Closed azertylr closed 3 months ago
@azertylr: Thanks for opening an issue, it is currently awaiting triage.
In the meantime, you can:
Where have you configured Caddy to log? It seems there is no acquisition configuration for Caddy logs; the only webserver I see is apache2.
I'm using github.com/caddyserver/transform-encoder to transform Caddy logs into the apache2 format.
I've tried the crowdsec caddy parser but I have this problem: https://github.com/crowdsecurity/crowdsec/issues/2921
Okay, it seems the bucket is pouring; however, the test seems to be using the same http path, so it doesn't satisfy the distinct constraint:
time="2024-08-05T20:01:42Z" level=debug msg="bucket 'crowdsecurity/http-probing' is poured" cfg=purple-moon name=crowdsecurity/http-probing
time="2024-08-05T20:01:42Z" level=debug msg="Uniq(/) : ko, discard event" bucket_id=dry-snow cfg=purple-moon name=crowdsecurity/http-probing partition=3671c134e830f40dab5b16ed453aa1a1fd52413c
https://app.crowdsec.net/hub/author/crowdsecurity/configurations/http-probing
distinct: "evt.Meta.http_path"
How are you testing it? Each path needs to be unique, for example:
for i in {1..20}; do curl -s http://example.com/$i ;done
Oh ok, I was querying the same URL.
I've tried with different URLs, but same problem.
It seems that Caddy doesn't output the path in the log with 403 or 404 errors:
caddy access log
0000 - - [06/Aug/2024:08:41:15 +0000] "GET / HTTP/3.0" 403 3 "-" "Mozilla/5.0 (Android 14; Mobile; rv:129.0) Gecko/129.0 Firefox/129.0"
0000 - - [06/Aug/2024:08:41:17 +0000] "GET / HTTP/3.0" 403 3 "-" "Mozilla/5.0 (Android 14; Mobile; rv:129.0) Gecko/129.0 Firefox/129.0"
0000 - - [06/Aug/2024:08:41:19 +0000] "GET / HTTP/3.0" 403 3 "-" "Mozilla/5.0 (Android 14; Mobile; rv:129.0) Gecko/129.0 Firefox/129.0"
0000 - - [06/Aug/2024:08:42:06 +0000] "GET /api/endpoints/2/docker/containers/4be1d10e0537bf4a43a571d92d8aeae39f93ce7d8596bb4c1a26f1e7a213bb8d/logs?since=0&stderr=1&stdout=1&tail=100&timestamps=0 HTTP/2.0" 200 17107 "https://www.mydomain/" "Mozilla/5.0 (Android 14; Mobile; rv:129.0) Gecko/129.0 Firefox/129.0"
my Caddyfile:
{
    debug
    order crowdsec first
    crowdsec {
        api_url http://crowdsec:8080
        api_key
        ticker_interval 15s
    }
}

*.{$MY_DOMAIN} {
    log {
        level DEBUG
        format transform `{request>remote_ip} - {user_id} [{ts}] "{request>method} {request>uri} {request>proto}" {status} {size} "{request>headers>Referer>[0]}" "{request>headers>User-Agent>[0]}"` {
            # Go time layout; "-0700" renders the numeric offset (e.g. +0000) that the
            # apache2/CLF parser expects. A literal "0000" would be copied verbatim.
            time_format "02/Jan/2006:15:04:05 -0700"
        }
        output file /var/log/caddy/access.log
    }

    tls {
        dns ovh {
        }
    }

    route {
        crowdsec

        @www host www.{$MY_DOMAIN}
        handle @www {
            reverse_proxy www:4533
        }

        @unknown host *.{$MY_DOMAIN}
        handle @unknown {
            respond * "403" 403
        }

        respond * "Access Deny" 403
    }
}
Hmmm, then the scenario will never trigger in that case, as we rely on the http path being logged. For 403 it should trigger this scenario only for POST requests. For 404, as long as it's a GET request it will trigger this scenario, but it has to be quite aggressive.
You can ultimately just remove the distinct restraint from the scenario locally, but if it doesn't log the correct values there isn't much for us to go on from the log itself.
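Added example (not CrowdSec's or Caddy's own code, and not part of the thread): a Python model of the bucket logic the two maintainer replies above describe, run over constructed access-log lines in the layout the transform-encoder format in this thread produces. It parses the lines, keeps one leaky bucket per source IP, applies the `distinct` constraint on `http_path`, and shows three outcomes: the "GET / ... 403" repeats never overflow, distinct paths do, and dropping `distinct` locally makes the repeats overflow too. The capacity/leakspeed numbers, the 403/404 filter, and the sample IPs and paths are assumptions for the model; the hub page is authoritative for the real scenario.

```python
"""Model of the http-probing bucket logic over constructed Caddy access-log lines.
Added example; not CrowdSec's or Caddy's own code."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Layout produced by the transform-encoder format in the Caddyfile:
# remote_ip - user [ts] "METHOD URI PROTO" status size "referer" "user-agent"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_clf(line: str) -> Optional[dict]:
    """Return the fields the scenario needs (roughly crowdsec's evt.Meta), or None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    evt = m.groupdict()
    evt["ts"] = datetime.strptime(evt["ts"], "%d/%b/%Y:%H:%M:%S %z")
    evt["http_path"] = evt["uri"].split("?", 1)[0]  # distinct is on the path, not the query
    return evt


@dataclass
class LeakyBucket:
    """One bucket per source IP. Assumed shape: `capacity` tokens, one token leaks
    every `leakspeed` seconds, overflow when the count exceeds `capacity`."""
    capacity: int
    leakspeed: float
    distinct_on: Optional[str]        # field name, or None to drop the distinct constraint
    tokens: float = 0.0
    last: Optional[datetime] = None
    seen: set = field(default_factory=set)

    def pour(self, evt: dict) -> bool:
        now = evt["ts"]
        if self.last is not None:
            elapsed = (now - self.last).total_seconds()
            self.tokens = max(0.0, self.tokens - elapsed / self.leakspeed)
        self.last = now
        if self.distinct_on is not None:
            key = evt[self.distinct_on]
            if key in self.seen:
                return False          # the "Uniq(/) : ko, discard event" case
            self.seen.add(key)
        self.tokens += 1
        return self.tokens > self.capacity


def run_scenario(lines, distinct=True, capacity=10, leakspeed=10.0):
    """Return the source IPs whose bucket overflowed, in order. Status filter and
    capacity/leakspeed are assumptions for this model, not the hub scenario's values."""
    buckets, overflowed = {}, []
    for line in lines:
        evt = parse_clf(line)
        if evt is None or evt["status"] not in ("403", "404"):
            continue
        bucket = buckets.setdefault(
            evt["ip"], LeakyBucket(capacity, leakspeed, "http_path" if distinct else None))
        if bucket.pour(evt):
            overflowed.append(evt["ip"])
            del buckets[evt["ip"]]    # overflow consumes the bucket; a fresh one starts
    return overflowed


def make_lines(ip, paths, status, step=0.4):
    """Constructed log lines, `step` seconds apart, in the encoder's layout."""
    start = datetime(2024, 8, 6, 8, 41, 15, tzinfo=timezone.utc)
    return [
        f'{ip} - - [{(start + timedelta(seconds=i * step)):%d/%b/%Y:%H:%M:%S %z}] '
        f'"GET {p} HTTP/3.0" {status} 3 "-" "curl/8.6.0"'
        for i, p in enumerate(paths)
    ]


# Constructed samples: the "GET / ... 403" repeats from the thread versus a real probe.
SAME_PATH_403 = make_lines("203.0.113.7", ["/"] * 12, 403)
DISTINCT_404 = make_lines("203.0.113.8", [f"/{i}" for i in range(12)], 404)
DISTINCT_200 = make_lines("203.0.113.9", [f"/{i}" for i in range(12)], 200)

if __name__ == "__main__":
    print("same path, distinct on :", run_scenario(SAME_PATH_403))                 # []
    print("same path, distinct off:", run_scenario(SAME_PATH_403, distinct=False))  # ['203.0.113.7']
    print("distinct paths, 404    :", run_scenario(DISTINCT_404))                  # ['203.0.113.8']
    print("distinct paths, 200    :", run_scenario(DISTINCT_200))                  # []
```

Run it as a script to see the four cases. The point it makes for the thread: as long as every 403 line carries `/` as the path, the bucket receives one token and discards the rest, so no amount of repetition from one client overflows it; either the log has to carry the real path, or `distinct` has to go.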
Thanks, I will check with the Caddy team why the logs don't have the path of the requested file :)
What happened?
Hello,
I've just installed crowdsec with Caddy 2.8.4 and I don't manage to make it work properly (I used to have nginx and it was fine).
When I generate several 403 errors from a client, http-probing is not triggered.
What did you expect to happen?
http-probing triggered when I generate 10* 404 or 403 errors in 10s from the same device
How can we reproduce it (as minimally and precisely as possible)?
Install Caddy 2.8.4 + crowdsec with the config below and request a URL that returns a 403 error.
Anything else we need to know?
Caddy 2.8.4 with https://github.com/hslatman/caddy-crowdsec-bouncer
I tried to trigger authelia-bf and it works. The IP is blocked.