Cloudflare bouncer cannot connect to LAPI

Hi,

I installed Crowdsec and Crowdsec firewall bouncer on Home Assistant, and it is working great. Thank you for that.

I am using Cloudflare Tunnel for remote access to Home Assistant.

I would like to use the Cloudflare bouncer as a Home Assistant add-on to block at the edge and not on HA itself.

I forked the add-on repo and created a new Cloudflare bouncer add-on based on the Cloudflare firewall bouncer add-on.
https:// GitHub - krisbogaerts/home-assistant-addons: Home Assistant Crowdsec Addons

I switched to Debian package installation because of problems with the assisted installs and package versions.

Currently, it installs successfully on arm64, but the LAPI connection fails:

time="02-09-2022 07:35:23" level=fatal msg="LAPI can't be reached"

The connectivity itself is working: a telnet to the configured address on port 8080 connects.

Manually running crowdsec-cloudflare-bouncer -s from Docker also creates the Cloudflare rules.

This is the generated config file:

# CrowdSec Config
crowdsec_lapi_url: http://424ccef4-crowdsec:8080/
crowdsec_lapi_key: –
crowdsec_update_frequency: 10s
include_scenarios_containing: # ignore IPs banned for triggering scenarios not containing either of provided word, eg ["ssh", "http"]
exclude_scenarios_containing: # ignore IPs banned for triggering scenarios containing either of provided word
only_include_decisions_from: # only include IPs banned due to decisions originating from provided sources. eg value ["cscli", "crowdsec"]

# Cloudflare Config.
cloudflare_config:
  accounts:
  - id: -
    token: -
    ip_list_prefix: crowdsec
    default_action: managed_challenge
    total_ip_list_capacity: # only this many latest ip scoped decisions would be kept
    zones:
    - actions:
      - managed_challenge # valid choices are either of managed_challenge, js_challenge, block
      zone_id: 20d74e6ea99388e7edcf5f09051279a7

  update_frequency: 30s # the frequency to update the cloudflare IP list

# Bouncer Config
daemon: true
log_mode: file
log_dir: /var/log/
log_level: info # valid choices are either debug, info, error
log_max_size: 40
log_max_age: 30
log_max_backups: 3
compress_logs: true

prometheus:
  enabled: false
  listen_addr: 127.0.0.1

I'm trying to understand why it does not use the LAPI URL from the config file:

root@8ceb5262-crowdsec-cloudflare-bouncer:/# crowdsec-cloudflare-bouncer -c /etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml
time="02-09-2022 07:49:30" level=fatal msg="LAPI can't be reached"

Hello,

The error message can be a little deceiving in some situations; it can also mean that the bouncer could not authenticate successfully to LAPI.

Can you check the crowdsec add-on logs? You will see all requests made to LAPI and see if you have any requests to /v1/decisions/stream that return a code other than 200 (or any request at all, this will confirm the bouncer is at least able to open a connection to LAPI).

If you see a 403 error in the LAPI logs, make sure the API key used by the cloudflare bouncer is correct (you can generate a new one by running cscli bouncers add cloudflare-bouncer in the crowdsec container).

If you do not see any requests made by the cloudflare bouncer, set the bouncer log level to debug, it should display more information about the HTTP requests to LAPI and give us more insights into what is happening.
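One way to run the check described in the reply above as a script, added here as an example (not code from the thread or from the CrowdSec project): it reads LAPI log lines, counts the status codes of /v1/decisions/stream calls made by a given bouncer, and applies the same decision tree (no requests, 403, 200). The log line shape, the user-agent strings and the sample lines are assumptions modelled on the fatal line quoted in the thread.

```python
import re
from collections import Counter

# Shape of the request line CrowdSec LAPI logs for each call (assumed; modelled on
# the fatal line quoted in the thread). Adjust the pattern if your version differs.
REQ_RE = re.compile(
    r'\\?"(?P<method>[A-Z]+) (?P<path>/\S+) HTTP/\d\.\d (?P<status>\d{3}) '
    r'(?P<duration>\S+) \\?"(?P<agent>[^"\\]*)'
)

# Constructed sample LAPI log: two rejected cloudflare-bouncer calls, one healthy
# firewall-bouncer call and one unrelated line. Not taken from the forum post.
SAMPLE_LAPI_LOG = r'''time="02-09-2022 07:35:20" level=info msg="Starting processing data"
time="02-09-2022 07:35:23" level=info msg="172.30.33.2 - [Fri, 02 Sep 2022 07:35:23 UTC] \"GET /v1/decisions/stream?startup=true HTTP/1.1 403 0.3ms \"crowdsec-cloudflare-bouncer/v0.2.0\" \""
time="02-09-2022 07:35:33" level=info msg="172.30.33.2 - [Fri, 02 Sep 2022 07:35:33 UTC] \"GET /v1/decisions/stream?startup=true HTTP/1.1 403 0.2ms \"crowdsec-cloudflare-bouncer/v0.2.0\" \""
time="02-09-2022 07:35:40" level=info msg="172.30.33.5 - [Fri, 02 Sep 2022 07:35:40 UTC] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 1.1ms \"crowdsec-firewall-bouncer/v0.0.25\" \""
'''


def triage_lapi_log(log_text: str, agent_hint: str = "cloudflare") -> dict:
    """Count status codes of /v1/decisions/stream calls from the bouncer whose
    user-agent contains agent_hint, then apply the decision tree from the reply."""
    statuses = Counter()
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m or agent_hint not in m["agent"]:
            continue  # unrelated log line, or a request from another bouncer
        if m["path"].split("?", 1)[0] == "/v1/decisions/stream":
            statuses[int(m["status"])] += 1
    total = sum(statuses.values())
    if total == 0:
        verdict, hint = "no_requests", "bouncer never reached LAPI; check URL/network and set log_level: debug"
    elif statuses[403]:
        verdict, hint = "bad_api_key", "LAPI rejected the key; regenerate it with 'cscli bouncers add <name>'"
    elif statuses[200] == total:
        verdict, hint = "ok", "every stream request succeeded"
    else:
        verdict, hint = "other_error", "non-200 responses; read the LAPI log around those requests"
    return {"requests": total, "statuses": dict(statuses), "verdict": verdict, "hint": hint}


if __name__ == "__main__":
    print(triage_lapi_log(SAMPLE_LAPI_LOG))                        # cloudflare bouncer: bad_api_key
    print(triage_lapi_log(SAMPLE_LAPI_LOG, agent_hint="firewall"))  # firewall bouncer: ok
```

Feed it the real add-on log instead of the sample (for example the output of docker logs for the crowdsec container) and pass the user-agent fragment of the bouncer you are debugging.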

Hi,

Thank you for helping me out here!
It was indeed a 403 error. I made a typo in the HA add-on configuration file for the key.

It seems to be working fine now.

Gr
Kris