Open thespad opened 4 months ago
Hi,
Thanks for using the plugin.
When we added the support for appsec, we thought about "scheme" to connect to the LAPI and Appsec.
Because we already have a lot of variables, we decided not to add support by default for different supported schemes.
We wanted to see if it was really needed before implementing it.
I believe it needs at least 2 variables, scheme + insecure, and 2 objects in the bouncer httpClient containing a tlsconfig. It is added to the to-do list; we will update you soon.
Yeah, I understand the desire not to add a bunch more configuration options but unfortunately the way Crowdsec have implemented their appsec component it's perfectly legitimate to have your bouncer talking to a Central LAPI endpoint for normal decisions but a local crowdsec instance for appsec - and in a docker setup that means that configuring https for that appsec instance is a lot of work for little gain because you can push it all over a private docker network.
In the meantime I'm sending all my appsec traffic back to the central LAPI to keep everything secure, and the latency isn't a huge issue in my setup, but it would be nice to be able to split them up.
Is your feature request related to a problem? Please describe. 🐛
Currently (or rather in the RC) the appsec and LAPI endpoints both use crowdsecLapiScheme (https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/pull/123/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R79) but there are scenarios where this doesn't work - such as pointing at a central LAPI service served over https and a local appsec service over an internal docker network served over http.

Describe the solution you'd like ✨
Allow separate schemes for LAPI and Appsec endpoints
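
The split discussed in this thread, as an added Go example (not the plugin's code): each endpoint gets its own scheme, insecure flag and `http.Client` with its own `tls.Config`, so relaxing verification for one endpoint never affects the other. The `Endpoint` type, its field names, `NewClient` and the host values are hypothetical, and rejecting the insecure flag on a plain-http endpoint is an assumption of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/url"
)

// Endpoint is a hypothetical per-service setting; the plugin's real option names may differ.
type Endpoint struct {
	Scheme         string // "http" or "https"
	Host           string // host:port
	InsecureVerify bool   // skip certificate verification (https only)
}

// NewClient builds a dedicated client and base URL for one endpoint, so the
// TLS choices made for LAPI never leak into the appsec client or vice versa.
func NewClient(e Endpoint) (*http.Client, *url.URL, error) {
	if e.Scheme != "http" && e.Scheme != "https" {
		return nil, nil, fmt.Errorf("unsupported scheme %q", e.Scheme)
	}
	if e.Host == "" {
		return nil, nil, fmt.Errorf("empty host")
	}
	// Assumption of this example: flag a config that asks to skip
	// verification on a connection that has no TLS at all.
	if e.Scheme == "http" && e.InsecureVerify {
		return nil, nil, fmt.Errorf("insecure verify set on a plain-http endpoint")
	}
	tr := &http.Transport{}
	if e.Scheme == "https" {
		tr.TLSClientConfig = &tls.Config{
			MinVersion:         tls.VersionTLS12,
			InsecureSkipVerify: e.InsecureVerify,
		}
	}
	return &http.Client{Transport: tr}, &url.URL{Scheme: e.Scheme, Host: e.Host}, nil
}

func main() {
	// Constructed values: central LAPI over https, local appsec over http on a private network.
	_, lapi, _ := NewClient(Endpoint{Scheme: "https", Host: "lapi.example.internal:8080"})
	_, appsec, _ := NewClient(Endpoint{Scheme: "http", Host: "crowdsec:7422"})
	fmt.Println(lapi, appsec)
}
```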