fbonalair / traefik-crowdsec-bouncer

A http service to verify request and bounce them according to decisions made by CrowdSec.
MIT License

Bypassing Crowdsec for local IPs? #38

Closed rwjack closed 2 years ago

rwjack commented 2 years ago

Hello,

I was wondering if anyone has managed to do this / if it's possible at all currently?

I know local IPs can be excluded from rate limiting in crowdsec, but I would like it if local devices can access local services via traefik, but without going through crowdsec.

I presume this would require traefik to have some sort of arithmetic with and's and if's for middlewares, though I'm not completely sure.

rwjack commented 2 years ago

Looking at the logs, during the night when backups are in progress, the VM on which traefik-crowdsec-bouncer is running starts sending out 403's for a couple of minutes (exactly when it's getting backed up, which then triggers other false-positive infrastructure stories that all services are down, when in fact it's only the bouncer that's blocking access to the services):

{"level":"warn","error":"Get \"http://crowdsec:8080/v1/decisions?type=ban&ip=10.2.3.4\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)","time":"2022-10-20T01:37:43Z","message":"An error occurred while checking IP \"\""}

rwjack commented 2 years ago

I personally don't care for a few minutes of downtime, but I would like to bypass those downtime notifications, and one way of doing that is by having this bouncer not send a check IP request to the crowdsec container, if the IP comes from a private range.

In other words I would let traefik handle internal security whitelists, while using crowdsec only for external access flood control.
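The bouncer-side variant of this idea, as an added example that is not code from traefik-crowdsec-bouncer: a ForwardAuth decision function that never contacts the CrowdSec LAPI for clients inside operator-configured trusted ranges, while every other client still gets the lookup and still fails closed (403) when the LAPI times out, which is exactly the behaviour in the log line above. The `trustedRanges` setting, the `DecisionLookup` abstraction and reading the client address from `X-Forwarded-For` are assumptions made for this example, not options the project exposes.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/netip"
	"strings"
	"time"
)

// trustedRanges is an assumed operator setting: clients in these prefixes are
// let through without a LAPI decision lookup. RFC 1918, loopback and IPv6 ULA
// ranges are used here as constructed sample values.
var trustedRanges = mustPrefixes(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"127.0.0.0/8", "::1/128", "fc00::/7",
)

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// isTrusted reports whether ip lies inside any trusted prefix.
func isTrusted(ip netip.Addr, ranges []netip.Prefix) bool {
	ip = ip.Unmap() // treat ::ffff:10.0.0.1 the same as 10.0.0.1
	for _, p := range ranges {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// DecisionLookup stands in for the LAPI call (GET /v1/decisions?type=ban&ip=...)
// and returns true when an active ban exists for ip.
type DecisionLookup func(ctx context.Context, ip netip.Addr) (banned bool, err error)

// decide returns the status the bouncer answers to Traefik's ForwardAuth:
// 200 lets the request through, 403 bounces it. Trusted clients never reach
// the LAPI; for everyone else a lookup error still fails closed (403).
func decide(ctx context.Context, clientIP string, ranges []netip.Prefix, lookup DecisionLookup) int {
	ip, err := netip.ParseAddr(strings.TrimSpace(clientIP))
	if err != nil {
		return http.StatusForbidden // no usable source address: fail closed
	}
	if isTrusted(ip, ranges) {
		return http.StatusOK
	}
	banned, err := lookup(ctx, ip)
	if err != nil || banned {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// clientIP takes the first address of an X-Forwarded-For chain. This is only
// safe when Traefik has sanitised the header (its default unless
// forwardedHeaders.insecure or trustedIPs is configured); otherwise an external
// client could claim a private address and skip the lookup.
func clientIP(xff string) string {
	if i := strings.IndexByte(xff, ','); i >= 0 {
		return strings.TrimSpace(xff[:i])
	}
	return strings.TrimSpace(xff)
}

// newHandler wires decide into a ForwardAuth endpoint with a bounded LAPI timeout.
func newHandler(lookup DecisionLookup, timeout time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx, cancel := context.WithTimeout(r.Context(), timeout)
		defer cancel()
		w.WriteHeader(decide(ctx, clientIP(r.Header.Get("X-Forwarded-For")), trustedRanges, lookup))
	})
}

func main() {
	// Stub LAPI that never answers, mimicking the backup-window timeout.
	slow := func(ctx context.Context, ip netip.Addr) (bool, error) {
		<-ctx.Done()
		return false, ctx.Err()
	}
	fmt.Println(decide(context.Background(), "10.2.3.4", trustedRanges, slow)) // 200, LAPI never called
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	fmt.Println(decide(ctx, "203.0.113.5", trustedRanges, slow)) // 403, untrusted client and LAPI unreachable
	_ = newHandler(slow, 2*time.Second)
}
```

Keeping the fail-closed answer for untrusted clients is deliberate: a LAPI outage should not silently lift bans on the internet-facing side. The bypass is only as trustworthy as the source address Traefik hands to the bouncer, so the entrypoint must not be configured to trust forwarded headers from arbitrary clients.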

yfhyou commented 2 years ago

I would think this a traefik configuration rather than a crowdsec one. The way I can think of doing it is by having a separate router in traefik for local IPs that don't have the traefik-crowdsec middleware in them. You could also add your local IP range to the crowdsec whitelist perhaps?

rwjack commented 2 years ago

The way I can think of doing it is by having a separate router in traefik for local IPs that don't have the traefik-crowdsec middleware in them.

That would mean having 20+ new routers in my case, not quite viable/scalable...

Also, I don't add the bouncer middleware to my routers, I just add it to the :443 entrypoint which basically adds it to all the routers.

You could also add your local IP range to the crowdsec whitelist perhaps?

That wouldn't work because apparently the bouncer becomes unavailable during the backup so traefik just gives back 403's. I'm just trying to have requests completely evade the bouncer if they're coming from localnet, for which, apparently, traefik middleware logic is required.

rwjack commented 2 years ago

I'm gonna give this a try: https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin

yfhyou commented 2 years ago

I'm gonna give this a try: https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin

looks very promising!

rwjack commented 2 years ago

Closing in favor of https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/issues/28