maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection
Apache License 2.0

Getting "Client.Timeout exceeded while awaiting headers" error in traefik log #165

Closed rama31244 closed 6 months ago

rama31244 commented 6 months ago

Describe the bug 🐛

I run crowdsec as a docker container on my unraid server and have recently found I often get the crowdsec ban page when I'm trying to access my applications externally. There is no decision against my IP though and refreshing often brings the page up correctly. When I check the traefik log, I see the following error:

ERROR: CrowdsecBouncerTraefikPlugin: 2024/05/12 10:31:14 crowdsecQuery url:http://crowdsec:8080/v1/decisions/stream?startup=false Get "http://crowdsec:8080/v1/decisions/stream?startup=false": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Expected behavior 👀

Being able to access my applications without Crowdsec ban pages coming up

Context 🔎

Before posting, make sure to use the logLevel: DEBUG of the plugin and see if you can fix the error yourself. If not, post your plugin configuration file (anonymize IP and secret key) and a partial log file where the error is encountered.

Version (please complete the following information):

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'https://application.mydomain.com' and crowdsec ban page sometimes comes up
  2. Check traefik log and see the Client.Timeout error
  3. Refresh or try different browser/device and application works

Any help would be appreciated, thanks

mathieuHa commented 6 months ago

Hi @rama31244,

You may try to increase the HTTPTimeoutSeconds setting; it is the default timeout in seconds for contacting Crowdsec LAPI.

When you can't reach it, then it is the expected behavior to be blocked.

In a future release (1.3.1), the setting UpdateMaxFailure (used only in stream and alone mode: the maximum number of times we cannot reach Crowdsec before blocking traffic; set -1 to never block) can be used to temporise before blocking when LAPI is unreachable.

To help you debug further, we need more information: debug logs from Traefik startup, docker-compose.
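An added example, not part of the thread and not the plugin's source: a Go sketch of how a short client timeout produces the logged error and how a failure tolerance changes when traffic gets blocked. `streamPoller`, `refresh` and `simulate` are hypothetical names, the local server and its JSON body are constructed, and the counting rule is an assumed reading of the UpdateMaxFailure description above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// streamPoller is a hypothetical stand-in for a stream-mode refresh loop.
type streamPoller struct {
	client     *http.Client
	maxFailure int // failed refreshes tolerated before blocking; -1 = never block (assumed rule)
	failures   int
	lastErr    error
}

// refresh polls once and reports whether traffic would be blocked afterwards.
func (p *streamPoller) refresh(url string) bool {
	resp, err := p.client.Get(url)
	if err != nil {
		p.failures++
		p.lastErr = err
		return p.maxFailure != -1 && p.failures > p.maxFailure
	}
	resp.Body.Close()
	p.failures = 0 // a successful refresh resets the counter
	return false
}

// simulate runs one poll per entry in delays against a constructed local
// server that waits that long before sending its response headers.
func simulate(timeout time.Duration, maxFailure int, delays []time.Duration) (blocked []bool, lastErr error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		d, _ := time.ParseDuration(r.URL.Query().Get("delay"))
		time.Sleep(d)
		fmt.Fprint(w, `{"new":null,"deleted":null}`) // constructed response body
	}))
	defer srv.Close()
	p := &streamPoller{client: &http.Client{Timeout: timeout}, maxFailure: maxFailure}
	for _, d := range delays {
		blocked = append(blocked, p.refresh(srv.URL+"/v1/decisions/stream?startup=false&delay="+d.String()))
	}
	return blocked, p.lastErr
}

func main() {
	fmt.Println(simulate(250*time.Millisecond, 2, []time.Duration{0, time.Second, time.Second, time.Second, 0}))
}
```

With a tolerance of 0 a single slow answer already blocks traffic, while -1 never blocks and therefore also keeps serving from a stale decision list for as long as the LAPI stays unreachable.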

rama31244 commented 6 months ago

Ok, I've tried increasing the http timeout to 20, hopefully it works. Another random question: what's the advantage of using the redis cache rather than the native file cache? Thanks

maxlerebourg commented 6 months ago

Hello Rama, the Redis cache is useful in a cluster of Traefik instances to share the list of IPs between more than one Traefik, OR to persist the cache between multiple reboots of Traefik (if you have the need to reboot it), OR to see what is in the cache to debug it.

The first reason is the real use case in a production environment with high availability. And voila 👍

rama31244 commented 6 months ago

Ok, thanks for the comprehensive reply, I'll stick to the file cache then. Also, I haven't seen a client timeout error for a while, so I think your solution may have worked too