crowdsec - move as external plugin

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "bunkerized-nginx-crowdsec"]
+	path = examples/crowdsec/bunkerized-nginx-crowdsec
+	url = https://github.com/bunkerity/bunkerized-nginx-crowdsec

confs/global/init-lua.conf

@@ -9,7 +9,6 @@ local use_abusers		= {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}fal
 local use_tor_exit_nodes	= {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif +%}
 local use_user_agents		= {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif +%}
 local use_referrers		= {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif +%}
-local use_crowdsec		= {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif +%}
 
 if use_proxies then
 	dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
@@ -31,16 +30,6 @@ if use_referrers then
 	dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
 end
 
-if use_crowdsec then
-	local cs = require "crowdsec.CrowdSec"
-	local ok, err = cs.init("/etc/nginx/crowdsec.conf")
-	if ok == nil then
-		logger.log(ngx.ERR, "CROWDSEC", err)
-		error()
-	end
-	logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
-end
-
 -- Load plugins
 ngx.shared.plugins_data:safe_set("plugins", nil, 0)
 local p = io.popen("find /opt/bunkerized-nginx/plugins -maxdepth 1 -type d ! -path /opt/bunkerized-nginx/plugins")
@@ -54,14 +43,24 @@ for dir in p:lines() do
 			ngx.shared.plugins_data:safe_set(data.id .. "_" .. k, v, 0)
 		end
 		file:close()
-		-- store plugin
+		-- call init
-		local plugins, flags = ngx.shared.plugins_data:get("plugins")
+		local plugin = require(data.id .. "/" .. data.id)
-		if plugins == nil then
+		local init = true
-			ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
+		if plugin["init"] ~= nil then
-		else
+			init = plugin.init()
-			ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
+		end
+		-- store plugin
+		if init then
+			local plugins, flags = ngx.shared.plugins_data:get("plugins")
+			if plugins == nil then
+				ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
+			else
+				ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
+			end
+			logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
+		else
+			logger.log(ngx.ERR, "PLUGINS", "init failed for plugin " .. data.name .. "/" .. data.version)
 		end
-		logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
 	else
 		logger.log(ngx.ERR, "PLUGINS", "Can't load " .. dir .. "/plugin.json")
 	end

confs/site/main-lua.conf

@@ -25,9 +25,6 @@ local use_referrers		= {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% end
 -- countries
 local use_country		= {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif +%}
 
--- crowdsec
-local use_crowdsec		= {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif +%}
-
 -- antibot
 local use_antibot_cookie	= {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif +%}
 local use_antibot_javascript	= {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif +%}
@@ -238,18 +235,6 @@ if use_dnsbl and not dnsbl.cached() then
 	end
 end
 
--- check if IP is in CrowdSec DB
-if use_crowdsec then
-	local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
-	if ok == nil then
-		logger.log(ngx.ERR, "CROWDSEC", err)
-	end
-	if not ok then
-		logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
-		ngx.exit(ngx.HTTP_FORBIDDEN)
-	end
-end
-
 -- cookie check
 if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
 	if not cookie.is_set("uri") then

examples/crowdsec/bunkerized-nginx-crowdsec

@@ -0,0 +1 @@
+Subproject commit 6dadb32c011971789d0cb02ec6cce6ad6dda90c0

examples/crowdsec/docker-compose.yml

@@ -23,6 +23,7 @@ services:
     volumes:
       - ./web-files:/www:ro
       - ./letsencrypt:/etc/letsencrypt
+      - ./bunkerized-nginx-crowdsec:/plugins/crowdsec # edit plugin.json
     environment:
       - SERVER_NAME=app1.example.com app2.example.com # replace with your domains
       - MULTISITE=yes
@@ -31,9 +32,6 @@ services:
       - DISABLE_DEFAULT_SERVER=yes
       - USE_CLIENT_CACHE=yes
       - USE_GZIP=yes
-      - USE_CROWDSEC=yes
-      - CROWDSEC_HOST=http://mycrowdsec:8080
-      - CROWDSEC_KEY=                                # you need to generate it (see bouncer_key.sh)
       - app1.example.com_REMOTE_PHP=myapp1
       - app1.example.com_REMOTE_PHP_PATH=/app
       - app2.example.com_REMOTE_PHP=myapp2

helpers/install.sh

@@ -586,17 +586,6 @@ CHANGE_DIR="/tmp/bunkerized-nginx/luasec" do_and_check_cmd make INC_PATH=-I/opt/
 echo "[*] Install luasec"
 CHANGE_DIR="/tmp/bunkerized-nginx/luasec" do_and_check_cmd make LUACPATH=/opt/bunkerized-nginx/deps/lib/lua LUAPATH=/opt/bunkerized-nginx/deps/lib/lua install
 
-# Download and install lua-cs-bouncer
-echo "[*] Clone crowdsecurity/lua-cs-bouncer"
-git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc453dcf51a391bc9e9a36ca77958b0
-echo "[*] Install lua-cs-bouncer"
-if [ ! -d /opt/bunkerized-nginx/deps/lib/lua/crowdsec ] ; then
-	do_and_check_cmd mkdir /opt/bunkerized-nginx/deps/lib/lua/crowdsec
-fi
-do_and_check_cmd cp -r /tmp/bunkerized-nginx/lua-cs-bouncer/lib/* /opt/bunkerized-nginx/deps/lib/lua/crowdsec
-do_and_check_cmd sed -i 's/require "lrucache"/require "resty.lrucache"/' /opt/bunkerized-nginx/deps/lib/lua/crowdsec/CrowdSec.lua
-do_and_check_cmd sed -i 's/require "config"/require "crowdsec.config"/' /opt/bunkerized-nginx/deps/lib/lua/crowdsec/CrowdSec.lua
-
 # Download and install lua-resty-iputils
 echo "[*] Clone hamishforbes/lua-resty-iputils"
 git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4

settings.json

@@ -493,38 +493,6 @@
             }
         ]
     },
-    "CrowdSec": {
-        "id": "use-crowdsec",
-        "params": [
-            {
-                "context": "multisite",
-                "default": "no",
-                "env": "USE_CROWDSEC",
-                "id": "use-crowdsec",
-                "label": "Use crowdsec",
-                "regex": "^(yes|no)$",
-                "type": "checkbox"
-            },
-            {
-                "context": "global",
-                "default": "",
-                "env": "CROWDSEC_HOST",
-                "id": "crowdsec-host",
-                "label": "CrowdSec host",
-                "regex": "^(https?://[\\S]+:?\\d*)?$",
-                "type": "text"
-            },
-            {
-                "context": "global",
-                "default": "",
-                "env": "CROWDSEC_KEY",
-                "id": "crowdsec-key",
-                "label": "CrowdSec key",
-                "regex": "^([\\S])*$",
-                "type": "text"
-            }
-        ]
-    },
     "DNSBL": {
         "id": "dnsbl",
         "params": [