crowdsecurity / cs-cloudflare-bouncer

A CrowdSec Bouncer that syncs the decisions made by CrowdSec with CloudFlare's firewall. Manages multi user, multi account, multi zone setup. Supports IP, Country and AS scoped decisions.
MIT License
50 stars 7 forks

Duplicate Account Handling #112

Closed michacassola closed 1 year ago

michacassola commented 1 year ago

Hey, when running my script that uses a separate cloudflare api token for each zone/domain I get:

time="06-11-2022 19:51:20" level=fatal msg="the account '12345f4b2a26dbd12345ea27022fcc5' is duplicated"

The two domains are on the same account, but the WAF would still need to be set up by cs-bouncer separately for each domain/zone.

Here part of the generated conf file with changed tokens, ids and domains:

cloudflare_config:
    accounts:
        - id: 12345f4b2a26dbd12345ea27022fcc5 #ACCOUNT-NAME
          zones:
            - zone_id: 12345d1488f407f11234517b20a1cb40 #domain.com
              actions:
                - managed_challenge
            - zone_id: 12345bf4f3aa6da3212345cfc15d5fd4 #domain.net
              actions:
                - managed_challenge
          token: 8M7wS6hCpXVc-DoRnPPY_UCWPgy8aea4Wy6kCe5T
          ip_list_prefix: crowdsec
          default_action: managed_challenge
          total_ip_list_capacity: 10000 # only this many latest IP decisions would be kept
        - id: 12345f4b2a26dbd12345ea27022fcc5 #ACCOUNT-NAME
          zones: []
          token: UCWPgy8aea4Wy6kCe5T8M7wS6hCpXVc-DoRnPPY_
          ip_list_prefix: crowdsec
          default_action: managed_challenge
          total_ip_list_capacity: 10000 # only this many latest IP decisions would be kept
    update_frequency: 10s

Here's my bash function handling this:

    # Collect the CrowdSec-scoped Cloudflare token of every zone (one JSON
    # file per zone/domain) into a single comma-separated string.
    separator=''
    cf_crowdsec_tokens=$(for json in /var/opt/qycli/cloudflare/*/cf_token_crowdsec_and_dns.json; do
        echo -n "$separator""$(yq .result.value "$json")"
        separator=','
    done)

    # Remove the previous Cloudflare setup (-d), generate a fresh config from
    # the tokens (-g), create the IP lists and firewall rules (-s), restart.
    crowdsec-cloudflare-bouncer -d
    crowdsec-cloudflare-bouncer -g "$cf_crowdsec_tokens" -o /etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml
    crowdsec-cloudflare-bouncer -s
    systemctl restart crowdsec-cloudflare-bouncer

sbs2001 commented 1 year ago

@michacassola the bouncer is complaining because you have specified same account twice.

Something like:

cloudflare_config:
    update_frequency: 10s
    accounts:
        - id: 12345f4b2a26dbd12345ea27022fcc5 #ACCOUNT-NAME
          zones:
            - zone_id: 12345d1488f407f11234517b20a1cb40 #domain.com
              actions:
                - managed_challenge
            - zone_id: 12345bf4f3aa6da3212345cfc15d5fd4 #domain.net
              actions:
                - managed_challenge
          token: 8M7wS6hCpXVc-DoRnPPY_UCWPgy8aea4Wy6kCe5T
          ip_list_prefix: crowdsec
          default_action: managed_challenge
          total_ip_list_capacity: 10000 # only this many latest IP decisions would be kept

should work
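The rule sbs2001 states (one entry per Cloudflare account, all of that account's zones under it) can be checked and applied before the bouncer ever reads the file. The following is an added example, not code from cs-cloudflare-bouncer: it works on the parsed `cloudflare_config` mapping (what `yaml.safe_load` would return for the generated YAML), reports account ids that appear more than once, and merges duplicate entries by concatenating their zones. Entries for the same account that carry different tokens, which is exactly the per-zone-token layout the reporter generated, cannot be merged automatically because the bouncer keeps a single token per account, so that case is rejected with an error. All ids and tokens below are constructed placeholders.

```python
"""Validate and merge account entries of a cs-cloudflare-bouncer config.

Added example (not the bouncer's own code). Input is the parsed
`cloudflare_config` mapping; ids and tokens are constructed placeholders.
"""
from collections import Counter


def duplicate_account_ids(cloudflare_config):
    """Return account ids listed more than once (the case the bouncer rejects)."""
    counts = Counter(acc["id"] for acc in cloudflare_config.get("accounts", []))
    return sorted(aid for aid, n in counts.items() if n > 1)


def merge_duplicate_accounts(cloudflare_config):
    """Collapse repeated account entries into one entry per account id.

    Zones are concatenated and deduplicated by zone_id. Because the bouncer
    holds one token per account, two entries for the same account with
    different tokens cannot be merged: raise ValueError so the operator
    switches to one account-scoped token covering all zones.
    """
    merged = {}
    order = []
    for acc in cloudflare_config.get("accounts", []):
        aid = acc["id"]
        if aid not in merged:
            merged[aid] = {**acc, "zones": list(acc.get("zones", []))}
            order.append(aid)
            continue
        target = merged[aid]
        if acc.get("token") != target.get("token"):
            raise ValueError(
                f"account {aid!r} listed twice with different tokens; "
                "use one account-scoped token for all of its zones"
            )
        known = {z["zone_id"] for z in target["zones"]}
        for zone in acc.get("zones", []):
            if zone["zone_id"] not in known:
                target["zones"].append(zone)
                known.add(zone["zone_id"])
    return {**cloudflare_config, "accounts": [merged[aid] for aid in order]}


# Constructed sample mirroring the reporter's generated file: the same
# account id twice, once with two zones and once with an empty zone list.
SAMPLE_SAME_TOKEN = {
    "update_frequency": "10s",
    "accounts": [
        {"id": "acct-placeholder", "token": "token-placeholder",
         "ip_list_prefix": "crowdsec", "default_action": "managed_challenge",
         "total_ip_list_capacity": 10000,
         "zones": [{"zone_id": "zone-a", "actions": ["managed_challenge"]},
                   {"zone_id": "zone-b", "actions": ["managed_challenge"]}]},
        {"id": "acct-placeholder", "token": "token-placeholder",
         "ip_list_prefix": "crowdsec", "default_action": "managed_challenge",
         "total_ip_list_capacity": 10000, "zones": []},
    ],
}

# Constructed sample of the per-zone-token layout: same account, two tokens.
SAMPLE_TWO_TOKENS = {
    "accounts": [
        {"id": "acct-placeholder", "token": "token-for-zone-a",
         "zones": [{"zone_id": "zone-a", "actions": ["managed_challenge"]}]},
        {"id": "acct-placeholder", "token": "token-for-zone-b",
         "zones": [{"zone_id": "zone-b", "actions": ["managed_challenge"]}]},
    ],
}

if __name__ == "__main__":
    print("duplicate ids:", duplicate_account_ids(SAMPLE_SAME_TOKEN))
    fixed = merge_duplicate_accounts(SAMPLE_SAME_TOKEN)
    print("accounts after merge:", len(fixed["accounts"]))
    print("zones:", [z["zone_id"] for z in fixed["accounts"][0]["zones"]])
    try:
        merge_duplicate_accounts(SAMPLE_TWO_TOKENS)
    except ValueError as exc:
        print("rejected:", exc)
```

Run the merge on the loaded mapping before writing the YAML the bouncer consumes; the rejected case is the signal to request one account-level token instead of a token per zone.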

michacassola commented 1 year ago

So, it cannot handle this kind of thing. Ok. I changed to account level tokens, for all zones, and it works. But the IP list at cloudflare is empty. Posted in Discord yesterday already about it. Thanks.