From 82548378aea482c85cc87443593dc83ec1272346 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Fri, 16 Jul 2021 10:05:53 +0200
Subject: [PATCH] crowdsec - move as external plugin

---
 .gitmodules | 3 ++
 confs/global/init-lua.conf | 35 ++++++++++-----------
 confs/site/main-lua.conf | 15 ---------
 examples/crowdsec/bunkerized-nginx-crowdsec | 1 +
 examples/crowdsec/docker-compose.yml | 4 +--
 helpers/install.sh | 11 -------
 settings.json | 32 -------------------
 7 files changed, 22 insertions(+), 79 deletions(-)
 create mode 100644 .gitmodules
 create mode 160000 examples/crowdsec/bunkerized-nginx-crowdsec

diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..ad595ac
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "bunkerized-nginx-crowdsec"]
+ path = examples/crowdsec/bunkerized-nginx-crowdsec
+ url = https://github.com/bunkerity/bunkerized-nginx-crowdsec
diff --git a/confs/global/init-lua.conf b/confs/global/init-lua.conf
index 0cf33a3..18e9449 100644
--- a/confs/global/init-lua.conf
+++ b/confs/global/init-lua.conf
@@ -9,7 +9,6 @@ local use_abusers = {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}fal
 local use_tor_exit_nodes = {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif +%}
 local use_user_agents = {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif +%}
 local use_referrers = {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif +%}
-local use_crowdsec = {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif +%}
 
 if use_proxies then
 dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
@@ -31,16 +30,6 @@ if use_referrers then
 dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
 end
 
-if use_crowdsec then
- local cs = require "crowdsec.CrowdSec"
- local ok, err = cs.init("/etc/nginx/crowdsec.conf")
- if ok == nil then
- logger.log(ngx.ERR, "CROWDSEC", err)
- error()
- end
- logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
-end
-
 -- Load plugins
 ngx.shared.plugins_data:safe_set("plugins", nil, 0)
 local p = io.popen("find /opt/bunkerized-nginx/plugins -maxdepth 1 -type d ! -path /opt/bunkerized-nginx/plugins")
@@ -54,14 +43,24 @@ for dir in p:lines() do
 ngx.shared.plugins_data:safe_set(data.id .. "_" .. k, v, 0)
 end
 file:close()
- -- store plugin
- local plugins, flags = ngx.shared.plugins_data:get("plugins")
- if plugins == nil then
- ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
- else
- ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
+ -- call init
+ local plugin = require(data.id .. "/" .. data.id)
+ local init = true
+ if plugin["init"] ~= nil then
+ init = plugin.init()
+ end
+ -- store plugin
+ if init then
+ local plugins, flags = ngx.shared.plugins_data:get("plugins")
+ if plugins == nil then
+ ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
+ else
+ ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
+ end
+ logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
+ else
+ logger.log(ngx.ERR, "PLUGINS", "init failed for plugin " .. data.name .. "/" .. data.version)
 end
- logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
 else
 logger.log(ngx.ERR, "PLUGINS", "Can't load " .. dir .. "/plugin.json")
 end
diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf
index 1308395..08cf91a 100644
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
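Review bot: `require(data.id .. "/" .. data.id)` and `plugin.init()` in the new `-- call init` block are unguarded, so a missing module, a syntax error or a runtime error inside any plugin's init raises out of init_by_lua and aborts the whole nginx startup, whereas the `if init then ... else` branch right below suggests a failing plugin was meant to be logged and skipped. Wrapping both calls in pcall keeps the loop going and routes errors into the existing `init failed` branch; it also makes an explicit truthy return the only way a plugin gets registered, which should be stated in the plugin contract because an init that returns nothing is currently treated as a failure. Note that this path is fail-open: a security plugin such as the CrowdSec bouncer this commit moves out of tree whose init fails only produces an ngx.ERR line and nginx keeps serving without it, so a per-plugin or global setting to abort startup instead is worth considering. `data.id` is also used unchecked as a module path; plugin.json is presumably trusted, but a cheap guard like `if not data.id:match("^[%w_%-]+$") then ... end` before the require would rule out path components. The enclosing `for dir in p:lines() do` loop starts before the hunk and its closing `end` is after it.
```lua
-- … unchanged: settings loading and file:close() …
-- call init (a broken plugin must not abort nginx startup)
local ok, plugin = pcall(require, data.id .. "/" .. data.id)
local init = ok
if ok and plugin["init"] ~= nil then
	local ok_init, res = pcall(plugin.init)
	init = ok_init and res
	if not ok_init then
		logger.log(ngx.ERR, "PLUGINS", "init error for plugin " .. data.name .. ": " .. tostring(res))
	end
elseif not ok then
	logger.log(ngx.ERR, "PLUGINS", "can't require plugin " .. data.name .. ": " .. tostring(plugin))
end
-- … unchanged: store plugin / init failed branches …
```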
@@ -25,9 +25,6 @@ local use_referrers = {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% end
 -- countries
 local use_country = {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif +%}
 
--- crowdsec
-local use_crowdsec = {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif +%}
-
 -- antibot
 local use_antibot_cookie = {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif +%}
 local use_antibot_javascript = {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif +%}
@@ -238,18 +235,6 @@ if use_dnsbl and not dnsbl.cached() then
 end
 end
 
--- check if IP is in CrowdSec DB
-if use_crowdsec then
- local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
- if ok == nil then
- logger.log(ngx.ERR, "CROWDSEC", err)
- end
- if not ok then
- logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
- ngx.exit(ngx.HTTP_FORBIDDEN)
- end
-end
-
 -- cookie check
 if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
 if not cookie.is_set("uri") then
diff --git a/examples/crowdsec/bunkerized-nginx-crowdsec b/examples/crowdsec/bunkerized-nginx-crowdsec
new file mode 160000
index 0000000..6dadb32
--- /dev/null
+++ b/examples/crowdsec/bunkerized-nginx-crowdsec
@@ -0,0 +1 @@
+Subproject commit 6dadb32c011971789d0cb02ec6cce6ad6dda90c0
diff --git a/examples/crowdsec/docker-compose.yml b/examples/crowdsec/docker-compose.yml
index 5e6e9f2..c54f755 100644
--- a/examples/crowdsec/docker-compose.yml
+++ b/examples/crowdsec/docker-compose.yml
@@ -23,6 +23,7 @@ services:
 volumes:
 - ./web-files:/www:ro
 - ./letsencrypt:/etc/letsencrypt
+ - ./bunkerized-nginx-crowdsec:/plugins/crowdsec # edit plugin.json
 environment:
 - SERVER_NAME=app1.example.com app2.example.com # replace with your domains
 - MULTISITE=yes
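Review bot: The new bind mount `./bunkerized-nginx-crowdsec:/plugins/crowdsec` is read-write, unlike `./web-files:/www:ro` two lines above, yet its contents are Lua that nginx loads with `require` at startup; mounting it read-only keeps a compromised container from rewriting plugin code on the host that would then run on the next reload: `- ./bunkerized-nginx-crowdsec:/plugins/crowdsec:ro # edit plugin.json`. The `# edit plugin.json` hint replaces the removed `CROWDSEC_KEY` environment entry, so the bouncer API key presumably now lives in a file inside the submodule checkout; if that is the case, the example should warn not to commit it and to keep the file's permissions tight, which I cannot verify from this hunk.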
@@ -31,9 +32,6 @@ services:
 - DISABLE_DEFAULT_SERVER=yes
 - USE_CLIENT_CACHE=yes
 - USE_GZIP=yes
- - USE_CROWDSEC=yes
- - CROWDSEC_HOST=http://mycrowdsec:8080
- - CROWDSEC_KEY= # you need to generate it (see bouncer_key.sh)
 - app1.example.com_REMOTE_PHP=myapp1
 - app1.example.com_REMOTE_PHP_PATH=/app
 - app2.example.com_REMOTE_PHP=myapp2
diff --git a/helpers/install.sh b/helpers/install.sh
index c61240b..11bdd9f 100755
--- a/helpers/install.sh
+++ b/helpers/install.sh
@@ -586,17 +586,6 @@ CHANGE_DIR="/tmp/bunkerized-nginx/luasec" do_and_check_cmd make INC_PATH=-I/opt/
 echo "[*] Install luasec"
 CHANGE_DIR="/tmp/bunkerized-nginx/luasec" do_and_check_cmd make LUACPATH=/opt/bunkerized-nginx/deps/lib/lua LUAPATH=/opt/bunkerized-nginx/deps/lib/lua install
 
-# Download and install lua-cs-bouncer
-echo "[*] Clone crowdsecurity/lua-cs-bouncer"
-git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc453dcf51a391bc9e9a36ca77958b0
-echo "[*] Install lua-cs-bouncer"
-if [ ! -d /opt/bunkerized-nginx/deps/lib/lua/crowdsec ] ; then
- do_and_check_cmd mkdir /opt/bunkerized-nginx/deps/lib/lua/crowdsec
-fi
-do_and_check_cmd cp -r /tmp/bunkerized-nginx/lua-cs-bouncer/lib/* /opt/bunkerized-nginx/deps/lib/lua/crowdsec
-do_and_check_cmd sed -i 's/require "lrucache"/require "resty.lrucache"/' /opt/bunkerized-nginx/deps/lib/lua/crowdsec/CrowdSec.lua
-do_and_check_cmd sed -i 's/require "config"/require "crowdsec.config"/' /opt/bunkerized-nginx/deps/lib/lua/crowdsec/CrowdSec.lua
-
 # Download and install lua-resty-iputils
 echo "[*] Clone hamishforbes/lua-resty-iputils"
 git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4
diff --git a/settings.json b/settings.json
index a05109f..6a5023f 100644
--- a/settings.json
+++ b/settings.json
@@ -493,38 +493,6 @@
 }
 ]
 },
- "CrowdSec": {
- "id": "use-crowdsec",
- "params": [
- {
- "context": "multisite",
- "default": "no",
- "env": "USE_CROWDSEC",
- "id": "use-crowdsec",
- "label": "Use crowdsec",
- "regex": "^(yes|no)$",
- "type": "checkbox"
- },
- {
- "context": "global",
- "default": "",
- "env": "CROWDSEC_HOST",
- "id": "crowdsec-host",
- "label": "CrowdSec host",
- "regex": "^(https?://[\\S]+:?\\d*)?$",
- "type": "text"
- },
- {
- "context": "global",
- "default": "",
- "env": "CROWDSEC_KEY",
- "id": "crowdsec-key",
- "label": "CrowdSec key",
- "regex": "^([\\S])*$",
- "type": "text"
- }
- ]
- },
 "DNSBL": {
 "id": "dnsbl",
 "params": [