Can't make crowdsec-blocklist-mirror bouncer to connect to LAPI

Hi,

I’m trying to install the crowdsec-blocklist-mirror bouncer in Docker.
The problem is that the bouncer cannot connect to LAPI, and then the container crashes.

Here are some logs:

crowdsec-blocklist-mirror  | time="25-07-2022 04:42:04" level=info msg="serving blocklist in format plain_text at endpoint /security/blocklist"
crowdsec-blocklist-mirror  | time="25-07-2022 04:42:04" level=info msg="Enabling metrics at endpoint '/metrics' "
crowdsec-blocklist-mirror  | time="25-07-2022 04:42:04" level=info msg="Starting server at 0.0.0.0:41412"
crowdsec-blocklist-mirror  | time="25-07-2022 04:42:04" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 172.26.0.2:8080: connect: connection refused"
crowdsec-blocklist-mirror  | time="25-07-2022 04:42:04" level=error msg="Get \"http://crowdsec:8080/v1/decisions/stream?startup=true\": dial tcp 172.26.0.2:8080: connect: connection refused"
crowdsec-blocklist-mirror  | time="25-07-2022 04:42:04" level=fatal msg="can't access LAPI"

This is when lapi_url is set to: http://crowdsec:8080
When I set lapi_url to the host IP (192.168.1.51), the log errors are a little different:

crowdsec-blocklist-mirror  | time="25-07-2022 04:41:01" level=info msg="serving blocklist in format plain_text at endpoint /security/blocklist"
crowdsec-blocklist-mirror  | time="25-07-2022 04:41:01" level=info msg="Enabling metrics at endpoint '/metrics' "
crowdsec-blocklist-mirror  | time="25-07-2022 04:41:01" level=info msg="Starting server at 0.0.0.0:41412"
crowdsec-blocklist-mirror  | time="25-07-2022 04:41:01" level=error msg="auth-api: auth with api key failed return nil response, error: read tcp 172.26.0.3:51218->192.168.1.51:8080: read: connection reset by peer"
crowdsec-blocklist-mirror  | time="25-07-2022 04:41:01" level=error msg="Get \"http://192.168.1.51:8080/v1/decisions/stream?startup=true\": read tcp 172.26.0.3:51218->192.168.1.51:8080: read: connection reset by peer"
crowdsec-blocklist-mirror  | time="25-07-2022 04:41:01" level=fatal msg="can't access LAPI"

Here is my docker-compose.yml file:

version: "3"
services:
  crowdsec:
    container_name: crowdsec
    image: crowdsecurity/crowdsec
    restart: always
    ports:
      - 6060:6060
      - 8080:8080
    environment:
      GID: "${GID-1000}"
    volumes:
      - crowdsec-data:/var/lib/crowdsec/data/
      - crowdsec-config:/etc/crowdsec/

  crowdsec-blocklist-mirror:
    container_name: crowdsec-blocklist-mirror
    image: crowdsecurity/blocklist-mirror
    depends_on:
      - "crowdsec"
    ports:
      - 41412:41412
    environment:
      - API_KEY=*redacted*
    volumes:
      - ./cfg.yaml:/etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml

volumes:
  crowdsec-data:
  crowdsec-config:

And here is my cfg.yaml file, which is simply defaults but with lapi_url set to crowdsec container name:

config_version: v1.0
crowdsec_config:
  lapi_key: ${API_KEY}
  lapi_url: http://crowdsec:8080
  update_frequency: 10s
  include_scenarios_containing: []
  exclude_scenarios_containing: []
  only_include_decisions_from: []
  insecure_skip_verify: false

blocklists:
  - format: plain_text # Supported formats are either of "plain_text"
    endpoint: /security/blocklist
    authentication:
      type: none # Supported types are either of "none", "ip_based", "basic"
      user:
      password:
      trusted_ips: # IP ranges, or IPs which don't require auth to access this blocklist
        - 127.0.0.1
        - ::1

listen_uri: 0.0.0.0:41412
tls:
  cert_file:
  key_file:

metrics:
  enabled: true
  endpoint: /metrics

log_media: stdout
log_level: info

What’s wrong?
Thank you

Hey!

I helped a user yesterday with a similar issue; basically, the bouncer is starting before crowdsec is fully running. Could you add restart: always to the docker-compose for the mirror?

I had already tried that and it did not work. Tried again, but still the same thing.

I found a way to make it work.

In cfg.yaml I changed:

  lapi_key: ${API_KEY}

to

  lapi_key: *actualkey*

It now works.
That’s weird, because if I run the ‘printenv’ command I can see the API_KEY variable.

Any idea why?

The base YAML decoder library for Golang does not do find-and-replace; it takes everything as literal strings. In some bouncer images they have a startup script to support this, but mirrorlist does not.
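
The thread's fix is to hard-code the key in cfg.yaml. An alternative that keeps the secret in the environment is a small entrypoint wrapper that renders the ${API_KEY} placeholder before the bouncer starts. The script below is an added example, not part of the blocklist-mirror image or the CrowdSec project; the template path and binary path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of the blocklist-mirror image): expand ${NAME} placeholders
# from the environment into the bouncer config before the Go YAML decoder reads it,
# because the decoder treats "${API_KEY}" as a literal string. Rendering is refused
# when a placeholder has no value, so an empty lapi_key never reaches the LAPI.

# render_config SRC DST: copy SRC to DST, replacing every ${NAME} with $NAME from the
# environment. Returns 2 and leaves no DST behind if any placeholder is unset or empty.
render_config() {
  src="$1"
  dst="$2"
  awk '{
    line = $0
    # Only the exact form ${NAME} is rewritten; everything else stays literal YAML.
    while (match(line, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
      name = substr(line, RSTART + 2, RLENGTH - 3)
      if (!(name in ENVIRON) || ENVIRON[name] == "") {
        print "render_config: unresolved placeholder ${" name "}" > "/dev/stderr"
        exit 2
      }
      line = substr(line, 1, RSTART - 1) ENVIRON[name] substr(line, RSTART + RLENGTH)
    }
    print line
  }' "$src" > "$dst" || { rm -f "$dst"; return 2; }
}

# demo: render a constructed copy of the cfg.yaml fragment from this thread and show it.
demo() {
  dir=$(mktemp -d)
  printf 'crowdsec_config:\n  lapi_key: ${API_KEY}\n  lapi_url: http://crowdsec:8080\n' > "$dir/cfg.yaml"
  API_KEY="constructed-example-key"
  export API_KEY
  render_config "$dir/cfg.yaml" "$dir/rendered.yaml" && cat "$dir/rendered.yaml"
}

# Usage as a container entrypoint (assumed paths, not taken from the image):
#   render_config /etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml.tmpl \
#                 /etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml \
#     && exec crowdsec-blocklist-mirror -c /etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml
```

Run `demo` after sourcing the script to see the rendered file; mount the template instead of cfg.yaml and keep API_KEY in the compose environment as in the original setup.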

Thanks for the info. Yet why does the official Crowdsec Docker documentation example show ${API_KEY}?

It's just a placeholder value we use across the documentation for some of the newer bouncers; the sentence above does state to replace it, but it's not obvious. I do understand that this format is the same as e.g. Docker, but it does not work the same.