Crowdsec add Bouncer to Traefik in Docker container

Hello,
I have been trying for many hours to get the CrowdSec bouncer for HTTPS to work, but I failed. With the configuration below, whoami doesn't work anymore.

Can anybody tell me what I should do differently?

Traefik static yml:

experimental:
  plugins:
    bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.2.0-rc1

Traefik dynamic yml:

http:
    middlewares:
        crowdsec:
            plugin:
                bouncer:
                    enabled: true
                    logLevel: DEBUG
                    CrowdsecMode: live
                    CrowdsecAppsecEnabled: true
                    CrowdsecAppsecHost: crowdsec:7422
                    CrowdsecLapiScheme: https
                    CrowdsecLapiTLSInsecureVerify: true
                    CrowdsecLapiHost: crowdsec:8080
                    CrowdsecLapiKey: xxx
                    CrowdsecAppsecFailureBlock: true

    services:
      service-whoami:
        loadBalancer:
          servers:
            - url: http://whoami:80
    routers:
      # Define the router for the whoami service
      router-whoami:
        rule: "Host(`url.net`) && PathPrefix(`/whoami`)"
        service: service-whoami
        entryPoints:
          - websecure
        middlewares:
          - crowdsec
        tls:
          certResolver: myresolver

Whoami compose:

version: "3.9"

services:
  whoami:
    image: "traefik/whoami"
    container_name: "whoami"

    labels:
      traefik.enable: true
      traefik.http.routers.router-whoami.rule: Host(`url.net`) && PathPrefix(`/whoami`)
      traefik.http.routers.router-whoami.entrypoints: websecure
      traefik.http.routers.router-whoami.tls.certresolver: myresolver
      traefik.http.routers.router-whoami.middlewares: crowdsec

    networks:
      - traefik_ingress
networks:
  traefik_ingress:
    external: true

Thanks a lot
Tbs

Have you set up TLS within CrowdSec?

Also, including the logs that Traefik spits out might help us dig down.

Sorry for missing that.

In the dashboard it shows one HTTP error: middleware "crowdsec@docker" does not exist

The full traefik.log will come in the next post as soon as a staff member has checked it.

The CrowdSec compose file is:

version: "3.4"

services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    ports:
    - "8080:8080"
    - "7422:7422"
    environment:
      PGID: "1000"
      GID: "1000"
      TZ: "Europe/Berlin"
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/http-dos crowdsecurity/base-http-scenarios crowdsecurity/iptables crowdsecurity/linux crowdsecurity/pgsql crowdsecurity/nextcloud crowdsecurity/sshd crowdsecurity/sshd-impossible-travel crowdsecurity/whitelist-good-actors"
      BOUNCER_KEY_TRAEFIK: "key"
    volumes:
      - ./crowdsec/data:/var/lib/crowdsec/data
      - ./crowdsec:/etc/crowdsec
      - ./crowdsec/logs/web:/logs/web:ro
      - /var/log/:/var/log/:ro

    restart: always
    network_mode: host

To your question whether I have set up TLS within CrowdSec: I don't think so :frowning: How can I do that?

You need to configure the tls section of the config.

And I am staff, so I will review the post. However, if you haven't set up TLS in the first place, that is most likely the first issue.


Thanks for that hint. I updated the config.yaml, but I am not sure if that is correct (sorry, I am a total beginner here):

cscli:
  output: human
db_config:
  log_level: info
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  flush:
    max_items: 5000
    max_age: 7d
  use_wal: false
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 0.0.0.0:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    trusted_ips: # IP ranges, or IPs which can have admin API access
      - 127.0.0.1
      - ::1
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    enable: true
    tls:
      cert_file: /var/lib/crowdsec/data/crowdsec-cert.pem
      key_file: /var/lib/crowdsec/data/crowdsec-key.pem
      client_verification: "NoClientCert"
prometheus:
  enabled: true
  level: full
  listen_addr: 0.0.0.0
  listen_port: 6060

Br
Tbs

So these files are mounted into the container?

Yes correct, I mounted them via compose file to the container.

The error in the dashboard is still: middleware "crowdsec@docker" does not exist

Then I advise you to debug and see if Traefik is actually loading the middlewares. I don't use Traefik, so I don't know how to debug that specific error.
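One way to do that debugging offline, as an added example that is not from the thread: Traefik names every object `<name>@<provider>`, and a router that references a middleware without a suffix resolves it against the router's own provider. The script below mirrors the thread's file-provider dynamic config and the whoami compose labels as constructed inputs and reports which references resolve; the `check`, `qualify` and `docker_objects` helpers are assumptions of this example, not Traefik or CrowdSec APIs.

```python
"""Resolve Traefik middleware references across providers (added example).

A router declared by docker labels that references the bare name "crowdsec"
looks for "crowdsec@docker", while the middleware in the dynamic yml lives in
the file provider as "crowdsec@file". That mismatch produces the dashboard
error quoted in the thread; the qualified name "crowdsec@file" resolves it.
"""
import re

# Constructed inputs mirroring the thread's configs.
FILE_PROVIDER = {
    "middlewares": {"crowdsec"},                   # http.middlewares.crowdsec
    "routers": {"router-whoami": ["crowdsec"]},    # router in the dynamic yml
}
DOCKER_LABELS = {
    "traefik.enable": "true",
    "traefik.http.routers.router-whoami.rule": "Host(`url.net`) && PathPrefix(`/whoami`)",
    "traefik.http.routers.router-whoami.middlewares": "crowdsec",
}

LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.(.+)$")

def docker_objects(labels):
    """Return (router -> middleware refs, middleware names) declared via labels."""
    routers, middlewares = {}, set()
    for key, value in labels.items():
        m = LABEL_RE.match(key)
        if not m:
            continue
        kind, name, rest = m.groups()
        if kind == "middlewares":
            middlewares.add(name)
        elif rest == "middlewares":
            routers[name] = [v.strip() for v in str(value).split(",") if v.strip()]
    return routers, middlewares

def qualify(ref, router_provider):
    """Traefik's rule: a bare name inherits the provider of the referencing router."""
    return ref if "@" in ref else f"{ref}@{router_provider}"

def check(file_cfg, labels):
    """Map every 'router@provider -> middleware@provider' reference to a verdict."""
    docker_routers, docker_mws = docker_objects(labels)
    defined = {f"{n}@file" for n in file_cfg["middlewares"]} | {f"{n}@docker" for n in docker_mws}
    report = {}
    for provider, routers in (("file", file_cfg["routers"]), ("docker", docker_routers)):
        for router, refs in routers.items():
            for ref in refs:
                q = qualify(ref, provider)
                hint = [d for d in defined if d.split("@")[0] == ref.split("@")[0]]
                report[f"{router}@{provider} -> {q}"] = (
                    "ok" if q in defined else f"missing; use {hint[0]}" if hint else "missing")
    return report

if __name__ == "__main__":
    for ref, verdict in check(FILE_PROVIDER, DOCKER_LABELS).items():
        print(ref, verdict)
```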