
Commit cf53770

committed
Add crowdsec
1 parent f27497e commit cf53770

2 files changed

Lines changed: 90 additions & 3 deletions


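--- a/proxy/traefik.yaml
+++ b/proxy/traefik.yaml
@@ -9,20 +9,32 @@ log:
 accessLog:
 filePath: /var/log/traefik/access.log
 format: json
+bufferingSize: 0
 fields:
 defaultMode: keep
 headers:
 defaultMode: drop
+names:
+User-Agent: keep
 
 api:
 dashboard: false
 insecure: false
 
+experimental:
+plugins:
+bouncer:
+moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+version: v1.4.2
+
 entryPoints:
 web:
 address: ":80"
 websecure:
 address: ":443"
+http:
+middlewares:
+- crowdsec@file
 
 providers:
 file: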
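Review bot: The `crowdsec@file` middleware is attached only to the `websecure` entrypoint in this hunk; the `web` entrypoint on ":80" gets no middleware, so unless :80 is redirected to :443 somewhere outside this hunk, plain-HTTP requests reach the routers without passing the bouncer. Adding the same `http: / middlewares: / - crowdsec@file` block under `web`, or a `redirections.entryPoint` to websecure, closes that gap. The identical block in web/public/setup.sh (hunk at old line 366) has the same shape and would need the same change.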

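--- a/web/public/setup.sh
+++ b/web/public/setup.sh
@@ -366,20 +366,32 @@ log:
 accessLog:
 filePath: /var/log/traefik/access.log
 format: json
+bufferingSize: 0
 fields:
 defaultMode: keep
 headers:
 defaultMode: drop
+names:
+User-Agent: keep
 
 api:
 dashboard: false
 insecure: false
 
+experimental:
+plugins:
+bouncer:
+moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+version: v1.4.2
+
 entryPoints:
 web:
 address: ":80"
 websecure:
 address: ":443"
+http:
+middlewares:
+- crowdsec@file
 
 providers:
 file:
@@ -394,7 +406,7 @@ EOF
 cat > /etc/systemd/system/traefik.service << 'EOF'
 [Unit]
 Description=Traefik Reverse Proxy
-After=network-online.target
+After=network-online.target crowdsec.service
 Wants=network-online.target
 
 [Service]
@@ -437,6 +449,67 @@ EOF
 echo "✓ iptables-persistent installed and rules saved"
 fi
 fi
+
+step "Installing CrowdSec..."
+if command -v cscli &>/dev/null; then
+echo "CrowdSec already installed, skipping package install"
+else
+curl -s https://install.crowdsec.net | sh
+pkg_install crowdsec
+fi
+if ! cscli version &>/dev/null; then
+error "Failed to install CrowdSec"
+fi
+echo "✓ CrowdSec installed"
+
+cscli collections install crowdsecurity/traefik 2>/dev/null || true
+echo "✓ CrowdSec Traefik collection installed"
+
+mkdir -p /etc/crowdsec/acquis.d
+cat > /etc/crowdsec/acquis.d/traefik.yaml << 'ACQUIS_EOF'
+filenames:
+- /var/log/traefik/access.log
+labels:
+type: traefik
+ACQUIS_EOF
+echo "✓ CrowdSec log acquisition configured"
+
+systemctl enable crowdsec
+systemctl restart crowdsec
+sleep 2
+if ! systemctl is-active --quiet crowdsec; then
+error "Failed to start CrowdSec"
+fi
+echo "✓ CrowdSec running"
+
+if [ ! -f /etc/traefik/dynamic/crowdsec.yaml ]; then
+BOUNCER_KEY=$(cscli bouncers add traefik-bouncer -o raw)
+if [ -z "$BOUNCER_KEY" ]; then
+error "Failed to generate CrowdSec bouncer key"
+fi
+cat > /etc/traefik/dynamic/crowdsec.yaml << BOUNCER_EOF
+http:
+middlewares:
+crowdsec:
+plugin:
+bouncer:
+enabled: true
+crowdsecMode: stream
+updateIntervalSeconds: 15
+defaultDecisionSeconds: 60
+httpTimeoutSeconds: 10
+crowdsecLapiScheme: http
+crowdsecLapiHost: 127.0.0.1:8080
+crowdsecLapiKey: ${BOUNCER_KEY}
+forwardedHeadersTrustedIPs:
+- 10.0.0.0/8
+- 172.16.0.0/12
+- 192.168.0.0/16
+BOUNCER_EOF
+echo "✓ CrowdSec Traefik bouncer configured"
+else
+echo "CrowdSec bouncer config exists, skipping"
+fi
 fi
 
 step "Enabling IP forwarding..."
@@ -517,7 +590,7 @@ if [ "$IS_PROXY" = "true" ]; then
 fi
 
 if [ "$IS_PROXY" = "true" ]; then
-AFTER_SERVICES="network-online.target traefik.service buildkitd.service"
+AFTER_SERVICES="network-online.target crowdsec.service traefik.service buildkitd.service"
 else
 AFTER_SERVICES="network-online.target buildkitd.service"
 fi
@@ -610,7 +683,7 @@ echo "✓ Agent started"
 step "Final verification..."
 
 if [ "$IS_PROXY" = "true" ]; then
-SERVICES=("traefik" "techulus-agent" "buildkitd")
+SERVICES=("crowdsec" "traefik" "techulus-agent" "buildkitd")
 else
 SERVICES=("techulus-agent" "buildkitd")
 fi
@@ -643,6 +716,8 @@ echo "Useful commands:"
 echo " View agent logs: journalctl -u techulus-agent -f"
 if [ "$IS_PROXY" = "true" ]; then
 echo " View Traefik logs: journalctl -u traefik -f"
+echo " CrowdSec decisions: cscli decisions list"
+echo " CrowdSec alerts: cscli alerts list"
 fi
 echo " Agent status: systemctl status techulus-agent"
 echo " Restart agent: systemctl restart techulus-agent"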
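Review bot: `curl -s https://install.crowdsec.net | sh` in the "Installing CrowdSec..." hunk (old line 437) has no `-f`, so an HTTP error body or a truncated transfer is still fed to sh and the failure only surfaces later at the `cscli version` probe; fetching to a file first keeps the failure explicit: `curl -fsSL https://install.crowdsec.net -o "$tmp" || error "Failed to download CrowdSec installer"` followed by `sh "$tmp"`. The same hunk writes the LAPI key into /etc/traefik/dynamic/crowdsec.yaml with a bare `cat >`, which creates the file under the script's umask (typically world-readable); wrapping the write as `(umask 077; cat > /etc/traefik/dynamic/crowdsec.yaml << BOUNCER_EOF` … `BOUNCER_EOF)` or following it with `chmod 600` restricts the key, though the user Traefik runs as is not visible here and may need a matching chown. The `forwardedHeadersTrustedIPs` entries in that heredoc make the plugin honour X-Forwarded-For from any RFC 1918 source, which is only safe if nothing untrusted can reach Traefik from those ranges. The `if` that this hunk's code sits inside starts before the hunk and is closed by the `fi` at new line 513.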
