fbonalair / traefik-crowdsec-bouncer

An HTTP service to verify requests and bounce them according to decisions made by CrowdSec.
MIT License

Bouncer can't send ban request to crowdsec #18

Closed: phamleduy04 closed 2 years ago

phamleduy04 commented 2 years ago

I honestly don't know if this is a bouncer issue or a CrowdSec issue. I tried to DDoS my own website to check whether the bouncer blocks it. I saw some requests from the bouncer, but they show the error below. My log file:

2022-03-02T02:45:07Z WRN An error occurred while checking IP "" error="Get \"http://crowdsec:8080/v1/decisions?type=ban&ip=MYIP\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"

phamleduy04 commented 2 years ago

Also, my profiles.yaml:

name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
 #- Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 4h
notifications:
 - http_default
on_success: break
---
name: default_AS_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "As"
decisions:
 - type: ban
   duration: 4h
notifications:
 - http_default
on_success: break

fbonalair commented 2 years ago

From what I get, you have two issues:

Most importantly, you have a "Timeout exceeded while awaiting headers". I am guessing the bouncer couldn't reach CrowdSec at the URL "http://crowdsec:8080/". How did you put those containers in your environment? You should verify your configuration since, from the bouncer's point of view, it can't reach CrowdSec at the configured URL. If using docker-compose, maybe you have renamed CrowdSec's container?

Secondly, the bouncer is requesting the IP "MYIP" from CrowdSec, which is not a valid IP. This value is extracted from the incoming request to the bouncer, usually Traefik. I would say an error comes from there, or from the web framework (Gin).
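
The two conditions named in the comment above (CrowdSec not answering at the configured URL, and a client IP that is not a valid address) can be told apart by repeating the decision query with a short client timeout. This is an added example, not part of the thread or of the bouncer's code: `checkIP`, `fakeLAPI`, the outcome strings and the sample address are hypothetical, and it assumes the CrowdSec local API answers `null` when no decision matches.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"net/url"
	"strings"
	"time"
)

// checkIP (hypothetical helper) repeats the bouncer's LAPI query and names the outcome.
func checkIP(base, apiKey, ip string, timeoutMs int) string {
	if _, err := netip.ParseAddr(ip); err != nil {
		return "invalid-ip" // a placeholder such as "MYIP" stops here
	}
	req, err := http.NewRequest("GET", base+"/v1/decisions?type=ban&ip="+url.QueryEscape(ip), nil)
	if err != nil {
		return "bad-url"
	}
	req.Header.Set("X-Api-Key", apiKey) // bouncer key header of the CrowdSec LAPI
	resp, err := (&http.Client{Timeout: time.Duration(timeoutMs) * time.Millisecond}).Do(req)
	if ue, ok := err.(*url.Error); ok && ue.Timeout() {
		return "timeout" // the "Client.Timeout exceeded" line from the log
	} else if err != nil {
		return "unreachable" // DNS failure, refused connection, wrong network
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return fmt.Sprintf("lapi-error-%d", resp.StatusCode)
	}
	if s := strings.TrimSpace(string(body)); s == "" || s == "null" {
		return "not-banned" // assumption: LAPI answers null when nothing matches
	}
	return "banned"
}
// fakeLAPI is a constructed stand-in for CrowdSec so the example runs offline.
func fakeLAPI(delayMs int, body string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		time.Sleep(time.Duration(delayMs) * time.Millisecond)
		io.WriteString(w, body)
	}))
}
func main() {
	slow := fakeLAPI(500, "null") // replies after the 100 ms client timeout
	fmt.Println(checkIP(slow.URL, "constructed-key", "203.0.113.7", 100)) // timeout
}
```

Run from inside the bouncer's network namespace against the real `CROWDSEC_AGENT_HOST`, a `timeout` or `unreachable` result points at container networking rather than at the profile or scenario configuration.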

phamleduy04 commented 2 years ago

This is my docker-compose file:

version: '3.8'
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    ports:
      - 8080:8080
    environment:
      GID: "${GID-1000}"
      #Dominic-Wagner/vaultwarden-bf Dominic-Wagner/vaultwarden-logs
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/whitelist-good-actors crowdsecurity/whitelists"
    volumes:
      - ./config/acquis.yaml:/etc/crowdsec/acquis.yaml
      - crowdsec-db:/var/lib/crowdsec/data/
      - crowdsec-config:/etc/crowdsec
      - traefik_traefik-logs:/var/log/traefik/:ro
    networks:
      - proxy
    restart: unless-stopped

  bouncer-traefik:
    image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: <REMOVED_API_KEY>
      CROWDSEC_AGENT_HOST: crowdsec:8080
    networks:
      - proxy
    depends_on:
      - crowdsec
    restart: unless-stopped

  dashboard:
    image: phamleduy04/crowdsec-dashboard:latest
    container_name: crowdsec-dashboard
    ports:
      - 3030:3000
    environment:
      MB_DB_FILE: /data/metabase.db
      MGID: "${GID-1000}"
    depends_on:
      - 'crowdsec'
    volumes:
      - crowdsec-db:/metabase-data/
    restart: unless-stopped

networks:
  proxy:
    external: true

volumes:
  crowdsec-db:
  crowdsec-config:
  traefik_traefik-logs:
    external: true

MYIP is my public IP address, so I renamed it. The logs show my real IP address. I tried to expose port 8080 and send requests directly through the machine's private IP, but it is still not working either.

tinolin commented 2 years ago

Sorry if I don't understand... but the "bouncer" is not the one that filters, it filters through the "traefik" logs, the bouncer only consults it, or not?

phamleduy04 commented 2 years ago

My bad, I found out that I have to write my own scenario for my own purpose. Thank you for your response :)