jlesage / docker-nginx-proxy-manager

Docker container for Nginx Proxy Manager
MIT License

Crowdsec Openresty Bouncer Support #238

Open LePresidente opened 2 years ago

LePresidente commented 2 years ago

This adds support for Nginx Proxy Manager to be a firewall bouncer for Crowdsec.

Blog post on what this does: https://crowdsec.net/blog/nginx-bouncer-v1/

This has been expanded to be a permanent addon to Nginx Proxy Manager.

There are three configurations that would need to be configurable from Nginx Proxy Manager to configure the crowdsec-openresty-bouncer:

File: /config/crowdsec/crowdsec-openresty-bouncer.conf

#Enables/Disables the Proxy (true|false)
ENABLED=false
#URL to the crowdsec api
API_URL=
#APIKEY to the crowdsec api, generated on crowdsec using `cscli bouncers add NPM`
API_KEY=

Idea being this will eventually be editable in Nginx Proxy Manager.
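A pre-start sanity check for the three settings listed in the comment above, as an added example that is not part of the PR or the project's code. It assumes the file keeps the plain KEY=value layout shown, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the PR. Function names are hypothetical.

# conf_get FILE KEY: print the value of the last uncommented "KEY=" line.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# lint_bouncer_conf FILE: print findings; return the number of errors.
lint_bouncer_conf() {
    conf=$1
    errors=0
    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read $conf"
        return 1
    fi
    enabled=$(conf_get "$conf" ENABLED)
    api_url=$(conf_get "$conf" API_URL)
    api_key=$(conf_get "$conf" API_KEY)

    # The file documents ENABLED as (true|false); reject anything else.
    case $enabled in
        true|false) ;;
        *) echo "ERROR: ENABLED must be true or false, got '$enabled'"
           errors=$((errors + 1)) ;;
    esac

    # An enabled bouncer with no API URL or key cannot query CrowdSec.
    if [ "$enabled" = true ]; then
        case $api_url in
            http://?*|https://?*) ;;
            *) echo "ERROR: ENABLED=true but API_URL is not an http(s) URL"
               errors=$((errors + 1)) ;;
        esac
        if [ -z "$api_key" ]; then
            echo "ERROR: ENABLED=true but API_KEY is empty"
            errors=$((errors + 1))
        fi
    fi

    # The file stores a credential: warn when every local user can read it.
    if [ -n "$api_key" ] && [ -n "$(find "$conf" -perm -004)" ]; then
        echo "WARN: $conf holds API_KEY and is world-readable"
    fi
    return "$errors"
}
```

Calling `lint_bouncer_conf /config/crowdsec/crowdsec-openresty-bouncer.conf` before Nginx starts catches an enabled bouncer with no API key or URL before it goes live.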

jlesage commented 2 years ago

Why not integrate this new feature into Nginx Proxy Manager instead? The whole point of NPM is to provide a nice UI to ease configuration. Adding a new feature outside NPM is a quick way to implement it, but at the same time, it defeats the goal of the original project.

LePresidente commented 2 years ago

Think this fits more into an Nginx module that expands Nginx-proxy-manager than something Nginx-proxy-manager will handle and install by itself as it's a completely separate project and some people won't even want to enable it unless they have a crowdsec instance on their network.

I have a PR open on the main repo as well https://github.com/NginxProxyManager/nginx-proxy-manager/pull/1875

Maybe we should wait for upstream and see what is said there.

LePresidente commented 2 years ago

Though thinking about this a little more, I think having them separate is better in the long run as updates can be done independently and bug fixes to crowdsec don't mean a new docker release for NPM.

jlesage commented 2 years ago

> Think this fits more into an Nginx module that expands Nginx-proxy-manager than something Nginx-proxy-manager will handle and install by itself as it's a completely separate project and some people won't even want to enable it unless they have a crowdsec instance on their network.

I think the software should come pre-installed into the container. I agree that it's not the job of NPM to install it. However, the NPM UI should offer an interface to enable and configure the feature. It's similar to Let's Encrypt: this is a piece of software completely independent from Nginx, but it is still well integrated into NPM.

> Though thinking about this a little more, I think having them separate is better in the long run as updates can be done independently and bug fixes to crowdsec don't mean a new docker release for NPM.

I think this method is good for advanced people, but I prefer to have containers that have "fixed" software implemented. This way, you provide containers with better predictability, meaning that a specific version "x.y.z" has more chance to behave the same way for everybody, as it does not depend on optional software that may or may not be installed. This also has the benefit of allowing people to revert back to a specific version in case of a problem with a particular image. And as developer of the image, this provides a better guarantee that a published image will work for everybody.

From the updatability point of view, I prefer to publish a new Docker image every time a piece of software is updated. This eases the life of people, since only the container image needs to be updated. People don't need to manage multiple different updates. Again, this may not bother some people, but I think that the vast majority don't like to micro-manage their containers.

LePresidente commented 2 years ago

OK, I see what you're saying. Let me see what I can do.

LePresidente commented 2 years ago

OK, I think that fits the criteria. Waiting on any input in the main nginx proxy manager about how to go about adding the settings into NPM.

arsaboo commented 2 years ago

Thanks for your work on this....would love for this to be available soon 👍

LePresidente commented 2 years ago

OK, this is pretty much done. It looks like it's going to be added upstream like this as well: https://github.com/NginxProxyManager/docker-nginx-full/pull/8

Was added before but found a weird openresty, lua memory bug when loading the whole ca-certs file for the captcha ban scenario.

bmunro-peralex commented 11 months ago

I'll rebase this again to a single commit, seems to be getting out of hand.