Traefik Bouncer

GitHub - fbonalair/traefik-crowdsec-bouncer: A http service to verify request and bounce them according to decisions made by CrowdSec.
GitHub
The aim here is to implement a CrowdSec bouncer for the router Traefik to block malicious IP to access your services. For this, it leverages Traefik v2 ForwardAuth middleware and query CrowdSec with client IP. If the client IP is on ban list, it will get a http code 403 response. Otherwise, request will continue as usual.
Flow of information
What is a parser?
Parsers take log formats and breaks it into readable information for the CrowdSec app. We will be using the Traefik parser to take the Traefik access logs and pass that information over to the CrowdSec app to make decisions.
Source: https://docs.crowdsec.net/docs/parsers/intro​
What is a bouncer?
Bouncers react to decision made by CrowdSec. In this case, the Traefik bouncer will take the decision made by CrowdSec and either allow or deny the traffic going through Traefik. CrowdSec on its own will just make the decisions to ban IP's. It will do this by connecting back to the mothership to get the information required to make the decisions locally.
Check out available bouncers on the hub​
What is a Scenario?
A scenario is a behaviour, i.e. is it a brute force attack that is happening. You can choose which Scenarios you would like to check the traffic against. In this Traefik collection, we will be using the typical http behaviours.
Source: https://docs.crowdsec.net/docs/scenarios/intro​
Enable the Bouncer
docker exec crowdsec cscli bouncers add traefik-bouncer
PLEASE NOTE
This is the only time the api will be shown, make sure to note down this API key somewhere safe.
Adding the API and Collection
Now we need to add the Traefik collection to the CrowdSec compose file and also the bouncer install along with the API key.
version: "3.4"
​
services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve"
    volumes:
      - /opt/appdata/crowdsec/data:/var/lib/crowdsec/data
      - /opt/appdata/crowdsec:/etc/crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
    restart: unless-stopped
​
  crowdsec-traefik-bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: YourSuperSecureAPIKey
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    depends_on:
      - crowdsec
    restart: unless-stopped
​
networks:
  default:
    external: true
    name: proxy
Mapping the Log Files
sudo nano /opt/appdata/crowdsec/acquis.yaml
filenames:
  - /var/log/crowdsec/traefik.log
labels:
  type: traefik
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
Traefik
Enable Logging
sudo nano /opt/appdata/traefik/traefik.yml
accessLog:
  filePath: "/var/log/crowdsec/traefik.log"
  bufferingSize: 50
Add the CrowdSec Middleware
sudo nano /opt/appdata/traefik/traefik.yml
      middlewares:
        - [email protected]
        - crowdsec-[email protected]
sudo nano /opt/appdata/traefik/fileConfig.yml
    crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true
Add the Log file Volume Mapping
sudo nano /opt/appdata/traefik/docker-compose.yml
    volumes:
      - /opt/appdata/traefik/:/etc/traefik/
      - /var/log/crowdsec/:/var/log/crowdsec/
Restart CrowdSec and Traefik
cd /opt/appdata/traefik; sudo docker-compose up -d
cd /opt/appdata/crowdsec; sudo docker-compose up -d

Docker Compose

Authelia Collection

Last modified 1yr ago