maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection
Apache License 2.0

[BUG] Block Access #181

Closed skyguy2002 closed 4 months ago

skyguy2002 commented 4 months ago

Describe the bug 🐛 As soon as I activate the middleware, I no longer have access to the page, although nothing is displayed according to the “cscli decisions list”

Expected behavior 👀 Actually, since my IP is not blocked, I should have access

Context 🔎 Middleware file:

http:
  middlewares:
    crowdsec:
      plugin:
        bouncer:
          enabled: true
          logLevel: INFO
          crowdsecMode: none
          crowdsecLapiScheme: http
          crowdsecLapiHost: localhost:8000
          crowdsecLapiKey: 01747c4972397ebc94ac0ce94281583f

Service file:

http:
  routers:
    traefik:
      entryPoints:
      - websecure
      middlewares:
      - basicauth
      - crowdsec
      tls: {}
      service: api@internal
      rule: "Host(`traefik.XXX.de`)"

Version (please complete the following information):

To Reproduce Steps to reproduce the behavior:

  1. add middleware
  2. configure as described above
  3. add LapiKey and URL
  4. try to get to the page

skyguy2002 commented 4 months ago

I figured it out myself, the mode must be set to stream, otherwise it won't work

mathieuHa commented 4 months ago

Hi @skyguy2002,

Sorry for the delay,

From the README, the modes none and stream work as follows:

| Mode | Description |
|------|-------------|
| none | If the client IP is on ban list, it will get a http code 403 response. Otherwise, request will continue as usual. All request call the Crowdsec LAPI |

...

| stream | Stream Streaming mode allows you to keep in the local cache only the Banned IPs, every requests that does not hit the cache is authorized. Every minute, the cache is updated with news from the Crowdsec LAPI. |

...

What I think is that you might have had a configuration issue.
Because in none mode, every request is sent to the LAPI for a verification of the IP, if you cannot reach LAPI, or if LAPI auth is denied, then it can cause 403 even if no decisions exist.

I'm not sure how stream mode would have resolved it.
However, if you want, we can check that your setup is done correctly: I would just need Traefik middleware debug logs (from start) and maybe corresponding logs from Crowdsec to see the Stream exchanges.

You may activate debug logs in the plugin with logLevel: DEBUG.

Best,
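
The failure modes named in the comment above (LAPI unreachable, LAPI auth denied) can be told apart from a real ban by querying the LAPI directly from the Traefik host. This is an added example, not part of the original thread or the plugin's code; it assumes the LAPI's `/v1/decisions?ip=` endpoint with the `X-Api-Key` header, and `check_lapi` and its result labels are hypothetical names.

```python
import json
import sys
import urllib.error
import urllib.parse
import urllib.request


def check_lapi(scheme, host, api_key, ip, timeout=3.0):
    """Ask the LAPI for decisions on one IP and classify the outcome.

    The result labels are hypothetical names chosen for this example.
    """
    query = urllib.parse.urlencode({"ip": ip})
    req = urllib.request.Request(
        f"{scheme}://{host}/v1/decisions?{query}",
        headers={"X-Api-Key": api_key},
    )
    # Ignore proxy environment variables: the LAPI is normally local.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as exc:
        # Key rejected: the case described above as "LAPI auth is denied".
        return "auth-denied" if exc.code in (401, 403) else f"http-{exc.code}"
    except OSError:
        # URLError, refused connections and timeouts are all OSError.
        return "unreachable"
    try:
        decisions = json.loads(raw.decode("utf-8") or "null")
    except ValueError:
        return "bad-response"  # something other than the LAPI answered
    # The LAPI answers `null` when no decision matches the IP.
    return "decision-present" if decisions else "no-decision"


if __name__ == "__main__":
    # Arguments mirror crowdsecLapiScheme, crowdsecLapiHost and crowdsecLapiKey
    # from the middleware file, plus the client IP that received the 403.
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} scheme host:port api-key client-ip")
    result = check_lapi(*sys.argv[1:5])
    print(result)
    # Per the explanation above, a ban, a rejected key or an unreachable
    # LAPI can each produce a 403 in none mode.
    sys.exit(0 if result == "no-decision" else 1)
```

A `no-decision` result with a 403 still being served points away from the LAPI and toward the Traefik configuration itself, which is where the plugin's `logLevel: DEBUG` output helps.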

skyguy2002 commented 4 months ago

That was absolutely my mistake, however I had imported the same plugin twice under two names, this made the whole middleware file invalid or that's why Traefik ignored the whole middleware, looked once in the log and everything worked immediately. Thanks!

mathieuHa commented 4 months ago

Alright thanks for the feedback! I'm closing this now