maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection
Apache License 2.0

[Requesting INFO] plugin not communicating with Crowdsec #179

Closed selenias closed 4 months ago

selenias commented 4 months ago

Version (please complete the following information):

Context: Not sure where else I can ask this, but I don't really understand live vs stream mode.

The last few days I've been trying to get the plugin working, to little avail. That was until I switched to stream mode.

To summarize, I added the static config and dynamic config to my Traefik container (as instructed on the plugin page). I created an API key via cscli bouncer add nameOfBouncer and added that to the dynamic configuration. Restarted both containers and tried to verify if the bouncer was being registered.

This is where things got confusing, mainly because I didn't know how to verify if it was working or not. (To add: I also have the firewall-bouncer running on my host, which works.)

When I check my bouncers with cscli bouncers list, I get the following list:

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name              IP Address  Valid  Last API pull         Type                       Version                                                             Auth Type
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 firewall-bouncer  172.22.0.1  ✔️     2024-06-25T17:34:02Z  crowdsec-firewall-bouncer  v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5  api-key
 traefik-bouncer               ✔️     2024-06-25T17:20:33Z                                                                                                 api-key
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

This makes me think the traefik-bouncer is not communicating with Crowdsec (since it isn't getting an IP address or type). And no matter how long I wait, the latter bouncer won't change.

When checking the metrics with cscli metrics, I only get this bouncer result:

Local API Bouncers Metrics:
╭──────────────────┬──────────────────────┬────────┬──────╮
│      Bouncer     │         Route        │ Method │ Hits │
├──────────────────┼──────────────────────┼────────┼──────┤
│ firewall-bouncer │ /v1/decisions/stream │ GET    │ 244  │
╰──────────────────┴──────────────────────┴────────┴──────╯

I've enabled DEBUG on both Traefik and the plugin, but I don't see anything strange. To be fair, I don't have much traffic happening (as it's a TEST environment right now). From a clean install, I am at least not getting any errors or warnings. Crowdsec logs only show these two entries at intervals:

time="2024-06-25T16:47:42Z" level=info msg="172.22.0.1 - [Tue, 25 Jun 2024 16:47:42 UTC] \"GET /v1/decisions/stream HTTP/1.1 200 11.769394ms \"crowdsec-firewall-bouncer/v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5\" \""
time="2024-06-25T16:47:45Z" level=info msg="127.0.0.1 - [Tue, 25 Jun 2024 16:47:45 UTC] \"GET /v1/heartbeat HTTP/1.1 200 4.215194ms \"crowdsec/v1.6.2-16bfab86-docker\" \""

This tells me that at least the firewall-bouncer is communicating.

And Traefik is loading the plugin:

{"level":"debug","msg":"loading of plugin: crowdsec-bouncer-traefik-plugin: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin@v1.3.2","time":"2024-06-25T17:15:11Z"}

At some point, I figured I would dumb down the options and try to use the bare minimum of dynamic configuration for the plugin. It was when I switched to stream that I suddenly saw a change.

    mw-crowdsecTraefikBouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          enabled: true
          # Log level (default INFO) DEBUG > INFO > ERROR
          logLevel: DEBUG
          crowdsecMode: stream
#          defaultDecisionSeconds: 60
#          httpTimeoutSeconds: 10
#          crowdsecLapiScheme: http
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiKey: LuQ48Hf6zlayeZmp7LHZEthykdfYGCROOrpg+cxgGQg
#          crowdsecLapiKey: {{env "BOUNCER_KEY_TRAEFIK"}}
#          crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo
#          clientTrustedIPs:
#            - 192.168.1.0/24
#            - 172.12.0.0/12

This was the result of cscli bouncers list:

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name              IP Address  Valid  Last API pull         Type                       Version                                                             Auth Type
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 firewall-bouncer  172.22.0.1  ✔️     2024-06-25T17:50:12Z  crowdsec-firewall-bouncer  v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5  api-key
 traefik-bouncer   172.22.0.2  ✔️     2024-06-25T17:49:44Z  Go-http-client             1.1                                                                 api-key
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

cscli metrics also listed the bouncer now:

Local API Bouncers Metrics:
╭──────────────────┬──────────────────────┬────────┬──────╮
│      Bouncer     │         Route        │ Method │ Hits │
├──────────────────┼──────────────────────┼────────┼──────┤
│ firewall-bouncer │ /v1/decisions/stream │ GET    │ 183  │
│ traefik-bouncer  │ /v1/decisions/stream │ GET    │ 11   │
╰──────────────────┴──────────────────────┴────────┴──────╯

To be honest, I've been reading the description of live and stream dozens of times now, but I can't really put it in words to explain the difference to myself, especially relating to my issue above. It's like the cache is somehow preventing the API from connecting?

Am I doing something wrong? Or am I simply misunderstanding things? Why does using live not connect the plugin with Crowdsec? (Both containers can ping one another.)

maxlerebourg commented 4 months ago

Hello @selenias. Have you read our README? There are mermaid schemas just below the explanation table of the different modes.

[image: mermaid schemas from the README]

I hope you can use it to understand the difference.

But the point is this: in live mode, if you're not testing any services protected by our plugin, there's no call to Crowdsec. In stream mode, the plugin asks Crowdsec for the list of IPs every X seconds, so there's a call to Crowdsec.

Thanks for using our plugin!
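To make the difference between the two modes concrete, here is an added example (written for this page, not the plugin's own code) that models both against a constructed stand-in for the CrowdSec LAPI. A live-mode bouncer sends nothing to LAPI until a request actually reaches a protected router, and then caches the verdict for that IP; a stream-mode bouncer polls /v1/decisions/stream on a timer regardless of traffic, which is why it shows up in cscli bouncers list and cscli metrics right away. The routes and the X-Api-Key header are the ones CrowdSec bouncers use (the stream route is the one in the metrics tables above); the API key, the banned IP 203.0.113.7 and the hit counters are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// FakeLAPI is a stand-in for CrowdSec LAPI (constructed for this example); its counters are what "cscli metrics" reports per route.
type FakeLAPI struct {
	LiveHits, StreamHits int64 // touched atomically: handler and caller run in different goroutines
	apiKey, banned       string
}

func (f *FakeLAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	ban := []map[string]string{{"value": f.banned, "type": "ban"}}
	switch {
	case r.Header.Get("X-Api-Key") != f.apiKey: // rejected calls never reach the metrics
		http.Error(w, `{"message":"access forbidden"}`, http.StatusForbidden)
	case r.URL.Path == "/v1/decisions": // live mode asks about one IP per call
		atomic.AddInt64(&f.LiveHits, 1)
		if r.URL.Query().Get("ip") != f.banned {
			ban = nil // encodes as null, which is what LAPI returns for no match
		}
		json.NewEncoder(w).Encode(ban)
	case r.URL.Path == "/v1/decisions/stream": // full list when startup=true, only deltas afterwards
		atomic.AddInt64(&f.StreamHits, 1)
		if r.URL.Query().Get("startup") != "true" {
			ban = nil // nothing changed since the previous pull
		}
		json.NewEncoder(w).Encode(map[string][]map[string]string{"new": ban, "deleted": nil})
	}
}

// Bouncer is a single-goroutine model of the plugin's two modes (the real plugin is concurrent and locks this state).
type Bouncer struct {
	lapi, apiKey string
	blocked      map[string]bool // live: cached verdict per IP seen; stream: currently active bans
}

func (b *Bouncer) get(path string, out interface{}) error {
	req, _ := http.NewRequest(http.MethodGet, b.lapi+path, nil)
	req.Header.Set("X-Api-Key", b.apiKey) // how a bouncer authenticates to LAPI
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("LAPI %s: HTTP %d", path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// LiveAllowed calls LAPI only when a request reaches a protected router and the IP is not cached yet: no traffic, no call.
func (b *Bouncer) LiveAllowed(ip string) (bool, error) {
	if v, seen := b.blocked[ip]; seen {
		return !v, nil
	}
	var ds []map[string]string // stays nil when LAPI answers null
	if err := b.get("/v1/decisions?ip="+ip, &ds); err != nil {
		return false, err
	}
	b.blocked[ip] = len(ds) > 0
	return len(ds) == 0, nil
}

// StreamPull runs on a timer whether or not traffic arrives, so a stream-mode bouncer appears in cscli metrics at once.
func (b *Bouncer) StreamPull(startup bool) error {
	var body struct{ New, Deleted []map[string]string } // a real plugin also removes the "deleted" entries
	if err := b.get(fmt.Sprintf("/v1/decisions/stream?startup=%t", startup), &body); err != nil {
		return err
	}
	for _, d := range body.New {
		b.blocked[d["value"]] = true
	}
	return nil
}

// Demo reproduces the issue: LAPI hit counts after three live requests from one IP and after three stream ticks.
func Demo() (liveHits, streamHits int64, streamBlocks bool, err error) {
	const key, ip = "constructed-example-key", "203.0.113.7"
	lapi := &FakeLAPI{apiKey: key, banned: ip}
	srv := httptest.NewServer(lapi)
	defer srv.Close()
	live := &Bouncer{lapi: srv.URL, apiKey: key, blocked: map[string]bool{}}
	for i := 0; i < 3 && err == nil; i++ { // three requests: one LAPI call, two cache hits
		_, err = live.LiveAllowed(ip)
	}
	stream := &Bouncer{lapi: srv.URL, apiKey: key, blocked: map[string]bool{}}
	for i := 0; i < 3 && err == nil; i++ { // three timer ticks, the first with startup=true
		err = stream.StreamPull(i == 0)
	}
	return atomic.LoadInt64(&lapi.LiveHits), atomic.LoadInt64(&lapi.StreamHits), stream.blocked[ip], err
}

func main() { fmt.Println(Demo()) } // 1 3 true <nil>
```

Running it prints one live hit for three requests (the two cache hits never leave Traefik) and three stream hits for three ticks with no traffic at all, which is the pattern in the two metrics tables above: a live-mode bouncer that nobody is sending traffic through has nothing to report, and a wrong or stale API key shows up as HTTP 403 from LAPI rather than as a missing row.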

selenias commented 4 months ago

Hi @maxlerebourg, thanks for getting back. I saw the mermaid workflows. Honestly, I understand the flow, just not how that is represented in the interface.

To be fair, this is the first time I am using a Traefik plugin and I probably had some preconceived expectation of seeing the plugin added to Crowdsec after adding it (even in live mode). I had a feeling that being in a testing environment without much traffic had something to do with not seeing live mode communicating with Crowdsec. I just didn't know if this was an issue on my end or a misunderstanding on my part.

"In live mode, if you're not testing any services protected by our plugin, there's no call to crowdsec."

That makes more sense than the explanation on the site haha ;)

All in all, thanks for the feedback. I have a better understanding now. Keep up the good work (it's quite a product)!