From ba6b78e90dd67b6c943fbfe986f4ea24d9565b1c Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Fri, 1 Apr 2022 09:37:21 +0200
Subject: [PATCH 1/5] Show when the crowdsec Bouncer has been disabled in the lua config file..

---
 openresty/crowdsec_openresty.conf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/openresty/crowdsec_openresty.conf b/openresty/crowdsec_openresty.conf
index fc2dd2c..1df237a 100644
--- a/openresty/crowdsec_openresty.conf
+++ b/openresty/crowdsec_openresty.conf
@@ -8,7 +8,11 @@ init_by_lua_block {
 ngx.log(ngx.ERR, "[Crowdsec] " .. err)
 error()
 end
- ngx.log(ngx.ALERT, "[Crowdsec] Initialisation done")
+ if ok == "Disabled" then
+ ngx.log(ngx.ALERT, "[Crowdsec] Bouncer Disabled")
+ else
+ ngx.log(ngx.ALERT, "[Crowdsec] Initialisation done")
+ end
 }

 access_by_lua_block {

From abaffaae09ccd08f19115ae4630877bbd43be526 Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Sat, 2 Apr 2022 18:13:17 +0200
Subject: [PATCH 2/5] If installing on Docker remove lua_ssl_trusted_certificate from crowdsec_openresty.conf Fixes https://github.com/crowdsecurity/cs-openresty-bouncer/issues/27

---
 install.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install.sh b/install.sh
index c9bb63b..cf175c2 100755
--- a/install.sh
+++ b/install.sh
@@ -157,6 +157,7 @@ install() {
 sed -i 's|/etc/crowdsec/bouncers|'"${CONFIG_PATH}"'|' "${NGINX_CONF_DIR}/${NGINX_CONF}"
 #Some docker images like Nginx Proxy Manager has this defined already.
 [ -z ${DOCKER} ] || sed -i 's|resolver local=on ipv6=off;||' "${NGINX_CONF_DIR}/${NGINX_CONF}"
+ [ -z ${DOCKER} ] || sed -i '/lua_ssl_trusted_certificate.*/d' "${NGINX_CONF_DIR}/${NGINX_CONF}"
 }



From a0acdb35618a6ad55cd99de3ebbe4e11f30f9921 Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Wed, 6 Apr 2022 14:02:56 +0200
Subject: [PATCH 3/5] Add Missing resolver line.

---
 openresty/crowdsec_openresty.conf | 1 +
 1 file changed, 1 insertion(+)

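Review bot: The new branch compares `ok` with the literal string `"Disabled"`, a return-value contract of `cs.init` that is not visible in this file and will break silently if the library ever changes that string; a comment should record it, e.g. `-- cs.init returns the string "Disabled" when the bouncer is switched off in its config`. Since a disabled bouncer means this server enforces no CrowdSec decisions, logging it at ALERT, the same level as the success message, is a reasonable choice for operators to notice, though what `access_by_lua_block` does in that state is outside this hunk and worth confirming. The enclosing `init_by_lua_block` starts outside the hunk.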
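Review bot: Deleting the `lua_ssl_trusted_certificate` line for Docker installs leaves the Lua TLS client with no trust store, so any HTTPS connection the bouncer verifies would presumably fail at runtime rather than at install time (or run unverified if the library does not verify); PATCH 4/5 of this series removes this line again, which settles it. The added line also copies the unquoted test from the line above it: `[ -z "${DOCKER}" ]` is the robust form, since the unset case only happens to work because a lone `-z` is itself a non-empty argument to `[`. The `install()` function continues outside the hunk.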
diff --git a/openresty/crowdsec_openresty.conf b/openresty/crowdsec_openresty.conf
index 1df237a..e5e8f73 100644
--- a/openresty/crowdsec_openresty.conf
+++ b/openresty/crowdsec_openresty.conf
@@ -1,5 +1,6 @@
 lua_package_path '$prefix/../lualib/plugins/crowdsec/?.lua;;';
 lua_shared_dict crowdsec_cache 50m;
+resolver local=on ipv6=off;
 lua_ssl_trusted_certificate ${SSL_CERTS_PATH};
 init_by_lua_block {
 cs = require "crowdsec"

From aef9f9c18e8788df7eb0dd0c62caa157bc48b47f Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Wed, 6 Apr 2022 15:54:53 +0200
Subject: [PATCH 4/5] Change the approach, allow the SSL_CERTS_PATHv to be configurable There is better performance using the single Google SSL CA certificate then the entire ca-certificates file.

---
 install.sh | 5 +++--
 openresty/crowdsec_openresty.conf | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/install.sh b/install.sh
index cf175c2..5f53885 100755
--- a/install.sh
+++ b/install.sh
@@ -27,6 +27,9 @@ do
 --DATA_PATH=*)
 DATA_PATH="${1#*=}"
 ;;
+ --SSL_CERTS_PATH=*)
+ SSL_CERTS_PATH="${1#*=}"
+ ;;
 -y|--yes)
 SILENT="true"
 ;;
@@ -149,7 +152,6 @@ check_lua_dependency() {

 install() {
 mkdir -p "${DATA_PATH}/templates/"
- cp -r lua/lib/* "${LIB_PATH}/"
 cp templates/* "${DATA_PATH}/templates/"

 #Patch the nginx config file
@@ -157,7 +159,6 @@ install() {
 sed -i 's|/etc/crowdsec/bouncers|'"${CONFIG_PATH}"'|' "${NGINX_CONF_DIR}/${NGINX_CONF}"
 #Some docker images like Nginx Proxy Manager has this defined already.
 [ -z ${DOCKER} ] || sed -i 's|resolver local=on ipv6=off;||' "${NGINX_CONF_DIR}/${NGINX_CONF}"
- [ -z ${DOCKER} ] || sed -i '/lua_ssl_trusted_certificate.*/d' "${NGINX_CONF_DIR}/${NGINX_CONF}"
 }


diff --git a/openresty/crowdsec_openresty.conf b/openresty/crowdsec_openresty.conf
index e5e8f73..2200cb2 100644
--- a/openresty/crowdsec_openresty.conf
+++ b/openresty/crowdsec_openresty.conf
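Review bot: `--SSL_CERTS_PATH=*` accepts any string and, as the `envsubst` line in the PATCH 5/5 hunk context shows, substitutes it straight into the `lua_ssl_trusted_certificate` directive without checking it, so a typo or an unreadable bundle surfaces only when nginx starts or when the first TLS handshake fails verification. A readability check after option parsing fails the install early: `[ -r "${SSL_CERTS_PATH}" ] || { echo "SSL_CERTS_PATH '${SSL_CERTS_PATH}' is not readable" >&2; exit 1; }`. Whether a default is assigned when the option is absent is not visible here; if none exists, `envsubst` emits `lua_ssl_trusted_certificate ;`, which nginx rejects. The option-parsing loop this `case` arm belongs to starts and ends outside the hunk.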
@@ -2,6 +2,7 @@ lua_package_path '$prefix/../lualib/plugins/crowdsec/?.lua;;';
 lua_shared_dict crowdsec_cache 50m;
 resolver local=on ipv6=off;
 lua_ssl_trusted_certificate ${SSL_CERTS_PATH};
+
 init_by_lua_block {
 cs = require "crowdsec"
 local ok, err = cs.init("/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf", "crowdsec-openresty-bouncer/v0.1.10")

From 066d65af1b1a429304f7989d5ff4fabf964bfb8b Mon Sep 17 00:00:00 2001
From: Brian Munro
Date: Wed, 6 Apr 2022 18:30:58 +0200
Subject: [PATCH 5/5] Remove resolver from crowdsec_openresty.conf file. Add resolver line to Docker image crowdsec_openresty.conf for testing

---
 Dockerfile | 1 +
 install.sh | 2 --
 openresty/crowdsec_openresty.conf | 1 -
 3 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 9f9ae62..3c4d45b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,6 +18,7 @@ RUN cp lua-cs-bouncer/config_example.conf /etc/crowdsec/bouncers/crowdsec-openre
 RUN rm -rf ./lua-cs-bouncer/
 COPY ./openresty /tmp
 RUN SSL_CERTS_PATH=/etc/ssl/certs/ca-certificates.crt envsubst < /tmp/crowdsec_openresty.conf > /etc/nginx/conf.d/crowdsec_openresty.conf
+RUN sed -i '1 i\resolver local=on ipv6=off;' /etc/nginx/conf.d/crowdsec_openresty.conf
 COPY ./docker/docker_start.sh /

 ENTRYPOINT /bin/bash docker_start.sh
\ No newline at end of file
diff --git a/install.sh b/install.sh
index 5f53885..fc5ded4 100755
--- a/install.sh
+++ b/install.sh
@@ -157,8 +157,6 @@ install() {
 #Patch the nginx config file
 SSL_CERTS_PATH=${SSL_CERTS_PATH} envsubst < openresty/${NGINX_CONF} > "${NGINX_CONF_DIR}/${NGINX_CONF}"
 sed -i 's|/etc/crowdsec/bouncers|'"${CONFIG_PATH}"'|' "${NGINX_CONF_DIR}/${NGINX_CONF}"
- #Some docker images like Nginx Proxy Manager has this defined already.
- [ -z ${DOCKER} ] || sed -i 's|resolver local=on ipv6=off;||' "${NGINX_CONF_DIR}/${NGINX_CONF}"
 }


diff --git a/openresty/crowdsec_openresty.conf b/openresty/crowdsec_openresty.conf
index 2200cb2..ae9f0c4 100644
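Review bot: The added `RUN sed -i '1 i\resolver local=on ipv6=off;' ...` injects a `resolver` directive into the generated conf with no record in the Dockerfile of why this image needs one while the packaged `crowdsec_openresty.conf`, which this same patch strips it from, does not; the commit message says it is for testing, so a comment above the line, `# Packaged conf ships without a resolver; this image adds one for testing`, keeps that intent with the code. As a point of style, the directive could be the first line of a Docker-specific template rather than a post-hoc `sed` edit of a generated file, which is harder to audit. `local=on` follows the container's `/etc/resolv.conf`, which is presumably the intent here.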
--- a/openresty/crowdsec_openresty.conf
+++ b/openresty/crowdsec_openresty.conf
@@ -1,6 +1,5 @@
 lua_package_path '$prefix/../lualib/plugins/crowdsec/?.lua;;';
 lua_shared_dict crowdsec_cache 50m;
-resolver local=on ipv6=off;
 lua_ssl_trusted_certificate ${SSL_CERTS_PATH};

 init_by_lua_block {