📝 First version of doc update with single bouncer instance (#108)

maxlerebourg · Aug 5, 2023 · 13c209b · 13c209b
1 parent 93340ff
commit 13c209b
Show file tree

Hide file tree

Showing 9 changed files with 103 additions and 108 deletions.
diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ There are 4 operating modes (CrowdsecMode) for this plugin:
 The `streaming mode` is recommended for performance, decisions are updated every 60 sec by default and that's the only communication between Traefik and Crowdsec. Every request that happens hits the cache for quick decisions.
 
 The cache can be local to Traefik using the filesystem, or a separate Redis instance.  
-Support for Redis is currently in beta (requires version 7.0.X of Redis).
+
 
 ## Usage
 
@@ -44,6 +44,7 @@ make run
 
 **/!\ Cache is shared by all services**
 *This means if an IP is banned, all services which are protected by an instance of the plugin will deny requests from that IP*
+Only one instance of the plugin is *possible*.
 
 ### Variables
 - Enabled

diff --git a/exemples/behind-proxy/docker-compose.cloudflare.yml b/exemples/behind-proxy/docker-compose.cloudflare.yml
@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   cloudflare:
-    image: "traefik:v2.9.10"
+    image: "traefik:v2.10.4"
     container_name: "cloudflare"
     restart: unless-stopped
     command:
@@ -21,7 +21,7 @@ services:
       - 8080:8080
 
   traefik:
-    image: "traefik:v2.9.10"
+    image: "traefik:v2.10.4"
     container_name: "traefik"
     restart: unless-stopped
     command:
@@ -35,7 +35,7 @@ services:
       - "--entrypoints.web.forwardedheaders.trustedips=172.21.0.5"
 
       - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-      - "--experimental.plugins.bouncer.version=v1.1.11"
+      - "--experimental.plugins.bouncer.version=v1.1.13"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - logs-traefik:/var/log/traefik
@@ -57,13 +57,12 @@ services:
       - "traefik.http.routers.router-foo.middlewares=crowdsec-foo@docker" 
       # Definition of the service
       - "traefik.http.services.service-foo.loadbalancer.server.port=80"
-      # Definitin of the middleware
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.enabled=true"
-      # crowdseclapikey must be uniq to the middleware attached to the service
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecmode=live"
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.forwardedheaderstrustedips=172.21.0.5"
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.loglevel=DEBUG"
+      # Definition of the middleware
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecmode=live"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.forwardedheaderstrustedips=172.21.0.5"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
 
   whoami-bar:
     image: traefik/whoami
@@ -77,24 +76,22 @@ services:
       - "traefik.http.routers.router-bar.middlewares=crowdsec-bar@docker" 
       # Definition of the service
       - "traefik.http.services.service-bar.loadbalancer.server.port=80"
-      # Definitin of the middleware
+      # Definition of the middleware
       - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.enabled=true"
-      # crowdseclapikey must be uniq to the middleware attached to the service
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdseclapikey=44c36dac5c4140af9f06f397508e82c7"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecmode=live"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.forwardedheaderstrustedips=172.21.0.5"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.loglevel=DEBUG"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecmode=live"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.forwardedheaderstrustedips=172.21.0.5"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
 
 
   crowdsec:
-    image: crowdsecurity/crowdsec:v1.4.6
+    image: crowdsecurity/crowdsec:v1.5.2
     container_name: "crowdsec"
     restart: unless-stopped
     environment:
       COLLECTIONS: crowdsecurity/traefik
       CUSTOM_HOSTNAME: crowdsec
-      BOUNCER_KEY_TRAEFIK_DEV_1: 40796d93c2958f9e58345514e67740e5
-      BOUNCER_KEY_TRAEFIK_DEV_2: 44c36dac5c4140af9f06f397508e82c7
+      BOUNCER_KEY_TRAEFIK_DEV: 40796d93c2958f9e58345514e67740e5
     volumes:
       - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
       - logs-cloudflare:/var/log/traefik:ro

diff --git a/exemples/binary-vm/scripts/install_traefik.sh b/exemples/binary-vm/scripts/install_traefik.sh
@@ -2,7 +2,7 @@
 
 DEBIAN_FRONTEND=noninteractive sudo apt-get update && sudo apt-get install wget -y
 # DEBIAN_FRONTEND=noninteractive sudo apt-get upgrade -y --assume-yes
-wget -O traefik.tar.gz "https://github.com/traefik/traefik/releases/download/v2.9.10/traefik_v2.9.10_linux_amd64.tar.gz"
+wget -O traefik.tar.gz "https://github.com/traefik/traefik/releases/download/v2.10.4/traefik_v2.10.4_linux_amd64.tar.gz"
 tar -zxvf traefik.tar.gz
 # inspired from https://gist.github.com/ubergesundheit/7c9d875befc2d7bfd0bf43d8b3862d85
 sudo mv ./traefik /usr/local/bin/

diff --git a/exemples/kubernetes/crowdsec/values.yml b/exemples/kubernetes/crowdsec/values.yml
@@ -1,5 +1,5 @@
 image:
-  tag: v1.4.6
+  tag: v1.5.2
 
