Traefik Bouncer
The aim here is to implement a CrowdSec bouncer for the Traefik router that blocks malicious IPs from accessing your services. For this, it leverages the Traefik v2 ForwardAuth middleware and queries CrowdSec with the client IP.
If the client IP is on the ban list, the client gets an HTTP 403 response. Otherwise, the request continues as usual.
Flow of information

What is a parser?
Parsers take log formats and break them down into readable information for the CrowdSec app. We will be using the Traefik parser to take the Traefik access logs and pass that information over to the CrowdSec app to make decisions.
What is a bouncer?
Bouncers react to decisions made by CrowdSec. In this case, the Traefik bouncer takes the decision made by CrowdSec and either allows or denies the traffic going through Traefik. CrowdSec on its own only makes the decisions to ban IPs; it does this by connecting back to the mothership to get the information required to make those decisions locally. Check out the available bouncers on the hub.
What is a Scenario?
A scenario is a behavior, e.g. a brute-force attack in progress. You can choose which scenarios you would like to check the traffic against. In this Traefik collection, we will be using the typical HTTP behaviors.
Enable the Bouncer
Go inside the CrowdSec Docker console and run:
cscli bouncers add traefik-bouncer
Go to the Apps tab and download the crowdsec-traefik-bouncer container.

Get the API key we generated above and paste it into this option.
Leave it as it is.
Put the CrowdSec container IP with the port.

Traefik
Enable Logging
Edit your Traefik static configuration file (traefik.yml) in your Traefik appdata folder (use the nano command or Code Server, which is very useful; tutorial here: https://www.youtube.com/watch?v=7FMCBjUVaYQ&t=1s ).
nano /mnt/user/appdata/traefik/traefik.yml
accessLog:
  filePath: "/var/log/crowdsec/traefik.log"
  bufferingSize: 50
If your logs don't show the external IP of the users hitting the Traefik proxy and only show the IP of the Docker gateway (e.g. 172.19.x.x in this case), then edit the traefik.yml file and add your Docker gateway IP range under the entrypoint's trustedIPs.
entryPoints:
  # Not used by the apps, but redirects everything from HTTP to HTTPS
  http:
    address: ":80"
    forwardedHeaders:
      trustedIPs: &trustedIps
        - 172.19.0.0/16 # ADD YOUR DOCKER NETWORK HERE!!!
        # Start of the Cloudflare public IP list for HTTP requests; remove it if you don't use Cloudflare
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22
        - 2400:cb00::/32
        - 2606:4700::/32
        - 2803:f800::/32
        - 2405:b500::/32
        - 2405:8100::/32
        - 2a06:98c0::/29
        - 2c0f:f248::/32
        # End of the Cloudflare public IP list
Create a path mapping in your Traefik template so that the log file is written to the shared folder you created earlier.

Add the CrowdSec Middleware
Once again, edit your Traefik static configuration file (traefik.yml) to reference the middleware, then define it in your dynamic configuration file (fileConfig.yml).
nano /mnt/user/appdata/traefik/traefik.yml
middlewares:
  - securityHeaders@file
  - crowdsec-bouncer@file
nano /mnt/user/appdata/traefik/fileConfig.yml
crowdsec-bouncer:
  forwardauth:
    address: http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth
    trustForwardHeader: true
Restart CrowdSec and Traefik.
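To show what sits behind the forwardauth address above and the flow described in the introduction, here is an added example (not the crowdsec-traefik-bouncer project's own code) of a minimal ForwardAuth endpoint in Go: it takes the client IP Traefik forwards, asks the CrowdSec LAPI for decisions using the key issued by `cscli bouncers add`, and answers 403 on a ban or 200 otherwise. The LAPI URL, the key, and the choice to fail closed with 502 when LAPI cannot be queried are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"net"
	"net/http"
	"strings"
)

// ClientIP is the first X-Forwarded-For hop of the request Traefik sends to the
// ForwardAuth target. It is only trustworthy once the entrypoint's trustedIPs
// include the Docker gateway, as configured above; an empty header yields "".
func ClientIP(r *http.Request) string {
	xff := r.Header.Get("X-Forwarded-For")
	return strings.TrimSpace(strings.Split(xff, ",")[0])
}

// Handler is the ForwardAuth endpoint: it asks LAPI for decisions on the client
// IP and answers 403 on a ban, 200 otherwise, 502 (fail closed) on LAPI errors.
func Handler(client *http.Client, lapiURL, apiKey string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ip := ClientIP(r)
		if net.ParseIP(ip) == nil { // also keeps junk out of the LAPI query
			http.Error(w, "unparseable client ip", http.StatusBadRequest)
			return
		}
		req, _ := http.NewRequest(http.MethodGet, lapiURL+"/v1/decisions?ip="+ip, nil)
		req.Header.Set("X-Api-Key", apiKey) // key issued by `cscli bouncers add` (assumed value)
		resp, err := client.Do(req)
		if err != nil {
			http.Error(w, "lapi unreachable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		// LAPI answers the literal "null" when no decision exists; that decodes
		// to an empty slice, so the loop below simply finds no ban.
		var decisions []struct{ Type string `json:"type"` }
		if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&decisions) != nil {
			http.Error(w, "lapi error", http.StatusBadGateway)
			return
		}
		for _, d := range decisions {
			if strings.EqualFold(d.Type, "ban") {
				http.Error(w, "Forbidden", http.StatusForbidden)
				return
			}
		}
		w.WriteHeader(http.StatusOK)
	}
}
```

Traefik returns any non-2xx answer from the ForwardAuth target to the client unchanged, which is how the 403 reaches a banned IP.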