maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection
Apache License 2.0
260 stars 14 forks

[BUG] CrowdsecAppsecFailureBlock false should also not block when crowdsec is down #173

Closed trunneml closed 5 months ago

trunneml commented 5 months ago

Describe the bug 🐛
Setting CrowdsecAppsecFailureBlock to false works for 500, but if a connection to crowdsec is not possible, crowdsec-bouncer-traefik-plugin still returns 403.

Expected behavior 👀
When the crowdsec API is not available and CrowdsecAppsecFailureBlock is set to false, Traefik should just work as normal.

To Reproduce
Steps to reproduce the behavior:

  1. Configure crowdsec-bouncer-traefik-plugin with CrowdsecAppsecFailureBlock set to false
  2. Stop crowdsec
  3. Try to open a service behind Traefik
  4. See error

mathieuHa commented 5 months ago

Hi, we'll look into it.
In the meantime, could you provide some information, like the version of the plugin and the runtime (Docker, Kubernetes, binary, VM...)?

maxlerebourg commented 5 months ago

Hey @trunneml, I looked into the code: CrowdsecAppsecFailureBlock: false handles the appsec response status code 500 only. We followed the protocol from Crowdsec to implement our plugin.

I don't know if it's smart to totally bypass our plugin when crowdsec is unreachable.

We could add a new variable, CrowdsecAppsecUnreachableBlock, to handle this case, which would be true by default.

What do you think?

trunneml commented 5 months ago

An extra flag fixes my problem. Background: the Crowdsec LAPI is in a different network segment.
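
The distinction discussed in this thread, as an added Go example that is not the plugin's own code: an AppSec reply with status 500 and a connection that never produces a reply are separate failure modes, each with its own fail-open or fail-closed switch. The `Config` field names, the `ShouldBlock` helper, the stubbed transport, the plain GET and the treatment of every status other than 200 and 500 as a block are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Config holds the two switches from the thread (field names are hypothetical).
type Config struct {
	FailureBlock     bool // CrowdsecAppsecFailureBlock: block on AppSec HTTP 500
	UnreachableBlock bool // proposed CrowdsecAppsecUnreachableBlock: block when no reply
}

// ShouldBlock reports whether to answer 403; a plain GET stands in for the real request (assumption).
func ShouldBlock(c *http.Client, url string, cfg Config) bool {
	resp, err := c.Get(url)
	if err != nil {
		// Refused, timed out, unroutable: no status code exists to inspect.
		return cfg.UnreachableBlock
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return false
	case http.StatusInternalServerError:
		return cfg.FailureBlock
	default:
		return true // 403 or anything unexpected stays closed (assumption)
	}
}

// stub is a constructed transport that answers without touching the network.
type stub struct {
	status int
	err    error
}

func (s stub) RoundTrip(*http.Request) (*http.Response, error) {
	if s.err != nil {
		return nil, s.err
	}
	return &http.Response{StatusCode: s.status, Body: http.NoBody}, nil
}

func main() {
	down := &http.Client{Transport: stub{err: errors.New("connection refused")}}
	cfg := Config{FailureBlock: false, UnreachableBlock: true} // proposed default
	fmt.Println("block when unreachable:", ShouldBlock(down, "http://appsec.invalid/", cfg))
}
```

Setting only the 500 switch to false leaves the unreachable case closed, which matches the 403 reported above; opening it is a separate, explicit decision.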