Crowdsec Openresty Bouncer Support #238

Open
wants to merge 21 commits into
base: master

@LePresidente LePresidente commented Feb 21, 2022

This adds support for Nginx Proxy Manager to be a firewall bouncer for Crowdsec

Blog post on what this does
https://crowdsec.net/blog/nginx-bouncer-v1/

This has been expanded to be a permanent addon to Nginx Proxy Manager.

There are three configurations that would need to be configurable from Nginx Proxy Manager to configure the crowdsec-openresty-bouncer:

File: /config/crowdsec/crowdsec-openresty-bouncer.conf

#Enables/Disables the Proxy (true|false)
ENABLED=false
#URL to the crowdsec api
API_URL=
#APIKEY to the crowdsec api, generated on crowdsec using `cscli bouncers add NPM`
API_KEY=

Idea being this will eventually be editable in Nginx Proxy Manager
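
Added example, not part of the pull request or of either project: a POSIX shell lint for the three settings in the file described in the comment above, run before the container picks the file up. The helper name `check_bouncer_conf`, the http(s) scheme check, the world-readable check and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint /config/crowdsec/crowdsec-openresty-bouncer.conf.
# check_bouncer_conf is a hypothetical helper, not code from the pull request.
check_bouncer_conf() {
    conf=$1; enabled=''; api_url=''; api_key=''; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Parse KEY=VALUE lines. Split on the first '=' only, so a key that ends
    # in '=' (base64 padding) survives; accept a last line without a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            ENABLED=*) enabled=${line#*=} ;;
            API_URL=*) api_url=${line#*=} ;;
            API_KEY=*) api_key=${line#*=} ;;
        esac
    done < "$conf"

    case $enabled in
        true|false) ;;
        *) echo "ENABLED must be true or false, got '$enabled'" >&2; rc=1 ;;
    esac

    # An enabled bouncer needs both a URL and a key.
    if [ "$enabled" = true ]; then
        case $api_url in
            http://*|https://*) ;;   # scheme check is an assumption of this example
            *) echo "API_URL must be an http(s) URL" >&2; rc=1 ;;
        esac
        [ -n "$api_key" ] || { echo "API_KEY is empty" >&2; rc=1; }
    fi

    # API_KEY is a credential: flag a file that other users can read
    # (an assumption of this example, not a rule stated in the thread).
    if [ -n "$api_key" ] && [ -n "$(find "$conf" -prune -perm -0004)" ]; then
        echo "$conf holds API_KEY but is world-readable" >&2; rc=1
    fi
    return "$rc"
}

# Constructed sample: an enabled bouncer with a placeholder URL and key.
demo=$(mktemp)
printf '%s\n' 'ENABLED=true' 'API_URL=http://crowdsec.example:8080' \
    'API_KEY=PLACEHOLDER_KEY' > "$demo"
chmod 600 "$demo"
check_bouncer_conf "$demo" && echo "config OK"
rm -f "$demo"
```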

@jlesage
Owner

jlesage commented Feb 21, 2022

Why not integrate this new feature into Nginx Proxy Manager instead? The whole point of NPM is to provide a nice UI to ease configuration. Adding a new feature outside NPM is a quick way to implement it, but at the same time, it defeats the goal of the original project.

@LePresidente
Author

Think this fits more into an Nginx module that expands Nginx-proxy-manager than something Nginx-proxy-manager will handle and install by itself as it's a completely separate project and some people won't even want to enable it unless they have a crowdsec instance on their network.

I have a PR open on the main repo as well
NginxProxyManager/nginx-proxy-manager#1875

Maybe we should wait for upstream and see what is said there.

@LePresidente
Author

Though thinking about this a little more, I think having them separate is better in the long run as updates can be done independently and bug fixes to crowdsec don't mean a new docker release for NPM.

@jlesage
Owner

jlesage commented Feb 21, 2022

> Think this fits more into an Nginx module that expands Nginx-proxy-manager than something Nginx-proxy-manager will handle and install by itself as it's a completely separate project and some people won't even want to enable it unless they have a crowdsec instance on their network.

I think the software should come pre-installed into the container. I agree that it's not the job of NPM to install it. However, the NPM UI should offer an interface to enable and configure the feature. It's similar to Let's Encrypt: this is a piece of software completely independent from Nginx, but it is still well integrated into NPM.

> Though thinking about this a little more, I think having them separate is better in the long run as updates can be done independently and bug fixes to crowdsec don't mean a new docker release for NPM.

I think this method is good for advanced people, but I prefer to have containers that have "fixed" software implemented. This way, you provide containers with better predictability, meaning that a specific version "x.y.z" has more chance to behave the same way for everybody, as it does not depend on optional software that may or may not be installed. This also has the benefit of allowing people to revert back to a specific version in case of a problem with a particular image. And as developer of the image, this provides a better guarantee that a published image will work for everybody.

From the updatability point of view, I prefer to publish a new Docker image every time a piece of software is updated. This makes life easier for people, since only the container image needs to be updated. People don't need to manage multiple different updates. Again, this may not bother some people, but I think that the vast majority don't like to micro-manage their containers.

@LePresidente LePresidente changed the title Crowdsec Openresty Bouncer Support [WIP] Crowdsec Openresty Bouncer Support Feb 21, 2022
@LePresidente
Author

OK, I see what you're saying. Let me see what I can do.

@LePresidente
Author

OK, I think that fits the criteria. Waiting on any input in the main Nginx Proxy Manager about how to go about adding the settings into NPM.

@LePresidente LePresidente changed the title [WIP] Crowdsec Openresty Bouncer Support Crowdsec Openresty Bouncer Support Feb 23, 2022
@arsaboo

arsaboo commented Apr 12, 2022

Thanks for your work on this....would love for this to be available soon 👍

@LePresidente
Author

OK, this is pretty much done. It looks like it's going to be added upstream like this as well:
NginxProxyManager/docker-nginx-full#8

Was added before but found a weird openresty, lua memory bug when loading the whole ca-certs file for the captcha ban scenario

@bmunro-peralex

I'll rebase this again to a single commit, seems to be getting out of hand.

@PrzemekSkw

Hello, @jlesage, I use your container on unraid jlesage/nginx-proxy-manager. Is there any guide on how to set up crowdsec with that NPM?
Regards.
