#Trying to secure my dockerized web environment with traefik and crowdsec

1 messages · Page 1 of 1 (latest)

pearl stagBOT
#
Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

© Created By WhyAydan for CrowdSec ❤️ ·
reef scarab
# 
services:
  reverse-proxy:
    restart: always
    image: traefik:v3.2
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080" 
    volumes:
      - ./srv/traefik.toml:/etc/traefik/traefik.toml:ro
      - ./srv/certs-traefik.toml:/etc/traefik/dynamic/certs-traefik.toml:ro
      - ./certs:/etc/traefik/tls
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - TZ=EU/Paris

  webhook:
    build:
      context: ./myproject
      dockerfile: Dockerfile
    container_name: webhook-service
    ports:
      - "192.168.1.4:8000:8000"
    volumes:
      - ./myproject/logs:/app/logs
      - ./myproject/database:/app/database
      - ./myproject/services:/app/services
    env_file:
      - ./myproject/.env
    labels:
      - traefik.enable=true
      - traefik.http.routers.webhook.rule=Host(`webhook.mydomain.com`)
      - traefik.http.services.webhook.loadbalancer.server.port=8000
      - traefik.http.services.webhook.loadbalancer.server.scheme=http
      - traefik.http.routers.webhook.entryPoints=https
      - traefik.http.routers.webhook.tls=true
      - traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecAppsecEnabled=true
      - traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecAppsecHost=crowdsec:7422
      - traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecLapiKey=API_KEY_FROM_CSCLI
      - traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecAppsecFailureBlock=true

  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    restart: always
    depends_on:
      - reverse-proxy
    environment:
      - 'COLLECTIONS=crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules'
    volumes:
      - ./crowdsec/appsec.yaml:/etc/crowdsec/appsec.yaml
      - ./crowdsec/crowdsec-db:/var/lib/crowdsec/data/
#

srv/traefik.toml

# traefik static file
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"

[log]
  level = "INFO"

[api]
  insecure = true
  dashboard = true

[providers]
  [providers.docker]
    endpoint = "unix:///var/run/docker.sock"
    exposedByDefault = false

  [providers.file]
    directory="/etc/traefik/dynamic"

[http.middlewares]
  [http.middlewares.hsts]
      headers.StrictTransportSecurity = "max-age=31536000; includeSubDomains; preload"

[accessLog]
  [accessLog.fields.names]
    "StartUTC"="drop"

[experimental.plugins.crowdsec-bouncer-traefik-plugin]
  moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
  version = "v1.3.5"
#

crowdsec/appsec.yaml

appsec_config: crowdsecurity/appsec-default
labels:
    type: appsec
listen_addr: 0.0.0.0:7422
source: appsec
ashen summit
#

Based on what I see, you are trying to enable appsec for Traefik?
I think it is relevant to mention that from what I got so far, AppSec does not work with mTLS. You are using a Key in your service config to authenticate, which should work.

What exactly is not working for you?
And does your crwodsec config have TLS enabled or not?