crowdsecurity / cs-cloudflare-worker-bouncer

A CrowdSec Bouncer that syncs the decisions made by CrowdSec with CloudFlare's firewall using cloudflare workers. Manages multi user, multi account, multi zone setup. Supports IP, Country and AS scoped decisions.
https://doc.crowdsec.net/docs/next/bouncers/cloudflare-workers
MIT License

Worker re-deployment at service restart causes worker settings to revert to defaults #24

Closed dreary-ennui closed 4 months ago

dreary-ennui commented 10 months ago

I set up CloudFlare Logpush on the worker and was ingesting the worker logs to my local Elastic instance for statistics and log analysis. Was working great.

Restarted the system the worker was on, the worker re-deployed, CloudFlare Logpush is now disabled.

Looks like the worker re-deploys its infrastructure every time the service starts. Because of this, worker settings do not persist across service restarts.

Proposing one of the following solutions:

1) Workers only re-deploy when necessary (would have to figure out how to tell that?) and can use existing deployments, so customizations to the workers (and workers themselves?) persist across service restarts
2) Service reads existing worker settings prior to cleanup and sets them back after re-deployment
3) Service provides worker options management in config yml

I'm sure there are other ways to tackle this, these were just the first things that came to mind.

This impacted me for Logpush settings, but this probably impacts other worker settings: CPU limit, usage model, placement, etc.

dreary-ennui commented 9 months ago

@LaurenceJJones just wondering if Crowdsec has reviewed this issue yet. Thanks!

LaurenceJJones commented 9 months ago

> @LaurenceJJones just wondering if Crowdsec has reviewed this issue yet. Thanks!

Sorry, with holidays and the launch of 1.6 we haven't been able to review it yet.

LaurenceJJones commented 9 months ago

Started looking into it, we should provide additional params to the zone worker

from this struct https://github.com/cloudflare/cloudflare-go/blob/ffa96c9e3b43bfe62c918a56536c2b6ab2c55003/workers.go#L24-L65

https://github.com/crowdsecurity/cs-cloudflare-worker-bouncer/blob/fbedd358b49a088dcac7b5315ca6a48d4da9fdeb/pkg/cloudflare/cloudflare.go#L203C1-L214C4

I don't know Cloudflare much, but all the docs are pointing to it being as simple as allowing you to set true/false 🤷🏻

dreary-ennui commented 9 months ago

> allowing you to set true/false 🤷🏻

I'd be perfectly happy with an option in the bouncer config .yml that I can just set to Logpush: true

dreary-ennui commented 8 months ago

@LaurenceJJones Hey Laurence - sorry to bug you :) Just wondering if this is on the radar.