Hello,
I have Crowdsec and Cloudflare’s worker bouncer working and it’s working fantastic! I have now come to the time where I want to protect another server with a specific route. The issue I am running into is both bouncers are fighting for the name crowdsec-cloudflare-worker-bouncer in cloudflare so they overwrite each other. I looked through the documentation but I don’t see anywhere to set a custom name for the worker name. Is that something that is supported?
I believe my WIP PR should fix this: wip: expose worker options by LaurenceJJones · Pull Request #30 · crowdsecurity/cs-cloudflare-worker-bouncer · GitHub
As currently the worker options are not exposed in the settings, and you can override the name of the script inside this PR.
Thanks @iiAmLoz. I will wait for that PR to be merged. I am not the best when it comes to pulling down code and compiling it by hand, otherwise I would help test the change. Thanks!
@iiAmLoz I believe I was able to get your PR downloaded and compiled but I am running into an issue starting the bouncer.
config
# Config generated by using /etc/crowdsec/bouncers/crowdsec-cloudflare-worker-bouncer.yaml as base
cloudflare_config:
  worker:
  accounts:
    - id: redacted
      ban_template: "" # template to use for ban action, set empty to use default
      zones:
        - zone_id: redacted
          actions: # supported actions for this zone. eg value ["ban", "captcha"]
            - captcha
          default_action: captcha
          routes_to_protect:
            - 'subdomain.redacted/*'
          turnstile: # Turnstile must be enabled if captcha action is used.
            enabled: true
            rotate_secret_key: true
            rotate_secret_key_every: 168h0m0s
            mode: managed
      token: redacted
      account_name: redacted
crowdsec_config:
  lapi_url: http://127.0.0.1:8080
  lapi_key: redacted
  update_frequency: 10s
  include_scenarios_containing: [] # ignore IPs banned for triggering scenarios not containing either of provided word
  exclude_scenarios_containing: [] # ignore IPs banned for triggering scenarios containing either of provided word
  only_include_decisions_from: [] # only include IPs banned due to decisions originating from provided sources. eg value ["cscli", "crowdsec"]
  key_path: ""
  cert_path: ""
  ca_cert_path: ""
daemon: false
log_level: info
log_mode: ""
log_dir: /var/log/
prometheus:
  enabled: true
  listen_addr: 127.0.0.1
  listen_port: "2112"
It seems to be complaining on the worker: line when I try to start it. Is there any information that I am missing in the yaml file?
The YAML seems all over the place, could just be website formatting, but in short you just needed to add
cloudflare_config:
  worker:
    script_name: the-script-name-for-all-zones-in-this-file
  accounts:
    ...
Thanks, I will try that. Agreed on the formatting being the site. It looks okay to me from within vim. I will report back with what I find.
I was able to get it working and I saw my worker get created but I am running into the issue when I try to go to the site. I am trying to dig into the Cloudflare logs.
I am still looking but I am not sure if this means anything.
"scriptName": "custom-crowdsec-cloudflare-worker-bouncer",
"diagnosticsChannelEvents": [],
"exceptions": [
  {
    "stack": " at getRemediationForRequest (worker.mjs:6749:49)\n at Object.fetch (worker.mjs:6787:29)",
    "name": "TypeError",
    "message": "Cannot read properties of undefined (reading 'get')",
    "timestamp": 1714151198252
  }
],
Yes, I see the issue and will push a fix.
Edit: I pushed a fix which now allows it to work. The issue was the worker is hardcoded to use a single namespace and the worker push code didn't know about this.
Thanks @iiAmLoz! I should be able to give it a test later today. I will let you know my results once I do.
@iiAmLoz Sorry it took me so long to get back to you.
I compiled the new version but when I run install.sh it is failing.
[root@host crowdsec-cloudflare-worker-bouncer-v0.0.6-16-g24cfbe1]# ./install.sh
Installing crowdsec-cloudflare-worker-bouncer
'./crowdsec-cloudflare-worker-bouncer' -> '/usr/local/bin/crowdsec-cloudflare-worker-bouncer'
cscli found, generating bouncer api key.
API Key: key
Job for crowdsec-cloudflare-worker-bouncer.service failed because the control process exited with error code.
See "systemctl status crowdsec-cloudflare-worker-bouncer.service" and "journalctl -xeu crowdsec-cloudflare-worker-bouncer.service" for details.
Here is the output of journalctl.
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: panic: runtime error: invalid memory address or nil pointer dereference
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xb635ab]
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: goroutine 1 [running]:
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: github.com/crowdsecurity/crowdsec-cloudflare-worker-bouncer/pkg/cfg.(*CloudflareWorkerCreateParams).setDefaults(...)
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: github.com/crowdsecurity/crowdsec-cloudflare-worker-bouncer/pkg/cfg/config.go:59
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: github.com/crowdsecurity/crowdsec-cloudflare-worker-bouncer/pkg/cfg.NewConfig({0xeb4260, 0xc000592000})
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: github.com/crowdsecurity/crowdsec-cloudflare-worker-bouncer/pkg/cfg/config.go:181 +0x50b
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: github.com/crowdsecurity/crowdsec-cloudflare-worker-bouncer/cmd.getConfigFromPath({0x7ffc491a5edf?, 0x41a038?})
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: github.com/crowdsecurity/crowdsec-cloudflare-worker-bouncer/cmd/root.go:82 +0xd8
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: github.com/crowdsecurity/crowdsec-cloudflare-worker-bouncer/cmd.Execute(0xc0000e0150?, 0xc0000bc050?, 0x1?, 0x0?, 0xc00051c079, 0xc00051c07a, 0xc00051c07b, 0xc00051c07c)
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: github.com/crowdsecurity/crowdsec-cloudflare-worker-bouncer/cmd/root.go:130 +0x2d1
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: main.main()
May 02 12:12:29 host crowdsec-cloudflare-worker-bouncer[19067]: github.com/crowdsecurity/crowdsec-cloudflare-worker-bouncer/main.go:21 +0x212
May 02 12:12:29 host systemd[1]: crowdsec-cloudflare-worker-bouncer.service: Control process exited, code=exited, status=2/INVALIDARGUMENT
go version
[root@host crowdsec-cloudflare-worker-bouncer-v0.0.6-16-g24cfbe1]# go version
go version go1.22.2 linux/amd64
Thanks for the help!
Apologies, there are not a lot of tests written for this program, so it was never picked up that if you don't define a worker node it will be nil, causing a nil pointer. Made this not a pointer by default so it shouldn't panic, and wrote some basic tests to ensure this moving forward.
No worries. I will pull that latest change and see how it goes. Thanks!
@iiAmLoz Things seem to be working now. Thanks for your help! I will keep running your branch for now and upgrade once new rpms are pushed.