Closed alberk8 closed 4 weeks ago
I have this question regarding the IP address of the `forwardedHeadersTrustedIPs` for Cloudflare Tunnel. In the example here.
As far as I know, the IP keeps changing. Is there a way to keep this static?
I don't know if you can keep it static (most likely if you defined it via compose it will), but the `forwardedHeadersTrustedIPs`
accepts a range as well, so you can define 172.16.0.0/12
and that will cover all ranges used by the default Docker setup.
Another thing to know: you can add more IPs by separating them with commas, like this: 10.0.0.1,10.1.1.2/12,10.2.2.3
> I have this question regarding the IP address of the `forwardedHeadersTrustedIPs` for Cloudflare Tunnel. In the example here.
> As far as I know, the IP keeps changing. Is there a way to keep this static?
With "the IP keeps changing", do you mean the IP from Docker or the IP from Cloudflare?
For the first one, like @LaurenceJJones said, you can specify a range like the range of IPs used by Docker; in the Cloudflare case, you can use a list like @maxlerebourg said. I think the Cloudflare IPs are not changing so often.
Hi everyone.
I have a question related to the original post (OP). I'm using CF Tunnel and have successfully added the Docker IP range to the TrustedIPs in both Traefik and the CrowdSec bouncer as follows:

```yaml
forwardedHeaders:
  trustedIPs:
```
After configuring this, I manually blocked my smartphone's local IP and the carrier IP. Below are the access logs for your review:
```json
{"ClientAddr":"172.19.0.1:56184","ClientHost":"200.43.149.144","ClientPort":"56184","ClientUsername":"-","DownstreamContentSize":87615,"DownstreamStatus":200,"Duration":31199214,"OriginContentSize":87615,"OriginDuration":19476147,"OriginStatus":200,"Overhead":11723067,"RequestAddr":"pdf.mydomain.com","RequestContentSize":0,"RequestCount":39,"RequestHost":"pdf.mydomain.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"s-pdf@docker","ServiceAddr":"172.19.0.16:8080","ServiceName":"s-pdf@docker","ServiceURL":"http://172.19.0.16:8080","StartLocal":"2024-10-03T14:54:36.407348757Z","StartUTC":"2024-10-03T14:54:36.407348757Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2024-10-03T14:54:36Z"}
{"ClientAddr":"192.168.10.50:33428","ClientHost":"192.168.10.50","ClientPort":"33428","ClientUsername":"-","DownstreamContentSize":11383,"DownstreamStatus":403,"Duration":708384,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":708384,"RequestAddr":"pdf.mydomain.com","RequestContentSize":0,"RequestCount":23,"RequestHost":"pdf.mydomain.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"s-pdf@docker","StartLocal":"2024-10-03T14:53:02.282972125Z","StartUTC":"2024-10-03T14:53:02.282972125Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2024-10-03T14:53:02Z"}
```
Only the local requests were successfully blocked. Any ideas what I could have done wrong?
Thanks.
Hi @adilson0888,
You may run the plugin with debug logging enabled, so you can inspect which IP it is transferring to CrowdSec. If you see a private IP for a public access, then there is an issue, and you gotta work on the `X-Forwarded-For` header or some related config.
Hello @mathieuHa
The issue was with my forwardedHeadersCustomName, which I copied from the GitHub Dynamic Configuration example without paying attention. I initially used "X-Custom-Header," but after updating it to "X-Forwarded-For," everything started working as expected, allowing me to block local and public IPs.
Thank you for your help!
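The two points raised above (a trusted-IP list that mixes single addresses and CIDR ranges, and the bouncer seeing a private Docker address instead of the real client when the forwarded header name is wrong) can be reproduced with a small model of the client-IP resolution. The code below is an added example written for this thread, not the plugin's or Traefik's own code; `ParseTrustedIPs`, `ClientIP` and the sample values are constructed here, and the resolution logic is a simplified version of the usual "trust the forwarded header only when the peer is a trusted proxy" rule rather than the plugin's exact implementation.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// TrustedNets is the set of networks whose forwarded headers we believe.
type TrustedNets []*net.IPNet

// ParseTrustedIPs accepts the comma-separated form from the thread
// ("10.0.0.1,10.1.1.2/12,10.2.2.3"): plain IPs are widened to /32 or /128,
// CIDR entries are kept as ranges.
func ParseTrustedIPs(spec string) (TrustedNets, error) {
	var nets TrustedNets
	for _, raw := range strings.Split(spec, ",") {
		item := strings.TrimSpace(raw)
		if item == "" {
			continue
		}
		if !strings.Contains(item, "/") {
			ip := net.ParseIP(item)
			if ip == nil {
				return nil, fmt.Errorf("invalid IP %q", item)
			}
			if ip.To4() != nil {
				item += "/32"
			} else {
				item += "/128"
			}
		}
		_, n, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", item, err)
		}
		nets = append(nets, n)
	}
	if len(nets) == 0 {
		return nil, errors.New("no trusted IPs configured")
	}
	return nets, nil
}

// Contains reports whether ip falls inside any trusted network.
func (t TrustedNets) Contains(ip net.IP) bool {
	for _, n := range t {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP resolves the address a bouncer should check against CrowdSec.
// The TCP peer (remoteAddr) is only treated as a proxy hop when it lies in a
// trusted range; then the right-most untrusted entry of the forwarded header
// (headerName, the configurable forwardedHeadersCustomName) is the client.
// If the peer is untrusted, or the header is missing under that name, the
// peer address itself is returned; the latter is the "private IP for a
// public access" symptom described in the thread.
func ClientIP(remoteAddr, headerName string, hdr http.Header, trusted TrustedNets) (net.IP, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port component
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return nil, fmt.Errorf("unparseable remote address %q", remoteAddr)
	}
	if !trusted.Contains(peer) {
		return peer, nil // untrusted peer: its header could be forged, ignore it
	}
	var hops []string
	for _, v := range hdr.Values(headerName) {
		for _, part := range strings.Split(v, ",") {
			if p := strings.TrimSpace(part); p != "" {
				hops = append(hops, p)
			}
		}
	}
	for i := len(hops) - 1; i >= 0; i-- { // walk right-to-left past trusted hops
		ip := net.ParseIP(hops[i])
		if ip == nil {
			return nil, fmt.Errorf("invalid address %q in %s", hops[i], headerName)
		}
		if !trusted.Contains(ip) {
			return ip, nil
		}
	}
	return peer, nil // header absent or every hop trusted
}

func main() {
	// Constructed sample: Docker default bridge range plus two single IPs.
	trusted, err := ParseTrustedIPs("10.0.0.1,10.1.1.2/12,172.16.0.0/12")
	if err != nil {
		panic(err)
	}
	hdr := http.Header{}
	hdr.Set("X-Forwarded-For", "200.43.149.144") // value taken from the access log above
	for _, name := range []string{"X-Forwarded-For", "X-Custom-Header"} {
		ip, _ := ClientIP("172.19.0.1:56184", name, hdr, trusted)
		fmt.Printf("header %-16s -> bouncer checks %s\n", name, ip)
	}
}
```

Running it shows the failure mode from the thread: with `X-Forwarded-For` the bouncer checks 200.43.149.144, while with `X-Custom-Header` the lookup misses and it falls back to 172.19.0.1, a Docker address that no CrowdSec decision will ever match.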
Personally, I just define all private class IP ranges:
```yaml
crowdsec:
  plugin:
    bouncer:
      enabled: true
      updateIntervalSeconds: 60
      updateMaxFailure: 0
      defaultDecisionSeconds: 60
      httpTimeoutSeconds: 10
      crowdsecMode: live
      crowdsecAppsecFailureBlock: true
      crowdsecAppsecUnreachableBlock: true
      crowdsecLapiKey: FIXME
      crowdsecLapiHost: crowdsec:8080
      crowdsecLapiScheme: http
      crowdsecLapiTLSInsecureVerify: false
      forwardedHeadersTrustedIPs:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
      clientTrustedIPs:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
```