Closed LePresidente closed 2 years ago
I built your Docker image and followed all the instructions, but the openresty bouncer only does the initial check-in and then never hits the crowdsec Local API after initially being added?
Docker logs for your image ->
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-app-niceness.sh: executing...
[cont-init.d] 00-app-niceness.sh: exited 0.
[cont-init.d] 00-app-script.sh: executing...
[cont-init.d] 00-app-script.sh: exited 0.
[cont-init.d] 00-app-user-map.sh: executing...
[cont-init.d] 00-app-user-map.sh: exited 0.
[cont-init.d] 00-clean-logmonitor-states.sh: executing...
[cont-init.d] 00-clean-logmonitor-states.sh: exited 0.
[cont-init.d] 00-clean-tmp-dir.sh: executing...
[cont-init.d] 00-clean-tmp-dir.sh: exited 0.
[cont-init.d] 00-set-app-deps.sh: executing...
[cont-init.d] 00-set-app-deps.sh: exited 0.
[cont-init.d] 00-set-home.sh: executing...
[cont-init.d] 00-set-home.sh: exited 0.
[cont-init.d] 00-take-config-ownership.sh: executing...
[cont-init.d] 00-take-config-ownership.sh: exited 0.
[cont-init.d] 00-xdg-runtime-dir.sh: executing...
[cont-init.d] 00-xdg-runtime-dir.sh: exited 0.
[cont-init.d] 90-db-upgrade.sh: executing...
[cont-init.d] 90-db-upgrade.sh: exited 0.
[cont-init.d] 99-crowdsec.sh: executing...
[cont-init.d] 99-crowdsec.sh: exited 0.
[cont-init.d] nginx-proxy-manager.sh: executing...
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
❯ /etc/nginx/conf.d/default.conf
❯ /etc/nginx/conf.d/production.conf
❯ /etc/nginx/conf.d/include/force-ssl.conf
❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
❯ /etc/nginx/conf.d/include/assets.conf
❯ /etc/nginx/conf.d/include/block-exploits.conf
❯ /etc/nginx/conf.d/include/proxy.conf
❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
❯ /etc/nginx/conf.d/crowdsec_openresty.conf
❯ Enabling IPV6 in hosts: /config/nginx
❯ /config/nginx/resolvers.conf
❯ /config/nginx/ip_ranges.conf
[cont-init.d] nginx-proxy-manager.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] starting s6-fdholderd...
[services.d] starting statusmonitor...
[services.d] starting logmonitor...
[statusmonitor] no file to monitor: disabling service...
[logmonitor] no file to monitor: disabling service...
[services.d] starting nginx...
[services.d] starting cert_cleanup...
[services.d] starting app...
[nginx] starting...
[app] starting Nginx Proxy Manager...
[cert_cleanup] starting...
[services.d] done.
nginx: [alert] [lua] init_by_lua:8: [Crowdsec] Initialisation done
[cert_cleanup] ----------------------------------------------------------
[cert_cleanup] Let's Encrypt certificates cleanup - 2022/02/18 06:00:32
[cert_cleanup] ----------------------------------------------------------
[cert_cleanup] 0 file(s) kept.
[cert_cleanup] 0 file(s) deleted.
[2/18/2022] [6:00:32 AM] [Global ] › ℹ info Manual db configuration already exists, skipping config creation from environment variables
[2/18/2022] [6:00:34 AM] [Migrate ] › ℹ info Current database version: none
[2/18/2022] [6:00:35 AM] [Setup ] › ℹ info Logrotate Timer initialized
[2/18/2022] [6:00:35 AM] [Setup ] › ℹ info Logrotate completed.
[2/18/2022] [6:00:35 AM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[2/18/2022] [6:00:35 AM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[2/18/2022] [6:00:35 AM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[2/18/2022] [6:00:35 AM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[2/18/2022] [6:00:35 AM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[2/18/2022] [6:00:35 AM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[2/18/2022] [6:00:35 AM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[2/18/2022] [6:00:35 AM] [Global ] › ℹ info Backend PID 636 listening on port 3000 ...
[2/18/2022] [6:00:37 AM] [Nginx ] › ℹ info Reloading Nginx
[2/18/2022] [6:00:37 AM] [SSL ] › ℹ info Renew Complete
Output on my crowdsec local API from cscli bouncers list, right after adding the crowdsec URL and API key:
❯ cscli bouncers list
-----------------------------------------------------------------------------------------------------------------------------------------------------------
 NAME              IP ADDRESS  VALID  LAST API PULL         TYPE                         VERSION
-----------------------------------------------------------------------------------------------------------------------------------------------------------
 ZM-IPtables       10.0.0.30   ✔️     2022-02-18T06:00:37Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
 Local-cloudflare  ::1         ✔️     2022-02-18T06:00:34Z  crowdsec-cloudflare-bouncer  v0.0.8-debian-pragmatic-38768ad6e47bc7ce058668ef286de303f897d705
 Local-IPtables    ::1         ✔️     2022-02-18T06:00:36Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
 proxmox-iptables  10.0.0.4    ✔️     2022-02-18T06:00:31Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
 npm-openresty                 ✔️     2022-02-18T06:00:07Z
-----------------------------------------------------------------------------------------------------------------------------------------------------------
Output after waiting a few minutes to see if the openresty bouncer keeps polling for decisions:
-----------------------------------------------------------------------------------------------------------------------------------------------------------
 NAME              IP ADDRESS  VALID  LAST API PULL         TYPE                         VERSION
-----------------------------------------------------------------------------------------------------------------------------------------------------------
 ZM-IPtables       10.0.0.30   ✔️     2022-02-18T06:06:37Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
 Local-cloudflare  ::1         ✔️     2022-02-18T06:06:44Z  crowdsec-cloudflare-bouncer  v0.0.8-debian-pragmatic-38768ad6e47bc7ce058668ef286de303f897d705
 Local-IPtables    ::1         ✔️     2022-02-18T06:06:36Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
 proxmox-iptables  10.0.0.4    ✔️     2022-02-18T06:06:41Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
 npm-openresty                 ✔️     2022-02-18T06:00:07Z
-----------------------------------------------------------------------------------------------------------------------------------------------------------
As far as I am aware the bouncer should be polling the local API every 30 seconds by default.
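The comparison the reporter makes by eye above (every bouncer's LAST API PULL advances except npm-openresty's) can be turned into a check. The following is an added example, not code from the issue, NPM or CrowdSec: it parses the plain-text `cscli bouncers list` output and flags any bouncer whose last pull is older than a few multiples of the expected poll interval. The second snapshot from the post is embedded as constructed input; the capture time `2022-02-18T06:06:45Z`, the 30 s interval taken from the post, and the 4x threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the second `cscli bouncers list` snapshot from the issue,
# reproduced as plain text (not fetched from a running LAPI).
SNAPSHOT = """\
-----------------------------------------------------------------------------
 NAME              IP ADDRESS  VALID  LAST API PULL         TYPE                         VERSION
-----------------------------------------------------------------------------
 ZM-IPtables       10.0.0.30   ✔️     2022-02-18T06:06:37Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
 Local-cloudflare  ::1         ✔️     2022-02-18T06:06:44Z  crowdsec-cloudflare-bouncer  v0.0.8-debian-pragmatic-38768ad6e47bc7ce058668ef286de303f897d705
 Local-IPtables    ::1         ✔️     2022-02-18T06:06:36Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
 proxmox-iptables  10.0.0.4    ✔️     2022-02-18T06:06:41Z  crowdsec-firewall-bouncer    v0.0.22-debian-pragmatic-f64e94b59a948717c3dc848f9abebb27b5974714
 npm-openresty                 ✔️     2022-02-18T06:00:07Z
-----------------------------------------------------------------------------
"""

# Assumed default stream poll interval (the post says "every 30 seconds").
# A bouncer is flagged once its last pull is older than a few multiples of it.
DEFAULT_POLL_SECONDS = 30

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")
IP_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]*)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_bouncers_table(text):
    """Rows of the cscli table as dicts; header, rule and blank lines are skipped.
    IP/TYPE/VERSION may be empty (as for npm-openresty), so each row is anchored
    on the LAST API PULL timestamp instead of on a fixed column count."""
    rows = []
    for line in text.splitlines():
        m = TS_RE.search(line)
        if not m:
            continue
        tokens = line.split()
        trailing = line[m.end():].split()          # TYPE and VERSION, if present
        rows.append({
            "name": tokens[0],
            "ip": tokens[1] if len(tokens) > 1 and IP_RE.match(tokens[1]) else "",
            "valid": "\u2714" in line,            # the ✔️ mark in the VALID column
            "last_pull": parse_ts(m.group(0)),
            "type": trailing[0] if trailing else "",
            "version": trailing[1] if len(trailing) > 1 else "",
        })
    return rows


def pull_ages(text, now_iso):
    """Seconds since each bouncer's last pull, measured at now_iso (UTC)."""
    now = parse_ts(now_iso)
    return {r["name"]: int((now - r["last_pull"]).total_seconds())
            for r in parse_bouncers_table(text)}


def stale_in_snapshot(text=SNAPSHOT, now_iso="2022-02-18T06:06:45Z",
                      max_age_seconds=4 * DEFAULT_POLL_SECONDS):
    """Names of bouncers that have not pulled within max_age_seconds of now_iso.
    The default now_iso is an assumed capture time, one second after the newest
    pull in the constructed snapshot."""
    return [name for name, age in pull_ages(text, now_iso).items()
            if age > max_age_seconds]


if __name__ == "__main__":
    for name, age in pull_ages(SNAPSHOT, "2022-02-18T06:06:45Z").items():
        print(f"{name:18} last pull {age:4d}s ago")
    print("stale:", stale_in_snapshot())
```

On the snapshot above this reports npm-openresty at 398 s since its last pull while the firewall and cloudflare bouncers are all under 10 s, which is the symptom the reporter describes. Anchoring on the timestamp rather than column position matters precisely for the failing row: a bouncer that never completed a pull has no IP, TYPE or VERSION filled in, and a naive split-by-column parser would misread it.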
Just to confirm: after you edited /config/crowdsec-openresty-bouncer.conf, you restarted the docker container?
Yes, I did a --force-recreate as well afterwards, just to be triple sure. Can you confirm that your openresty bouncer keeps polling your local API? I had the same issue on bare metal with the openresty bouncer -> https://github.com/crowdsecurity/cs-openresty-bouncer/issues/13
It takes a while to sync; also, you need to connect to a website hosted on NPM for it to kick in, by the looks of things.
time="18-02-2022 08:24:48" level=warning msg="new IP address detected for bouncer 'nginxtest': 172.17.0.1 (old: 172.17.0.4)"
time="18-02-2022 08:24:48" level=info msg="172.17.0.1 - [Fri, 18 Feb 2022 08:24:48 SAST] \"GET /v1/decisions/stream?startup=true HTTP/1.1 200 278.549815ms \"crowdsec-openresty-bouncer/v0.0.1\" \""
time="18-02-2022 08:24:58" level=info msg="172.17.0.1 - [Fri, 18 Feb 2022 08:24:58 SAST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 67.167224ms \"crowdsec-openresty-bouncer/v0.0.1\" \""
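The LAPI log lines quoted above are the other side of the same check: the bouncer first requests `/v1/decisions/stream?startup=true` (the full set of active decisions) and from then on `startup=false` (only changes since the previous pull). The following is an added example, not code from the issue or from CrowdSec: it parses such access-log lines per bouncer user agent, measures the interval between consecutive pulls, and reports agents that have gone quiet relative to the newest line in the log. The two openresty lines are copied from the comment; the extra openresty pulls, the firewall bouncer at 10.0.0.30, its user-agent string and its 30 s cadence are constructed for the example and are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modeled on the LAPI log quoted above. The warning line and
# the first two stream pulls are copied from the comment; everything after them
# is invented so there is something to measure. Not captured from a real LAPI.
LAPI_LOG = r"""
time="18-02-2022 08:24:48" level=warning msg="new IP address detected for bouncer 'nginxtest': 172.17.0.1 (old: 172.17.0.4)"
time="18-02-2022 08:24:48" level=info msg="172.17.0.1 - [Fri, 18 Feb 2022 08:24:48 SAST] \"GET /v1/decisions/stream?startup=true HTTP/1.1 200 278.549815ms \"crowdsec-openresty-bouncer/v0.0.1\" \""
time="18-02-2022 08:24:58" level=info msg="172.17.0.1 - [Fri, 18 Feb 2022 08:24:58 SAST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 67.167224ms \"crowdsec-openresty-bouncer/v0.0.1\" \""
time="18-02-2022 08:25:08" level=info msg="172.17.0.1 - [Fri, 18 Feb 2022 08:25:08 SAST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 60.000000ms \"crowdsec-openresty-bouncer/v0.0.1\" \""
time="18-02-2022 08:25:10" level=info msg="10.0.0.30 - [Fri, 18 Feb 2022 08:25:10 SAST] \"GET /v1/decisions/stream?startup=true HTTP/1.1 200 12.000000ms \"crowdsec-firewall-bouncer/v0.0.22\" \""
time="18-02-2022 08:25:18" level=info msg="172.17.0.1 - [Fri, 18 Feb 2022 08:25:18 SAST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 59.000000ms \"crowdsec-openresty-bouncer/v0.0.1\" \""
time="18-02-2022 08:25:40" level=info msg="10.0.0.30 - [Fri, 18 Feb 2022 08:25:40 SAST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 11.000000ms \"crowdsec-firewall-bouncer/v0.0.22\" \""
time="18-02-2022 08:26:10" level=info msg="10.0.0.30 - [Fri, 18 Feb 2022 08:26:10 SAST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 10.000000ms \"crowdsec-firewall-bouncer/v0.0.22\" \""
time="18-02-2022 08:26:40" level=info msg="10.0.0.30 - [Fri, 18 Feb 2022 08:26:40 SAST] \"GET /v1/decisions/stream?startup=false HTTP/1.1 200 10.000000ms \"crowdsec-firewall-bouncer/v0.0.22\" \""
"""

# One access-log line for a decision stream pull. The request and the user agent
# are \"-quoted inside the msg= field, so the pattern matches backslash-quote pairs.
STREAM_RE = re.compile(
    r'^time="(?P<ts>[^"]+)" level=\w+ msg="(?P<client>\S+) - \[[^\]]*\] '
    r'\\"GET /v1/decisions/stream\?startup=(?P<startup>true|false) HTTP/1\.1 '
    r'(?P<status>\d{3}) (?P<latency>\S+) \\"(?P<agent>[^\\]+)\\"'
)


def parse_stream_pulls(log_text):
    """Stream pulls in log order; non-matching lines (e.g. the IP-change warning) are skipped."""
    pulls = []
    for line in log_text.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        pulls.append({
            "ts": datetime.strptime(m["ts"], "%d-%m-%Y %H:%M:%S"),
            "client": m["client"],
            "startup": m["startup"] == "true",   # True = full decision list, False = delta
            "status": int(m["status"]),
            "agent": m["agent"],
        })
    return pulls


def poll_intervals(pulls):
    """Seconds between consecutive pulls, keyed by bouncer user agent."""
    times = {}
    for p in pulls:
        times.setdefault(p["agent"], []).append(p["ts"])
    return {agent: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for agent, ts in times.items()}


def silent_agents(pulls, max_gap_seconds):
    """Agents whose newest pull is more than max_gap_seconds behind the newest pull in the log."""
    latest = max(p["ts"] for p in pulls)
    last_seen = {}
    for p in pulls:
        last_seen[p["agent"]] = max(last_seen.get(p["agent"], p["ts"]), p["ts"])
    return sorted(a for a, t in last_seen.items()
                  if (latest - t).total_seconds() > max_gap_seconds)


if __name__ == "__main__":
    pulls = parse_stream_pulls(LAPI_LOG)
    for agent, gaps in poll_intervals(pulls).items():
        print(f"{agent}: intervals {gaps}")
    print("silent for >60s:", silent_agents(pulls, 60))
```

In the constructed sample the openresty bouncer polls every 10 s, as the two quoted lines suggest, and then stops after 08:25:18 while the firewall bouncer keeps a 30 s cadence, so it is reported as silent. Run against a real LAPI log this is the direct answer to the reporter's question: an agent that appears with `startup=true` once and never again has registered but is not polling.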
Awesome, that's the first time I've seen confirmation the openresty bouncer works!
I'm going to close this and rework it; not a fan of how it's currently implemented.
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1131
It can be enabled by setting the environment variable CROWDSEC_BOUNCER=1. The config file crowdsec-openresty-bouncer.conf will be available in /config/ for editing.