Added support for crowdsec openresty bouncer.

[LePresidente]

https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1131

It can be enabled by setting the environment variable CROWDSEC_BOUNCER=1 The config file crowdsec-openresty-bouncer.conf will be available in /config/ for editing.

[baudneo]

I built your Docker image and followed all instructions but the openresty bouncer only does the initial check-in and then never hits the crowdsec Local API after initially being added?

• Docker logs for your image ->

  [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
  [s6-init] ensuring user provided files have correct perms...exited 0.
  [fix-attrs.d] applying ownership & permissions fixes...
  [fix-attrs.d] done.
  [cont-init.d] executing container initialization scripts...
  [cont-init.d] 00-app-niceness.sh: executing...
  [cont-init.d] 00-app-niceness.sh: exited 0.
  [cont-init.d] 00-app-script.sh: executing...
  [cont-init.d] 00-app-script.sh: exited 0.
  [cont-init.d] 00-app-user-map.sh: executing...
  [cont-init.d] 00-app-user-map.sh: exited 0.
  [cont-init.d] 00-clean-logmonitor-states.sh: executing...
  [cont-init.d] 00-clean-logmonitor-states.sh: exited 0.
  [cont-init.d] 00-clean-tmp-dir.sh: executing...
  [cont-init.d] 00-clean-tmp-dir.sh: exited 0.
  [cont-init.d] 00-set-app-deps.sh: executing...
  [cont-init.d] 00-set-app-deps.sh: exited 0.
  [cont-init.d] 00-set-home.sh: executing...
  [cont-init.d] 00-set-home.sh: exited 0.
  [cont-init.d] 00-take-config-ownership.sh: executing...
  [cont-init.d] 00-take-config-ownership.sh: exited 0.
  [cont-init.d] 00-xdg-runtime-dir.sh: executing...
  [cont-init.d] 00-xdg-runtime-dir.sh: exited 0.
  [cont-init.d] 90-db-upgrade.sh: executing...
  [cont-init.d] 90-db-upgrade.sh: exited 0.
  [cont-init.d] 99-crowdsec.sh: executing...
  [cont-init.d] 99-crowdsec.sh: exited 0.
  [cont-init.d] nginx-proxy-manager.sh: executing...
  ❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
  ❯ /etc/nginx/conf.d/default.conf
  ❯ /etc/nginx/conf.d/production.conf
  ❯ /etc/nginx/conf.d/include/force-ssl.conf
  ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
  ❯ /etc/nginx/conf.d/include/assets.conf
  ❯ /etc/nginx/conf.d/include/block-exploits.conf
  ❯ /etc/nginx/conf.d/include/proxy.conf
  ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
  ❯ /etc/nginx/conf.d/crowdsec_openresty.conf
  ❯ Enabling IPV6 in hosts: /config/nginx
  ❯ /config/nginx/resolvers.conf
  ❯ /config/nginx/ip_ranges.conf
  [cont-init.d] nginx-proxy-manager.sh: exited 0.
  [cont-init.d] done.
  [services.d] starting services
  [services.d] starting s6-fdholderd...
  [services.d] starting statusmonitor...
  [services.d] starting logmonitor...
  [statusmonitor] no file to monitor: disabling service...
  [logmonitor] no file to monitor: disabling service...
  [services.d] starting nginx...
  [services.d] starting cert_cleanup...
  [services.d] starting app...
  [nginx] starting...
  [app] starting Nginx Proxy Manager...
  [cert_cleanup] starting...
  [services.d] done.
  nginx: [alert] [lua] init_by_lua:8: [Crowdsec] Initialisation done
  [cert_cleanup] ----------------------------------------------------------
  [cert_cleanup] Let's Encrypt certificates cleanup - 2022/02/18 06:00:32
  [cert_cleanup] ----------------------------------------------------------
  [cert_cleanup] 0 file(s) kept.
  [cert_cleanup] 0 file(s) deleted.
  [2/18/2022] [6:00:32 AM] [Global   ] › ℹ  info      Manual db configuration already exists, skipping config creation from environment variables
  [2/18/2022] [6:00:34 AM] [Migrate  ] › ℹ  info      Current database version: none
  [2/18/2022] [6:00:35 AM] [Setup    ] › ℹ  info      Logrotate Timer initialized
  [2/18/2022] [6:00:35 AM] [Setup    ] › ℹ  info      Logrotate completed.
  [2/18/2022] [6:00:35 AM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
  [2/18/2022] [6:00:35 AM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
  [2/18/2022] [6:00:35 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
  [2/18/2022] [6:00:35 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
  [2/18/2022] [6:00:35 AM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
  [2/18/2022] [6:00:35 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
  [2/18/2022] [6:00:35 AM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
  [2/18/2022] [6:00:35 AM] [Global   ] › ℹ  info      Backend PID 636 listening on port 3000 ...
  [2/18/2022] [6:00:37 AM] [Nginx    ] › ℹ  info      Reloading Nginx
  [2/18/2022] [6:00:37 AM] [SSL      ] › ℹ  info      Renew Complete

