Traefik Bouncer

The aim here is to run a CrowdSec bouncer for the Traefik reverse proxy so that IPs CrowdSec has decided to ban cannot reach your services. It uses the Traefik v2 ForwardAuth middleware: every request is first sent to the bouncer, which looks up the client IP against CrowdSec's decisions.

If the client IP has an active ban decision, the bouncer answers with HTTP 403 and Traefik returns that to the client. Otherwise the request continues to the service as usual.

Flow of information

What is a parser?

Parsers take a log format and break each line into structured fields that CrowdSec can evaluate. We will be using the Traefik parser to read the Traefik access log and feed that information to CrowdSec so it can make decisions.

What is a bouncer?

Bouncers react to decisions made by CrowdSec. In this case, the Traefik bouncer takes the decision made by CrowdSec and either allows or denies the traffic going through Traefik. CrowdSec itself only makes the decisions to ban IPs: it does so locally, by matching your parsed logs against the scenarios you have installed, and it also pulls the community blocklist from the CrowdSec central API so that IPs reported by other users are blocked as well.

Check out available bouncers on the hub

What is a Scenario?

A scenario describes a behavior, for example a brute-force attack in progress. You choose which scenarios the traffic is checked against. The Traefik collection used here bundles the typical HTTP scenarios (path probing, brute force and similar).
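To make the parser, scenario, decision and bouncer chain concrete, here is an added Python example; it is not code from CrowdSec, the bouncer or this guide. It parses a few constructed Traefik access-log lines in Traefik's default (CLF) format, applies a toy "too many 404s from one IP" scenario, and then acts as a bouncer on the resulting decisions. The threshold, window and ban duration are illustrative values, not the ones the hub scenarios use, and the sample log lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Traefik's default (CLF) access-log format.
# 203.0.113.10 probes for files that do not exist; 198.51.100.7 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 19 "-" "curl/8.0" 1 "web@docker" "http://172.19.0.5:80" 2ms
203.0.113.10 - - [10/Oct/2023:12:00:02 +0000] "GET /.env HTTP/1.1" 404 19 "-" "curl/8.0" 2 "web@docker" "http://172.19.0.5:80" 1ms
203.0.113.10 - - [10/Oct/2023:12:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 19 "-" "curl/8.0" 3 "web@docker" "http://172.19.0.5:80" 1ms
203.0.113.10 - - [10/Oct/2023:12:00:04 +0000] "GET /admin HTTP/1.1" 404 19 "-" "curl/8.0" 4 "web@docker" "http://172.19.0.5:80" 1ms
203.0.113.10 - - [10/Oct/2023:12:00:05 +0000] "GET /backup.zip HTTP/1.1" 404 19 "-" "curl/8.0" 5 "web@docker" "http://172.19.0.5:80" 1ms
198.51.100.7 - - [10/Oct/2023:12:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 6 "web@docker" "http://172.19.0.5:80" 3ms
198.51.100.7 - - [10/Oct/2023:12:00:07 +0000] "GET /missing HTTP/1.1" 404 19 "-" "Mozilla/5.0" 7 "web@docker" "http://172.19.0.5:80" 1ms
"""

# Parser: break one CLF line into the fields a scenario looks at.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one CLF line, or None if the line does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def parse_log(log_text):
    """Parse every line of an access log, silently skipping lines that do not match."""
    return [ev for ev in (parse_line(line) for line in log_text.splitlines()) if ev]


# Scenario: a toy sliding-window bucket. `threshold` 404s from one IP inside
# `window` produces a ban decision that expires after `ban_for` (illustrative values).
def run_scenario(events, threshold=5, window=timedelta(seconds=10), ban_for=timedelta(hours=4)):
    buckets = defaultdict(list)
    decisions = {}  # ip -> ban expiry
    for ev in events:
        if ev["status"] != 404:
            continue
        recent = [t for t in buckets[ev["ip"]] if ev["time"] - t < window]
        recent.append(ev["time"])
        buckets[ev["ip"]] = recent
        if len(recent) >= threshold and ev["ip"] not in decisions:
            decisions[ev["ip"]] = ev["time"] + ban_for
    return decisions


# Bouncer: the only question it asks is "is there a live decision for this IP?"
def bounce(decisions, client_ip, now):
    """Return the HTTP status the bouncer would answer for client_ip at time `now`."""
    expiry = decisions.get(client_ip)
    return 403 if expiry is not None and now < expiry else 200


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    decisions = run_scenario(events)
    now = events[-1]["time"]
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, bounce(decisions, ip, now))
```

Run as a script it prints 403 for the probing client and 200 for the normal visitor. The real scenarios are richer (leaky buckets, blackhole periods, per-scenario ban durations), but the shape is the same: the parser turns text into fields, the scenario turns fields into decisions, and the bouncer only ever consults decisions.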

Enable the Bouncer

Go inside the CrowdSec Docker console and run

cscli bouncers add traefik-bouncer

PLEASE NOTE

This is the only time the API key will be shown; note it down somewhere safe and treat it like a password, since anyone holding it can query the local API for decisions. If you lose it, delete the bouncer with cscli bouncers delete traefik-bouncer and add it again to get a new key.

Go to the Apps tab and install the crowdsec-traefik-bouncer container. In its template:

  1. Paste the API key generated above into this option.

  2. Leave the second option at its default.

  3. Enter the CrowdSec container's IP and its LAPI port (8080 by default).

Traefik

Enable Logging

Edit your Traefik static configuration file (traefik.yml) in your Traefik appdata folder (with nano, or with code-server, which is very useful; tutorial here: https://www.youtube.com/watch?v=7FMCBjUVaYQ&t=1s ).

nano /mnt/user/appdata/traefik/traefik.yml

accessLog:
  filePath: "/var/log/crowdsec/traefik.log"
  bufferingSize: 50

If your logs don't show the external IP of the users hitting the Traefik proxy but only the IP of the Docker gateway (for example 172.19.x.x here), the real address is only available from the X-Forwarded-For header set by the proxy in front of Traefik (Cloudflare, in this setup). Traefik discards forwarded headers unless the connection comes from an address listed under trustedIPs, so add your Docker network to that list in traefik.yml. Be deliberate about it: every range you list there is allowed to tell Traefik who the client is. If traffic that did not pass through Cloudflare can also reach Traefik via the Docker gateway, a client can forge X-Forwarded-For, and the bouncer will then check (and CrowdSec will ban) whatever address the client chose instead of its own. If that applies to you, restrict inbound traffic to Cloudflare's ranges at the firewall, or run Traefik in a way that lets it see the real source address (for example on the host network).

entryPoints:
  # Not used in apps, but redirect everything from HTTP to HTTPS
  http:
    address: :80
    forwardedHeaders:
      trustedIPs: &trustedIps
        # Start of Cloudflare public IP list for HTTP requests, remove this if you don't use Cloudflare
        - 172.19.0.0/16 #ADD YOUR DOCKER NETWORK HERE!!!
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of Cloudflare public IP list

Create a path mapping in your Traefik template so that /var/log/crowdsec inside the container points to the shared log folder created earlier; the CrowdSec container must read the same folder, otherwise the parser has nothing to work on.
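As an added check (example code, not part of this guide, Traefik or CrowdSec), the script below does two things with a handful of constructed access-log lines: it reports requests whose logged client is itself a trusted gateway address, which means the real client IP was not recovered and the bouncer would be querying CrowdSec about your own Docker gateway; and it models Traefik's forwarded-header rule to show why trusting the Docker network is only safe when the real client cannot reach that network directly. TRUSTED is an abbreviated copy of the ranges listed above, the log lines are made up, and effective_client_ip is a simplified model of Traefik's behaviour written for this example, not Traefik's code.

```python
import ipaddress

# Abbreviated copy of the trustedIPs from the entryPoint configuration above
# (Docker network plus a few Cloudflare ranges); the full list lives in traefik.yml.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "172.19.0.0/16",
    "173.245.48.0/20",
    "104.16.0.0/12",
    "2606:4700::/32",
)]

# Constructed access-log lines: the first two show what you see when Traefik sits
# behind Docker NAT and every client is logged as the Docker gateway address.
SAMPLE_LOG = """\
172.19.0.1 - - [10/Oct/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 1 "web@docker" "http://172.19.0.5:80" 2ms
172.19.0.1 - - [10/Oct/2023:12:00:02 +0000] "GET /login HTTP/1.1" 401 19 "-" "curl/8.0" 2 "web@docker" "http://172.19.0.5:80" 1ms
203.0.113.10 - - [10/Oct/2023:12:00:03 +0000] "GET /login HTTP/1.1" 401 19 "-" "curl/8.0" 3 "web@docker" "http://172.19.0.5:80" 1ms
"""


def is_trusted(ip):
    """True if ip falls inside one of the trustedIPs ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def logged_client_ips(log_text):
    """The first field of each Traefik CLF line is the client address Traefik logged."""
    return [line.split(" ", 1)[0] for line in log_text.splitlines() if line.strip()]


def gateway_hits(log_text):
    """Logged clients that are themselves trusted proxy/gateway addresses.
    Each one is a request whose real client IP was not recovered."""
    return [ip for ip in logged_client_ips(log_text) if is_trusted(ip)]


def effective_client_ip(remote_addr, x_forwarded_for=None):
    """Simplified model (assumption) of Traefik's forwardedHeaders handling:
    X-Forwarded-For is believed only when the TCP peer is in trustedIPs,
    otherwise the header is dropped and the peer address is the client."""
    if x_forwarded_for and is_trusted(remote_addr):
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


if __name__ == "__main__":
    print("requests logged with a gateway address:", gateway_hits(SAMPLE_LOG))
    # Cloudflare edge forwarding a real visitor: the header is trusted, good.
    print(effective_client_ip("173.245.48.1", "203.0.113.10"))
    # Direct connection from an untrusted peer with a forged header: header dropped.
    print(effective_client_ip("198.51.100.7", "10.0.0.1"))
    # Same forged header arriving via the trusted Docker gateway: the lie is believed.
    print(effective_client_ip("172.19.0.1", "10.0.0.1"))
```

The last case is the one to watch for: once 172.19.0.0/16 is trusted, any connection that reaches Traefik through the Docker gateway without going through Cloudflare can name an arbitrary address in X-Forwarded-For, and that address, not the attacker's, is what the bouncer looks up and what CrowdSec eventually bans.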

Add the CrowdSec Middleware

Once again, edit your Traefik static configuration file (traefik.yml) and add the bouncer to the middlewares list of your entryPoint, then define the middleware in your dynamic configuration file (fileConfig.yml):

nano /mnt/user/appdata/traefik/traefik.yml
      middlewares:
        - securityHeaders@file
        - crowdsec-bouncer@file

nano /mnt/user/appdata/traefik/fileConfig.yml
    crowdsec-bouncer:
      forwardAuth:
        address: http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth
        trustForwardHeader: true

The address points at the bouncer container by its Docker container name, and the bouncer listens on port 8080 inside the container. Note that the container needs no port published on the host: Traefik reaches it directly over the shared Docker network. trustForwardHeader: true makes Traefik pass the incoming X-Forwarded-* headers on to the bouncer, so the bouncer evaluates the real client IP rather than Traefik's own address.

Restart CrowdSec and Traefik