 agent:
   acquisition:

diff --git a/exemples/kubernetes/traefik/values.yml b/exemples/kubernetes/traefik/values.yml
@@ -1,5 +1,5 @@
 image:
-  tag: v2.9.10
+  tag: v2.10.4
 
 logs:
   general:
@@ -16,4 +16,4 @@ experimental:
 
 additionalArguments:
   - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-  - "--experimental.plugins.bouncer.version=v1.1.11"
+  - "--experimental.plugins.bouncer.version=v1.1.13"
diff --git a/exemples/redis-cache/docker-compose.redis.yml b/exemples/redis-cache/docker-compose.redis.yml
@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   traefik:
-    image: "traefik:v2.9.10"
+    image: "traefik:v2.10.4"
     container_name: "traefik"
     restart: unless-stopped
     command:
@@ -15,7 +15,7 @@ services:
       - "--entrypoints.web.address=:80"
 
       - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-      - "--experimental.plugins.bouncer.version=v1.1.11"
+      - "--experimental.plugins.bouncer.version=v1.1.13"
       # - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -29,26 +29,26 @@ services:
       - redis-insecure
       - redis-secure
 
-  whoami-redis-insecure:
-    image: traefik/whoami
-    container_name: "simple-service-foo"
-    restart: unless-stopped
-    labels:
-      - "traefik.enable=true"
-      # Definition of the router
-      - "traefik.http.routers.router-foo.rule=Path(`/redis-insecure`)"
-      - "traefik.http.routers.router-foo.entrypoints=web"
-      - "traefik.http.routers.router-foo.middlewares=crowdsec-foo@docker" 
-      # Definition of the service
-      - "traefik.http.services.service-foo.loadbalancer.server.port=80"
-      # Definition of the middleware
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.enabled=true"
-      # crowdseclapikey must be uniq to the middleware attached to the service
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.rediscacheenabled=true"
-      # Contact redis-unsecure without a password
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.rediscachehost=redis-insecure:6379"
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.loglevel=DEBUG"
+# Either use secure, or insecure but do not mix both
+  # whoami-redis-insecure:
+  #   image: traefik/whoami
+  #   container_name: "simple-service-foo"
+  #   restart: unless-stopped
+  #   labels:
+  #     - "traefik.enable=true"
+  #     # Definition of the router
+  #     - "traefik.http.routers.router-foo.rule=Path(`/redis-insecure`)"
+  #     - "traefik.http.routers.router-foo.entrypoints=web"
+  #     - "traefik.http.routers.router-foo.middlewares=crowdsec-foo@docker" 
+  #     # Definition of the service
+  #     - "traefik.http.services.service-foo.loadbalancer.server.port=80"
+  #     # Definition of the middleware
+  #     - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
+  #     - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
+  #     - "traefik.http.middlewares.crowdsec.plugin.bouncer.rediscacheenabled=true"
+  #     # Contact redis-unsecure without a password
+  #     - "traefik.http.middlewares.crowdsec.plugin.bouncer.rediscachehost=redis-insecure:6379"
+  #     - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
 
   whoami-redis-secure:
     image: traefik/whoami
@@ -63,25 +63,23 @@ services:
       # Definition of the service
       - "traefik.http.services.service-bar.loadbalancer.server.port=80"
       # Definition of the middleware
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.enabled=true"
-      # crowdseclapikey must be uniq to the middleware attached to the service
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdseclapikey=44c36dac5c4140af9f06f397508e82c7"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.rediscacheenabled=true"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.rediscachepassword=FIXME"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.rediscacheenabled=true"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.rediscachepassword=FIXME"
       # Contact redis-secure with password
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.rediscachehost=redis-secure:6379"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.loglevel=DEBUG"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.rediscachehost=redis-secure:6379"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
 
 
   crowdsec:
-    image: crowdsecurity/crowdsec:v1.4.6
+    image: crowdsecurity/crowdsec:v1.5.2
     container_name: "crowdsec"
     restart: unless-stopped
     environment:
       COLLECTIONS: crowdsecurity/traefik
       CUSTOM_HOSTNAME: crowdsec
-      BOUNCER_KEY_TRAEFIK_DEV_1: 40796d93c2958f9e58345514e67740e5
-      BOUNCER_KEY_TRAEFIK_DEV_2: 44c36dac5c4140af9f06f397508e82c7
+      BOUNCER_KEY_TRAEFIK_DEV: 40796d93c2958f9e58345514e67740e5
     volumes:
       - ./acquis.yaml:/etc/crowdsec/acquis.yaml:ro
       - logs-redis:/var/log/traefik:ro
@@ -91,22 +89,22 @@ services:
       - "traefik.enable=false"
 
   redis-secure:
-    image: "redis:7.0.9-alpine"
+    image: "redis:7.0.12-alpine"
     container_name: "redis-secure"
     hostname: redis-secure
     restart: unless-stopped
     command: "redis-server --save 60 1 --loglevel debug --requirepass FIXME"
     volumes:
       - redis-secure-data:/data
 