• Output on my corwdsec local API from cscli bouncers list right after adding crowdsec URL and API key

  ❯ cscli bouncers list
  -----------------------------------------------------------------------------------------------------------------------------------------------------------
  NAME              IP ADDRESS  VALID  LAST API PULL         TYPE                         VERSION
  -----------------------------------------------------------------------------------------------------------------------------------------------------------
  ZM-IPtables       10.0.0.30   ✔️      2022-02-18T06:00:37Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
  Local-cloudflare  ::1         ✔️      2022-02-18T06:00:34Z  crowdsec-cloudflare-bouncer  v0.0.8-debian-pragmatic-38768ad6e47bc7ce058668ef286de303f897d705
  Local-IPtables    ::1         ✔️      2022-02-18T06:00:36Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
  proxmox-iptables  10.0.0.4    ✔️      2022-02-18T06:00:31Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
  npm-openresty                 ✔️      2022-02-18T06:00:07Z
  -----------------------------------------------------------------------------------------------------------------------------------------------------------

• Output after waiting a few minutes to see if the openresty bouncer keeps polling for decisions

  -----------------------------------------------------------------------------------------------------------------------------------------------------------
  NAME              IP ADDRESS  VALID  LAST API PULL         TYPE                         VERSION
  -----------------------------------------------------------------------------------------------------------------------------------------------------------
  ZM-IPtables       10.0.0.30   ✔️      2022-02-18T06:06:37Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
  Local-cloudflare  ::1         ✔️      2022-02-18T06:06:44Z  crowdsec-cloudflare-bouncer  v0.0.8-debian-pragmatic-38768ad6e47bc7ce058668ef286de303f897d705
  Local-IPtables    ::1         ✔️      2022-02-18T06:06:36Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
  proxmox-iptables  10.0.0.4    ✔️      2022-02-18T06:06:41Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
  npm-openresty                 ✔️      2022-02-18T06:00:07Z
  -----------------------------------------------------------------------------------------------------------------------------------------------------------

As far as I am aware the bouncer should be polling the local API every 30 seconds by default.

[LePresidente]

just to confirm after you edited /config/crowdsec-openresty-bouncer.conf you restarted the docker container?

[baudneo]

Yes, I did a --force-recreate as well after just to be triple sure. Can you confirm that your openresty bouncer keeps polling your local API? I had the same issue on bare metal with the openresty bouncer -> https://github.com/crowdsecurity/cs-openresty-bouncer/issues/13

[LePresidente]

it takes a while to sync also you need to connect to a website hosted on NPM for it to kick in by the looks of things

time="18-02-2022 08:24:48" level=warning msg="new IP address detected for bouncer 'nginxtest': 172.17.0.1 (old: 172.17.0.4)"

time="18-02-2022 08:24:48" level=info msg="172.17.0.1 - [Fri, 18 Feb 2022 08:24:48 SAST] \"GET /v1/decisions/stream?startup=true HTTP/1.1 200 278.549815ms \"crowdsec-openresty-bouncer/v0.0.1\" \""
time="18-02-2022 08:24:58" level=info msg="172.17.0.1 - [Fri, 18 Feb 2022 08:24:58 SAST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 67.167224ms \"crowdsec-openresty-bouncer/v0.0.1\" \""

[baudneo]

Awesome, thats the first time ive seen confirmation the openresty bouncer works!

[LePresidente]

I'm going to close this and rework it not a fan of how it's currently implemented.