Tbs
Hello,
I have been trying for many hours to get the CrowdSec bouncer to work for HTTPS, but I failed. With the configuration below, whoami doesn't work anymore.
Can anybody tell me what I should do differently?
Traefik static yml
experimental:
  plugins:
    bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.2.0-rc1
Traefik dynamic yml:
http:
  middlewares:
    crowdsec:
      plugin:
        bouncer:
          enabled: true
          logLevel: DEBUG
          CrowdsecMode: live
          CrowdsecAppsecEnabled: true
          CrowdsecAppsecHost: crowdsec:7422
          CrowdsecLapiScheme: https
          CrowdsecLapiTLSInsecureVerify: true
          CrowdsecLapiHost: crowdsec:8080
          CrowdsecLapiKey: xxx
          CrowdsecAppsecFailureBlock: true
  services:
    service-whoami:
      loadBalancer:
        servers:
          - url: http://whoami:80
  routers:
    # Define the router for the whoami service
    router-whoami:
      rule: "Host(`url.net`) && PathPrefix(`/whoami`)"
      service: service-whoami
      entryPoints:
        - websecure
      middlewares:
        - crowdsec
      tls:
        certResolver: myresolver
Whoami compose:
version: "3.9"
services:
  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      traefik.enable: true
      traefik.http.routers.router-whoami.rule: Host(`url.net`) && PathPrefix(`/whoami`)
      traefik.http.routers.router-whoami.entrypoints: websecure
      traefik.http.routers.router-whoami.tls.certresolver: myresolver
      traefik.http.routers.router-whoami.middlewares: crowdsec
    networks:
      - traefik_ingress
networks:
  traefik_ingress:
    external: true
Thanks a lot
Tbs
Have you set up TLS within crowdsec?
Also, including the logs that traefik spits out might help us dig down.
Tbs
Sorry for missing that.
In the dashboard it shows one HTTP error: middleware "crowdsec@docker" does not exist.
The full traefik.log will come in the next post as soon as a staff member checked that.
The crowdsec compose file from crowdsec is:
version: "3.4"
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    ports:
      - "8080:8080"
      - "7422:7422"
    environment:
      PGID: "1000"
      GID: "1000"
      TZ: "Europe/Berlin"
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/http-dos crowdsecurity/base-http-scenarios crowdsecurity/iptables crowdsecurity/linux crowdsecurity/pgsql crowdsecurity/nextcloud crowdsecurity/sshd crowdsecurity/sshd-impossible-travel crowdsecurity/whitelist-good-actors"
      BOUNCER_KEY_TRAEFIK: "key"
    volumes:
      - ./crowdsec/data:/var/lib/crowdsec/data
      - ./crowdsec:/etc/crowdsec
      - ./crowdsec/logs/web:/logs/web:ro
      - /var/log/:/var/log/:ro
    restart: always
    network_mode: host
To your question whether I have set up TLS within crowdsec: I don't think so. How can I do that?
You need to configure the tls section of the config.
And I am staff, so I will review the post; however, if you haven't set up TLS in the first place, that is most likely the first issue.
Tbs
Thanks for that hint. I updated the config.yaml, but I am not sure if that is correct (sorry, I am a total beginner here):
cscli:
  output: human
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  flush:
    max_items: 5000
    max_age: 7d
  use_wal: false
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 0.0.0.0:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    trusted_ips: # IP ranges, or IPs which can have admin API access
      - 127.0.0.1
      - ::1
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    enable: true
    tls:
      cert_file: /var/lib/crowdsec/data/crowdsec-cert.pem
      key_file: /var/lib/crowdsec/data/crowdsec-key.pem
      client_verification: "NoClientCert"
prometheus:
  enabled: true
  level: full
  listen_addr: 0.0.0.0
  listen_port: 6060
Br
Tbs
So these files are mounted into the container?
Tbs
Yes, correct, I mounted them into the container via the compose file.
The error in the dashboard is still: middleware "crowdsec@docker" does not exist.
Then I advise debugging to see if traefik is actually loading the middlewares. I don't use traefik, so I don't know how to debug that specific error.
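What the dashboard error actually says, as an added example that is not part of the thread above: a router declared through Docker labels that references a middleware without a provider suffix makes Traefik look the name up in the provider the router came from, so `middlewares: crowdsec` on the whoami labels becomes `crowdsec@docker`. The middleware in this setup is declared in the dynamic file config, which makes its full name `crowdsec@file`. The compose file below is the thread's whoami service with that one label corrected; the host name `url.net`, the resolver `myresolver` and the network `traefik_ingress` are the values from the posted configuration.

```yaml
# Added example (not from the thread): the posted whoami compose file with the
# middleware reference qualified by the provider that defines it.
# Assumes the `crowdsec` middleware is declared in Traefik's dynamic *file*
# config (as in the posted "Traefik dynamic yml") and the router is declared
# via Docker labels.
version: "3.9"
services:
  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      traefik.enable: "true"
      traefik.http.routers.router-whoami.rule: "Host(`url.net`) && PathPrefix(`/whoami`)"
      traefik.http.routers.router-whoami.entrypoints: websecure
      traefik.http.routers.router-whoami.tls.certresolver: myresolver
      # Before:  traefik.http.routers.router-whoami.middlewares: crowdsec
      # Traefik resolved that as crowdsec@docker, which does not exist.
      # After: point at the middleware defined by the file provider.
      traefik.http.routers.router-whoami.middlewares: crowdsec@file
    networks:
      - traefik_ingress

networks:
  traefik_ingress:
    external: true
```

The alternative fix is to remove the router labels altogether and keep only the `router-whoami` declared in the dynamic file, where the unqualified `crowdsec` already resolves to `crowdsec@file`; having `router-whoami` in both the file and the Docker provider with an identical rule gives Traefik two competing routers for the same requests, so it should live in one place only. Once the middleware loads, two other points in the posted files are worth checking: the crowdsec container runs with `network_mode: host`, so it is not attached to `traefik_ingress` and the name `crowdsec` used in `CrowdsecLapiHost` and `CrowdsecAppsecHost` will not resolve from the Traefik container (the `ports:` entries are also ignored in host mode); those settings then need the Docker host's address instead. And `CrowdsecLapiKey` must carry the same value as `BOUNCER_KEY_TRAEFIK` in the crowdsec compose file, since that variable is what registers the bouncer with that key. With `CrowdsecLapiTLSInsecureVerify: true` the bouncer accepts the self-signed `crowdsec-cert.pem` without verifying it, which is acceptable for getting the setup running but should be replaced by trusting the issuing certificate once it works.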