Merged
80 changes: 80 additions & 0 deletions crowdsec-docs/unversioned/bouncers/ingress-nginx.mdx
Expand Up @@ -79,6 +79,20 @@ controller:
value: /etc/nginx/lua/plugins/crowdsec/templates/ban.html
- name: CAPTCHA_TEMPLATE_PATH
value: /etc/nginx/lua/plugins/crowdsec/templates/captcha.html
## Appsec configuration, optional.
## Remove this section if not using appsec
- name: APPSEC_URL
value: "http://appsec-service.crowdsec.svc.cluster.local:7422" # if using our helm chart, and running the appsec in the "crowdsec" namespace
- name: APPSEC_FAILURE_ACTION
value: passthrough # What to do if the appsec is down, optional
- name: APPSEC_CONNECT_TIMEOUT # connection timeout to the appsec, in ms, optionial
value: 100
- name: APPSEC_SEND_TIMEOUT # write timeout to the appsec, in ms, optional
value: 100
- name: APPSEC_PROCESS_TIMEOUT # max processing duration of the request, in ms, optional
value: 1000
- name: ALWAYS_SEND_TO_APPSEC
value: false # always send requests to the appsec, even if there's a decision against the IP, optional
command: ['sh', '-c', "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/"]
volumeMounts:
- name: crowdsec-bouncer-plugin
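Review bot: the numeric and boolean values in the new AppSec block (`value: 100`, `value: 1000`, `value: false`) are unquoted. The list sits next to `command:` and `volumeMounts:`, so it reads as a container `env` list, and Kubernetes requires `env[].value` to be a string; an unquoted YAML integer or boolean is rejected when the manifest is applied. Suggest quoting them (`value: "100"`, `value: "false"`), as is already done for `APPSEC_URL`. Two smaller points: the comment on `APPSEC_CONNECT_TIMEOUT` has a typo ("optionial"), and the comment on `APPSEC_FAILURE_ACTION` could say that `passthrough` lets requests through uninspected while the AppSec is down, so readers pick that value deliberately.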
Expand Down Expand Up @@ -345,3 +359,69 @@ CAPTCHA_EXPIRATION=3600
```

The time for which the captcha will be validated. After this duration, if the decision is still present in CrowdSec local API, the IPs address will get a captcha again.

### `APPSEC_URL`
> string

```bash
APPSEC_URL=http://<ip>:<port>
```

If set, enable appsec mode and forward the request to this endpoint for analysis.

Use `http://appsec-service.crowdsec.svc.cluster.local:7422` if you are using our helm chart to deploy crowdsec in the `crowdsec` namespace

### `APPSEC_FAILURE_ACTION`
> passthrough | deny

```bash
APPSEC_FAILURE_ACTION=passthrough # default
```

Behavior when the AppSec Component return a 500. Can let the request passthrough or deny it.

### `ALWAYS_SEND_TO_APPSEC`
> boolean

```bash
ALWAYS_SEND_TO_APPSEC=false # default
```

Send the request to the AppSec Component even if there is a decision for the IP.

### `SSL_VERIFY`
> boolean

```bash
SSL_VERIFY=false # default
```

Verify the AppSec Component SSL certificate validity.

### `APPSEC_CONNECT_TIMEOUT`
> int (milliseconds)

```bash
APPSEC_CONNECT_TIMEOUT=100 # default
```

The timeout of the connection between the Remediation Component and AppSec Component.


### `APPSEC_SEND_TIMEOUT`
> int (milliseconds)

```bash
APPSEC_SEND_TIMEOUT=100 # default
```

The timeout to send data from the Remediation Component to the AppSec Component.

### `APPSEC_PROCESS_TIMEOUT`
> int (milliseconds)

```bash
APPSEC_PROCESS_TIMEOUT=500 # default
```

The timeout to process the request from the Remediation Component to the AppSec Component.
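Review bot: the `APPSEC_FAILURE_ACTION` description only covers the AppSec Component returning a 500 and does not say whether hitting `APPSEC_CONNECT_TIMEOUT`, `APPSEC_SEND_TIMEOUT` or `APPSEC_PROCESS_TIMEOUT` triggers the same action. With `passthrough` as the default, the section should state which failures it applies to and that `passthrough` means the request is served without AppSec analysis. `SSL_VERIFY` is documented with a default of `false` but has no matching entry in the values example in the first hunk, and its description should say that an `https://` `APPSEC_URL` is not certificate-checked unless it is set to `true`. `APPSEC_PROCESS_TIMEOUT` is documented here with a default of 500 while the values example sets 1000; either align them or note that the example overrides the default. Wording: "return a 500" should be "returns a 500", and the `APPSEC_URL` paragraph is missing its final period.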