-  redis-insecure:
-    image: "redis:7.0.9-alpine"
-    container_name: "redis-insecure"
-    hostname: redis-unsecure
-    restart: unless-stopped
-    command: "redis-server --save 60 1 --loglevel debug"
-    volumes:
-      - redis-unsecure-data:/data
+  # redis-insecure:
+  #   image: "redis:7.0.12-alpine"
+  #   container_name: "redis-insecure"
+  #   hostname: redis-unsecure
+  #   restart: unless-stopped
+  #   command: "redis-server --save 60 1 --loglevel debug"
+  #   volumes:
+  #     - redis-unsecure-data:/data
 
 volumes:
   logs-redis:

diff --git a/exemples/standalone-mode/docker-compose.alone.yml b/exemples/standalone-mode/docker-compose.alone.yml
@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   traefik:
-    image: "traefik:v2.9.10"
+    image: "traefik:v2.10.4"
     container_name: "traefik"
     restart: unless-stopped
     command:
@@ -15,7 +15,7 @@ services:
       - "--entrypoints.web.address=:80"
 
       - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-      - "--experimental.plugins.bouncer.version=v1.1.11"
+      - "--experimental.plugins.bouncer.version=v1.1.13"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
     ports:

diff --git a/exemples/tls-auth/docker-compose.tls-auth.yml b/exemples/tls-auth/docker-compose.tls-auth.yml
@@ -2,7 +2,7 @@ version: "3.8"
 
 services:
   traefik:
-    image: "traefik:v2.9.10"
+    image: "traefik:v2.10.4"
     container_name: "traefik"
     restart: unless-stopped
     command:
@@ -15,37 +15,39 @@ services:
       - "--entrypoints.web.address=:80"
 
       - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-      - "--experimental.plugins.bouncer.version=v1.1.11"
+      - "--experimental.plugins.bouncer.version=v1.1.13"
       # - "--experimental.localplugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./LAPIKEY:/etc/traefik/LAPIKEY:ro
       - logs-tls-auth:/var/log/traefik
       - crowdsec-certs-tls-auth:/etc/traefik/crowdsec-certs
-      - ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+      # - ./../../:/plugins-local/src/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
 
     ports:
       - 80:80
       - 8080:8080
     depends_on:
       - crowdsec
 
-  whoami-foo:
-    image: traefik/whoami
-    container_name: "simple-service-foo"
-    restart: unless-stopped
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.router-foo.rule=Path(`/foo`)"
-      - "traefik.http.routers.router-foo.entrypoints=web"
-      - "traefik.http.routers.router-foo.middlewares=crowdsec-foo@docker" 
-      - "traefik.http.services.service-foo.loadbalancer.server.port=80"
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.enabled=true"
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.loglevel=DEBUG"
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdseclapischeme=https"
-      - "traefik.http.middlewares.crowdsec-foo.plugin.bouncer.crowdsecLapiTLSCertificateAuthorityFile=/etc/traefik/crowdsec-certs/inter.pem"
+# Use HTTPS scheme but with lapikey authentication
+  # whoami-foo:
+  #   image: traefik/whoami
+  #   container_name: "simple-service-foo"
+  #   restart: unless-stopped
+  #   labels:
+  #     - "traefik.enable=true"
+  #     - "traefik.http.routers.router-foo.rule=Path(`/foo`)"
+  #     - "traefik.http.routers.router-foo.entrypoints=web"
+  #     - "traefik.http.routers.router-foo.middlewares=crowdsec-foo@docker" 
+  #     - "traefik.http.services.service-foo.loadbalancer.server.port=80"
+  #     - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
+  #     - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
+  #     - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapikey=40796d93c2958f9e58345514e67740e5"
+  #     - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapischeme=https"
+  #     - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateAuthorityFile=/etc/traefik/crowdsec-certs/inter.pem"
 
+# Use HTTPS scheme with TLS cert authentication
   whoami-bar:
     image: traefik/whoami
     container_name: "simple-service-bar"
@@ -56,15 +58,15 @@ services:
       - "traefik.http.routers.router-bar.entrypoints=web"
       - "traefik.http.routers.router-bar.middlewares=crowdsec-bar@docker"
       - "traefik.http.services.service-bar.loadbalancer.server.port=80"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.enabled=true"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.loglevel=DEBUG"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdseclapischeme=https"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecLapiTLSCertificateAuthorityFile=/etc/traefik/crowdsec-certs/inter.pem"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecLapiTLSCertificateBouncerFile=/etc/traefik/crowdsec-certs/bouncer.pem"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecLapiTLSCertificateBouncerKeyFile=/etc/traefik/crowdsec-certs/bouncer-key.pem"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.loglevel=DEBUG"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdseclapischeme=https"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateAuthorityFile=/etc/traefik/crowdsec-certs/inter.pem"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateBouncerFile=/etc/traefik/crowdsec-certs/bouncer.pem"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiTLSCertificateBouncerKeyFile=/etc/traefik/crowdsec-certs/bouncer-key.pem"
 
   crowdsec:
-    image: crowdsecurity/crowdsec:v1.4.6
+    image: crowdsecurity/crowdsec:v1.5.2
     container_name: "crowdsec"
     restart: unless-stopped
     environment: