maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection
Apache License 2.0

[BUG] Second bouncer missing information #103

Closed lordraiden closed 1 year ago

lordraiden commented 1 year ago

Describe the bug 🐛 I have registered 2 apps using the bouncer, each with its own middleware, but only one of them looks properly registered

[image]

Expected behavior 👀 IP and type columns filled out with info

Context 🔎

http:

  # Home Assistant
  routers:

    homeassistant:
      entryPoints:
        - https443
      rule: 'Host(`ha.subzerocloud.com.es`)'
      service: homeassistant
      middlewares:
        - traefik-ha-csbouncer

    plex:
      entryPoints:
        - https443
      rule: 'Host(`plex.subzerocloud.com.es`)'
      service: plex
      middlewares:
        - traefik-plex-csbouncer

  services:

    homeassistant:
      loadBalancer:
        servers:
          - url: http://10.10.10.100:8123/

    plex:
      loadBalancer:
        servers:
          - url: http://10.10.50.20:32400/

  ## MIDDLEWARES ##
  middlewares:

    # Only Allow Local networks
    local-ipwhitelist:
      ipWhiteList:
        sourceRange: 
          - 10.10.10.1/24 # localhost

    traefik-ha-csbouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          enabled: true
          logLevel: INFO
          updateIntervalSeconds: 30 # stream mode only
          #defaultDecisionSeconds: 60 # live mode only
          crowdsecMode: stream
          crowdsecLapiKey: ssgsdgfsdfgdfgsdfgs # Api key for 'traefik-ha' (a space before '#' is needed, otherwise the comment becomes part of the key)
          crowdsecLapiHost: 10.10.50.11:8080
          crowdsecLapiScheme: http
          crowdsecLapiTLSInsecureVerify: false
          #forwardedHeadersTrustedIPs:   # List of IPs of trusted Proxies that are in front of traefik (ex: Cloudflare)
          clientTrustedIPs: 
            - 10.10.10.1/24
          forwardedHeadersCustomName: X-Forwarded-For
          #redisCacheEnabled: false
          #redisCacheHost: "redis:6379"
          #redisCachePassword: password
          #redisCacheDatabase: "5"

    traefik-plex-csbouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          enabled: true
          logLevel: INFO
          updateIntervalSeconds: 30 # stream mode only
          #defaultDecisionSeconds: 60 # live mode only
          crowdsecMode: stream
          crowdsecLapiKey: fgdgfdsfdgsdfgsdgfgfdssfgd # Api key for 'traefik-ha' (a space before '#' is needed, otherwise the comment becomes part of the key)
          crowdsecLapiHost: 10.10.50.11:8080
          crowdsecLapiScheme: http
          crowdsecLapiTLSInsecureVerify: false
          #forwardedHeadersTrustedIPs:   # List of IPs of trusted Proxies that are in front of traefik (ex: Cloudflare)
          clientTrustedIPs: 
            - 10.10.10.1/24
          forwardedHeadersCustomName: X-Forwarded-For
          #redisCacheEnabled: false
          #redisCacheHost: "redis:6379"
          #redisCachePassword: password
          #redisCacheDatabase: "5"

Version: Traefik 2.10, Docker Compose, plugin latest

Is this the right behavior? I have tested the plex domain and if I add my local IP to the list it blocks me, so it's working.

mathieuHa commented 1 year ago

Hey,

Is this the right behavior?

Yes it is!

You are using the stream mode: Stream: Streaming mode allows you to keep in the local cache only the banned IPs; every request that does not hit the cache is authorized. Every minute, the cache is updated with news from the Crowdsec LAPI.

The plugin has to query crowdsec for updates (new IPs added and removed) periodically. It does so every minute by default and updates the cache in memory or in Redis.

The cache either in memory or in redis is shared between all instances of the middleware.
This is by design.

Only one instance will query the crowdsec LAPI and update the cache. This avoids duplication of the IP in the cache.

You can use the same instance of the middleware to protect multiple services.

Best, Mathieu

lordraiden commented 1 year ago

But I understood by this that I need to create a new middleware with an exclusive API key for each service to be protected

[image]

So can I use the middleware "traefik-ha-csbouncer" to protect more than 1 service? then what is the real meaning of the screenshot above? Or by service means by traefik instance?

mathieuHa commented 1 year ago

Yes you are right.

The documentation is unclear. You can use multiple bouncer keys, but only one will be used to fetch updates when using the stream mode. I will update the examples and readme to clarify this.

So you can use the same middleware instance to protect any number of services.
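The configuration the maintainer describes, written out as an added example (this is not code from the issue, the plugin's README or its repository): a single stream-mode middleware attached to both routers, so only one bouncer key is needed and only one instance polls the LAPI. Hostnames, backend addresses and the plugin key name are the ones from the issue; the middleware name `crowdsec-bouncer` and the LAPI key placeholder are assumptions you must adapt, and the plugin key under `plugin:` has to match the name declared under `experimental.plugins` in Traefik's static configuration. The trusted range is written as the network address `10.10.10.0/24` rather than `10.10.10.1/24`, and the key line shows the YAML comment caveat from the original config: `#` only starts a comment when preceded by whitespace, otherwise the comment text becomes part of the key value.

```yaml
# Added example: one shared stream-mode bouncer middleware for several services.
http:
  routers:
    homeassistant:
      entryPoints:
        - https443
      rule: 'Host(`ha.subzerocloud.com.es`)'
      service: homeassistant
      middlewares:
        - crowdsec-bouncer           # same middleware instance on every protected router

    plex:
      entryPoints:
        - https443
      rule: 'Host(`plex.subzerocloud.com.es`)'
      service: plex
      middlewares:
        - crowdsec-bouncer

  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: http://10.10.10.100:8123/
    plex:
      loadBalancer:
        servers:
          - url: http://10.10.50.20:32400/

  middlewares:
    crowdsec-bouncer:                # assumed name; referenced by both routers above
      plugin:
        crowdsec-bouncer-traefik-plugin:   # must match the plugin name in the static config
          enabled: true
          logLevel: INFO
          crowdsecMode: stream
          updateIntervalSeconds: 30  # how often the single fetcher pulls added/removed decisions
          crowdsecLapiScheme: http
          crowdsecLapiHost: 10.10.50.11:8080
          # One bouncer key is enough for all routers. Keep a space before '#':
          # "abc# comment" is the literal key "abc# comment", not the key "abc".
          crowdsecLapiKey: REPLACE_WITH_OUTPUT_OF_cscli_bouncers_add  # placeholder, assumption
          clientTrustedIPs:
            - 10.10.10.0/24          # LAN is never blocked
          forwardedHeadersCustomName: X-Forwarded-For
```

To check that the shared cache really covers both services, add a test decision on the LAPI side with `cscli decisions add --ip <a non-LAN test IP> --duration 2m --reason test`; after at most `updateIntervalSeconds` the banned IP should be refused on both `ha.` and `plex.` hosts, and removing the decision should let it through again after the next refresh.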

vnghia commented 1 year ago

I see the same phenomenon. Is there any difference between using one instance and multiple instances of the plugin, like performance ?

mathieuHa commented 1 year ago

I see the same phenomenon. Is there any difference between using one instance and multiple instances of the plugin, like performance ?

Hey, there is no difference.
Actually, we only use one of the stream instances to download the updates from the LAPI. We will make it more clear in the readme that in stream mode, only one instance is really needed.

Best,