crowdsecurity / cs-cloudflare-worker-bouncer

A CrowdSec bouncer that syncs the decisions made by CrowdSec with Cloudflare's firewall using Cloudflare Workers. Manages multi-user, multi-account, multi-zone setups. Supports IP, Country and AS scoped decisions.
https://doc.crowdsec.net/docs/next/bouncers/cloudflare-workers
MIT License

Docker container restart issue #50

Closed modem7 closed 3 weeks ago

modem7 commented 3 weeks ago

When I try to restart the container, it tries to clean up the worker but fails.

```
time="2024-11-08T19:53:30Z" level=info msg="Using API key auth"
time="2024-11-08T19:53:31Z" level=info msg="Cleaning up existing workers" account=myaccount@mydomain.com
time="2024-11-08T19:53:33Z" level=fatal msg="unable to cleanup existing workers: remove namespace: 'namespace has associated scripts: crowdsec-cloudflare-worker-bouncer' (10052) for account myaccount@mydomain.com"
```

```yaml
  # CrowdSec Bouncer - Cloudflare
  # sudo docker exec crowdsec cscli bouncer add cloudflare-worker-bouncer
  # To recover: docker run --rm -it -v "$(pwd)"/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-worker-bouncer.yaml --name WorkerBouncerRecovery 'crowdsecurity/cloudflare-worker-bouncer' -d
  cloudflare-worker-bouncer:
    image: crowdsecurity/cloudflare-worker-bouncer
    container_name: Crowdsec-Cloudflare-Worker-Bouncer
    networks:
      pihole:
        ipv4_address: '172.22.0.125'
    # ports:
    #  - "2112:2112"
    volumes:
      - $USERDIR/Crowdsec/cloudflare-worker-bouncer/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-worker-bouncer.yaml
      # - $USERDIR/Crowdsec/cloudflare-worker-bouncer/cf-bouncer:/cf-bouncer
    # labels:
    #   - "backup"
    security_opt:
      - no-new-privileges:true
    logging:
      driver: "local"
      options:
        max-size: 10m
        max-file: "3"
    restart: always
    mem_limit: 500m
    mem_reservation: 50m
    depends_on:
      - crowdsec
```


blotus commented 3 weeks ago

Hello,

This seems to come from a change on Cloudflare's side.

I've just pushed a fix that resolves the issue.

I've made a new pre-release (v0.0.12) with the fix, the docker image will be available in about 30 minutes (with the v0.0.12 tag, latest will be updated when we turn it into an actual release, which will not happen before next week).

If you switch to the v0.0.12 image for testing, note that this new version also includes support for usage metrics and now creates a D1 database to store them. Because your token does not have any permissions on D1, you'll see a warning when the bouncer starts, but you can safely ignore it (you can refer to this documentation PR if you want to set it up: https://github.com/crowdsecurity/crowdsec-docs/pull/651/files)

modem7 commented 3 weeks ago

Hi @blotus - Thank you very much for the fast response and turnaround!

All confirmed working on crowdsecurity/cloudflare-worker-bouncer:v0.0.12.

Sincerely appreciated!