
Add CrowdSec OpenResty bouncer, Admin Dashboard logging and ModSecurity #1867

Closed
wants to merge 43 commits into from

@baudneo baudneo commented Feb 18, 2022

UPDATES

ModSec has a known memory leak!

I have no control over fixing that, the modsec maintainer does not seem to be working on fixing the memory leak. For now, all I can recommend is to restart the container every so often.

  • Do not add multiple modsecurity on; and modsecurity_rules_file <path/to/rules/file.conf> directives in the advanced tab of your proxy hosts if you have enabled modsec using MODSEC_ENABLE=1 env var. Modsec is enabled in the root http {} block, meaning it will protect all HTTP servers/locations.

  • To turn modsec off for certain hosts while MODSEC_ENABLE=1, add a modsecurity off; directive in your Advanced tab.

  • Voice your concerns about the memory leak on the issue I opened in modsecurity GitHub ⇒ Memory leak on nginx -s reload, even after mem leak fixes of v3/master owasp-modsecurity/ModSecurity#2817

PROXY protocol support

  • added from upstream PR PROXY Protocol support #1882
  • Added PROXY to STREAM hosts; 2 options. Enable our own PROXY headers and accept PROXY headers.
  • real_ip_header directive can only be called once. So if you use CloudFlare and Allow PROXY protocol you can't set real_ip_header CF-Connecting-IP;

cs-openresty-bouncer
docker-compose.yaml

  • See example at end of README

Timezone

Environment Variables

  • TZ - Set to your timezone. Example: TZ=America/Chicago

Configuration

  • Instead of setting TZ you can mount /etc/localtime into the docker container

CrowdSec OpenResty Bouncer

NOTE

  • If you don't see the bouncer hitting your local API, send a request to one of the proxied hosts in NPM. I have noticed the bouncer does not start until NPM gets a request once it is all loaded up.
  • To check if the bouncer is running, use docker logs --follow [name of your NPM container]. There will be a log line like -> nginx: [alert] [lua] init_by_lua:8: [Crowdsec] Initialisation done

Environment Variables

  • CROWDSEC_BOUNCER=1 - Enable CrowdSec OpenResty bouncer, still needs to be configured.
  • CROWDSEC_LAPI=[URL] - configure CrowdSec local API URL
  • CROWDSEC_KEY=[API KEY] - configure CrowdSec API key
  • CROWDSEC_RECAP_SECRET=[SECRET KEY] - configure reCAPTCHA
  • CROWDSEC_RECAP_SITE=[SITE KEY] - configure reCAPTCHA
  • SSL_CERTS_PATH - CA certificate used to communicate with Google for reCAPTCHA validation

Configuration

  • Config file located at data/crowdsec/crowdsec-openresty-bouncer.conf
  • HTML templates are located at /crowdsec/templates/ inside the container
  • The first time the container is run, a crowdsec config file is created with ENV vars substituted out. User is responsible for config after first creation of the file.
  • Set the URL and API key at a minimum. reCAPTCHA's vars if wanted.

Admin dashboard logging / OpenResty DEBUG level logging

Environment Variables

  • ADMIN_DASHBOARD_LOG=1 - Enable admin (Port 81) dashboard logging
  • OPENRESTY_DEBUG=1 - Enable DEBUG level logging for the default OpenResty ERROR log

Configuration

  • Admin panel logs are located at data/logs/admin-panel_access.log and data/logs/admin-panel_error.log
  • OpenResty default logs fallback_access.log and fallback_error.log. DEBUG level will be set on the error log, it is set to WARN by default.

ModSecurity

ModSecurity WAF is installed and loaded by default, OWASP-CoreRuleSet is installed and used as the default rule set. The user is responsible for configuring modsecurity via config/CLI.

MODSECURITY HAS KNOWN MEMORY LEAKS! Whenever nginx -s reload is issued, expect RAM to increase by 10 to several hundred MB (depending on whether you have custom rule files or are double enabling modsec). Nginx is reloaded every time a host is created/modified and when the SSL cert renewal timer resets. The only way to get modsec to release RAM is to restart nginx from inside the running container using nginx -s stop; nginx -s reload, or by restarting the container using sudo docker restart [Name of NPM container]

Environment Variables

  • MODSEC_CREATE=1 - Force recreating the default modsecurity config. This should never be needed
  • MODSEC_ADMIN_PANEL=1 - Enable ModSec for the admin panel (Port 81 web interface)
  • MODSEC_ENABLE=1 - Enable ModSec in the ROOT http {} block (Enabled ModSec for ALL HTTP servers)

The minimum directives that need to be added to enable modsec.

modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;

Tips to enable

  • To enable modsec for ALL HTTP hosts, set MODSEC_ENABLE=1 (Enabled in root http {} block)
  • If MODSEC_ENABLE=1, to disable modsec for certain HTTP hosts, add modsecurity off; in the Advanced tab.
  • If MODSEC_ENABLE=1, to disable modsec for certain HTTP host locations, add modsecurity off; in a location {} block in the Advanced tab.
  • To load custom rules file, add modsecurity_rules_file <path/to/rules/file.conf>; in Advanced tab. Either in the root of the Advanced tab (for all locations) or inside of location {} blocks (for certain locations). MAY INCREASE MEMORY LEAK SIZE!!!
  • Stream hosts are unsupported.

Configuration

  • By default, the audit log is enabled and is located at data/logs/modsec_audit.log
  • The config and rule set are located at data/modsec and data/modsec/ruleset
  • data/modsec/modsecurity.conf is the main modsec config file.
  • data/modsec/main.conf is the main rules file, it has Include directives that load the actual rules
  • data/modsec is symbolically linked to /etc/nginx/modsec

docker-compose.yaml

version: "3"
services:
  npm:
    image: 'baudneo/nginx-proxy-manager:latest'
    restart: always
    container_name: npm-secure
    ports:
      # Public HTTP Port:
      - '80:80'
      # Public HTTPS Port:
      - '443:443'
      # Admin Web Port:
      - '81:81'
    environment:
      # This is the default cert used to validate reCAPTCHA
      SSL_CERTS_PATH: "/etc/ssl/certs/GTS_Root_R1.pem"
      TZ: "America/Chicago"
      ADMIN_PANEL_LOG: "1"
      CROWDSEC_BOUNCER: "1"
      OPENRESTY_DEBUG: "0"

      CROWDSEC_LAPI: "http://IP TO CROWDSEC LOCAL API:8080"
      CROWDSEC_KEY: "xxxxxxxxxxxxxxxxxxxxxxxx"
      CROWDSEC_RECAP_SECRET: "XXXX"
      CROWDSEC_RECAP_SITE: "XXXX"
      # These are the settings to access your db
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm-user"
      DB_MYSQL_PASSWORD: "db user password"
      DB_MYSQL_NAME: "npm"
      # If you would rather use Sqlite uncomment this
      # and remove all DB_MYSQL_* lines above
      # DB_SQLITE_FILE: "/data/database.sqlite"
      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    depends_on:
      - db
  db:
    image: 'jc21/mariadb-aria:latest'
    restart: always
    container_name: npm_db
    environment:
      MYSQL_ROOT_PASSWORD: 'xxXXxxXXXxxxXXX'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm-user'
      MYSQL_PASSWORD: "db user password"
    volumes:
      - ./data/mysql:/var/lib/mysql

…enable. /data/crowdsec/crowdsec-openresty-bouncer.conf is the configuration file for it.

Add Admin dashboard logging to the /data/logs/admin-panel_[access/error].log  folder - ENV: ADMIN_PANEL_LOG = 1 to enable.

Add OpenResty error log (fallback_error.log) debug level - ENV: OPENRESTY_DEBUG = 1 to enable.
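
Added example (not code from the PR or from nginx-proxy-manager): a POSIX sh lint for the double-enable pattern the description warns about, where a host's Advanced tab repeats modsecurity on; or re-includes /etc/nginx/modsec/main.conf even though MODSEC_ENABLE=1 already turns ModSecurity on in the http {} block. It assumes, as the data/nginx/proxy_host/x.conf paths mentioned in this thread suggest, that NPM writes each host's Advanced-tab content into one N.conf file in that directory; the three sample host files, their server names and the upload-rules.conf path are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the PR). Lints per-host nginx configs for ModSecurity
# directives that are redundant when MODSEC_ENABLE=1 (ModSec already on in the
# http{} block) and therefore only enlarge the leak on every nginx -s reload.
# Directory layout data/nginx/proxy_host/N.conf is an assumption.

# lint_modsec_hosts DIR MODSEC_ENABLE
# Prints one "file: finding" line per observation on stdout.
# Returns 1 when a redundant directive was found, 0 otherwise.
lint_modsec_hosts() {
    dir="$1"; global_on="$2"; redundant=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf")
        # grep -c prints 0 but exits 1 on no match; "|| true" keeps set -e callers alive.
        on_count=$(grep -c '^[[:space:]]*modsecurity[[:space:]][[:space:]]*on;' "$conf" || true)
        off_count=$(grep -c '^[[:space:]]*modsecurity[[:space:]][[:space:]]*off;' "$conf" || true)
        main_count=$(grep -c '^[[:space:]]*modsecurity_rules_file[[:space:]][[:space:]]*/etc/nginx/modsec/main\.conf;' "$conf" || true)
        rules_count=$(grep -c '^[[:space:]]*modsecurity_rules_file[[:space:]]' "$conf" || true)
        custom_count=$((rules_count - main_count))
        if [ "$global_on" = "1" ] && [ "$on_count" -gt 0 ]; then
            echo "$name: redundant 'modsecurity on;' x$on_count, already enabled in http{} by MODSEC_ENABLE=1"
            redundant=1
        fi
        if [ "$global_on" = "1" ] && [ "$main_count" -gt 0 ]; then
            echo "$name: reloads default main.conf x$main_count, loads the whole rule set a second time on each reload"
            redundant=1
        fi
        if [ "$off_count" -gt 0 ]; then
            echo "$name: modsecurity off; x$off_count, WAF disabled for this host or location"
        fi
        if [ "$custom_count" -gt 0 ]; then
            echo "$name: $custom_count custom rules file(s), each adds to the reload leak"
        fi
    done
    return "$redundant"
}

# make_sample_hosts DIR
# Writes three constructed host configs in the shape NPM generates, so the
# lint can be exercised without a running container.
make_sample_hosts() {
    mkdir -p "$1"
    cat > "$1/1.conf" <<'EOF'
server {
  listen 80;
  server_name app.example.test;
  # Advanced tab content: repeats what the http{} block already does
  modsecurity on;
  modsecurity_rules_file /etc/nginx/modsec/main.conf;
}
EOF
    cat > "$1/2.conf" <<'EOF'
server {
  listen 80;
  server_name legacy.example.test;
  # Advanced tab content: opt this host out of the WAF
  modsecurity off;
}
EOF
    cat > "$1/3.conf" <<'EOF'
server {
  listen 80;
  server_name api.example.test;
  location /upload {
    # Advanced tab content: extra rules for one location only
    modsecurity_rules_file /etc/nginx/modsec/upload-rules.conf;
  }
}
EOF
}

# Lint a real directory when asked to, e.g.
#   MODSEC_HOSTS_DIR=./data/nginx/proxy_host MODSEC_ENABLE=1 sh modsec-lint.sh
if [ -n "${MODSEC_HOSTS_DIR:-}" ]; then
    lint_modsec_hosts "$MODSEC_HOSTS_DIR" "${MODSEC_ENABLE:-0}"
fi
```

Run it against the real directory with MODSEC_ENABLE set to the same value as the container's environment: with MODSEC_ENABLE=0 a per-host modsecurity on; is legitimate and is not reported, with MODSEC_ENABLE=1 it is the redundancy the PR description asks users to avoid.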
@baudneo
Author

baudneo commented Feb 18, 2022

@baudneo baudneo changed the title Add CrowdSec OpenResty bouncer and Admin Dashboard logging Add CrowdSec OpenResty bouncer, Admin Dashboard logging and ModSecurity Feb 22, 2022
Unknown how to pass jenkins tests...
@hamishfagg

@baudneo I'm trying to use your image and I get the following error with no existing config. I see you pushed an update to the docker container 20mins ago?

nginx: [emerg] SSL_CTX_load_verify_locations("/etc/nginx/${SSL_CERTS_PATH}") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/${SSL_CERTS_PATH}','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
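
Added example (not the PR's own init script): a POSIX sh version of the first-run rendering step the description mentions (config file created with ENV vars substituted), followed by a validation pass that catches the two failure modes seen in this thread, an unsubstituted ${SSL_CERTS_PATH} left in the file and a CA path that does not exist. The template is constructed; apart from BAN_TEMPLATE_PATH and CAPTCHA_TEMPLATE_PATH (quoted later in the thread) and the CROWDSEC_* / SSL_CERTS_PATH environment variable names from the description, the config keys (API_URL, API_KEY, CA_CERT, SECRET_KEY, SITE_KEY) are assumed names, not necessarily the bouncer's actual ones.

```sh
#!/bin/sh
# Added example (not the PR's init script). Renders a bouncer config from a
# template by expanding ${VAR} placeholders from the environment, then checks
# the result before nginx ever sees it. Config keys other than the two
# *_TEMPLATE_PATH values quoted in the thread are assumed names.

# Constructed template; the real crowdsec-openresty-bouncer.conf has more keys.
BOUNCER_TEMPLATE='API_URL=${CROWDSEC_LAPI}
API_KEY=${CROWDSEC_KEY}
CA_CERT=${SSL_CERTS_PATH}
SECRET_KEY=${CROWDSEC_RECAP_SECRET}
SITE_KEY=${CROWDSEC_RECAP_SITE}
BAN_TEMPLATE_PATH=/crowdsec/templates/ban.html
CAPTCHA_TEMPLATE_PATH=/crowdsec/templates/captcha.html
'

# render_bouncer_conf TEMPLATE_TEXT
# Expands every ${NAME} from the exported environment (docker exports the
# compose "environment:" entries). Unset names become empty strings on purpose:
# validate_bouncer_conf decides which of them are fatal.
render_bouncer_conf() {
    printf '%s' "$1" | awk '
    {
        line = $0; out = ""
        # Walk left to right so a value that itself contains a placeholder is
        # copied through, never re-expanded.
        while (match(line, /\$[{][A-Z_][A-Z0-9_]*[}]/)) {
            name = substr(line, RSTART + 2, RLENGTH - 3)
            out = out substr(line, 1, RSTART - 1) ENVIRON[name]
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# validate_bouncer_conf FILE
# Returns 0 when the rendered file can plausibly start the bouncer, 1 with a
# reason on stderr otherwise.
validate_bouncer_conf() {
    conf="$1"
    # A leftover ${...} is exactly what produced the nginx [emerg] in this
    # thread: nginx tried to open a literal "/etc/nginx/${SSL_CERTS_PATH}".
    if grep -q '\$[{][A-Z_][A-Z0-9_]*[}]' "$conf"; then
        echo "$conf: unsubstituted placeholder left in file" >&2
        return 1
    fi
    for key in API_URL API_KEY; do
        if ! grep -q "^$key=..*" "$conf"; then
            echo "$conf: $key is empty; the bouncer cannot reach the LAPI" >&2
            return 1
        fi
    done
    # An empty CA_CERT is tolerated (no reCAPTCHA remediation); a path that
    # does not exist is not, since that is the other failure mode reported here.
    ca=$(sed -n 's/^CA_CERT=//p' "$conf")
    if [ -n "$ca" ] && [ ! -f "$ca" ]; then
        echo "$conf: CA_CERT=$ca does not exist (typo in the path?)" >&2
        return 1
    fi
    return 0
}

# Usage: export the CROWDSEC_* and SSL_CERTS_PATH variables, then
#   render_bouncer_conf "$BOUNCER_TEMPLATE" > data/crowdsec/crowdsec-openresty-bouncer.conf
#   validate_bouncer_conf data/crowdsec/crowdsec-openresty-bouncer.conf || exit 1
```

Failing the init script on a bad CA path gives a one-line message naming the file and key instead of the OpenSSL error chain above, and refusing to write a file with a placeholder still in it means a wrong or missing environment entry is reported once rather than on every container restart.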

@baudneo
Author

baudneo commented Apr 9, 2022

Sorry, it should be fixed in next 20 mins or so, everything building.

Added PROXY PR and upgraded openresty bouncer.

@baudneo
Author

baudneo commented Apr 9, 2022

Image is up and works, but it seems it built from an old builder and didn't propagate all changes. It will be another couple hours until a new build is out with all the new stuff. This current :testing tag will work for now. Add SSL_CERTS_PATH to the environment and set it to "/etc/ssl/certs/GTS_Root_R1.pem" if it complains about that same error.

In the new image SSL_CERTS_PATH will be set to "/etc/ssl/certs/GTS_Root_R1.pem" by default (can be overridden). Another fork maintainer found a memory issue when using crowdsec's openresty bouncer and reCAPTCHA remediation. Using Google's root CA specifically to reach out to Google for reCAPTCHA validation was the fix.

PROXY protocol from a PR was added with UI changes to configure it. Brotli compression, xslt and image_filter modules have also been added.

@hamishfagg

Testing image is working but FYI there's a typo in the default value for SSL_CERTS_PATH (lower case 'r' in 'Root') so it complains about that cert not existing. Fixed by manually setting that var though

@baudneo
Author

baudneo commented Apr 9, 2022

Yes sorry about that, I reused a buildx builder instance and the new changes did not propagate. It's rebuilding multi arch images from scratch right now with the upgrades.

The crowdsec html templates are also missing until this build completes.

EDIT: Templates are located at /crowdsec/templates/ INSIDE of the image. Therefore, the proper paths are

BAN_TEMPLATE_PATH=/crowdsec/templates/ban.html
CAPTCHA_TEMPLATE_PATH=/crowdsec/templates/captcha.html

@erdoukki

erdoukki commented Apr 15, 2022

Something has changed?
Will revert to the official docker for NPM!

Because this morning I get an issue trying to log in to the WebUI:

root@STARGATE:/srv/NGINX# docker-compose logs 
Attaching to npm-crowdsec
npm-crowdsec | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
npm-crowdsec | [s6-init] ensuring user provided files have correct perms...exited 0.
npm-crowdsec | [fix-attrs.d] applying ownership & permissions fixes...
npm-crowdsec | [fix-attrs.d] done.
npm-crowdsec | [cont-init.d] executing container initialization scripts...
npm-crowdsec | [cont-init.d] 01_perms.sh: executing... 
npm-crowdsec | [cont-init.d] 01_perms.sh>>> Changing ownership of /data/logs to 0:0
npm-crowdsec | [cont-init.d] 01_perms.sh: exited 0.
npm-crowdsec | [cont-init.d] 02_s6-secret-init.sh: executing... 
npm-crowdsec | [cont-init.d] 02_s6-secret-init.sh: exited 0.
npm-crowdsec | [cont-init.d] 03_timezone.sh: executing... 
npm-crowdsec | [cont-init.d] 03_timezone.sh>>> Setting timezone to Europe/Paris
npm-crowdsec | [cont-init.d] 03_timezone.sh: exited 0.
npm-crowdsec | [cont-init.d] 80_logging-options.sh: executing... 
npm-crowdsec | [cont-init.d] 80_logging-options.sh>>> Enabling admin dashboard logging
npm-crowdsec | [cont-init.d] 80_logging-options.sh>>> Leaving OpenResty ERROR (fallback_error.log) logging at level: WARN (default behavior)
npm-crowdsec | [cont-init.d] 80_logging-options.sh: exited 0.
npm-crowdsec | [cont-init.d] 90_mmdb.sh: executing... 
npm-crowdsec | [cont-init.d] 90_mmdb.sh: exited 0.
npm-crowdsec | [cont-init.d] 97_modsecurity.sh: executing... 
npm-crowdsec | [cont-init.d] 97_modsecurity.sh: Linking /etc/nginx/modsec to persistent data /data/modsec
npm-crowdsec | [cont-init.d] 97_modsecurity.sh: exited 0.
npm-crowdsec | [cont-init.d] 99_crowdsec-openresty-bouncer.sh: executing... 
npm-crowdsec | [cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Enabling CrowdSec Bouncer
npm-crowdsec | [cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Using configured SSL_CERTS_PATH: /etc/ssl/certs/GTS_Root_R1.pem
npm-crowdsec | [cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Crowdsec update directory configured: /cs-update
npm-crowdsec | [cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Evaluating Crowdsec update files...
npm-crowdsec | [cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Found : /cs-update/* | extension: 
npm-crowdsec | [cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Ignoring  -> /cs-update/*
npm-crowdsec | [cont-init.d] 99_crowdsec-openresty-bouncer.sh: exited 0.
npm-crowdsec | [cont-init.d] done.
npm-crowdsec | [services.d] starting services
npm-crowdsec | [services.d] done.
npm-crowdsec | ❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/assets.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/block-exploits.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/force-ssl.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/proxy.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/ip_ranges.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/resolvers.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/production.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/default.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/crowdsec_openresty.conf
npm-crowdsec | ❯ Enabling IPV6 in hosts: /data/nginx
npm-crowdsec |   ❯ /data/nginx/redirection_host/1.conf
npm-crowdsec |   ❯ /data/nginx/default_host/site.conf
npm-crowdsec |   ❯ /data/nginx/proxy_host/1.conf
npm-crowdsec | nginx: [error] [lua] crowdsec.lua:46: init(): error loading recaptcha plugin: no recaptcha site key provided, can't use recaptcha
npm-crowdsec | nginx: [error] [lua] ban.lua:37: new(): BAN_TEMPLATE_PATH and REDIRECT_LOCATION variable are empty, will return HTTP 403 for ban decisions
npm-crowdsec | nginx: [alert] [lua] init_by_lua:11: [Crowdsec] Initialisation done
npm-crowdsec | [4/15/2022] [6:32:10 AM] [Global   ] › ℹ  info      Generating SQLite knex configuration
npm-crowdsec | [4/15/2022] [6:32:11 AM] [Global   ] › ⬤  debug     Wrote db configuration to config file: ./config/production.json
npm-crowdsec | node:internal/modules/cjs/loader:1187
npm-crowdsec |   return process.dlopen(module, path.toNamespacedPath(filename));
npm-crowdsec |                  ^
npm-crowdsec | 
npm-crowdsec | Error: /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: cannot open shared object file: No such file or directory
npm-crowdsec |     at Object.Module._extensions..node (node:internal/modules/cjs/loader:1187:18)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12)
npm-crowdsec |     at Module.require (node:internal/modules/cjs/loader:1005:19)
npm-crowdsec |     at require (node:internal/modules/cjs/helpers:102:18)
npm-crowdsec |     at Object.<anonymous> (/app/node_modules/bcrypt/bcrypt.js:6:16)
npm-crowdsec |     at Module._compile (node:internal/modules/cjs/loader:1103:14)
npm-crowdsec |     at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12) {
npm-crowdsec |   code: 'ERR_DLOPEN_FAILED'
npm-crowdsec | }
npm-crowdsec |  1: 0xafa3a0 node::Abort() [node]
npm-crowdsec |  2: 0xafc89c  [node]
npm-crowdsec |  3: 0xd31df0  [node]
npm-crowdsec |  4: 0xd32e4c v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [node]
npm-crowdsec |  5: 0x15511cc  [node]
npm-crowdsec | ./run: line 19:   331 Aborted                 node --abort_on_uncaught_exception --max_old_space_size=250 index.js
npm-crowdsec | node:internal/modules/cjs/loader:1187
npm-crowdsec |   return process.dlopen(module, path.toNamespacedPath(filename));
npm-crowdsec |                  ^
npm-crowdsec | 
npm-crowdsec | Error: /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: cannot open shared object file: No such file or directory
npm-crowdsec |     at Object.Module._extensions..node (node:internal/modules/cjs/loader:1187:18)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12)
npm-crowdsec |     at Module.require (node:internal/modules/cjs/loader:1005:19)
npm-crowdsec |     at require (node:internal/modules/cjs/helpers:102:18)
npm-crowdsec |     at Object.<anonymous> (/app/node_modules/bcrypt/bcrypt.js:6:16)
npm-crowdsec |     at Module._compile (node:internal/modules/cjs/loader:1103:14)
npm-crowdsec |     at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12) {
npm-crowdsec |   code: 'ERR_DLOPEN_FAILED'
npm-crowdsec | }
npm-crowdsec |  1: 0xafa3a0 node::Abort() [node]
npm-crowdsec |  2: 0xafc89c  [node]
npm-crowdsec |  3: 0xd31df0  [node]
npm-crowdsec |  4: 0xd32e4c v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [node]
npm-crowdsec |  5: 0x15511cc  [node]
npm-crowdsec | ./run: line 19:   385 Aborted                 node --abort_on_uncaught_exception --max_old_space_size=250 index.js
npm-crowdsec | node:internal/modules/cjs/loader:1187
npm-crowdsec |   return process.dlopen(module, path.toNamespacedPath(filename));
npm-crowdsec |                  ^
npm-crowdsec | 
npm-crowdsec | Error: /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: cannot open shared object file: No such file or directory
npm-crowdsec |     at Object.Module._extensions..node (node:internal/modules/cjs/loader:1187:18)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12)
npm-crowdsec |     at Module.require (node:internal/modules/cjs/loader:1005:19)
npm-crowdsec |     at require (node:internal/modules/cjs/helpers:102:18)
npm-crowdsec |     at Object.<anonymous> (/app/node_modules/bcrypt/bcrypt.js:6:16)
npm-crowdsec |     at Module._compile (node:internal/modules/cjs/loader:1103:14)
npm-crowdsec |     at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12) {
npm-crowdsec |   code: 'ERR_DLOPEN_FAILED'
npm-crowdsec | }
npm-crowdsec |  1: 0xafa3a0 node::Abort() [node]
npm-crowdsec |  2: 0xafc89c  [node]
npm-crowdsec |  3: 0xd31df0  [node]
npm-crowdsec |  4: 0xd32e4c v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [node]
npm-crowdsec |  5: 0x15511cc  [node]
npm-crowdsec | ./run: line 19:   394 Aborted                 node --abort_on_uncaught_exception --max_old_space_size=250 index.js
npm-crowdsec | node:internal/modules/cjs/loader:1187
npm-crowdsec |   return process.dlopen(module, path.toNamespacedPath(filename));
npm-crowdsec |                  ^
npm-crowdsec | 
npm-crowdsec | Error: /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: cannot open shared object file: No such file or directory
npm-crowdsec |     at Object.Module._extensions..node (node:internal/modules/cjs/loader:1187:18)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12)
npm-crowdsec |     at Module.require (node:internal/modules/cjs/loader:1005:19)
npm-crowdsec |     at require (node:internal/modules/cjs/helpers:102:18)
npm-crowdsec |     at Object.<anonymous> (/app/node_modules/bcrypt/bcrypt.js:6:16)
npm-crowdsec |     at Module._compile (node:internal/modules/cjs/loader:1103:14)
npm-crowdsec |     at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12) {
npm-crowdsec |   code: 'ERR_DLOPEN_FAILED'
npm-crowdsec | }
npm-crowdsec |  1: 0xafa3a0 node::Abort() [node]
npm-crowdsec |  2: 0xafc89c  [node]
npm-crowdsec |  3: 0xd31df0  [node]
npm-crowdsec |  4: 0xd32e4c v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [node]
npm-crowdsec |  5: 0x15511cc  [node]
npm-crowdsec | ./run: line 19:   403 Aborted                 node --abort_on_uncaught_exception --max_old_space_size=250 index.js
npm-crowdsec | node:internal/modules/cjs/loader:1187
npm-crowdsec |   return process.dlopen(module, path.toNamespacedPath(filename));
npm-crowdsec |                  ^
npm-crowdsec | 
npm-crowdsec | Error: /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: cannot open shared object file: No such file or directory
npm-crowdsec |     at Object.Module._extensions..node (node:internal/modules/cjs/loader:1187:18)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12)
npm-crowdsec |     at Module.require (node:internal/modules/cjs/loader:1005:19)
npm-crowdsec |     at require (node:internal/modules/cjs/helpers:102:18)
npm-crowdsec |     at Object.<anonymous> (/app/node_modules/bcrypt/bcrypt.js:6:16)
npm-crowdsec |     at Module._compile (node:internal/modules/cjs/loader:1103:14)
npm-crowdsec |     at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12) {
npm-crowdsec |   code: 'ERR_DLOPEN_FAILED'
npm-crowdsec | }
npm-crowdsec |  1: 0xafa3a0 node::Abort() [node]
npm-crowdsec |  2: 0xafc89c  [node]
npm-crowdsec |  3: 0xd31df0  [node]
npm-crowdsec |  4: 0xd32e4c v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [node]
npm-crowdsec |  5: 0x15511cc  [node]
npm-crowdsec | ./run: line 19:   412 Aborted                 node --abort_on_uncaught_exception --max_old_space_size=250 index.js
npm-crowdsec | node:internal/modules/cjs/loader:1187
npm-crowdsec |   return process.dlopen(module, path.toNamespacedPath(filename));
npm-crowdsec |                  ^
npm-crowdsec | 
npm-crowdsec | Error: /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: cannot open shared object file: No such file or directory
npm-crowdsec |     at Object.Module._extensions..node (node:internal/modules/cjs/loader:1187:18)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12)
npm-crowdsec |     at Module.require (node:internal/modules/cjs/loader:1005:19)
npm-crowdsec |     at require (node:internal/modules/cjs/helpers:102:18)
npm-crowdsec |     at Object.<anonymous> (/app/node_modules/bcrypt/bcrypt.js:6:16)
npm-crowdsec |     at Module._compile (node:internal/modules/cjs/loader:1103:14)
npm-crowdsec |     at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
npm-crowdsec |     at Module.load (node:internal/modules/cjs/loader:981:32)
npm-crowdsec |     at Function.Module._load (node:internal/modules/cjs/loader:822:12) {
npm-crowdsec |   code: 'ERR_DLOPEN_FAILED'
npm-crowdsec | }
npm-crowdsec |  1: 0xafa3a0 node::Abort() [node]
npm-crowdsec |  2: 0xafc89c  [node]
npm-crowdsec |  3: 0xd31df0  [node]
npm-crowdsec |  4: 0xd32e4c v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [node]
npm-crowdsec |  5: 0x15511cc  [node]
npm-crowdsec | ./run: line 19:   421 Aborted                 node --abort_on_uncaught_exception --max_old_space_size=250 index.js

@baudneo
Author

baudneo commented Apr 15, 2022

Something has changed?
Will revert to the official docker for NPM!
Because this morning I get an issue trying to log in to the WebUI:

I tried to recreate your error and am unsuccessful. Try editing crowdsec-openresty-bouncer.conf and add the template paths or change the remediation type to ban instead of all/captcha. The templates are in the /crowdsec/ directory inside the image. I don't see that being the issue. I myself had some errors once I added a new SSL cert, but from what I can tell that's a bug in the original NPM code. It left the ssl_cert directives set to the old certificate location, which caused the image to keep restarting. Once I changed the SSL cert directives (in data/nginx/proxy_host/x.conf) to point towards the new cert, all was well.

Another thing to try is to stop the container, remove it and then docker rmi <image hash>. Do docker-compose up -d --force-recreate and it should pull a fresh image. Not sure what's going on there.

If you want to revert to the base image, feel free.

Template paths

BAN_TEMPLATE_PATH=/crowdsec/templates/ban.html
CAPTCHA_TEMPLATE_PATH=/crowdsec/templates/captcha.html

output from me pulling and starting the image

❯ stack.up
Pulling npm (baudneo/nginx-proxy-manager:latest)...
latest: Pulling from baudneo/nginx-proxy-manager
f003217c5aae: Already exists
6c32b142fdf0: Already exists
17be1e23f450: Already exists
73c92c1e534c: Already exists
d3c318fe5b42: Already exists
97ed422a8aa1: Already exists
29d61e7936a4: Already exists
1a856b91a20b: Already exists
0a7cb278cd80: Already exists
a76d4b8acf92: Already exists
5359a296178b: Already exists
3a7c7616af3a: Already exists
eec59602dfeb: Already exists
1d4297df430c: Already exists
d8e1e6893f44: Already exists
6e4c98400729: Already exists
5828067bd470: Already exists
fad1a95d5637: Already exists
580b77e16e1e: Already exists
82a7dc1180af: Already exists
b347adf6a121: Already exists
58434db0acc2: Already exists
0f228f5f59f5: Already exists
8a7ca37f2115: Already exists
da74e4b97311: Already exists
0c2369ab1b85: Already exists
f2c264029e3e: Already exists
d645772e60f3: Already exists
a33dbce6a92e: Pull complete
4d686fdec7ad: Pull complete
735647708321: Pull complete
a0f31d71b30d: Pull complete
0adfd5fc03a2: Pull complete
1b1eb638c089: Pull complete
4f4fb700ef54: Pull complete
8adf2b26289b: Pull complete
3fc850f3c4ee: Pull complete
b1f029dfaa61: Pull complete
448f23657f91: Pull complete
Digest: sha256:a401ec6491beaf53d20956cdcbe1dcc43e31b44c0ec2d7ee45766e52f60a6d8d
Status: Downloaded newer image for baudneo/nginx-proxy-manager:latest
gotify is up-to-date
npm_prod_db is up-to-date
Creating npm_prod ... done
❯ docker logs --follow npm_prod
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_perms.sh: executing...
[cont-init.d] 01_perms.sh>>> Changing ownership of /data/logs to 0:0
[cont-init.d] 01_perms.sh: exited 0.
[cont-init.d] 02_s6-secret-init.sh: executing...
[cont-init.d] 02_s6-secret-init.sh: exited 0.
[cont-init.d] 03_timezone.sh: executing...
[cont-init.d] 03_timezone.sh>>> Setting timezone to cont/place
[cont-init.d] 03_timezone.sh: exited 0.
[cont-init.d] 80_logging-options.sh: executing...
[cont-init.d] 80_logging-options.sh>>> Enabling admin dashboard logging
[cont-init.d] 80_logging-options.sh>>> Leaving OpenResty ERROR (fallback_error.log) logging at level: WARN (default behavior)
[cont-init.d] 80_logging-options.sh: exited 0.
[cont-init.d] 90_mmdb.sh: executing...
[cont-init.d] 90_mmdb.sh: exited 0.
[cont-init.d] 97_modsecurity.sh: executing...
[cont-init.d] 97_modsecurity.sh: Linking /etc/nginx/modsec to persistent data /data/modsec
[cont-init.d] 97_modsecurity.sh: exited 0.
[cont-init.d] 99_crowdsec-openresty-bouncer.sh: executing...
[cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Enabling CrowdSec Bouncer
[cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Using configured SSL_CERTS_PATH: /etc/ssl/certs/GTS_Root_R1.pem
[cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Crowdsec update directory configured: /cs-update
[cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Evaluating Crowdsec update files...
[cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Found : /cs-update/* | extension:
[cont-init.d] 99_crowdsec-openresty-bouncer.sh>>> Ignoring  -> /cs-update/*
[cont-init.d] 99_crowdsec-openresty-bouncer.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
  ❯ /etc/nginx/conf.d/default.conf
  ❯ /etc/nginx/conf.d/production.conf
  ❯ /etc/nginx/conf.d/include/force-ssl.conf
  ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
  ❯ /etc/nginx/conf.d/include/assets.conf
  ❯ /etc/nginx/conf.d/include/block-exploits.conf
  ❯ /etc/nginx/conf.d/include/ip_ranges.conf
  ❯ /etc/nginx/conf.d/include/proxy.conf
  ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
  ❯ /etc/nginx/conf.d/include/resolvers.conf
  ❯ /etc/nginx/conf.d/crowdsec_openresty.conf
❯ Enabling IPV6 in hosts: /data/nginx
  ❯ /data/nginx/proxy_host/1.conf
  ❯ /data/nginx/proxy_host/4.conf
  ❯ /data/nginx/proxy_host/7.conf
  ❯ /data/nginx/proxy_host/9.conf
  ❯ /data/nginx/proxy_host/2.conf
  ❯ /data/nginx/dead_host/2.conf
  ❯ /data/nginx/custom/http_top.conf
  ❯ /data/nginx/default_host/site.conf
[4/15/2022] [12:30:27 AM] [Global   ] › ℹ  info      Generating MySQL knex configuration from environment variables
[4/15/2022] [12:30:27 AM] [Global   ] › ⬤  debug     Wrote db configuration to config file: ./config/production.json
nginx: [alert] [lua] init_by_lua:11: [Crowdsec] Initialisation done
[4/15/2022] [12:30:28 AM] [Migrate  ] › ℹ  info      Current database version: 20220209144645
[4/15/2022] [12:30:29 AM] [Setup    ] › ℹ  info      Creating a new JWT key pair...
[4/15/2022] [12:30:47 AM] [Setup    ] › ℹ  info      Wrote JWT key pair to config file: /app/config/production.json
[4/15/2022] [12:31:03 AM] [Setup    ] › ℹ  info      Added Certbot plugins certbot-dns-cloudflare==$(certbot --version | grep -Eo '[0-9](\.[0-9]+)+') cloudflare
[4/15/2022] [12:31:03 AM] [Setup    ] › ℹ  info      Logrotate Timer initialized
[4/15/2022] [12:31:03 AM] [Setup    ] › ℹ  info      Logrotate completed.
[4/15/2022] [12:31:03 AM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[4/15/2022] [12:31:03 AM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[4/15/2022] [12:31:04 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[4/15/2022] [12:31:04 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[4/15/2022] [12:31:04 AM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[4/15/2022] [12:31:04 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[4/15/2022] [12:31:04 AM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[4/15/2022] [12:31:04 AM] [Global   ] › ℹ  info      Backend PID 337 listening on port 3000 ...
[4/15/2022] [12:31:06 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[4/15/2022] [12:31:06 AM] [SSL      ] › ℹ  info      Renew Complete

When I remove template paths

nginx: [error] [lua] crowdsec.lua:46: init(): error loading recaptcha plugin: CAPTCHA_TEMPLATE_PATH variable is empty, will ban without template
nginx: [error] [lua] ban.lua:37: new(): BAN_TEMPLATE_PATH and REDIRECT_LOCATION variable are empty, will return HTTP 403 for ban decisions
nginx: [alert] [lua] init_by_lua:11: [Crowdsec] Initialisation done
[4/15/2022] [12:43:57 AM] [Migrate  ] › ℹ  info      Current database version: 20220209144645
[4/15/2022] [12:44:01 AM] [Setup    ] › ℹ  info      Added Certbot plugins certbot-dns-cloudflare==$(certbot --version | grep -Eo '[0-9](\.[0-9]+)+') cloudflare
[4/15/2022] [12:44:01 AM] [Setup    ] › ℹ  info      Logrotate Timer initialized
[4/15/2022] [12:44:01 AM] [Setup    ] › ℹ  info      Logrotate completed.
[4/15/2022] [12:44:01 AM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[4/15/2022] [12:44:01 AM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[4/15/2022] [12:44:01 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[4/15/2022] [12:44:02 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[4/15/2022] [12:44:02 AM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[4/15/2022] [12:44:02 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[4/15/2022] [12:44:02 AM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[4/15/2022] [12:44:02 AM] [Global   ] › ℹ  info      Backend PID 333 listening on port 3000 ...
[4/15/2022] [12:44:03 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[4/15/2022] [12:44:04 AM] [SSL      ] › ℹ  info      Renew Complete

@erdoukki

Thanks @baudneo, I will try later.
For now I have reverted to default and also had to change back the docker-compose version tag to 2 (from 3)...

@erdoukki

npm-crowdsec | Error: /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: cannot open shared object file: No such file or directory

OK, I gave it another try as you proposed.
I removed all images from your own repository.
I cleaned the docker-compose and kept only your settings.
I may also have done some cleaning in the ./data folder.

Then still the same issue, which looks to be close to:
https://stackoverflow.com/questions/41027833/bcrypt-and-docker-bcrypt-lib-node-invalid-elf-header
The error message I get is because of a missing file, but it may be the same message for a bad file, maybe?
I am on ARM64!

@baudneo
Author

baudneo commented Apr 18, 2022

Hmm the thing though is your error says the file is missing completely, not that there are missing elf headers. I am perplexed but I will try and take a look into it as soon as I can.

I don't have arm64 SoC to test with at the moment but I will see if I can virtualize something if possible to do some testing. Sorry about that.

Can you try docker exec -it <container name> /bin/bash and then use ls to see what's going on in the /app/node_modules/bcrypt directory. Just to see if there are some irregularities.

@erdoukki

erdoukki commented Apr 18, 2022

root@STARGATE:/srv/NGINX# docker exec -it npm-crowdsec /bin/bash
 _   _       _            ____                      __  __                                   
| \ | | __ _(_)_ __ __  _|  _ \ _ __ _____  ___   _|  \/  | __ _ _ __   __ _  __ _  ___ _ __ 
|  \| |/ _` | | '_ \\ \/ / |_) | '__/ _ \ \/ / | | | |\/| |/ _` | '_ \ / _` |/ _` |/ _ \ '__|
| |\  | (_| | | | | |>  <|  __/| | | (_) >  <| |_| | |  | | (_| | | | | (_| | (_| |  __/ |   
|_| \_|\__, |_|_| |_/_/\_\_|   |_|  \___/_/\_\\__, |_|  |_|\__,_|_| |_|\__,_|\__, |\___|_|   
       |___/                                  |___/                          |___/           
Version 5 (notset) 2022-04-12 19:51:53 MDT, OpenResty 1.19.9.1, debian 10 (buster), Certbot certbot 1.26.0
Base: debian:buster-slim, linux/arm64
Certbot: baudneo/nginx-full:latest, linux/arm64
Node: baudneo/nginx-full:certbot, linux/arm64

Can you try docker exec -it <container name> /bin/bash and then use ls to see what's going on in the /app/node_modules/bcrypt directory. Just to see if there are some irregularities.

The file is here...

[root@docker-e4ef7a2a36e7:/app]# ls node_modules/bcrypt/lib/binding/napi-v3/ -hal
total 92K
drwxrwxr-x 2 root root 4.0K Apr 13 03:51 .
drwxrwxr-x 3 root root 4.0K Apr 13 03:51 ..
-rwxrwxr-x 1 root root  83K Jun  8  2020 bcrypt_lib.node

I cannot find the file command-line tool to check the ELF header.

[root@docker-e4ef7a2a36e7:/app]# /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node
bash: /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: cannot execute binary file: Exec format error

I have tried npm install bcrypt

[root@docker-e4ef7a2a36e7:/app]# npm install bcrypt

added 28 packages, removed 1 package, changed 4 packages, and audited 535 packages in 5m

19 packages are looking for funding
  run `npm fund` for details

5 vulnerabilities (1 moderate, 3 high, 1 critical)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

Pretty useless test, but a different result!

[root@docker-e4ef7a2a36e7:/app]# /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node
Segmentation fault

I was good!!
Because then the logs of the docker became OK:

npm-crowdsec | [4/18/2022] [7:01:16 AM] [Migrate  ] › ℹ  info      Current database version: none
npm-crowdsec | [4/18/2022] [7:01:17 AM] [Migrate  ] › ℹ  info      [proxy_protocol] Migrating Up...
npm-crowdsec | [4/18/2022] [7:01:17 AM] [Migrate  ] › ℹ  info      [proxy_protocol] proxy_host Table altered
npm-crowdsec | [4/18/2022] [7:01:17 AM] [Setup    ] › ℹ  info      Creating a new JWT key pair...
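
Running a shared object directly tells you little (a .so built for the right architecture typically just crashes, as the segmentation fault above shows), but the "Exec format error" on the original file is what a foreign-architecture binary produces. When the file tool is not installed, the target architecture can be read straight from the ELF header. The following is an added example, not code from the PR or from the NPM project: it reads e_machine from the header with od and compares it with uname -m. The sample header it builds and the bcrypt path it probes are constructed for illustration.

```shell
# Added example, not code from the PR or the project: read the target
# architecture straight out of an ELF header when `file` is not installed.
# Offsets (ELF spec): 0-3 magic, 5 EI_DATA (1 = little-endian, 2 = big-endian),
# 18-19 e_machine (2 bytes, in the file's own byte order).

elf_arch() {
  f=$1
  magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
  if [ "$magic" != "7f454c46" ]; then
    echo "not-elf"
    return 1
  fi
  ei_data=$(od -An -tx1 -j5 -N1 "$f" | tr -d ' \n')
  set -- $(od -An -tx1 -j18 -N2 "$f")      # two hex bytes, e.g. "b7 00"
  if [ "$ei_data" = "01" ]; then
    machine="$2$1"                          # little-endian: swap the bytes
  else
    machine="$1$2"
  fi
  case "$machine" in
    003e) echo x86_64 ;;
    00b7) echo aarch64 ;;
    0028) echo arm ;;
    0003) echo i386 ;;
    *)    echo "unknown($machine)" ;;
  esac
}

# Returns 0 when the binary's architecture equals uname -m
# (Linux reports arm64 as "aarch64", which matches the label above).
elf_matches_host() {
  [ "$(elf_arch "$1")" = "$(uname -m)" ]
}

# Constructed sample: a 20-byte ELF64 little-endian header with e_machine = 0xb7 (aarch64).
sample=$(mktemp)
printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\003\000\267\000' > "$sample"
printf 'constructed sample: %s, host: %s\n' "$(elf_arch "$sample")" "$(uname -m)"
rm -f "$sample"

# The path from the thread (assumed; skipped here if the file is absent):
p=/app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node
if [ -f "$p" ]; then
  if elf_matches_host "$p"; then
    echo "$p matches host"
  else
    echo "$p is $(elf_arch "$p"), host is $(uname -m)"
  fi
fi
```

Inside the container this is `sh elfcheck.sh` (or paste the functions into the shell and call `elf_arch` on the .node file); a result that differs from `uname -m` means the image shipped a prebuilt binding for the wrong platform, which is also why `npm install bcrypt` rebuilding it locally changed the behaviour.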

@erdoukki

Another issue with the CAPTCHA I made at Google!?
I am not sure I have understood this part well; is it required?

npm-crowdsec | nginx: [error] [lua] config.lua:120: loadConfig(): unsupported configuration 'CROWDSEC_RECAP_SECRET'
npm-crowdsec | nginx: [error] [lua] config.lua:120: loadConfig(): unsupported configuration 'CROWDSEC_RECAP_SITE'
npm-crowdsec | nginx: [error] [lua] crowdsec.lua:46: init(): error loading recaptcha plugin: no recaptcha site key provided, can't use recaptcha
npm-crowdsec | nginx: [alert] [lua] init_by_lua:11: [Crowdsec] Initialisation done

Here are my parameters (all are externally defined in the docker-compose.yaml):

root@STARGATE:/srv/NGINX# cat data/crowdsec/crowdsec-openresty-bouncer.conf 
API_URL=http://<IP>:<PORT>
API_KEY=<HEX>
CACHE_EXPIRATION=1
BOUNCING_ON_TYPE=ban
REQUEST_TIMEOUT=0.2
UPDATE_FREQUENCY=10
MODE=stream
BAN_TEMPLATE_PATH=/crowdsec/templates/ban.html
CAPTCHA_TEMPLATE_PATH=/crowdsec/templates/captcha.html
CROWDSEC_RECAP_SECRET=<SECRETKEY>
CROWDSEC_RECAP_SITE=<SITEKEY>

@baudneo
Author

baudneo commented Apr 18, 2022

Another issue with the CAPTCHA I made at Google!? I am not sure I have understood this part well; is it required?

npm-crowdsec | nginx: [error] [lua] config.lua:120: loadConfig(): unsupported configuration 'CROWDSEC_RECAP_SECRET'
npm-crowdsec | nginx: [error] [lua] config.lua:120: loadConfig(): unsupported configuration 'CROWDSEC_RECAP_SITE'
npm-crowdsec | nginx: [error] [lua] crowdsec.lua:46: init(): error loading recaptcha plugin: no recaptcha site key provided, can't use recaptcha
npm-crowdsec | nginx: [alert] [lua] init_by_lua:11: [Crowdsec] Initialisation done

Here are my parameters (all are externally defined in the docker-compose.yaml):

root@STARGATE:/srv/NGINX# cat data/crowdsec/crowdsec-openresty-bouncer.conf 
API_URL=http://<IP>:<PORT>
API_KEY=<HEX>
CACHE_EXPIRATION=1
BOUNCING_ON_TYPE=ban
REQUEST_TIMEOUT=0.2
UPDATE_FREQUENCY=10
MODE=stream
BAN_TEMPLATE_PATH=/crowdsec/templates/ban.html
CAPTCHA_TEMPLATE_PATH=/crowdsec/templates/captcha.html
CROWDSEC_RECAP_SECRET=<SECRETKEY>
CROWDSEC_RECAP_SITE=<SITEKEY>

The CROWDSEC_RECAP_XXX are environment variables used only when the file is first created on a user's very first time running npm without having anything in the data/crowdsec directory.

Change them to

SECRET_KEY=xxxxxx
SITE_KEY=xxxxxxx

The way to use the CROWDSEC_RECAP vars is to set them as the VALUE of those keys. You would set CROWDSEC_RECAP_SITE and CROWDSEC_RECAP_SECRET as environment variables in your docker compose with the keys as values and then set your config like so

SITE_KEY=$CROWDSEC_RECAP_SITE
SECRET_KEY=$CROWDSEC_RECAP_SECRET

On boot of the container the 99 init file should replace those environment variables. BUT, for now I would just set the keys on the crowdsec bouncer .conf.

So once you manually installed bcrypt using node package manager it started working? That's.... odd. That means every time you start that container you will need to install bcrypt from node package manager.

I'll try and take a look into what's going on there. It seems weird that on arm64 there is a bcrypt library that isn't registered but the files are there.

Edit: the captcha stuff isn't needed if you have remediation set to ban. Changing those 2 keys will get the reCAPTCHA set up, then you can change the "bounce on type" to all/captcha to use captcha.

To test that crowdsec is working properly you can add your IP to the decision list manually on your crowdsec LAPI host using cscli decisions add -i <ip> and then test by trying to access an NPM host, you should see a html page saying you've been banned or to do a captcha.

Once you are done testing use cscli decisions delete -i <ip> to remove your IP from the decisions list.
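
As an added example (not the PR's 99 init script, whose substitution logic the thread does not show), here is a POSIX sh function that does what the comment above describes: it reads a key=value bouncer config and replaces a value written as $NAME or ${NAME} with the environment variable of that name. It warns when the variable is unset, so an empty SITE_KEY does not silently produce the "no recaptcha site key provided" error seen earlier, and it refuses references that are not plain variable names before handing them to eval. The sample config and key values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the PR's own 99 init script: expand values written as
# $NAME or ${NAME} in a key=value bouncer config from the environment.
# Only whole-value references are expanded; anything else is copied verbatim.

render_bouncer_conf() {
  in=$1
  out=$2
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*)
        printf '%s\n' "$line" ;;          # blank lines and comments pass through
      *=*)
        key=${line%%=*}
        val=${line#*=}
        case "$val" in
          '$'*)
            name=${val#\$}; name=${name#\{}; name=${name%\}}
            # Refuse anything that is not a plain variable name before eval.
            case "$name" in
              ''|*[!A-Za-z0-9_]*)
                printf 'render_bouncer_conf: bad reference %s in %s\n' "$val" "$key" >&2
                return 1 ;;
            esac
            eval "val=\${$name:-}"
            [ -n "$val" ] || printf 'render_bouncer_conf: %s is unset, %s left empty\n' "$name" "$key" >&2
            ;;
        esac
        printf '%s=%s\n' "$key" "$val" ;;
      *)
        printf '%s\n' "$line" ;;
    esac
  done < "$in" > "$out"
}

# Constructed demo config with placeholder values (no real keys).
demo=$(mktemp -d)
printf '%s\n' \
  'API_URL=http://<IP>:<PORT>' \
  'BOUNCING_ON_TYPE=ban' \
  'BAN_TEMPLATE_PATH=/crowdsec/templates/ban.html' \
  'SITE_KEY=$CROWDSEC_RECAP_SITE' \
  'SECRET_KEY=${CROWDSEC_RECAP_SECRET}' > "$demo/crowdsec-openresty-bouncer.conf"
export CROWDSEC_RECAP_SITE=example-site-key CROWDSEC_RECAP_SECRET=example-secret-key
render_bouncer_conf "$demo/crowdsec-openresty-bouncer.conf" "$demo/rendered.conf"
cat "$demo/rendered.conf"
rm -rf "$demo"
```

Render into a temporary file and move it over the real config only after the function returns 0; that keeps a half-written config from reaching the bouncer if a reference is malformed.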

@erdoukki

There is something else which blocks it from running!

root@STARGATE:/srv/NGINX# docker-compose logs --tail=20 -f
Attaching to npm-crowdsec
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/assets.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/block-exploits.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/force-ssl.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/proxy.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/ip_ranges.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/include/resolvers.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/production.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/default.conf
npm-crowdsec |   ❯ /etc/nginx/conf.d/crowdsec_openresty.conf
npm-crowdsec | ❯ Enabling IPV6 in hosts: /data/nginx
npm-crowdsec |   ❯ /data/nginx/redirection_host/1.conf
npm-crowdsec |   ❯ /data/nginx/redirection_host/3.conf
npm-crowdsec |   ❯ /data/nginx/redirection_host/2.conf
npm-crowdsec |   ❯ /data/nginx/default_host/site.conf
npm-crowdsec |   ❯ /data/nginx/proxy_host/6.conf
npm-crowdsec |   ❯ /data/nginx/proxy_host/5.conf
npm-crowdsec |   ❯ /data/nginx/proxy_host/1.conf
npm-crowdsec |   ❯ /data/nginx/custom/http_top.conf
npm-crowdsec | nginx: [alert] [lua] init_by_lua:11: [Crowdsec] Initialisation done
npm-crowdsec | [4/18/2022] [7:59:05 AM] [Migrate  ] › ℹ  info      Current database version: none
npm-crowdsec | [4/18/2022] [7:59:36 AM] [Setup    ] › ℹ  info      Added Certbot plugins certbot-dns-ovh==$(certbot --version | grep -Eo '[0-9](\.[0-9]+)+') 
npm-crowdsec | [4/18/2022] [7:59:36 AM] [Setup    ] › ℹ  info      Logrotate Timer initialized
npm-crowdsec | [4/18/2022] [7:59:36 AM] [Setup    ] › ℹ  info      Logrotate completed.
npm-crowdsec | [4/18/2022] [7:59:36 AM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
npm-crowdsec | [4/18/2022] [7:59:36 AM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
npm-crowdsec | [4/18/2022] [7:59:39 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
npm-crowdsec | [4/18/2022] [7:59:40 AM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
npm-crowdsec | [4/18/2022] [7:59:41 AM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
npm-crowdsec | [4/18/2022] [7:59:41 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
npm-crowdsec | [4/18/2022] [7:59:41 AM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
npm-crowdsec | [4/18/2022] [7:59:41 AM] [Global   ] › ℹ  info      Backend PID 324 listening on port 3000 ...
npm-crowdsec | [4/18/2022] [7:59:57 AM] [Nginx    ] › ℹ  info      Reloading Nginx
npm-crowdsec | [4/18/2022] [7:59:58 AM] [SSL      ] › ℹ  info      Renew Complete

Then nothing more, and it is not working (waited more than 10 minutes...)

@baudneo
Author

baudneo commented Apr 18, 2022

The logs there seem correct. They don't output much noise besides "SSL renew complete" and a few other things when it's running. Is the admin panel responding? (Port 81)

@erdoukki

No, no answer, which is why I say it is not running.

@baudneo
Author

baudneo commented Apr 18, 2022

Well I would use the jc22 image for now until I can take a look at the arm64 build. I don't know what's going on with that specific version of the build as the amd64 build is working great, low ram usage and bans/captchas as it should while still serving Admin dashboard and everything else.

You are absolutely certain you deleted the old images and pulled new ones?

@erdoukki

You are absolutely certain you deleted the old images and pulled new ones?

Yes, I think so.
I have listed all the images referencing your repo and removed them with the command line you gave.

@pittbull

Trying to install your image as a direct replacement for another docker instance of npm, but it fails with the following:

3: 0xd53d8e  [node]
 4: 0xd551af v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) [node]
 5: 0x15f0bf9  [node]
./run: line 19:   626 Aborted                 node --abort_on_uncaught_exception --max_old_space_size=250 index.js
[4/28/2022] [9:56:03 PM] [Global   ] › ℹ  info      No valid environment variables for database provided, using default SQLite file '/data/database.sqlite'
Knex: run
$ npm install sqlite3 --save
/lib/x86_64-linux-gnu/libm.so.6: version `GLIBC_2.29' not found (required by /app/node_modules/sqlite3/lib/binding/node-v93-linux-x64/node_sqlite3.node)
Error: /lib/x86_64-linux-gnu/libm.so.6: version `GLIBC_2.29' not found (required by /app/node_modules/sqlite3/lib/binding/node-v93-linux-x64/node_sqlite3.node)
    at Object.Module._extensions..node (node:internal/modules/cjs/loader:1187:18)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Module.require (node:internal/modules/cjs/loader:1005:19)
    at require (node:internal/modules/cjs/helpers:102:18)
    at Object.<anonymous> (/app/node_modules/sqlite3/lib/sqlite3-binding.js:4:15)
    at Module._compile (node:internal/modules/cjs/loader:1103:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
/app/node_modules/knex/lib/client.js:234
      throw new Error(`${message}\n${e.message}`);
            ^

@baudneo
Author

baudneo commented Apr 28, 2022

I am away for the last little bit and for a bit longer dealing with some personal family stuff and don't have access to my machine to fix builds.

You can try the older testing tag that has modsec and an older version of the crowdsec bouncer for now. I will update when I return and I will fix these issues.

Sorry people. :(

@pittbull

No worries @baudneo - we all have to take care of our family stuff. Best of luck - and we'll see you when you return.

@baudneo
Author

baudneo commented Oct 31, 2022

Please be aware that ModSecurity has known memory leaks. I have done a lot of research and work to minimize the memory leak. The ModSec maintainer does not seem to be actively working on fixing the memory leaks. I changed how modsec was compiled and where modsec directives are placed for MODSEC_ENABLE=1. Before the directives were placed in the default server {} block, now it is in the ROOT http {} block.

The memory leak increases every time nginx -s reload is run. Reloads happen every time a host is created or modified and when the SSL cert renewal timer resets.

If you only set the MODSEC_ENABLE=1 env var and do not add any modsec directives in the Advanced tab, then the memory leak should only be 10-12 MB per reload. If you have MODSEC_ENABLE=0 and then use the modsecurity on; and modsecurity_rules_file </path/to/file>; directives in the Advanced tabs of hosts (in the root of the tab or inside of location {} blocks), there may be significantly larger memory leaks on every reload. YMMV.

Voice your concerns about the memory leak in the issue I opened ⇒ owasp-modsecurity/ModSecurity#2817

@baudneo baudneo closed this Oct 31, 2022
@baudneo baudneo deleted the crowdsec_openresty branch October 31, 2022 00:51
@baudneo baudneo restored the crowdsec_openresty branch October 31, 2022 00:53
@baudneo baudneo reopened this Oct 31, 2022
@baudneo baudneo closed this by deleting the head repository Oct 10, 2023
5 participants