From 600484b16efe0f01047d45a05d13c3be1a20dae9 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Tue, 18 May 2021 14:03:16 +0200
Subject: [PATCH] crowdsec - fix bugs and update example

---
 confs/global/crowdsec.conf | 9 -------
 confs/global/init-lua.conf | 11 +++++++++
 confs/global/nginx.conf | 3 ---
 entrypoint/global-config.sh | 4 ++--
 examples/crowdsec/acquis.yaml | 3 +--
 examples/crowdsec/bouncer_key.sh | 2 +-
 examples/crowdsec/docker-compose.yml | 35 +++++++++++++++++++++++-----
 examples/crowdsec/syslog-ng.conf | 18 ++++++++++++++
 8 files changed, 62 insertions(+), 23 deletions(-)
 delete mode 100644 confs/global/crowdsec.conf
 mode change 100644 => 100755 examples/crowdsec/bouncer_key.sh
 create mode 100644 examples/crowdsec/syslog-ng.conf

diff --git a/confs/global/crowdsec.conf b/confs/global/crowdsec.conf
deleted file mode 100644
index 617788f..0000000
--- a/confs/global/crowdsec.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-init_by_lua_block {
- local cs = require "crowdsec.CrowdSec"
- local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
- if ok == nil then
- ngx.log(ngx.ERR, "[Crowdsec] " .. err)
- error()
- end
- ngx.log(ngx.NOTICE, "[Crowdsec] Initialisation done")
-}
diff --git a/confs/global/init-lua.conf b/confs/global/init-lua.conf
index 531377c..38e9350 100644
--- a/confs/global/init-lua.conf
+++ b/confs/global/init-lua.conf
@@ -7,6 +7,7 @@ local use_abusers = %USE_ABUSERS%
 local use_tor_exit_nodes = %USE_TOR_EXIT_NODES%
 local use_user_agents = %USE_USER_AGENTS%
 local use_referrers = %USE_REFERRERS%
+local use_crowdsec = %USE_CROWDSEC%
 
 if use_proxies then
 dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
@@ -28,4 +29,14 @@ if use_referrers then
 dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
 end
 
+if use_crowdsec then
+ local cs = require "crowdsec.CrowdSec"
+ local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
+ if ok == nil then
+ ngx.log(ngx.ERR, "[CROWDSEC] " .. err)
+ error()
+ end
+ ngx.log(ngx.ERR, "[CROWDSEC] *NOT AN ERROR* initialisation done")
+end
+
 }
diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf
index 9fce78e..2ba2432 100644
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@@ -91,9 +91,6 @@ http {
 %BLOCK_REFERRERS%
 %BAD_BEHAVIOR%
 
- # crowdsec init
- %USE_CROWDSEC%
-
 # shared memory zone for limit_req
 %LIMIT_REQ_ZONE%
 
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index 0d63d05..1ec0a41 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -229,9 +229,9 @@ fi
 
 # CrowdSec setup
 if [ "$(has_value USE_CROWDSEC yes)" != "" ] ; then
- replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
+ replace_in_file "/etc/nginx/init-lua.conf" "%USE_CROWDSEC%" "true"
 else
- replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
+ replace_in_file "/etc/nginx/init-lua.conf" "%USE_CROWDSEC%" "false"
 fi
 
 # API
diff --git a/examples/crowdsec/acquis.yaml b/examples/crowdsec/acquis.yaml
index 1238e66..c58f202 100644
--- a/examples/crowdsec/acquis.yaml
+++ b/examples/crowdsec/acquis.yaml
@@ -1,6 +1,5 @@
 filenames:
- - /var/log/access.log
- - /var/log/error.log
+ - /var/log/nginx.log
 labels:
 type: nginx
 ---
diff --git a/examples/crowdsec/bouncer_key.sh b/examples/crowdsec/bouncer_key.sh
old mode 100644
new mode 100755
index 068dd89..ee42e7e
--- a/examples/crowdsec/bouncer_key.sh
+++ b/examples/crowdsec/bouncer_key.sh
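Review bot: `error()` in the failure branch is raised with no message, so when `cs.init` fails nginx aborts init_by_lua with a nil error and the only clue is the ngx.log line just before it; carry the reason in the error itself, `error("[CROWDSEC] init failed: " .. tostring(err))`, and use `tostring(err)` on the ngx.log line as well so a nil `err` cannot turn the concatenation into the failure (whether cs.init can return nil there is not visible here). The success message is logged at ngx.ERR although it is not an error, as the "*NOT AN ERROR*" prefix admits, which makes every start-up trip anything that watches the error log; the deleted crowdsec.conf used ngx.NOTICE, and if the line must stay visible at the default log level, ngx.WARN is the least misleading choice. The enclosing init_by_lua_block opens outside the hunk.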
@@ -11,7 +11,7 @@ sleep 10
 docker-compose exec mycrowdsec cscli bouncers add MyBouncer
 
 # enter the key into the CROWDSEC_KEY environment variable
-read -p -s "edit CROWDSEC_KEY env var in docker-compose.yml file and press enter"
+read -p "edit CROWDSEC_KEY env var in docker-compose.yml file and press enter" edited
 
 # start all services
 docker-compose up -d
diff --git a/examples/crowdsec/docker-compose.yml b/examples/crowdsec/docker-compose.yml
index b2080d5..ccca0b5 100644
--- a/examples/crowdsec/docker-compose.yml
+++ b/examples/crowdsec/docker-compose.yml
@@ -3,8 +3,18 @@ version: '3'
 services:
 mywww:
- image: bunkerity/bunkerized-nginx
+ image: debug
 restart: always
+ # mandatory for crowdsec :
+ # you need to redirect Docker logs to the syslog server
+ logging:
+ driver: syslog
+ options:
+ syslog-address: "udp://10.10.10.254:514"
+ depends_on:
+ - mysyslog
+ - myapp1
+ - myapp2
 ports:
 - 80:8080
 - 443:8443
@@ -13,7 +23,6 @@ services:
 volumes:
 - ./web-files:/www:ro
 - ./letsencrypt:/etc/letsencrypt
- - nginx_logs:/var/log
 environment:
 - SERVER_NAME=app1.website.com app2.website.com # replace with your domains
 - MULTISITE=yes
@@ -24,15 +33,15 @@ services:
 - USE_GZIP=yes
 - USE_CROWDSEC=yes
 - CROWDSEC_HOST=http://mycrowdsec:8080
- - CROWDSEC_KEY= # you need to generate it (see bouncer_key.sh)
+ - CROWDSEC_KEY= # you need to generate it (see bouncer_key.sh)
 - app1.website.com_REMOTE_PHP=myapp1
 - app1.website.com_REMOTE_PHP_PATH=/app
 - app2.website.com_REMOTE_PHP=myapp2
 - app2.website.com_REMOTE_PHP_PATH=/app
 networks:
- - net0
- - net1
- - net2
+ net0:
+ net1:
+ net2:
 
 mycrowdsec:
 image: crowdsecurity/crowdsec:v1.0.13
@@ -46,6 +55,16 @@ services:
 networks:
 - net0
 
+ mysyslog:
+ image: balabit/syslog-ng
+ restart: always
+ volumes:
+ - ./syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf
+ - nginx_logs:/var/log
+ networks:
+ net0:
+ ipv4_address: 10.10.10.254
+
 myapp1:
 image: php:fpm
 restart: always
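Review bot: The new `read` line leaves the `edited` variable unused and still omits `-r`, so a backslash typed at the prompt is interpreted rather than taken literally; since the line is only a pause, `read -r -p "edit CROWDSEC_KEY env var in docker-compose.yml file and press enter" _` says so and is shellcheck-clean. The rest of the script is outside the hunk.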
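Review bot: `image: debug` replaces the published `bunkerity/bunkerized-nginx` image in the example's `mywww` service; that looks like a local debugging leftover that leaves the example unrunnable for users, and the original image name should be restored. In the new `logging:` block it is the Docker daemon, not the container, that sends to `udp://10.10.10.254:514`, so the address only works while the host can route to the net0 subnet declared at the end of this file and while mysyslog keeps that static address; a comment such as `# sent by the Docker daemon: must match mysyslog's ipv4_address and the net0 subnet` would keep the three places in sync.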
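Review bot: The new `mysyslog` service mounts `./syslog-ng.conf` read-write while the sibling `./web-files` mount in this file uses `:ro`; the configuration should be `- ./syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf:ro` so the log collector cannot rewrite its own config. Its `nginx_logs:/var/log` volume is presumably where mycrowdsec reads `/var/log/nginx.log` (that service's volumes are outside the hunk); a one-line comment saying this volume is the CrowdSec acquisition path would tell the reader why syslog-ng writes into a shared volume.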
@@ -64,6 +83,10 @@ services:
 
 networks:
 net0:
+ ipam:
+ driver: default
+ config:
+ - subnet: 10.10.10.0/24
 net1:
 net2:
 
diff --git a/examples/crowdsec/syslog-ng.conf b/examples/crowdsec/syslog-ng.conf
new file mode 100644
index 0000000..9609387
--- /dev/null
+++ b/examples/crowdsec/syslog-ng.conf
@@ -0,0 +1,18 @@
+@version: 3.31
+
+source s_net {
+ udp(
+ ip("0.0.0.0")
+ );
+};
+
+template t_imp {
+ template("$MSG\n");
+ template_escape(no);
+};
+
+destination d_file {
+ file("/var/log/nginx.log" template(t_imp));
+};
+
+log { source(s_net); destination(d_file); };
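Review bot: `s_net` accepts UDP datagrams from any sender (`ip("0.0.0.0")`, no filter) and everything received is appended verbatim (`template_escape(no)`) to the file CrowdSec parses for its decisions, so the integrity of that log is exactly the trust placed in whatever can reach port 514 on net0. That is acceptable for an example as long as it is written down; a header comment such as `# Unauthenticated UDP input: anything that can reach this port can write lines CrowdSec will act on. Keep net0 private.` makes the assumption visible to whoever copies the file. `@version: 3.31` also pins the config to one syslog-ng release while the compose file pulls `balabit/syslog-ng` without a tag, so the two can drift apart on image updates; pinning the image tag to match is the safer pairing.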