Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] CrowdsecAppsecFailureBlock false should also not block when crowdsec is down #173

Closed
trunneml opened this issue Jun 5, 2024 · 3 comments · Fixed by #175
Closed

[BUG] CrowdsecAppsecFailureBlock false should also not block when crowdsec is down #173

trunneml opened this issue Jun 5, 2024 · 3 comments · Fixed by #175
Assignees
@maxlerebourg
Labels
bug Something isn't working

Comments

@trunneml
Copy link

trunneml commented Jun 5, 2024

Describe the bug 🐛
Setting CrowdsecAppsecFailureBlock to false works for 500, but if a connection to crowdsec is not possible crowdsec-bouncer-traefik-plugin still returns 403

Expected behavior 👀
When crowdsec api is not available and CrowdsecAppsecFailureBlock is set to false Traefik should just work as normal.

To Reproduce
Steps to reproduce the behavior:

  1. Configure crowdsec-bouncer-traefik-plugin with CrowdsecAppsecFailureBlock set to false
  2. Stop crowdsec
  3. Try to open a service behinde Traefik
  4. See error
@mathieuHa
Copy link
Collaborator

Hi we'll look into it.
In the mean time could you provide some informations like the version of the plugin, runtime (docker, kubernetes, binary, vm..).

@mathieuHa mathieuHa self-assigned this Jun 6, 2024
@mathieuHa mathieuHa added the bug Something isn't working label Jun 6, 2024
@mathieuHa mathieuHa assigned maxlerebourg and unassigned mathieuHa Jun 6, 2024
@maxlerebourg
Copy link
Owner

Hey @trunneml
I looked into the code, the CrowdsecAppsecFailureBlock: false handle the appsec response status code 500 only. We followed the protocol from Crowdsec to implement our plugin.

I don't know if it's smart to totally bypass our plugin when crowdsec is unreachable.

We could add a new variable CrowdsecAppsecUnreachableBlock to handle this case, and by default is true.

What do you think ?

@trunneml
Copy link
Author

trunneml commented Jun 9, 2024

An extra flag fixes my problem.
Background: Croudsec LAPI is in an different network segment.

@maxlerebourg maxlerebourg linked a pull request Jun 9, 2024 that will close this issue
✨ Add CrowdsecAppsecUnreachableBlock #175
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maxlerebourg maxlerebourg

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

✨ Add CrowdsecAppsecUnreachableBlock maxlerebourg/crowdsec-bouncer-traefik-plugin
3 participants
@trunneml @mathieuHa @maxlerebourg