Setting up CrowdSec with Nginx Proxy Manager

Hi guys,

I recently decided to use CrowdSec with my Nginx Proxy Manager instance (no Docker, just a Debian 11 LXC) and, to be honest, I’m a bit lost.

Now, the installation itself ran absolutely smoothly. The agent is installed, and it is registered with the CrowdSec console, reporting an active agent and 33 scenarios.

Of course, CrowdSec covers Nginx as well as Nginx Proxy Manager, and that’s where the confusion starts with all the agents, configurations, collections and bouncers. :see_no_evil:

During the installation, the agent recognized two services: Nginx and Linux. It also activated two collections, crowdsecurity/linux and crowdsecurity/nginx. However, it did NOT activate crowdsecurity/nginx-proxy-manager, which is what I would have thought. So, this is the first question: Is it correct to have both active or should I deactivate crowdsecurity/nginx and switch to crowdsecurity/nginx-proxy-manager?

Then, there are configurations, namely nginx-logs, nginx-mail-logs, nginx-proxy-manager-logs and nginx-req-limit-exceeded, none of which are mentioned in the installation wiki, so I’m not sure if those are essential or not.

At last, there are bouncers. A boatload of firewall ones with similar names, and exactly one with Nginx in it: cs-nginx-bouncer. Mind you, it doesn’t specifically say cs-nginx-proxy-manager-bouncer. So, that’s another point that has me puzzled if it’s even the right one. The problem is, installing it also means installing Nginx – which is already there as a part of Nginx Proxy Manager. sighs

Sorry for being the noob of the year, but I’d really appreciate if anybody could lift me out of this hole.

So let's break down your questions.

However, it did NOT activate crowdsecurity/nginx-proxy-manager

CrowdSec at the moment cannot separate nginx-proxy-manager and nginx, as they're not two different technologies; they are both nginx under the hood. One has a GUI, the other does not. We are working on better detection; however, in this use case it would be near impossible for us to ever know if you are using nginx-proxy-manager since, as stated, it's the same web server under the hood.

So to move forward on the top point, you would have to manually install the nginx-proxy-manager collection and set up the file paths under the acquis.yaml.

At last, there are bouncers. A boatload of firewall ones with similar names, and exactly one with Nginx in it: cs-nginx-bouncer. Mind you, it doesn’t specifically say cs-nginx-proxy-manager-bouncer. So, that’s another point that has me puzzled if it’s even the right one. The problem is, installing it also means installing Nginx – which is already there as a part of Nginx Proxy Manager. sighs

Now the bouncers are quite a different topic, especially when it comes to nginx-proxy-manager; as you said, it tries to install normal nginx. It would take a custom nginx-proxy-manager image to achieve this; some of the community has already done this: Docker

However, this is not an official support package by us or nginx-proxy-manager themselves, so it is up to the community member to keep this updated.

If you are using a standard VM with no proxy in front, like Cloudflare for example, you can use the firewall bouncer and turn on the DOCKER-USER chain, as by default Docker ignores any firewall rules in front of it.

Thanks for getting back to me! :grinning:

CrowdSec at the moment cannot separate nginx-proxy-manager and nginx, as they're not two different technologies; they are both nginx under the hood. One has a GUI, the other does not. We are working on better detection; however, in this use case it would be near impossible for us to ever know if you are using nginx-proxy-manager since, as stated, it's the same web server under the hood.

Yes, that makes perfect sense. Thing is, I’m not aware of the intricacies. It’s both nginx, but it may be installed across varying folders in order to cater to npm.

In the end, I did manage to install the nginx-proxy-manager collection and added the respective logs to my acquis.yaml. I also installed the crowdsec-firewall-bouncer-nftables.

As you said, there is no specific bouncer for npm. That’s fine, you can’t expect the devs to consider every configuration under the sun and deliver tailor-made solutions for the most minute deviations from standards.

What confuses me is that there is an nginx-proxy-manager collection, which doesn’t make sense to me without a respective bouncer. Or would the crowdsec-firewall-bouncer-nftables work just fine as long as it gets results through the collection? I guess that’s where I just don’t understand yet how the single parts work together exactly.

Also, my /var/log/syslog just won’t get parsed for some reason.

And yes, it’s a Debian LXC container with a bare metal npm install. It does route to a different container that runs my Docker images, though. Would I still need that DOCKER-USER option and where would I need to place it if you don’t mind me asking?

I have a very similar configuration to yours. What log file did you put in acquis.yaml for NPM? By default the nginx logs: /usr/local/openresty/nginx/logs/error.log, however this file is empty.

NPM has different log files which can include logs for npm and all the proxy hosts. A best practice will be configuring crowdsec to read all those log files and parse them for the Nginx proxy manager collections.

Open your acquis.yaml and add the config below;

filenames:
  - /path/to/npm/logs/*.log
labels:
  type: nginx-proxy-manager

Obviously replace the path with the path to your npm logs but make sure you set *.log so it reads all log files npm creates.

Note: the forum replaces dash before the path with a period for some reason.
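
An added example (not from the thread or from CrowdSec): a small Python check for the acquis.yaml shape posted above. It flags list entries that lack a leading dash, a missing or mis-indented labels.type, and globs that match no file or only empty files. parse_acquis and check_acquis are hypothetical helper names, and the reader handles only this simple filenames/labels layout.

```python
import glob
import os
import re
import tempfile

def parse_acquis(text):
    """Read the simple acquis.yaml shape from this thread (a filenames list
    plus labels.type per document). Not a general YAML parser."""
    sources = []
    for doc in re.split(r"(?m)^---\s*$", text):
        if not doc.strip():
            continue
        src, section = {"filenames": [], "type": None}, None
        for line in doc.splitlines():
            top = re.match(r"^(\w+):\s*$", line)           # top-level key
            item = re.match(r"^\s*-\s+(.+?)\s*$", line)    # "- /path/*.log"
            kind = re.match(r"^\s+type:\s*(\S+)", line)    # indented type:
            if top:
                section = top.group(1)
            elif item and section == "filenames":
                src["filenames"].append(item.group(1).strip("'\""))
            elif kind and section == "labels":
                src["type"] = kind.group(1)
        sources.append(src)
    return sources

def check_acquis(text):
    """Return problems likely to leave a log source unread or unparsed."""
    problems = []
    for n, src in enumerate(parse_acquis(text), 1):
        if not src["filenames"]:
            problems.append(f"source {n}: no filenames entries")
        if not src["type"]:
            problems.append(f"source {n}: labels.type missing")
        for pattern in src["filenames"]:
            files = glob.glob(pattern)
            if not files:
                problems.append(f"source {n}: {pattern} matches no file")
            elif all(os.path.getsize(f) == 0 for f in files):
                problems.append(f"source {n}: {pattern} matches only empty files")
    return problems

if __name__ == "__main__":
    # Constructed sample: a temp dir stands in for the NPM log directory.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "proxy-host-1_access.log"), "w") as f:
            f.write("constructed log line\n")
        good = f"filenames:\n  - {d}/*.log\nlabels:\n  type: nginx-proxy-manager\n"
        print(check_acquis(good))                          # well-formed source
        print(check_acquis(good.replace("  - ", "  • ")))  # bullet, not a dash
```
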