From 2da252ed37789b0e67449dae89c37edca35d56ba Mon Sep 17 00:00:00 2001
From: Sebastien Blot
Date: Sun, 27 Oct 2024 20:54:03 +0100
Subject: [PATCH 1/2] update doc for cloudflare-worker-bouncer
---
 .../unversioned/bouncers/cloudflare-workers.mdx | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx b/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx
index 48ac0bc26..2bca981ff 100644
--- a/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx
+++ b/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx
@@ -115,7 +115,7 @@ sudo systemctl start crowdsec-cloudflare-worker-bouncer # the Remediation Compon
 #### From source
-:warning: requires go >= 1.20
+:warning: requires go >= 1.23
 ```bash
 git clone https://github.com/crowdsecurity/cs-cloudflare-worker-bouncer
@@ -137,7 +137,13 @@ The Remediation Component does the following:
 1. Create a Cloudflare Worker and a Worker KV per configured account.
 2. Create a Worker Route(s) per configured zone. Any request matching the route would be handled by the worker.
 3. For every matching incoming request, the worker checks whether it's IP, Country and AS have a decision against. It checks for this in it's KV store. If found it performs the corresponding remediation.
-4. The Remediation Component also periodically updates the KV store with the latest decisions from CrowdSec.
+4. The Remediation Component also periodically updates the KV store with the latest decisions from CrowdSec.
+
+If your Cloudflare token has permission on D1, the remediation component will also automatically create a database to track:
+ - Number of requests processed
+ - Number of requests blocked
+
+Those metrics are exposed through the prometheus endpoint and automatically sent to crowdsec for visualisation with `cscli`.
 ## Configuration
@@ -193,7 +199,7 @@ For obtaining the `token`:
 1. Sign in as a user who has access to the desired account.
-Then click [this link](https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22challenge_widgets%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22user_details%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22workers_kv_storage%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers_routes%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers_scripts%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22zone%22%2C%22type%22%3A%22read%22%7D%2C%20%7B%22key%22%3A%20%22dns%22%2C%20%22type%22%3A%22read%22%7D%5D&name=) and create the token.
+Then click [this link](https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22challenge_widgets%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22user_details%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22workers_kv_storage%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers_routes%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers_scripts%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22zone%22%2C%22type%22%3A%22read%22%7D%2C%20%7B%22key%22%3A%20%22dns%22%2C%20%22type%22%3A%22read%22%7D%2C%20%7B%22key%22%3A%22d1%22%2C%20%22type%22%3A%22edit%22%7D%5D&name=) and create the token.
 Alternatively, you can go to [Tokens](https://dash.cloudflare.com/profile/api-tokens) and create the token.
@@ -205,6 +211,7 @@ The Remediation Component requires the following permissions to function:
 | Account | Workers KV Storage | Edit |
 | Account | Workers Scripts | Edit |
 | Account | Account Settings | Read |
+| Account | D1 | Edit |
 | User | User Details | Read |
 | Zone | DNS | Read |
 | Zone | Workers Routes | Edit |
From 6b99f807b6bdbedfa57ee28c2b7bc22a59edb949 Mon Sep 17 00:00:00 2001
From: Sebastien Blot
Date: Sat, 9 Nov 2024 00:22:52 +0100
Subject: [PATCH 2/2] up
---
 .../bouncers/cloudflare-workers.mdx | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
diff --git a/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx b/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx
index 2bca981ff..a13b9b539 100644
--- a/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx
+++ b/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx
@@ -145,6 +145,8 @@ If your Cloudflare token has permission on D1, the remediation component will al
 Those metrics are exposed through the prometheus endpoint and automatically sent to crowdsec for visualisation with `cscli`.
+Metrics are stored in a D1 database to allow for easy retrieval by the remediation component. If your token does not have access to D1, a warning will be logged and metrics will be disabled.
+
 ## Configuration
@@ -177,6 +179,13 @@ cloudflare_config:
 mode: managed # Supported Modes "managed"|"invisible"|"non-interactive"
 token:
 account_name: owner@example.com
+ worker:
+ log_only: false # If true, allow all requests, but still keep track of what would have been blocked in the metrics
+ script_name: ""
+ logpush: null
+ tags: []
+ compatibility_date: ""
+ compatibility_flags: []
 log_level: info
 log_media: "stdout"
@@ -470,6 +479,41 @@ Cloudflare account token.
 Account name.
+#### `worker.log_only`
+> bool
+
+If true, allow all requests but keep track of what would have been blocked in the metrics.
+
+Defaults to `false`
+
+#### `worker.script_name`
+> string
+
+Name to use for the worker script.
+
+Default to `crowdsec-cloudflare-worker-bouncer`.
+
+#### `worker.logpush`
+> bool
+
+Enable logpush for the worker.
+
+Default to no value.
+
+#### `worker.compatibility_date`
+> string
+
+See https://developers.cloudflare.com/workers/configuration/compatibility-dates/.
+
+Default to no value
+
+#### `worker.compatibility_flags`
+> list of strings
+
+See https://developers.cloudflare.com/workers/configuration/compatibility-flags/.
+
+Default to no value.
+
 #### `ban_template_path`
 > string