Hello,
I am trying to get CrowdSec and Traefik working together ...
As you can see in the `cscli metrics` output below, the acquisition ("source") section doesn't even exist.
/ # cscli metrics
Local Api Metrics:
╭────────────────────┬────────┬──────╮
│ Route │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/decisions │ GET │ 17 │
│ /v1/heartbeat │ GET │ 4 │
│ /v1/watchers/login │ POST │ 1 │
╰────────────────────┴────────┴──────╯
Local Api Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│ Machine │ Route │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat │ GET │ 4 │
╰───────────┴───────────────┴────────┴──────╯
Local Api Bouncers Metrics:
╭─────────────────┬───────────────┬────────┬──────╮
│ Bouncer │ Route │ Method │ Hits │
├─────────────────┼───────────────┼────────┼──────┤
│ bouncer-traefik │ /v1/decisions │ GET │ 17 │
╰─────────────────┴───────────────┴────────┴──────╯
Local Api Bouncers Decisions:
╭─────────────────┬───────────────┬───────────────────╮
│ Bouncer │ Empty answers │ Non-empty answers │
├─────────────────┼───────────────┼───────────────────┤
│ bouncer-traefik │ 17 │ 0 │
╰─────────────────┴───────────────┴───────────────────╯
Local Api Decisions:
╭──────────────────────────────────────────────────┬────────┬────────┬───────╮
│ Reason │ Origin │ Action │ Count │
├──────────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/spring4shell_cve-2022-22965 │ CAPI │ ban │ 16 │
│ crowdsecurity/CVE-2022-26134 │ CAPI │ ban │ 11 │
│ crowdsecurity/CVE-2022-42889 │ CAPI │ ban │ 10 │
│ crowdsecurity/ssh-bf │ CAPI │ ban │ 2965 │
│ crowdsecurity/vmware-cve-2022-22954 │ CAPI │ ban │ 7 │
│ crowdsecurity/fortinet-cve-2018-13379 │ CAPI │ ban │ 37 │
│ crowdsecurity/http-sensitive-files │ CAPI │ ban │ 181 │
│ crowdsecurity/ssh-slow-bf │ CAPI │ ban │ 7074 │
│ crowdsecurity/CVE-2022-37042 │ CAPI │ ban │ 1 │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI │ ban │ 205 │
│ crowdsecurity/f5-big-ip-cve-2020-5902 │ CAPI │ ban │ 13 │
│ crowdsecurity/http-cve-2021-42013 │ CAPI │ ban │ 5 │
│ crowdsecurity/CVE-2019-18935 │ CAPI │ ban │ 6 │
│ crowdsecurity/http-backdoors-attempts │ CAPI │ ban │ 114 │
│ crowdsecurity/http-crawl-non_statics │ CAPI │ ban │ 466 │
│ crowdsecurity/CVE-2022-35914 │ CAPI │ ban │ 1 │
│ crowdsecurity/CVE-2022-41082 │ CAPI │ ban │ 269 │
│ crowdsecurity/jira_cve-2021-26086 │ CAPI │ ban │ 84 │
│ crowdsecurity/netgear_rce │ CAPI │ ban │ 4 │
│ crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 │ CAPI │ ban │ 2 │
│ crowdsecurity/grafana-cve-2021-43798 │ CAPI │ ban │ 13 │
│ crowdsecurity/http-bad-user-agent │ CAPI │ ban │ 5329 │
│ crowdsecurity/vmware-vcenter-vmsa-2021-0027 │ CAPI │ ban │ 6 │
│ ltsich/http-w00tw00t │ CAPI │ ban │ 5 │
│ crowdsecurity/http-cve-2021-41773 │ CAPI │ ban │ 32 │
│ crowdsecurity/http-generic-bf │ CAPI │ ban │ 32 │
│ crowdsecurity/http-open-proxy │ CAPI │ ban │ 586 │
│ crowdsecurity/http-path-traversal-probing │ CAPI │ ban │ 351 │
│ crowdsecurity/http-probing │ CAPI │ ban │ 2763 │
│ crowdsecurity/thinkphp-cve-2018-20062 │ CAPI │ ban │ 26 │
╰──────────────────────────────────────────────────┴────────┴────────┴───────╯
Local Api Alerts:
╭───────────────────────────────┬───────╮
│ Reason │ Count │
├───────────────────────────────┼───────┤
│ manual 'ban' from 'localhost' │ 1 │
╰───────────────────────────────┴───────╯
/ #
My traefik compose file:
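# Traefik reverse proxy (Docker Compose).
# Indentation restored from a whitespace-stripped paste. Values are as posted
# unless a comment says they were changed.
version: '3'

services:
  traefik:
    # NOTE(review): `latest` is unpinned, so a pull can move Traefik to a new
    # major version with different option names; pin a tag once this works.
    image: traefik:latest
    container_name: traefik_ng
    restart: unless-stopped
    security_opt:
      - "no-new-privileges:true"
    networks:
      - docker-net
    ports:
      # Quoted so no YAML parser can retype a host:container pair.
      - "1180:80"
      - "11443:443"
      # Changed from 8080:8080. Port 8080 is Traefik's unauthenticated
      # API/dashboard listener whenever `api.insecure` is enabled, so it is
      # bound to loopback only. The dashboard is still served through the
      # `traefik-secure` router below, behind basic auth.
      - "127.0.0.1:8080:8080"
    environment:
      - "CF_API_EMAIL=my email"
      # Secret (redacted by the author). Prefer an env_file or variable
      # substitution so the token never lands in a shared or committed file.
      - "CF_DNS_API_TOKEN=nxxxxxxxxxxxxxxxB-"
      # - CF_API_KEY=YOUR_API_KEY
      # be sure to use the correct one depending on if you are using a token or key
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # `:ro` on the socket bind does not make the Docker API read-only:
      # whatever can talk to this socket can control the daemon.
      # NOTE(review): the traefik.yml posted with this file points the Docker
      # provider at tcp://dockersocket:2375 and no `dockersocket` service is
      # defined here; confirm which endpoint is intended and drop the other.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /mnt/user/appdata/docker/traefik/conf/traefik.yml:/traefik.yml:ro
      # NOTE(review): traefik.yml stores certificates in
      # /letsencrypt/acme.json, so this /acme.json bind looks unused; confirm.
      - /mnt/user/appdata/docker/traefik/cert/acme.json:/acme.json
      - /mnt/user/appdata/docker/traefik/conf/config.yml:/config.yml:ro
      # Traefik writes its logs here; the CrowdSec container mounts the same
      # host directory read-only to parse them.
      - /var/log/traefik:/var/log/traefik
      - /var/log/crowdsec:/var/log/crowdsec
      - /mnt/user/appdata/docker/traefik/cert/letsencrypt:/letsencrypt
    labels:
      - "traefik.enable=true"
      # router
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.tld`)"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.tld`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=dns-cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=domain.tld"
      # NOTE(review): `domaine.tld` differs from `domain.tld` on the line
      # above; if that is not a redaction slip, the wildcard SAN will not
      # cover the main domain.
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.domaine.tld"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      # middlewares
      # Credential hash redacted by the author. In a compose file every `$`
      # in the htpasswd hash has to be written as `$$`.
      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:xxxxxxx"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      # middlewares security headers
      # NOTE(review): `security-headers` is defined here but no router on this
      # page references it, so none of these headers are currently sent.
      - "traefik.http.middlewares.security-headers.headers.accesscontrolallowmethods=GET, OPTIONS, PUT"
      - "traefik.http.middlewares.security-headers.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.security-headers.headers.addvaryheader=true"
      - "traefik.http.middlewares.security-headers.headers.hostsproxyheaders=X-Forwarded-Host"
      - "traefik.http.middlewares.security-headers.headers.sslredirect=true"
      - "traefik.http.middlewares.security-headers.headers.sslproxyheaders.X-Forwarded-Proto=https"
      - "traefik.http.middlewares.security-headers.headers.stsseconds=63072000"
      - "traefik.http.middlewares.security-headers.headers.stsincludesubdomains=true"
      - "traefik.http.middlewares.security-headers.headers.stspreload=true"
      - "traefik.http.middlewares.security-headers.headers.forcestsheader=true"
      - "traefik.http.middlewares.security-headers.headers.framedeny=true"
      - "traefik.http.middlewares.security-headers.headers.contenttypenosniff=true"
      - "traefik.http.middlewares.security-headers.headers.browserxssfilter=true"
      - "traefik.http.middlewares.security-headers.headers.referrerpolicy=same-origin"
      - "traefik.http.middlewares.security-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
      - "traefik.http.middlewares.security-headers.headers.customresponseheaders.X-Robots-Tag=none,noarchive,nosnippet,notranslate,noimageindex"

networks:
  docker-net:
    external: true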
My crowdsec compose file:
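# CrowdSec agent/LAPI plus the Traefik forward-auth bouncer (Docker Compose).
# Indentation restored from a whitespace-stripped paste. Values are as posted
# unless a comment says they were changed.
version: '3.8'

services:
  crowdsec:
    # NOTE(review): unpinned tag; pin a version once the setup works.
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    # depends_on: # uncomment if running traefik in the same compose file
    #   - 'traefik'
    volumes:
      # Changed: the container-side targets were host-style paths
      # (/mnt/user/appdata/...), which CrowdSec never reads. The image keeps
      # its configuration under /etc/crowdsec, so with the old targets no
      # acquisition file was loaded. That matches `cscli metrics` showing no
      # acquisition/source table.
      # acquis.yaml itself is not shown on this page; it needs an entry for
      # the Traefik access log under /var/log/traefik with
      # `labels: type: traefik`.
      - ./config/acquis.yaml:/etc/crowdsec/acquis.yaml
      - crowdsec-db:/var/lib/crowdsec/data/
      # NOTE(review): the image is expected to fill in missing config files in
      # an empty bind-mounted /etc/crowdsec on first start; verify after the
      # change.
      - /mnt/user/appdata/docker/crowdsec/config/:/etc/crowdsec/
      # Logs are mounted read-only: the agent only needs to read them.
      - /var/log/traefik:/var/log/traefik/:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
      - /var/log/auth.log:/var/log/auth.log:ro
    networks:
      - docker-net
    restart: unless-stopped

  bouncer-traefik:
    # NOTE(review): unpinned tag; pin a version once the setup works.
    image: fbonalair/traefik-crowdsec-bouncer:latest
    container_name: bouncer-traefik
    environment:
      # Secret (redacted by the author). Quoted so a key made only of digits
      # or hex is never retyped as a number. Prefer passing it in through an
      # env_file or variable substitution rather than inline.
      CROWDSEC_BOUNCER_API_KEY: "0xxxxxxxxxxxxxx7"
      CROWDSEC_AGENT_HOST: "crowdsec:8080"
    networks:
      - docker-net  # same network as traefik + crowdsec
    depends_on:
      - crowdsec
    restart: unless-stopped

networks:
  docker-net:
    external: true

volumes:
  crowdsec-db:
  # crowdsec-config:
  #   external: true
  # traefik_traefik-logs: # this will be the name of the volume from Traefik logs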
logs from my traefik container:
162.158.239.40 - - [12/Jul/2023:07:21:48 +0000] "GET / HTTP/2.0" 200 9128 "-" "-" 38 "homeassistant@file" "http://192.168.xxxxx:8123" 19ms
162.158.238.64 - - [12/Jul/2023:07:21:48 +0000] "GET / HTTP/2.0" 200 2466 "-" "-" 39 "secure-webserver@file" "http://192.168.xxxxxx:80" 19ms
162.158.239.55 - - [12/Jul/2023:07:22:18 +0000] "GET / HTTP/2.0" 200 9128 "-" "-" 40 "homeassistant@file" "http://192.168.xxxxxx:8123" 1640ms
162.158.239.29 - - [12/Jul/2023:07:22:19 +0000] "GET / HTTP/2.0" 200 2466 "-" "-" 41 "secure-webserver@file" "http://192.168.xxxxxx:80" 1372ms
162.158.238.64 - - [12/Jul/2023:07:22:51 +0000] "GET / HTTP/2.0" 200 2466 "-" "-" 42 "secure-webserver@file" "http://192.168.xxxx:80" 39ms
162.158.238.252 - - [12/Jul/2023:07:22:51 +0000] "GET / HTTP/2.0" 200 9128 "-" "-" 43 "homeassistant@file" "http://192.168xxxxx:8123" 14ms
162.158.239.68 - - [12/Jul/2023:07:23:22 +0000] "GET / HTTP/2.0" 200 2466 "-" "-" 44 "secure-webserver@file" "http://192.168xxxxx:80" 405ms
162.158.239.40 - - [12/Jul/2023:07:23:22 +0000] "GET / HTTP/2.0" 200 9128 "-" "-" 45 "homeassistant@file" "http://192.168.xxxxxx:8123" 247ms
162.158.239.68 - - [12/Jul/2023:07:23:52 +0000] "GET / HTTP/2.0" 200 2466 "-" "-" 46 "secure-webserver@file" "http://192.168xxxxxx:80" 20ms
162.158.238.252 - - [12/Jul/2023:07:23:54 +0000] "GET / HTTP/2.0" 200 9128 "-" "-" 47 "homeassistant@file" "http://192.168.xxxxx:8123" 10ms
My traefik.yml:
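# Traefik static configuration (traefik.yml).
# Indentation restored from a whitespace-stripped paste. Values are as posted
# unless a comment says they were changed.
api:
  dashboard: true
  # Changed from true. Insecure mode serves the API and dashboard without
  # authentication on the implicit `traefik` entry point (port 8080). The
  # dashboard stays reachable through the `traefik-secure` router
  # (api@internal behind basic auth) defined in the compose labels.
  insecure: false
  # NOTE(review): `debug` adds debugging/profiling endpoints to the API; turn
  # it off once troubleshooting is finished.
  debug: true

entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
    http:
      middlewares:
        # Every request on :443 is checked against the CrowdSec bouncer.
        # NOTE(review): the access-log excerpt on this page shows 162.158.x.x
        # peers, which look like Cloudflare edge addresses. Unless the real
        # client address is restored before this middleware runs (the
        # `cloudflarewarp` middleware is defined in config.yml but only
        # attached to `my-router`), decisions are looked up for the proxy
        # address, not the visitor. Confirm which address the bouncer sees.
        - crowdsec-bouncer@file

serversTransport:
  # NOTE(review): disables certificate verification for every HTTPS backend.
  # The backends shown in config.yml are plain http://, so this may not be
  # needed at all; prefer per-service root CAs if a backend is self-signed.
  insecureSkipVerify: true

providers:
  docker:
    # NOTE(review): no `dockersocket` service appears in the compose files on
    # this page, while the Traefik container mounts /var/run/docker.sock.
    # Confirm this endpoint resolves; if it does not, Docker labels are never
    # read. Port 2375 is the unencrypted, unauthenticated Docker API and must
    # stay on an internal network.
    endpoint: "tcp://dockersocket:2375"  # "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
    watch: true

certificatesResolvers:
  dns-cloudflare:
    acme:
      email: my email
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: cloudflare
        # disablePropagationCheck: true # uncomment this if you have issues
        # pulling certificates through cloudflare. Setting this flag to true
        # disables the need to wait for the propagation of the TXT record to
        # all authoritative name servers.
      caServer: "https://acme-v02.api.letsencrypt.org/directory"

experimental:
  plugins:
    # Plugins are fetched by module name and version at start-up; pinned
    # versions are kept as posted.
    cloudflarewarp:
      moduleName: "github.com/BetterCorp/cloudflarewarp"
      version: "v1.3.0"
    traefik-real-ip:
      moduleName: "github.com/jramsgz/traefik-real-ip"
      version: "v1.0.6"
    torblock:
      moduleName: "github.com/jpxd/torblock"
      version: "v0.1.1"

log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"

accessLog:
  # NOTE(review): same file as `log.filePath` above, so application log lines
  # and access-log lines are interleaved. CrowdSec's Traefik parser only
  # understands access-log lines; a separate file keeps the acquisition
  # clean. Whatever path is used must match acquis.yaml (not shown here).
  filePath: "/var/log/traefik/traefik.log"
  # Lines are held in memory until 50 have accumulated, so CrowdSec sees
  # requests late on a quiet site.
  bufferingSize: 50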
My config.yml file:
# Traefik dynamic configuration (config.yml, loaded by the file provider).
# Indentation restored from a whitespace-stripped paste; every value is as
# posted, with quoting made consistent.
http:
  middlewares:
    # LAN-only allow list.
    # NOTE(review): with an unpinned `traefik:latest` image, middleware option
    # names can change between major versions; check this key against the
    # version actually running.
    default-whitelist:
      ipWhiteList:
        sourceRange:
          - "192.168.xxx.0/26"

    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true

    secured:
      chain:
        middlewares:
          - default-whitelist

    # Forward-auth call to the CrowdSec bouncer container.
    crowdsec-bouncer:
      forwardauth:
        address: "http://bouncer-traefik:8080/api/v1/forwardAuth"
        # With this enabled the X-Forwarded-* headers already on the request
        # are passed on as-is. That is only trustworthy if Traefik can be
        # reached exclusively through the upstream proxy; otherwise a client
        # connecting directly can supply its own X-Forwarded-For. Restrict the
        # origin to the proxy's address ranges, or limit which peers may set
        # forwarded headers on the entry point.
        trustForwardHeader: true

    cloudflarewarp:
      plugin:
        cloudflarewarp:
          disableDefault: false
          # Trust IPs not required if disableDefault is false: Cloudflare IPs
          # are allocated automatically.
          trustip:
            - "2400:cb00::/32"

    # NOTE(review): `my-traefik-real-ip` and `my-torblock` are defined but no
    # router on this page references them.
    my-traefik-real-ip:
      plugin:
        traefik-real-ip:
          excludednets:
            - "1.1.1.1/24"

    my-torblock:
      plugin:
        torblock:
          AddressListURL: "https://check.torproject.org/exit-addresses"
          Enabled: "true"
          UpdateInterval: "3600"

  #region routers
  routers:
    secure-webserver:
      entryPoints:
        - "https"
      rule: "Host(`www.domain.tld`)"
      middlewares:
        - https-redirectscheme
      tls: {}
      service: secure-webserver

    homeassistant:
      entryPoints:
        - "https"
      rule: "Host(`epad.domain.tld`)"
      middlewares:
        - https-redirectscheme
      tls: {}
      service: homeassistant

    # NOTE(review): this is the only router that uses `cloudflarewarp`, and it
    # sits on the `http` entry point, which the static configuration on this
    # page redirects to https. The two routers above therefore never pass
    # through it.
    my-router:
      rule: "Path(`/whoami`)"
      service: service-whoami
      entryPoints:
        - http
      middlewares:
        - cloudflarewarp
  #endregion

  #region services
  services:
    secure-webserver:
      loadBalancer:
        servers:
          - url: "http://192.168.xxxxxx:80"
        passHostHeader: true

    homeassistant:
      loadBalancer:
        servers:
          - url: "http://192.168xxxxx:8123"
        passHostHeader: true

    # NOTE(review): 127.0.0.1 here is the Traefik container's own loopback,
    # not the Docker host; confirm something listens on port 5000 there.
    service-whoami:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:5000"
If you need more information, please let me know.
Thx