maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection
Apache License 2.0
267 stars 14 forks source link

[HELP] missing LAPI endpoint ? #183

Closed mhazan01 closed 2 months ago

mhazan01 commented 4 months ago

Hello all, i'am new at traefik and helm,
i've installed traefik on my k8s cluster, works well. i wanted to add the crowdsec plugin, however, following the "install plugin" instruction it seems that the crowdsec:8080 endpoint is not created ? do i need to install it in a separate helm chart than the traefik one (where the plugin is configured). i've tried with localhost instead of crowdsec for the CrowdsecLapiHost, but same result.

here is the logs in question :
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/07/22 14:16:14 ServeHTTP:handleNoStreamCache ip:x.x.x.x isBanned:t crowdsecQuery:unreachable url:http://localhost:8080/v1/decisions?ip=x.x.x.x&banned=true Get "http://localhost:8080/v1/decisions?ip=x.x.x.x&banned=true": dial tcp [::1]:8080: connect: connection refused

Another question: how do i register the plugin in the crowdsec online dashboard ?

Thanks!

mathieuHa commented 4 months ago

Hi @mhazan01,

You may try our kubernetes example to get started.

The official doc from crowdsec also reference some getting started with K8S+Crowdsec+TraefikPlugin

The error you encounter now is pretty clear, the middleware running in Traefik canno't contact LAPI.

The "localhost" network address is usually never accessible in k8S. Every pod in each namespace is associated a DNS.

For instance if your pod name is crowdsec-lapi-6664db89bd-XXXXX and your namespace crowdsec then Traefik can reach it with the crowdsec-service.crowdsec created by Crowdsec Helm that point to your crowdsec-lapi-6664db89bd-XXXXX container.

I used the example is this repository and setup my Middleware using Traefik CRD

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: bouncer
  namespace: traefik
spec:
  plugin:
    bouncer:
      Enabled: "true"
      logLevel: DEBUG
      crowdsecMode: stream
      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
      crowdsecLapiScheme: https
      # Use only LAPI_TLS if you have following the setup TLS from the tutorial
      crowdsecLapiTLSCertificateAuthorityFile: /etc/traefik/crowdsec-certs/ca.crt
      crowdsecLapiTLSCertificateBouncerFile: /etc/traefik/crowdsec-certs/tls.crt
      crowdsecLapiTLSCertificateBouncerKeyFile: /etc/traefik/crowdsec-certs/tls.key
mathieuHa commented 2 months ago

I'm going to close, feel free to reopen if you get an issue with it