jgwehr / homelab-docker

Docker Compose for building a home lab

Resolve issues with Crowdsec #103

Open jgwehr opened 1 week ago

jgwehr commented 1 week ago

Describe the solution you'd like Crowdsec has been a perpetual PITA since I started using it several years ago. While promising (and unique), each update seems to reset the API keys - causing unnecessary maintenance. Additionally it regularly breaks my reverse proxy without any explanation. The Crowdsec logs show no issues while Caddy throws LAPI errors. ~When crowdsec is removed, everything works fine.~

Multiple containers seem to have issues (Tandoor, Rallly especially).

That said, I haven't changed my implementation since I first started. It seems there's been updates to how Caddy+Crowdsec should be implemented: https://github.com/crowdsecurity/example-docker-compose/tree/main/caddy

Describe alternatives you've considered Are there any??

But, I also need to do an end to end trace. Other potential points of failure:

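A small probe for the "Caddy throws LAPI errors while the CrowdSec logs look clean" situation described above. This is an added diagnostic, not code from jgwehr/homelab-docker, Caddy or CrowdSec. It sends the same kind of request the Caddy bouncer sends (a `GET /v1/decisions` with the bouncer key in `X-Api-Key`) and separates the three cases that look identical from Caddy's side: the LAPI is unreachable from Caddy's network, the LAPI is up but the key is no longer registered (the after-update symptom from the issue), or everything works. The LAPI hostname `crowdsec:8080`, the `BOUNCER_KEY` environment variable and the bouncer name `caddy` are assumptions; the IP in the query is from the documentation range and carries no meaning.

```python
"""Probe a CrowdSec LAPI with a bouncer key, the way the Caddy bouncer does.

Added diagnostic, not part of jgwehr/homelab-docker. Assumes the LAPI is
reachable at LAPI_URL from where this runs (e.g. from inside the Caddy
container's network) and that BOUNCER_KEY holds a key registered with
`cscli bouncers add <name>`.
"""
import os
import sys
import urllib.error
import urllib.request

LAPI_URL = os.environ.get("LAPI_URL", "http://crowdsec:8080")  # assumed service name
BOUNCER_KEY = os.environ.get("BOUNCER_KEY", "")                 # assumed env var

# The outcomes that matter when Caddy only logs a generic LAPI error.
UNREACHABLE = "unreachable"    # DNS/network problem between Caddy and CrowdSec
KEY_REJECTED = "key_rejected"  # LAPI is up, but this key is not registered
OK = "ok"
UNEXPECTED = "unexpected"


def classify(status, error=None):
    """Map an HTTP status (or a transport error) to one of the outcomes above.

    A transport error means the LAPI was never reached. 200 means the key was
    accepted (an empty decision list is still a 200). 401/403 is how the LAPI
    answers a key it does not know, which is what a reset key looks like.
    """
    if error is not None:
        return UNREACHABLE
    if status == 200:
        return OK
    if status in (401, 403):
        return KEY_REJECTED
    return UNEXPECTED


def probe(url=LAPI_URL, key=BOUNCER_KEY, timeout=5):
    """GET /v1/decisions with the bouncer key; return (outcome, detail)."""
    req = urllib.request.Request(
        f"{url}/v1/decisions?ip=192.0.2.1",  # documentation-range IP, constructed
        headers={"X-Api-Key": key},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status), resp.read(200).decode(errors="replace")
    except urllib.error.HTTPError as e:
        return classify(e.code), str(e.reason)
    except (urllib.error.URLError, OSError) as e:
        return classify(None, e), str(e)


HINTS = {
    UNREACHABLE: "Caddy cannot reach the LAPI: check the compose network, "
                 "the service name and port 8080.",
    KEY_REJECTED: "LAPI is up but rejects this key: re-register the bouncer "
                  "(`cscli bouncers add caddy`) and put the new key in the "
                  "Caddy bouncer config.",
    OK: "LAPI accepted the bouncer key; the problem is elsewhere.",
    UNEXPECTED: "Unexpected LAPI answer; read the crowdsec container logs.",
}

if __name__ == "__main__":
    outcome, detail = probe()
    print(f"{outcome}: {HINTS[outcome]} ({detail})")
    sys.exit(0 if outcome == OK else 1)
```

Run it from inside the Caddy container's network (for example with `docker compose exec caddy python3 probe.py` if Python is available there, or from a throwaway container on the same compose network) so that DNS resolution of the `crowdsec` service name is tested as well; running it from the host only tells you whether the published port works.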

jgwehr commented 1 week ago

Potential change to Dockerfile:

# Pin the Caddy version once; it selects both the builder image and the runtime image.
ARG CADDY_VERSION=2.8.4

# Stage 1: build a custom Caddy binary with xcaddy and the needed plugins.
FROM caddy:${CADDY_VERSION}-builder-alpine AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/duckdns \
    --with github.com/hslatman/caddy-crowdsec-bouncer/http \
    --with github.com/hslatman/caddy-crowdsec-bouncer/layer4@main

# Stage 2: start from the plain Caddy image of the same version and swap in the custom binary.
FROM caddy:${CADDY_VERSION} AS caddy

WORKDIR /

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

The current example also includes layer4 support but... I'd like to see if CrowdSec can even be reliable before adding more features.

jgwehr commented 4 days ago

https://github.com/serfriz/caddy-custom-builds/tree/main/caddy-duckdns-crowdsec

jgwehr commented 3 days ago

Investigation continues. Even with CrowdSec removed, there's still regular breaks in http connections. Unfortunately that means I need to do a full E2E investigation.

I've been getting "Let's Encrypt" Staging expiration emails for my subdomains - which should not be the case since I haven't used Staging in several years. This points me towards this thread (https://caddy.community/t/how-to-use-lets-encrypt-staging-endpoint-with-caddy/18514) which hints at a broader issue:

But if Caddy encounters isolated errors in production, it will gracefully fall back to Let’s Encrypt staging endpoint automatically

I'll look into how I've configured Caddy to see if something has been outdated.
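One way to confirm whether a subdomain is actually serving a staging certificate, rather than relying on the expiry emails. This is an added check, not code from jgwehr/homelab-docker or Caddy. It shells out to the `openssl` CLI (assumed to be installed) to fetch the certificate each host presents, then flags any issuer that carries "(STAGING)", which is how the Let's Encrypt staging CA names itself, and reports days until expiry. The parsing is kept in a separate function so it can be exercised on the constructed sample output embedded below; the hostnames are passed on the command line.

```python
"""Report the issuer and remaining lifetime of the certificate each host serves.

Added check, not part of jgwehr/homelab-docker. Requires the `openssl` CLI.
"""
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of the two lines `openssl x509 -noout -issuer -enddate`
# prints, shaped like a Let's Encrypt staging certificate (names are made up).
CONSTRUCTED_STAGING_OUTPUT = (
    "issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Example Intermediate\n"
    "notAfter=Sep 20 12:00:00 2024 GMT\n"
)


def fetch_cert_summary(host, port=443, timeout=10):
    """Return openssl's issuer/notAfter lines for the leaf cert `host` presents."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout, check=False,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-issuer", "-enddate"],
        input=s_client.stdout, capture_output=True, timeout=timeout, check=True,
    )
    return x509.stdout.decode()


def summarize(openssl_text, now=None):
    """Parse `issuer=...` / `notAfter=...` lines into a verdict dict."""
    fields = {}
    for line in openssl_text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    issuer = fields.get("issuer", "")
    # openssl prints e.g. "Sep 20 12:00:00 2024 GMT"; treat it as UTC.
    not_after = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y %Z")
    not_after = not_after.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return {
        "issuer": issuer,
        "staging": "(STAGING)" in issuer,
        "days_left": (not_after - now).days,
    }


def check_hosts(hosts, renew_within_days=14):
    """Return {host: verdict}; a verdict is 'bad' if staging or expiring soon."""
    results = {}
    for host in hosts:
        try:
            info = summarize(fetch_cert_summary(host))
        except (subprocess.SubprocessError, KeyError, ValueError) as e:
            results[host] = {"error": str(e), "bad": True}
            continue
        info["bad"] = info["staging"] or info["days_left"] <= renew_within_days
        results[host] = info
    return results


if __name__ == "__main__":
    report = check_hosts(sys.argv[1:])
    for host, info in report.items():
        print(host, info)
    sys.exit(1 if any(info["bad"] for info in report.values()) else 0)
```

A host that shows `staging: True` here has had Caddy fall back to the staging endpoint at some point; the certificate will also fail validation in browsers, which matches the unexplained connection breaks described earlier in the thread better than a CrowdSec problem would.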