[BUG] Not working - Probably configuration issue ? #136
Comments
Hey @luckylinux, I looked at your configuration and I tried to make a minimal/simplified working example for you.

```yaml
version: '3.9'

networks:
  traefik:
    external: true

services:
  traefik:
    image: traefik:latest
    # hostname: ra.MYDOMAIN.TLD
    # domainname: MYDOMAIN.TLD
    restart: unless-stopped
    container_name: traefik
    ports:
      - 80:80
      - 443:443
      - 8080:8080
      # - 8443:8443
    networks:
      - traefik
    volumes:
      - /run/user/1001/podman/podman.sock:/var/run/docker.sock:ro
      - ~/data/traefik/letsencrypt:/letsencrypt
      # - ~/config/traefik/traefik.yml:/etc/traefik/traefik.yml:ro # Command line arguments, static configuration file and environment variables are mutually exclusive: https://doc.traefik.io/traefik/getting-started/configuration-overview/#the-static-configuration
      - ./whoami.yml:/whoami.yml
      - ~/certificates/traefik:/certificates
      # - ~/log/traefik:/log
      - "logs:/var/log/traefik"   # named volume shared with the crowdsec container below
    command:
      ## Logging
      # Server Log (written inside the shared "logs" volume so crowdsec can read it)
      - "--log.level=DEBUG"
      # - "--log.level=INFO"
      - "--log.filePath=/var/log/traefik/traefik.log"
      # Access Log (same volume; this is what the crowdsecurity/traefik collection parses)
      - "--accesslog=true"
      - "--accesslog.filePath=/var/log/traefik/access.log"
      ## Dashboard & API
      - "--api"
      - "--api.insecure=true" # production = false , development = true
      - "--api.dashboard=true"
      ## EntryPoints
      # Unsecure Connection - Redirect to Secure
      - "--entrypoints.web.address=:80"
      # - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      # - "--entryPoints.web.http.redirections.entrypoint.scheme=https"
      # - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      ## Docker / Podman Integration
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.watch=false"
      - "--providers.docker.swarmMode=false"
      - "--providers.docker.endpoint=unix:///var/run/docker.sock"
      - "--providers.file.filename=/whoami.yml"
      # Crowdsec Plugin
      - "--experimental.plugins.crowdsec-bouncer-traefik-plugin.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      - "--experimental.plugins.crowdsec-bouncer-traefik-plugin.version=v1.2.0" # Version Must be manually updated
      ## Other
      # ...
      - "--serversTransport.insecureSkipVerify=true"
      # No Telemetry
      - "--global.sendAnonymousUsage=false"

  whoami1:
    image: traefik/whoami
    container_name: "simple-service-foo"
    networks:
      - traefik

  crowdsec:
    image: crowdsecurity/crowdsec:v1.6.0
    container_name: "crowdsec"
    hostname: crowdsec
    restart: unless-stopped
    environment:
      COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching
      CUSTOM_HOSTNAME: crowdsec
      # We need to register one api key per service we will use
      BOUNCER_KEY_test: XXXXXXXXXXXXXXXXXXXXXXX
    volumes:
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - logs:/var/log/traefik:ro
    labels:
      - "traefik.enable=false"
    networks:
      - traefik

volumes:
  logs:
```
```yaml
# Dynamic configuration (whoami.yml, loaded by the file provider)
http:
  routers:
    my-router:
      rule: PathPrefix(`/foo`)
      service: service-foo
      entryPoints:
        - web
      middlewares:
        - crowdsec
  services:
    service-foo:
      loadBalancer:
        servers:
          - url: http://172.18.0.3:80   # address of the whoami container on the traefik network
  middlewares:
    crowdsec:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          enabled: true
          logLevel: DEBUG
          updateIntervalSeconds: 60
          defaultDecisionSeconds: 60
          httpTimeoutSeconds: 10
          crowdsecMode: live
          crowdsecAppsecEnabled: false
          crowdsecAppsecHost: crowdsec:7422
          crowdsecAppsecFailureBlock: true
          crowdsecLapiKey: XXXXXXXXXXXXXXXXXXXXXXX   # must match BOUNCER_KEY_test in the compose file
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiScheme: http
```
Create those 3 files and launch a terminal in the same path.

```
docker-compose logs traefik -f
docker-compose logs crowdsec -f
```

Then access http://localhost/foo to test the whoami service. In Traefik logs you should see something like this:
In Crowdsec you might see logs like this:
Please tell us if that works for you, and if not, could you add the log files for traefik and crowdsec. Best,
Hi @mathieuHa. Thank you for your quick reply. I hope I can try it tomorrow in the morning. What is
Hey, it's used by Crowdsec in the docker-compose as a file mounted for basic configuration, to enable traefik log parsing and appsec enablement, like this:
Just for context, in Traefik logs:
At first I had a 403 between traefik and crowdsec because my configuration had a wrong token, but then I fixed and checked it, so the last part of the log shows a working request.
OK super, I'll check tomorrow 👍. I'm still a bit skeptical about the part about configuring the middleware in each container instead of as part of the traefik dynamic configuration. Something doesn't feel right there. Like, if I have 10 containers that need to use crowdsec, I would need to configure 10 middlewares, all with the same settings, in 10 different files. That's why I thought that defining it once in the (dynamic) traefik config would have been enough. But maybe I'm missing something ...
I gave it a try ... I am also a bit confused about the part
per service? I thought BOUNCER_KEY_TRAEFIK was a "reserved name".
Not sure, but at least looking at the traefik logs, it seems to load it? I cannot access through localhost as this is hosted on a VPS; I had to access through xx.MYDOMAIN.TLD/foo. From within the VPS I tried to run After trying with curl from within the VPS I get a slightly different result (isBanned: false).
You're absolutely right.
I believe it's better to declare it outside of a service so you can use it in multiple services without confusion. I'll adapt the docker-compose from my comment tonight with this addition.
You can see it in the entrypoint of the Crowdsec container https://github.com/crowdsecurity/crowdsec/blob/8e9e091656f2a72a37e21c173ed0c2015e97e726/docker/docker_start.sh#L387 or in the Docker Hub README if you prefer. From this log:
This is normal: when the plugin cannot reach crowdsec, as a security measure everything is blocked (configurable with a configuration var in the plugin).
OK, I see from your crowdsec logs: `time="2024-02-27T06:23:49Z" level=info msg="loading acquisition file : /etc/crowdsec/acquis.yaml"` Crowdsec is crashing and restarting, so that cannot help Traefik contact it. Here the problem is the mounting option: podman attaches acquis.yaml as a directory and not only the file.
is enough, but you might create a directory `crowdsec`, add the file in it and then bind-mount the folder. I'll let you read some info on other ways to override conf in the Crowdsec doc: https://docs.crowdsec.net/docs/configuration/crowdsec_configuration/#overriding-values
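A pre-flight check for the mount problem diagnosed above, added here as an example (it is not code from the thread or from the plugin project): both Docker and Podman create a missing host-side bind-mount source as an empty directory, which is exactly how `./acquis.yaml` ends up mounted as a directory when the file is not in the directory the stack is started from, and Crowdsec then restart-loops. The script greps the short `source:target[:opts]` volume syntax used in the compose file earlier in the thread and flags sources that are missing or are directories where the target looks like a single file. It assumes a POSIX shell with `grep` and `sed`; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the issue thread): pre-flight check for bind mounts
# in a compose file, so a missing ./acquis.yaml is caught before the runtime
# silently creates an empty directory in its place.
#
# usage: check_bind_mounts path/to/compose.yml [project-dir]
# Prints one line per problem; returns 0 when every bind mount looks sane, 1 otherwise.

# Print "source:target[:opts]" for volume entries whose source is a host path
# (./, ../, / or ~). Named volumes such as "logs:/var/log/traefik" are skipped,
# and so are commented-out lines.
list_bind_mounts() {
    grep -E '^[[:space:]]*-[[:space:]]*"?(\.{1,2}/|/|~)[^"[:space:]]*:' "$1" \
      | sed -E 's/^[[:space:]]*-[[:space:]]*"?//; s/"?[[:space:]]*(#.*)?$//'
}

# Emit one diagnostic line per suspicious bind mount (nothing when all is well).
report_bind_mounts() {
    compose="$1"
    project="${2:-$(dirname "$compose")}"
    list_bind_mounts "$compose" | while IFS= read -r entry; do
        src="${entry%%:*}"
        target="${entry#*:}"; target="${target%%:*}"
        # compose resolves relative sources against the project directory and expands ~
        case "$src" in
            "~"*) src="${HOME:-/root}${src#\~}" ;;
            /*)   ;;
            *)    src="$project/$src" ;;
        esac
        if [ ! -e "$src" ]; then
            printf 'MISSING   %s -> %s (runtime would create an empty directory here)\n' "$src" "$target"
        elif [ -d "$src" ]; then
            # a directory is about to be mounted over a path that looks like one config file
            case "$target" in
                *.yaml|*.yml|*.toml|*.sock)
                    printf 'DIRECTORY %s -> %s (target looks like a file, source is a directory)\n' "$src" "$target" ;;
            esac
        fi
    done
}

# Wrapper with a usable exit status for scripts and CI.
check_bind_mounts() {
    out=$(report_bind_mounts "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Run directly: check_bind_mounts.sh compose.yml [project-dir]
if [ $# -gt 0 ]; then check_bind_mounts "$@"; fi
```

Run it from the project directory before `docker-compose up`; a `MISSING` line for `acquis.yaml` is the symptom the thread describes, and the fix is either to put the file next to the compose file or, as suggested above, to bind-mount a `crowdsec/` directory instead of a single file.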
I just checked and the conf I proposed in the previous comments was already independent from any service and thus can be used in any service. Example like this with foo and bar whoami.
This is something that should have disappeared a long time ago, as it is not true.
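The reuse that the comments above describe, written out as an added example (not the thread's own compose file): the `crowdsec` middleware is declared exactly once, in the file provider (`/whoami.yml` earlier in the thread), so every container references it as `crowdsec@file` through labels and nobody repeats the LAPI key. The service names, router names and path rules below are assumptions.

```yaml
# Added example: two whoami containers sharing one middleware.
# "crowdsec" is defined in the file provider, hence the "@file" suffix;
# a middleware declared in labels would instead be addressed as "<name>@docker".
services:
  whoami-foo:
    image: traefik/whoami
    networks: [traefik]
    labels:
      - "traefik.enable=true"   # required because exposedByDefault=false in the traefik command
      - "traefik.http.routers.foo.rule=PathPrefix(`/foo`)"
      - "traefik.http.routers.foo.entrypoints=web"
      - "traefik.http.routers.foo.middlewares=crowdsec@file"
  whoami-bar:
    image: traefik/whoami
    networks: [traefik]
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bar.rule=PathPrefix(`/bar`)"
      - "traefik.http.routers.bar.entrypoints=web"
      - "traefik.http.routers.bar.middlewares=crowdsec@file"

networks:
  traefik:
    external: true
```

With routers coming from labels, the `my-router`/`service-foo` pair in `whoami.yml` is no longer needed; keep only the `middlewares:` section there. Note also that the traefik command earlier in the thread sets `--providers.docker.watch=false`, so Traefik only reads labels at startup: containers started afterwards are not picked up until Traefik is restarted, which is one way a middleware can seem to "disappear" from the dashboard.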
Describe the bug 🐛
IP Banning not working. The middleware loads into the traefik dashboard for a few seconds (if at all), then disappears. Traefik probably crashes and restarts without the middleware ???
Expected behavior 👀
IP Banning working, middleware correctly and permanently listed in the traefik dashboard.
Context 🔍
At first I thought that the issue was related to this, since the plugin type wasn't recognized. As such, I applied the same fix as suggested by @jLemmings in #95.
I am not sure whether I need to just set the dynamic configuration or if I need to define a middleware with a different name each time for each container in its own compose.yml file. I tried both approaches, with the per-container defined middleware usually loading into the traefik dashboard and then disappearing a few seconds later (and unsure if traefik crashed in the meantime ...).
As such I find the example in the documentation for the whoami container a bit confusing/misleading: aren't we already configuring the middleware (including the LAPI Key) in the traefik dynamic configuration file? Or probably something (obvious) which I fail to see ...
Version (please complete the following information):
To Reproduce
Unsure to be honest.
This is what I have used.
Traefik configured via compose.yml file
Dynamic traefik configuration (based on stock config - only replaced plugin name based on jLemmings' findings in #95)
Example of container compose.yml configuration for Headscale: