
            - name: websecure
              containerPort: 443
              protocol: TCP
            - name: traefik
              containerPort: 9000
              protocol: TCP
        - name: traefik-access-log
          image: busybox:1.28
          args: [/bin/sh, -c, 'tail -n+1 -F /var/log/access.log']
          volumeMounts:
            - name: varlog
              mountPath: /var/log
      volumes:
        - name: varlog
          emptyDir: {}
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: default-secure-traefik
  namespace: traefik
spec:
  chain:
    middlewares:
      - name: default-header
      - name: errorpage-nginx-middleware
        namespace: errorpage
      - name: bouncer
        namespace: crowdsec
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: bouncer
  namespace: crowdsec
spec:
  plugin:
    bouncer:
      enabled: "true"
      logLevel: DEBUG
      crowdsecMode: live
      crowdsecLapiScheme: http
      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
      CrowdsecLapiKey: MY-SECRET-API
Deployed Crowdsec with the Helm chart and the following values:
container_runtime: containerd
tls:
  enabled: true
  bouncer:
    secret: "traefik-certificate"
agent:
  tolerations:
    - key: node-role.kubernetes.io/control-plane
      operator: Equal
      effect: NoSchedule
  # Specify each pod whose logs you want to process
  acquisition:
    # The namespace where the pod is located
    - namespace: traefik
      # The pod name
      podName: traefik-*
      # as in crowdsec configuration, we need to specify the program name to find a matching parser
      program: traefik
  env:
    - name: PARSERS
      value: "crowdsecurity/cri-logs"
    - name: COLLECTIONS
      value: "crowdsecurity/traefik"
  persistentVolume:
    config:
      enabled: false
lapi:
  dashboard:
    enabled: true
  persistentVolume:
    config:
      enabled: false
Apply the above manifest to a cluster and let all pods be created (ignore the other two middlewares). All pods will start, but Traefik will report that the plugin is unknown and no router using it will work. If you remove the bouncer middleware, everything works great again.
Some logs:
{"level":"debug","msg":"Propagating new UP status","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"tracing","middlewareType":"TracingForwarder","msg":"Added outgoing tracing middleware sonarr-sonarr-ingress-486104bc5adb2e24936e","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"traefik-default-whitelist@kubernetescrd","middlewareType":"IPWhiteLister","msg":"Creating middleware","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"traefik-default-whitelist@kubernetescrd","middlewareType":"IPWhiteLister","msg":"Setting up IPWhiteLister with sourceRange: [192.168.1.0/24]","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"traefik-default-whitelist@kubernetescrd","msg":"Adding tracing to middleware","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"traefik-default-secure-traefik@kubernetescrd","middlewareType":"Chain","msg":"Creating middleware","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"error","msg":"plugin: unknown plugin type: bouncer","routerName":"sonarr-sonarr-ingress-486104bc5adb2e24936e@kubernetescrd","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","middlewareName":"pipelining","middlewareType":"Pipelining","msg":"Creating middleware","routerName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d@kubernetescrd","serviceName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","msg":"Creating load-balancer","routerName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d@kubernetescrd","serviceName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","msg":"Creating server 0 http://10.42.4.60:80","routerName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d@kubernetescrd","serverName":0,"serviceName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d","time":"2023-04-14T14:45:31+02:00"}
{"level":"debug","msg":"child http://10.42.4.60:80 now UP","time":"2023-04-14T14:45:31+02:00"}
{"level":"debug","msg":"Propagating new UP status","time":"2023-04-14T14:45:31+02:00"}
{"entryPointName":"websecure","level":"debug","msg":"Creating server 1 http://10.42.1.41:80","routerName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d@kubernetescrd","serverName":1,"serviceName":"errorpage-errorpage-nginx-ingress-ecdfac5635deacb1b36d","time":"2023-04-14T14:45:31+02:00"}
{"level":"debug","msg":"child http://10.42.1.41:80 now UP","time":"2023-04-14T14:45:31+02:00"}
{"level":"debug","msg":"Still UP, no need to propagate","time":"2023-04-14T14:45:31+02:00"}
What did I miss while setting up the plugin?
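An added note on the manifest above (this is not part of the report and not the project's documentation): the log line `plugin: unknown plugin type: bouncer` is what Traefik emits when the key under `plugin:` in a Middleware does not match any plugin name declared in the static configuration. The Deployment declares the plugin as `--experimental.plugins.crowdsec-bouncer-traefik-plugin.modulename=...`, while the Middleware refers to it as `plugin: bouncer:`, so the lookup for a plugin named `bouncer` fails. The docker-compose example further down this page keeps the two names identical (`localplugins.bouncer` on the static side and `plugin.bouncer` in the labels). The same Middleware with only that key changed to the declared name:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: bouncer
  namespace: crowdsec
spec:
  plugin:
    # Must equal the name used under experimental.plugins in the Traefik static config.
    crowdsec-bouncer-traefik-plugin:
      enabled: "true"
      logLevel: DEBUG
      crowdsecMode: live
      crowdsecLapiScheme: http
      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
      CrowdsecLapiKey: MY-SECRET-API
```

The alternative is to rename the static declaration to `--experimental.plugins.bouncer.modulename=...` and leave the Middleware as it was; either way both sides must use one name.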
When Crowdsec enables TLS, Traefik cannot talk to it if the certificates are not signed by a public CA.
Following the documentation of Crowdsec on setting up TLS auth, certificates are signed by an unknown authority.
traefik.log
Nov 27 14:20:36 debian11.localdomain traefik[2621]: INFO: CrowdsecBouncerTraefikPlugin: 2022/11/27 14:20:36 error while fetching https://localhost:8080/v1/decisions/stream?startup=true: Get "https://localhost:8080/v1/decisions/stream?startup=true": x509: certificate signed by unknown authority
Nov 27 14:21:36 debian11.localdomain traefik[2621]: DEBUG: CrowdsecBouncerTraefikPlugin: 2022/11/27 14:21:36 handleStreamCache
We need to offer the option to trust the CA when connecting, or to ignore self-signed certificates.
Describe the solution you'd like
Clearer code
If you like the plugin, please consider starring it, so you can get updates and we get some more visibility.
Currently every instance of the middleware creates a local cache and makes a recurring call to Crowdsec.
If this is possible, use a shared cache and a synchronization process that feeds the cache only once for all instances.
Rework the code so we can use a shared remote cache like Redis.
When #18 is resolved, it will be easy to deal with a shared cache.
This can be useful if the cache is filled with many IPs, or if we want to use it for many Traefik instances using the same crowdsec and redis cache instance.
Currently, before every release we do a manual series of tests.
The idea is to write unit tests and integration tests to ease the release process.
My setup:
Right after upgrading to v1.1.1 every request is very slow (45+ seconds). Services are unusable in that state.
I have verified the redis cache, and IPs successfully get cached in it with an "f" value, so the connection is working, but something is wrong and I could not figure out what it is.
When I revert to v1.1.0 everything goes back to normal.
With redisCacheEnabled: false on version v1.1.1, the issue doesn't appear.
It's definitely something to do with when redis gets involved.
Hello,
I am a new user of the traefik bouncer plugin in a (stable) docker environment and I have unexplained errors in the logs:
time="2022-12-06T18:33:12+01:00" level=error msg="plugins-storage/sources/gop-3552147530/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/bouncer.go:176:6: panic" plugin=plugin-bouncer module=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
I have activated the DEBUG log level but nothing appears in the logs; the lines surrounding the error are these ones, but they also appear outside of the error context, so I don't think they are directly related:
DEBUG: CrowdsecBouncerTraefikPlugin: 2022/12/06 18:33:12 ServeHTTP ip:82.xxx.xxx.xxx isTrusted:true
Apart from that, everything seems to be working (as far as my recent experience of the product goes) and I don't know what this error causes if anything.
I have found no way to reproduce the error.
Traefik version 2.9.5
Plugin version 1.1.5
Thanks.
Plugin configuration:
middlewares-traefik-bouncer:
  plugin:
    bouncer:
      enabled: true
      logLevel: DEBUG
      crowdsecMode: live
      crowdsecLapiScheme: http
      crowdsecLapiHost: crowdsec:8080
      crowdsecLapiKey: xxxx
      clientTrustedIPs:
        - 192.168.0.0/24
        - 82.xxx.xxx.xxx
      forwardedHeadersTrustedIPs:
        # Cloudflare IP Ranges
        # https://www.cloudflare.com/ips/
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/13
        - 104.24.0.0/14
        - 172.64.0.0/13
        - 131.0.72.0/22
Hi there
I have got your plugin working now with kubernetes, but noticed an odd occurrence.
Cache is currently disabled:
redisCacheEnabled: false
But manually added IPs remain banned due to cache hits?
cache:hit isBanned:true
How can that be with cache disabled?
Also, is crowdsecMode set to none when redis is disabled?
Thanks :)
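The two reports above (live mode showing cache:hit without any bans, and cache hits with redisCacheEnabled: false) both come down to the bouncer's decision cache, so here is an added Go model of it. This is example code written for this page, not the plugin's implementation, and it simplifies the plugin: the plugin keeps an in-memory cache even with Redis disabled (Redis only changes where the cache lives); live mode asks the LAPI about one IP on a cache miss and keeps the answer for defaultDecisionSeconds; stream mode pulls the decision list every updateIntervalSeconds and answers requests from the cache only; and in neither mode does the bouncer feed CrowdSec's detection. A cache hit is not a lost signal, because the scenario buckets are filled by the CrowdSec agent parsing Traefik's access log, never by the bouncer. Bouncer, IsBannedLive, IsBannedStream and RefreshStream are names chosen here; the real stream endpoint sends new and deleted decisions incrementally, whereas RefreshStream replaces the whole cache; and the LAPI is replaced by a constructed in-memory function.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Decision is what the bouncer keeps per client IP, whatever the backing
// store (in-memory here; a Redis-backed store has the same contract).
type Decision struct {
	Banned  bool
	Expires time.Time
}

// LAPIQuery stands in for GET /v1/decisions?ip=<ip>&banned=true, the call a
// live-mode bouncer makes on a cache miss. banned says whether a decision
// exists for the IP and ttl how long it remains valid.
type LAPIQuery func(ip string) (banned bool, ttl time.Duration, err error)

// Bouncer models live and stream mode over one cache.
type Bouncer struct {
	mu         sync.Mutex
	cache      map[string]Decision
	query      LAPIQuery
	defaultTTL time.Duration    // defaultDecisionSeconds: lifetime of a cached "not banned"
	Now        func() time.Time // injectable clock so expiry can be tested
}

func NewBouncer(q LAPIQuery, defaultTTL time.Duration) *Bouncer {
	return &Bouncer{cache: map[string]Decision{}, query: q, defaultTTL: defaultTTL, Now: time.Now}
}

// lookup returns the cached decision if present and not yet expired.
func (b *Bouncer) lookup(ip string) (Decision, bool) {
	b.mu.Lock()
	defer b.mu.Unlock()
	d, ok := b.cache[ip]
	if !ok || !b.Now().Before(d.Expires) {
		delete(b.cache, ip)
		return Decision{}, false
	}
	return d, true
}

// IsBannedLive is live mode: a cache hit answers without contacting the LAPI;
// only a miss triggers the per-IP query, whose answer is then cached. On a
// LAPI error nothing is cached and the error is returned, so the caller has to
// decide explicitly between failing open (serve) and failing closed (deny).
func (b *Bouncer) IsBannedLive(ip string) (bool, error) {
	if d, hit := b.lookup(ip); hit {
		return d.Banned, nil
	}
	banned, ttl, err := b.query(ip)
	if err != nil {
		return false, err
	}
	if !banned || ttl <= 0 {
		ttl = b.defaultTTL
	}
	b.mu.Lock()
	b.cache[ip] = Decision{Banned: banned, Expires: b.Now().Add(ttl)}
	b.mu.Unlock()
	return banned, nil
}

// RefreshStream is the stream-mode background job: the decision list pulled
// from /v1/decisions/stream replaces the cache. bans maps IP to remaining TTL.
func (b *Bouncer) RefreshStream(bans map[string]time.Duration) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.cache = make(map[string]Decision, len(bans))
	for ip, ttl := range bans {
		b.cache[ip] = Decision{Banned: true, Expires: b.Now().Add(ttl)}
	}
}

// IsBannedStream is the stream-mode request path: cache only, never the LAPI.
// An IP absent from the cache is simply not banned.
func (b *Bouncer) IsBannedStream(ip string) bool {
	d, hit := b.lookup(ip)
	return hit && d.Banned
}

func main() {
	calls := 0
	lapi := func(ip string) (bool, time.Duration, error) { // constructed stand-in for the LAPI
		calls++
		if ip == "203.0.113.7" { // the only banned address in this constructed setup
			return true, 4 * time.Hour, nil
		}
		return false, 0, nil
	}
	b := NewBouncer(lapi, 60*time.Second)
	for i := 0; i < 3; i++ {
		banned, _ := b.IsBannedLive("203.0.113.7")
		fmt.Println("live:", banned, "LAPI calls so far:", calls) // true, and calls stays 1: hits never query
	}
	b.RefreshStream(map[string]time.Duration{"203.0.113.7": time.Hour})
	fmt.Println("stream:", b.IsBannedStream("203.0.113.7"), b.IsBannedStream("198.51.100.3"), "calls:", calls)
}
```

The one policy the model leaves to the caller is what to do while the LAPI is unreachable; that is the same situation behind the isCrowdsecStreamHealthy:false log flood described earlier on the page, and a bouncer that silently serves on error is fail-open.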
The plugin was not imported into Traefik Plugin Catalog.
Cause:
failed to load readme: failed to get the readme file: GET https://api.github.com/repos/maxlerebourg/crowdsec-bouncer-traefik-plugin/readme?ref=v0.1.0-alpha: 404 Not Found []
Traefik Plugin Analyzer will restart when you will close this issue.
If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please contact us.
Currently the IP of the user is fetched using the X-Forwarded-For header.
Some solutions hooked up in front of traefik might provide a custom header.
Add the option to use this custom header instead.
Dec 26 22:55:11 hostname traefik[3734797]: ERROR: CrowdsecBouncerTraefikPlugin: 2022/12/26 22:55:11 cache:miss
Hey, I just noticed I've been having this error logged every single second for the past week, effectively the plugin was not working at all. When I add my desktop to the ban list, I can still access everything behind the proxy. Any ideas on how to troubleshoot? Also occurs on 1.1.5.
Using traefik 2.9.5.
Hello,
I was wondering if this is possible at all with the current implementation?
I know local IPs can be excluded from rate limiting in crowdsec itself, but I would like it if localnet IPs could access services behind traefik, without the bouncer plugin querying crowdsec at all.
I'm guessing some sort of permanent cache would be the solution here (In the case of stream mode), and perhaps even in live mode, the plugin could read IPs from that same "permanent cache".
Currently none of the CI runs have ever passed.
The code is using go 1.18, and CI is set to 1.17.
There are some lint options we need to tweak to be able to pass CI.
Prepare the CI for tests added later.
Currently the bouncer reads the IP address from RemoteAddr. If traefik is behind a load balancer (in my case a cloudflared tunnel), that IP will be the IP address of the load balancer.
In that case, the bouncer should try to read the IP address from the X-Forwarded-For or X-Real-Ip headers to obtain the real IP address.
The other solution is to have a setting in the traefik configuration to define the header which the IP address will be read from.
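One way to implement what the two requests above ask for (reading the client address from X-Forwarded-For or a custom header, but only when that header can be believed), as added example code for this page rather than the plugin's own code. ClientIPResolver, NewClientIPResolver and ClientIP are names chosen here; the proxy ranges and addresses are constructed, reusing the first Cloudflare range listed elsewhere on this page and documentation addresses. The security point is the one a forwardedHeadersTrustedIPs-style setting exists for: any client can send an X-Forwarded-For of its choosing, so the header is only consulted when the TCP peer is a known proxy, and the chain is walked from the right past trusted proxies to the first address that is not one.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ClientIPResolver decides which address a request is attributed to before
// it is looked up in CrowdSec. header is the forwarding header to read
// (X-Forwarded-For, or a custom one such as the one cloudflared sets) and
// proxies are the only peers whose header values are believed.
type ClientIPResolver struct {
	header  string
	proxies []*net.IPNet
}

// NewClientIPResolver parses the trusted proxy ranges (CIDR notation).
func NewClientIPResolver(header string, cidrs ...string) (*ClientIPResolver, error) {
	r := &ClientIPResolver{header: header}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(strings.TrimSpace(c))
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		r.proxies = append(r.proxies, n)
	}
	return r, nil
}

func (r *ClientIPResolver) isProxy(ip net.IP) bool {
	for _, n := range r.proxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address to hand to the bouncer. RemoteAddr is the only
// value the proxy itself established, so the header is used only when that
// peer is a trusted proxy. Each proxy appends the address it accepted the
// connection from, so walking the header from the right and skipping trusted
// proxies yields the real client. Anything malformed falls back to the peer.
func (r *ClientIPResolver) ClientIP(req *http.Request) string {
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		host = req.RemoteAddr
	}
	peer := net.ParseIP(host)
	if peer == nil || !r.isProxy(peer) {
		return host // untrusted peer: its X-Forwarded-For is attacker-controlled
	}
	hops := strings.Split(req.Header.Get(r.header), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return host
		}
		if !r.isProxy(ip) {
			return ip.String()
		}
	}
	return host // every hop was a trusted proxy: attribute to the nearest one
}

func main() {
	r, _ := NewClientIPResolver("X-Forwarded-For", "173.245.48.0/20") // constructed proxy range
	req := &http.Request{RemoteAddr: "173.245.48.10:443", Header: http.Header{}}
	req.Header.Set("X-Forwarded-For", "203.0.113.9, 173.245.48.20")
	fmt.Println(r.ClientIP(req)) // 203.0.113.9
	spoof := &http.Request{RemoteAddr: "198.51.100.7:5555", Header: http.Header{}}
	spoof.Header.Set("X-Forwarded-For", "10.0.0.1")
	fmt.Println(r.ClientIP(spoof)) // 198.51.100.7: header from an untrusted peer is ignored
}
```

With a single-valued custom header (one address, no chain) the same walk degenerates to one step, so the resolver serves the "custom header" request unchanged; what must not change is the peer check in front of it.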
Hey @mathieuHa, just wanted to let you know that I'm having some issues accessing services from the outside.
Now everyone gets 403 responses. Disabling the bouncer from the traefik static config fixes the issue, meaning the plugin is definitely the culprit.
Consider that everything on localnet is 172.16.1.1/24.
I've set:
clientTrustedIPs:
  - 172.16.1.1/24
And this works as expected: these clients are not rate limited and don't go through crowdsec.
Though when adding - 0.0.0.0/0, I have access to all services externally.
It seems now that only clientTrustedIPs are allowed to connect, regardless of what crowdsec says.
Any thoughts?
I'm using Traefik 2.8.4, and the latest commit of this plugin (deployed in the plugins-local dir). I don't use redis for now. I'll look into debug mode a bit later, if it's even required at all, though this seems like some sort of funny semantic issue :)
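An added example (written for this page, not the plugin's code) covering the two reports above: what a clientTrustedIPs list has to parse into, and what happens when a catch-all range such as 0.0.0.0/0 is added to it. Two grounded points: the form that other reports on this page use successfully is a YAML list with one CIDR per entry (the report right above shows `- 172.16.1.1/24` working), and an entry of 0.0.0.0/0 makes every client "trusted", so the bouncer never consults CrowdSec for anyone; that is why adding it made external access work, and why it is not a fix. TrustedIPs, ParseTrustedIPs, Contains and TrustsEveryone are this example's own names, the ranges and addresses are constructed, and the comma/whitespace/bracket tolerance in the parser is a choice made here, not a statement about how Traefik parses Docker labels.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// TrustedIPs holds parsed clientTrustedIPs ranges (example type; the
// plugin's own representation is not shown on this page).
type TrustedIPs struct {
	nets []*net.IPNet
}

// ParseTrustedIPs accepts the shapes tried in the report above: comma and/or
// whitespace separated, optionally wrapped in brackets, or one CIDR per call
// for YAML lists. A bare address is widened to /32 or /128 so a later Contains
// check does not silently ignore it.
func ParseTrustedIPs(raw string) (*TrustedIPs, error) {
	raw = strings.Trim(raw, "[] ")
	fields := strings.FieldsFunc(raw, func(r rune) bool {
		return r == ',' || r == ' ' || r == '\t' || r == '\n'
	})
	t := &TrustedIPs{}
	for _, f := range fields {
		if !strings.Contains(f, "/") {
			if ip := net.ParseIP(f); ip != nil && ip.To4() != nil {
				f += "/32"
			} else if ip != nil {
				f += "/128"
			}
		}
		// ParseCIDR returns the network, so a host-bits entry such as
		// 172.16.1.1/24 is stored as 172.16.1.0/24, which is what was meant.
		_, n, err := net.ParseCIDR(f)
		if err != nil {
			return nil, fmt.Errorf("clientTrustedIPs: bad entry %q: %w", f, err)
		}
		t.nets = append(t.nets, n)
	}
	return t, nil
}

// Contains reports whether ip is inside any trusted range; such clients
// bypass the CrowdSec lookup entirely.
func (t *TrustedIPs) Contains(ip string) bool {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return false
	}
	for _, n := range t.nets {
		if n.Contains(parsed) {
			return true
		}
	}
	return false
}

// TrustsEveryone flags a catch-all entry (0.0.0.0/0 or ::/0). With one in
// place every client is trusted, the bouncer never consults CrowdSec, and
// bans have no effect; that is the misconfiguration to check for before
// concluding that "external access works now".
func (t *TrustedIPs) TrustsEveryone() bool {
	for _, n := range t.nets {
		if ones, _ := n.Mask.Size(); ones == 0 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input standing in for the 192.168.a.0/24 placeholders above.
	t, err := ParseTrustedIPs("192.168.10.0/24, 172.16.1.1/24")
	if err != nil {
		panic(err)
	}
	fmt.Println(t.Contains("172.16.1.200"), t.Contains("203.0.113.5")) // true false
	all, _ := ParseTrustedIPs("[172.16.1.0/24, 0.0.0.0/0]")
	fmt.Println(all.TrustsEveryone()) // true: every client now bypasses the bouncer
}
```

A deployment that wants to be sure the bouncer is still in the path can run the TrustsEveryone check at startup and refuse the configuration, rather than discovering it when a banned address keeps getting 200s.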
Describe the bug
Unfortunately I do not have exact details, but I have got this case already multiple times.
I am not 100% sure what triggers the bug, but I think it happened every time I made a config mistake in traefik, corrected it and restarted the traefik service. Then the plugin is not blocking anymore.
I have Uptime Kuma running and I banned the IP of the container. Like this Uptime Kuma can check for code 403 and I see if it is working.
I checked it with wget from the container as well to verify the result, and I get a code 200.
Switching the middleware from stream to none works instantly and I get a code 403.
Yes, I always waited the time to sync the banlist again, and much longer. I also reduced the polling time to 15 s.
The logs look like the plugin is first serving, then checking?!
The debug log of the plugin with stream is:
Jan 30 09:25:09 traefik traefik[1757]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/30 09:25:09 ServeHTTP ip:10.10.100.38 isTrusted:false
Jan 30 09:25:09 traefik traefik[1757]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/30 09:25:09 cache:GetDecision ip:10.10.100.38
Jan 30 09:25:09 traefik traefik[1757]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/30 09:25:09 ServeHTTP:getDecision ip:10.10.100.38 isBanned:true cache:miss
Logs tell me in stream mode isBanned:true, but the website is served.
This is what it looks like when I switch to none and wget the page:
Jan 30 09:39:45 traefik traefik[1757]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/30 09:39:45 ServeHTTP ip:10.10.100.38 isTrusted:false
Jan 30 09:39:45 traefik traefik[1757]: DEBUG: CrowdsecBouncerTraefikPlugin: 2023/01/30 09:39:45 ServeHTTP:handleNoStreamCache ip:10.10.100.38 isBanned:true handleNoStreamCache:banned
Output of cscli decisions list on crowdsec is this:
| 1290066 | cscli | Ip:10.10.100.38 | kumacheck | ban | | 1 | 999986h15m18.041025541s | 349 |
Expected behavior
When the logs tell me in stream mode isBanned:true, the client should be blocked.
Context
My config:
experimental:
  plugins:
    bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.1.9
### crowdsec ###
crowdsec-bouncer:
  plugin:
    bouncer:
      enabled: true
      logLevel: DEBUG
      crowdsecLapiHost: <host>:<port>
      crowdsecMode: stream
      updateIntervalSeconds: 15
      crowdsecLapiKey: <key>
      clientTrustedIPs:
        - 10.10.1.0/24
        - 10.10.20.0/24
To Reproduce
Like I wrote, I do not have an exact trigger; maybe I will find it in the next days.
There are a lot of examples, and for each release we need to go through each of them and update the Traefik version, plugin version, and crowdsec version.
We should add a recipe in make that takes 3 args (versions) and updates all at once before each release.
The purpose is to use a consistent logging pattern:
name of the bouncer, name of the function, action and sometimes more context.
Describe the bug
I have installed the traefik and crowdsec charts and they are working correctly. I added the plugin to the traefik deployment config as documented. However I don't see an IP address for the bouncer when I restart traefik, I also don't see anything in the traefik logs to indicate that the plugin is doing anything. When I block my own IPs nothing happens.
I have traefik loglevel to DEBUG.
Maybe I am misunderstanding how it should work?
To Reproduce
Steps to reproduce the behavior:
see above
Expected behavior
I would expect the bouncer to block my IP when I load the site. In the crowdsec agent I would expect to see details on the bouncer, but they are blank.
Screenshots
traefik config
spec:
  containers:
    - args:
        - --global.checknewversion
        - --global.sendanonymoususage
        - --entrypoints.metrics.address=:9100/tcp
        - --entrypoints.traefik.address=:9000/tcp
        - --entrypoints.web.address=:8000/tcp
        - --api.dashboard=true
        - --ping=true
        - --metrics.prometheus=true
        - --metrics.prometheus.entrypoint=metrics
        - --providers.kubernetescrd
        - --providers.kubernetesingress=true
        - --log.level=DEBUG
        - --accesslog=true
        - --entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,10.137.0.0/16,143.110.0.0/16,146.190.0.0/16,159.203.0.0/16,159.203.0.0/16,165.227.0.0/16,167.99.0.0/16
        - --accesslog.fields.headers.defaultmode=keep
        - --serversTransport.insecureSkipVerify=true
        - --entryPoints.web.forwardedHeaders.insecure
        - --experimental.plugins.crowdsec-bouncer-traefik-plugin.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
        - --experimental.plugins.crowdsec-bouncer-traefik-plugin.version=v1.1.6
      image: traefik:v2.9.6
Traefik middleware
spec:
  plugin:
    crowdsec-bouncer-traefik-plugin:
      CrowdsecLapiKey: f0000000000000000000000
      Enabled: "true"
      crowdsecLapiHost: sec-crowdsec:8080
      crowdsecLapiScheme: http
      crowdsecMode: live
      defaultDecisionSeconds: 60
      forwardedHeadersCustomName: X-Custom-Header
      forwardedHeadersTrustedIPs:
        - 157.230.0.0/16
        - 10.137.0.0/16
        - 167.99.0.0/16
        - 165.227.0.0/16
        - 159.203.0.0/16
        - 146.190.0.0/16
      logLevel: DEBUG
      updateIntervalSeconds: 60
Desktop (please complete the following information):
Kubernetes client
Additional context
Any idea of what I am doing wrong?
Set up a quick lab and release an example for the binary traefik version.
This will help us debug issues like #41.
Describe the bug
Expected behavior
Traefik fails, then it retries after one minute and eventually, when Crowdsec is ready, it becomes healthy.
Context
Before posting, make sure to use the logLevel: DEBUG of the plugin and see if you can fix the error yourself.
If not, post your plugin configuration file (anonymize IP and secret key) and a partial log file where the error is encountered.
To Reproduce
Steps to reproduce the behavior:
Change docker-compose.local.yml:
version: "3.8"
services:
  traefik:
    image: "traefik:v2.9.6"
    container_name: "traefik"
    restart: unless-stopped
    command:
      - "--log.level=DEBUG"
      - "--accesslog"
      - "--accesslog.filepath=/var/log/traefik/access.log"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - logs-local:/var/log/traefik
      - ./:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
    ports:
      - 80:80
      - 8080:8080
    depends_on:
      - crowdsec
  whoami-foo:
    image: traefik/whoami
    container_name: "simple-service-foo"
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.router-foo.rule=Path(`/foo`)"
      - "traefik.http.routers.router-foo.entrypoints=web"
      - "traefik.http.routers.router-foo.middlewares=crowdsec-foo@docker"
      - "traefik.http.services.service-foo.loadbalancer.server.port=80"
      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.enabled=true"
      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecMode=stream"
      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecLapiHost=crowdsec:8080"
      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.loglevel=DEBUG"
      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
  crowdsec:
    image: crowdsecurity/crowdsec:v1.4.6
    container_name: "crowdsec"
    restart: unless-stopped
    environment:
      COLLECTIONS: crowdsecurity/traefik
      CUSTOM_HOSTNAME: crowdsec
      BOUNCER_KEY_TRAEFIK_1: 40796d93c2958f9e58345514e67740e5
      BOUNCER_KEY_TRAEFIK_2: 44c36dac5c4140af9f06f397508e82c7
    volumes:
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - logs-local:/var/log/traefik:ro
      - crowdsec-db-local:/var/lib/crowdsec/data/
      - crowdsec-config-local:/etc/crowdsec/
    labels:
      - "traefik.enable=false"
volumes:
  logs-local:
  crowdsec-db-local:
  crowdsec-config-local:
docker-compose -f docker-compose.local.yml up -d
Go to http://localhost:8080/dashboard/#/http/routers/router-foo@docker
Hey, I'm having some issues with the crowdsec container.
When I enable the tls option in config.yml, and place server certificates generated using mkcert into /etc/crowdsec/certs of the container, crowdsec keeps crashing and won't start.
I don't need client cert auth, the API key will do fine. But I'm guessing the crowdsec container then still needs to have server-side certificates?
middleware config:
crowdsec:
  plugin:
    bouncer:
      enabled: true
      #logLevel: DEBUG
      updateIntervalSeconds: 60
      crowdsecMode: stream
      crowdsecLapiHost: crowdsec-host:1234
      crowdsecLapiKeyFile: /etc/traefik/crowdsecLapiKey
      crowdsecLapiScheme: https
      crowdsecLapiTLSInsecureVerify: true # if the CA below is in the system trust store, do I need this as true or can it be false?
      crowdsecLapiTLSCertificateAuthorityFile: /etc/traefik/certs/selfSignedCA.pem
crowdsec config:
api:
  client:
    insecure_skip_verify: true
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 0.0.0.0:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    trusted_ips: # IP ranges, or IPs which can have admin API access
      - 127.0.0.1
      - ::1
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    tls:
      cert_file: /etc/crowdsec/certs/server.pem #Server side cert
      key_file: /etc/crowdsec/certs/server-key.pem #Server side key
      ca_cert_path: /etc/crowdsec/certs/selfSignedCA.pem #CA used to verify the client certs
Also, a strange thing happens when I edit /etc/crowdsec/local_api_credentials.yaml.
Even if I add a client-generated cert to the file and https:
url: https://localhost:8080
ca_cert_path: /tmp/inter.pem #CA to trust the server certificate
key_path: /tmp/agent-key.pem #Client key
cert_path: /tmp/agent.pem #Client cert
That file gets overwritten every time the container starts, leading to endless restarts:
url: http://0.0.0.0:8080/
login: localhost
password: 1234
I have the plugin configured (I think) but am not sure if I will see the plugin in my local traefik dashboard or not?
Being a plugin I am also not clear on how to debug it, as the logs seem fine.
I ask as I configured my middleware without an api key and the traefik hub is showing the plugin as connected and healthy?
Apologies for the noob questions.
Describe the bug
I start Traefik with the middleware in stream mode
I change the middleware to live mode
It still queries for the blocklist as if stream was enabled
Expected behavior
When the crowdsec mode changes it should not use the old mode.
Context
Before posting, make sure to use the logLevel: DEBUG of the plugin and see if you can fix the error yourself.
If not, post your plugin configuration file (anonymize IP and secret key) and a partial logs file where the error is encountered.
Version (please complete the following information):
To Reproduce
Steps to reproduce the behavior:
Traefik logs of change mode
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:22 handleStreamCache:updated
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:22 New initialized mode:stream
time="2023-03-12T10:23:22Z" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2023-03-12T10:23:39Z" level=debug msg="Provider event received {Status:die ID:b74972eb975113a26a09455925a5a0171319612746b175adda7b07c9b143ecb3 From:traefik/whoami Type:container Action:die Actor:{ID:b74972eb975113a26a09455925a5a0171319612746b175adda7b07c9b143ecb3 Attributes:map[com.docker.compose.config-hash:b02b65441240c682f3988bf5c97964f471cac8cd02c2121bdc397123aadada0d com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:420d3c2af3570ad1ced363bce5b284a4c662cf7ee178e261ae42b7d750d488a4 com.docker.compose.oneoff:False com.docker.compose.project:crowdsec-bouncer-traefik-plugin com.docker.compose.project.config_files:/home/mathieu/projets/crowdsec-bouncer-traefik-plugin/docker-compose.local.yml com.docker.compose.project.working_dir:/home/mathieu/projets/crowdsec-bouncer-traefik-plugin com.docker.compose.service:whoami-foo com.docker.compose.version:2.15.1 desktop.docker.io/wsl-distro:Ubuntu exitCode:2 image:traefik/whoami name:simple-service-foo org.opencontainers.image.created:2022-10-15T13:46:19Z org.opencontainers.image.description:Tiny Go webserver that prints OS information and HTTP request to output org.opencontainers.image.revision:e59736736851ca955cf8734fe4ea6d0c71ddbd62 org.opencontainers.image.source:https://github.com/traefik/whoami org.opencontainers.image.title:whoami org.opencontainers.image.version:1.8.7 traefik.enable:true traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecLapiHost:crowdsec:8080 traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecMode:stream traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdseclapikey:40796d93c2958f9e58345514e67740e5 traefik.http.middlewares.crowdsec-foo.plugin.bouncer.enabled:true traefik.http.middlewares.crowdsec-foo.plugin.bouncer.loglevel:DEBUG traefik.http.routers.router-foo.entrypoints:web traefik.http.routers.router-foo.middlewares:crowdsec-foo@docker traefik.http.routers.router-foo.rule:Path(`/foo`) traefik.http.services.service-foo.loadbalancer.server.port:80]} Scope:local Time:1678616619 TimeNano:1678616619687895043}" providerName=docker
time="2023-03-12T10:23:39Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-crowdsec-bouncer-traefik-plugin-d44b762fca4793c5ef6d5811f9cbd0207fad2ddc4f613ca96add1ae0bb7b2afe
time="2023-03-12T10:23:39Z" level=debug msg="Filtering disabled container" providerName=docker container=crowdsec-crowdsec-bouncer-traefik-plugin-80c9bbde813ec41a6a319db8160e56403c79602fb37d75ff1d595309d5fc5691
time="2023-03-12T10:23:39Z" level=debug msg="Configuration received: {\"http\":{},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-03-12T10:23:40Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-03-12T10:23:40Z" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
time="2023-03-12T10:23:40Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
time="2023-03-12T10:23:40Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix
time="2023-03-12T10:23:40Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2023-03-12T10:23:40Z" level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2023-03-12T10:23:40Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
time="2023-03-12T10:23:40Z" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_redirect@internal entryPointName=traefik routerName=dashboard@internal
time="2023-03-12T10:23:40Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareType=Recovery middlewareName=traefik-internal-recovery
time="2023-03-12T10:23:40Z" level=debug msg="Provider event received {Status:start ID:f14b5cdcdaba6d6a6544fb58eaaa89055f302fd03f896b196f9d7dcf984ace16 From:traefik/whoami Type:container Action:start Actor:{ID:f14b5cdcdaba6d6a6544fb58eaaa89055f302fd03f896b196f9d7dcf984ace16 Attributes:map[com.docker.compose.config-hash:2416f594e8dce35980057c9ec74d0e1d7be81e031decc33904b92acb8467d131 com.docker.compose.container-number:1 com.docker.compose.depends_on: com.docker.compose.image:sha256:420d3c2af3570ad1ced363bce5b284a4c662cf7ee178e261ae42b7d750d488a4 com.docker.compose.oneoff:False com.docker.compose.project:crowdsec-bouncer-traefik-plugin com.docker.compose.project.config_files:/home/mathieu/projets/crowdsec-bouncer-traefik-plugin/docker-compose.local.yml com.docker.compose.project.working_dir:/home/mathieu/projets/crowdsec-bouncer-traefik-plugin com.docker.compose.service:whoami-foo com.docker.compose.version:2.15.1 desktop.docker.io/wsl-distro:Ubuntu image:traefik/whoami name:simple-service-foo org.opencontainers.image.created:2022-10-15T13:46:19Z org.opencontainers.image.description:Tiny Go webserver that prints OS information and HTTP request to output org.opencontainers.image.revision:e59736736851ca955cf8734fe4ea6d0c71ddbd62 org.opencontainers.image.source:https://github.com/traefik/whoami org.opencontainers.image.title:whoami org.opencontainers.image.version:1.8.7 traefik.enable:true traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecLapiHost:crowdsec:8080 traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecMode:live traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdseclapikey:40796d93c2958f9e58345514e67740e5 traefik.http.middlewares.crowdsec-foo.plugin.bouncer.enabled:true traefik.http.middlewares.crowdsec-foo.plugin.bouncer.loglevel:DEBUG traefik.http.routers.router-foo.entrypoints:web traefik.http.routers.router-foo.middlewares:crowdsec-foo@docker traefik.http.routers.router-foo.rule:Path(`/foo`) traefik.http.services.service-foo.loadbalancer.server.port:80]} Scope:local Time:1678616620 TimeNano:1678616620551798983}" providerName=docker
time="2023-03-12T10:23:40Z" level=debug msg="Filtering disabled container" providerName=docker container=traefik-crowdsec-bouncer-traefik-plugin-d44b762fca4793c5ef6d5811f9cbd0207fad2ddc4f613ca96add1ae0bb7b2afe
time="2023-03-12T10:23:40Z" level=debug msg="Filtering disabled container" providerName=docker container=crowdsec-crowdsec-bouncer-traefik-plugin-80c9bbde813ec41a6a319db8160e56403c79602fb37d75ff1d595309d5fc5691
time="2023-03-12T10:23:41Z" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"router-foo\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"crowdsec-foo@docker\"],\"service\":\"service-foo\",\"rule\":\"Path(`/foo`)\"}},\"services\":{\"service-foo\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.22.0.3:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"crowdsec-foo\":{\"plugin\":{\"bouncer\":{\"crowdsecLapiHost\":\"crowdsec:8080\",\"crowdsecMode\":\"live\",\"crowdseclapikey\":\"40796d93c2958f9e58345514e67740e5\",\"enabled\":\"true\",\"loglevel\":\"DEBUG\"}}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
time="2023-03-12T10:23:42Z" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
time="2023-03-12T10:23:42Z" level=debug msg="Added outgoing tracing middleware api@internal" routerName=api@internal entryPointName=traefik middlewareName=tracing middlewareType=TracingForwarder
time="2023-03-12T10:23:42Z" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareType=TracingForwarder entryPointName=traefik routerName=dashboard@internal middlewareName=tracing
time="2023-03-12T10:23:42Z" level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik
time="2023-03-12T10:23:42Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
time="2023-03-12T10:23:42Z" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2023-03-12T10:23:42Z" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
time="2023-03-12T10:23:42Z" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
time="2023-03-12T10:23:42Z" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2023-03-12T10:23:42Z" level=debug msg="Creating middleware" routerName=router-foo@docker serviceName=service-foo middlewareName=pipelining middlewareType=Pipelining entryPointName=web
time="2023-03-12T10:23:42Z" level=debug msg="Creating load-balancer" entryPointName=web routerName=router-foo@docker serviceName=service-foo
time="2023-03-12T10:23:42Z" level=debug msg="Creating server 0 http://172.22.0.3:80" serverName=0 routerName=router-foo@docker serviceName=service-foo entryPointName=web
time="2023-03-12T10:23:42Z" level=debug msg="child http://172.22.0.3:80 now UP"
time="2023-03-12T10:23:42Z" level=debug msg="Propagating new UP status"
time="2023-03-12T10:23:42Z" level=debug msg="Added outgoing tracing middleware service-foo" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=router-foo@docker
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:42 No IP provided for ForwardedHeadersTrustedIPs
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:42 No IP provided for ClientTrustedIPs
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:42 getTLSConfigCrowdsec:CrowdsecLapiScheme https:no
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:42 cache:New initialized isRedis:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:23:42 New initialized mode:live
time="2023-03-12T10:23:42Z" level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=web middlewareName=traefik-internal-recovery
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:24:22 cache:GetDecision ip:updated
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:24:22 cache:SetDecision ip:updated isBanned:false duration:59s
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:24:22 handleStreamCache:updated
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:25:22 cache:GetDecision ip:updated
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:25:22 cache:SetDecision ip:updated isBanned:false duration:59s
DEBUG: CrowdsecBouncerTraefikPlugin: 2023/03/12 10:25:22 handleStreamCache:updated
Crowdsec logs of changed mode:
time="12-03-2023 10:23:22" level=warning msg="new IP address detected for bouncer 'TRAEFIK_1': 172.22.0.4 (old: 172.21.0.4)"
time="12-03-2023 10:23:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:23:22 UTC] \"GET /v1/decisions/stream?startup=true HTTP/1.1 200 10.149134ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:23:57" level=info msg="127.0.0.1 - [Sun, 12 Mar 2023 10:23:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 5.734345ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \""
time="12-03-2023 10:24:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:24:22 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 5.011383ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:24:57" level=info msg="127.0.0.1 - [Sun, 12 Mar 2023 10:24:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 6.219707ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \""
time="12-03-2023 10:25:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:25:22 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 5.201463ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:25:57" level=info msg="127.0.0.1 - [Sun, 12 Mar 2023 10:25:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 4.387602ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \""
time="12-03-2023 10:26:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:26:22 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 4.518322ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:26:57" level=info msg="127.0.0.1 - [Sun, 12 Mar 2023 10:26:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 4.342889ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \""
time="12-03-2023 10:27:19" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:27:19 UTC] \"GET /v1/decisions?ip=172.22.0.1&banned=true HTTP/1.1 200 1.000792ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:27:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:27:22 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 10.754631ms \"Go-http-client/1.1\" \""
time="12-03-2023 10:27:57" level=info msg="127.0.0.1 - [Sun, 12 Mar 2023 10:27:57 UTC] \"GET /v1/heartbeat HTTP/1.1 200 4.604232ms \"crowdsec/v1.4.6-linux-5f71037b40c498045e1b59923504469e2b8d0140\" \""
time="12-03-2023 10:28:22" level=info msg="172.22.0.4 - [Sun, 12 Mar 2023 10:28:22 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 9.717702ms \"Go-http-client/1.1\" \""
If you like the plugin, please consider starring it, so you can get updates and we get some more visibility
Crowdsec has added rate limit.
We can add back this mode.
The plugin was not imported into Traefik Plugin Catalog.
Cause:
failed to run the plugin with Yaegi: failed to create a new plugin instance: CrowdsecLapiKey cannot be empty
Traefik Plugin Analyzer will restart when you will close this issue.
If you believe there is a problem with the Analyzer or this issue is the result of a false positive, please contact us.
Used the docker-compose in repo as baseline.
Any way to verify my setup? Like, to find out if the setup is actually working. The bouncers appear in app.crowdsec.net and an additional KEY_TRAEFIK_... is added to the bouncers tab.
Describe the bug
Removing all decisions related to an IP from cscli does not remove the ban if crowdsecMode = live
Expected behavior
What I have observed by changing crowdsecMode:
none: real-time ban / unban
live: ok ban / no unban
stream: ok ban / ok unban
where ok = up to 1 minute
I would expect the live mode to behave like stream.
To Reproduce
(all versions are latest)
I have noticed this behavior while finishing a tutorial for our blog, so I can add full scripts and configuration to reproduce exactly but I'm waiting for publication.
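Added example, not the plugin's code, modelling the mode difference the report observes: a hypothetical per-IP decision cache in which live mode keeps serving a cached ban until the decision's own duration runs out (the cache is only consulted, never re-asked, while the entry is fresh), whereas a stream poll receives the deleted decisions and evicts them immediately, so an unban lands within one update interval. The type and function names, the injected clock and the 203.0.113.7 sample address are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// cachedDecision is what the bouncer remembers about one client IP.
type cachedDecision struct {
	banned bool
	expiry time.Time
}

// DecisionCache is a hypothetical model of the per-IP cache behind the
// cache:GetDecision / cache:SetDecision / handleStreamCache log lines; it is
// not the plugin's code. The clock is injected so the scenario is deterministic.
type DecisionCache struct {
	now     func() time.Time
	entries map[string]cachedDecision
}

func NewDecisionCache(now func() time.Time) *DecisionCache {
	return &DecisionCache{now: now, entries: map[string]cachedDecision{}}
}

// Get returns the cached verdict for ip if one exists and has not expired.
func (c *DecisionCache) Get(ip string) (banned, found bool) {
	d, ok := c.entries[ip]
	if !ok || !c.now().Before(d.expiry) {
		delete(c.entries, ip)
		return false, false
	}
	return d.banned, true
}

// Set stores a verdict for ttl.
func (c *DecisionCache) Set(ip string, banned bool, ttl time.Duration) {
	c.entries[ip] = cachedDecision{banned: banned, expiry: c.now().Add(ttl)}
}

// LiveLookup models live mode: on a cache miss the bouncer asks LAPI (here a
// callback returning banned?/duration) and caches the answer for the decision's
// duration, so a ban later removed in LAPI is still served from cache until then.
func (c *DecisionCache) LiveLookup(ip string, lapi func(ip string) (bool, time.Duration)) bool {
	if banned, ok := c.Get(ip); ok {
		return banned
	}
	banned, ttl := lapi(ip)
	c.Set(ip, banned, ttl)
	return banned
}

// ApplyStream models one stream-mode poll: LAPI reports decisions added and
// deleted since the last poll; deletions evict the IP at once.
func (c *DecisionCache) ApplyStream(added map[string]time.Duration, deleted []string) {
	for _, ip := range deleted {
		delete(c.entries, ip)
	}
	for ip, ttl := range added {
		c.Set(ip, true, ttl)
	}
}

// Scenario issues a 4h ban, lets each mode observe it, removes the decision in
// LAPI (what cscli decisions delete does), waits one minute and reports whether
// each mode still blocks the IP.
func Scenario() (liveBanned, streamBanned bool) {
	clock := time.Date(2022, 11, 3, 16, 0, 0, 0, time.UTC)
	now := func() time.Time { return clock }
	lapiBanned := true
	lapi := func(string) (bool, time.Duration) { return lapiBanned, 4 * time.Hour }

	live := NewDecisionCache(now)
	live.LiveLookup("203.0.113.7", lapi) // first request: LAPI says banned, cached for 4h
	stream := NewDecisionCache(now)
	stream.ApplyStream(map[string]time.Duration{"203.0.113.7": 4 * time.Hour}, nil)

	lapiBanned = false // operator removes the decision in LAPI
	clock = clock.Add(time.Minute)
	stream.ApplyStream(nil, []string{"203.0.113.7"}) // next poll carries the deletion

	liveBanned = live.LiveLookup("203.0.113.7", lapi) // cache still fresh: not re-asked
	streamBanned, _ = stream.Get("203.0.113.7")
	return liveBanned, streamBanned
}

func main() {
	l, s := Scenario()
	fmt.Printf("one minute after unban: live still banned=%v, stream still banned=%v\n", l, s)
}
```

The model reproduces the table above: both modes ban promptly, but only the stream variant unbans within the interval, because it is told about deletions rather than inferring them from cache expiry.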
time="2022-11-03T16:56:07+01:00" level=error msg="Plugins are disabled because an error has occurred." error="mkdir plugins-storage: permission denied"
systemd unit:
[Unit]
Description=traefik proxy
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-abnormal
EnvironmentFile=/etc/traefik/.env
; User and group the process will run as.
User=traefik
Group=traefik
; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
ExecStart=/opt/traefik/traefik --configfile=/etc/traefik/traefik.yml
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Use private /tmp and /var/tmp, which are discarded after traefik stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/opt/traefik/plugins-storage
ReadWritePaths=/etc/traefik/acme/acme.json
; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by traefik. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE #################################### NEEDS MODIFYING
AmbientCapabilities=CAP_NET_BIND_SERVICE ###################################### ALSO
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
I'm guessing the 2 highlighted lines need modifying, any ideas?
Add a working example with a JOB containing 3 groups / tasks
Is your feature request related to a problem? Please describe.
The Readme is beginning to be long and complicated
Describe the solution you'd like
Split the README and transfer the context of the examples into each folder.
Describe alternatives you've considered
N/A
Additional context
Maybe remove some duplicated parameters with file
Describe the bug
As soon as I enable the plugin, I do not have access to my services anymore. They display 403.
When I set Enabled: "False" and restart traefik, I regain access.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Access :)
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
Thanks!
The idea is to help users provide essential information in order for us to investigate any issue.
Please @maxlerebourg follow the documentation linked below:
https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository
I do not seem to have enough permission in the repository to access the setting panel
You may use the following branch for the commit 47-feature-add-issue-templates-in-the-project
Describe the bug
If I use 1.1.9 I get this error in the traefik logs:
time="2023-01-26T22:23:15Z" level=error msg="plugins-storage/sources/gop-2633054613/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/bouncer.go:169:6: panic" plugin=plugin-crowdsec-bouncer-traefik-plugin module=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
Environment: Kubernetes
Traefik version: 2.9.6
Crowdsec version:
crowdsec -version
2023/01/26 23:34:56 version: v1.4.5-debian-pragmatic-a9a2186a76af63551352aa3bc296bdbe80ca4893
2023/01/26 23:34:56 Codename: alphaga
2023/01/26 23:34:56 BuildDate: 2023-01-19_15:05:10
2023/01/26 23:34:56 GoVersion: 1.19.2
2023/01/26 23:34:56 Platform: linux
2023/01/26 23:34:56 Constraint_parser: >= 1.0, <= 2.0
2023/01/26 23:34:56 Constraint_scenario: >= 1.0, < 3.0
2023/01/26 23:34:56 Constraint_api: v1
2023/01/26 23:34:56 Constraint_acquis: >= 1.0, < 2.0
Middleware:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: crowdsec-bouncer
  namespace: treafik
spec:
  plugin:
    crowdsec-bouncer-traefik-plugin:
      crowdsecLapiHost: 10.10.1.1:8080
      CrowdsecLapiKey: APIKEY
      Enabled: "true"