
Traefik Bouncer

Prerequisites

Already deployed:

✅ Docker swarm cluster with persistent shared storage

✅ Traefik

✅ CrowdSec

Before proceeding, please follow this guide to set up CrowdSec first.

Crowdsec

Enable Bouncer

PLEASE NOTE

In Swarm mode, you first need to find the name or ID of your CrowdSec container, because cscli runs inside it.

The API key is shown only once, when the bouncer is registered. Make sure to note it down somewhere safe.

Find which node the container is deployed on

sudo docker service ps crowdsec_app

If CrowdSec is deployed on node 2, SSH to node 2 and find the container name by running:

sudo docker ps

You will see a container name like crowdsec_app.1.aaabbbccc.

Run this command to register the bouncer and get its API key:

sudo docker exec crowdsec_app.1.aaabbbccc cscli bouncers add traefik-bouncer

After getting the API key, go back to the first node.

OR

If you use Portainer, you can open the built-in console on the CrowdSec container, then run:

cscli bouncers add traefik-bouncer

Stack

First, cd to the crowdsec directory:

cd /var/data/crowdsec

Edit crowdsec-stack.yaml:

sudo micro crowdsec-stack.yaml

Adding the API and Collection

Now we need to add the Traefik collection to the CrowdSec compose file, and add the bouncer service with the API key you just generated.

version: "3.9"

services:
  security:
    image: crowdsecurity/crowdsec:latest
    environment:
      - PGID=1000
      - TZ=Asia/Jakarta
      # Traefik parsers/scenarios, plus the generic HTTP CVE and Linux collections
      - COLLECTIONS=crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/linux
    networks:
      - traefik_proxy
    volumes:
      - /var/data/crowdsec:/etc/crowdsec
      - /var/data/crowdsec/data:/var/lib/crowdsec/data
      - /var/data/crowdsec/log/auth.log:/var/log/auth.log:ro
      # Traefik access log, mounted read-only; acquis.yaml below reads it from this path
      - /var/data/traefik/log/access.log:/var/log/traefik/access.log:ro
    deploy:
      mode: replicated
      replicas: 1

  bouncer:
    image: fbonalair/traefik-crowdsec-bouncer:latest
    environment:
      - TZ=Asia/Jakarta
      # the key printed by `cscli bouncers add traefik-bouncer`
      - CROWDSEC_BOUNCER_API_KEY=PUT_YOUR_BOUNCER_API_KEY_HERE
      # <stack name>_<service name>: the LAPI of the security service above
      - CROWDSEC_AGENT_HOST=crowdsec_security:8080
      - GIN_MODE=release
    networks:
      - traefik_proxy
    deploy:
      mode: replicated
      replicas: 1

networks:
  traefik_proxy:
    external: true

Mapping the Log File

sudo micro acquis.yaml

Add the following lines so CrowdSec reads the Traefik access log mounted above:

---
filenames:
  - /var/log/traefik/*.log
labels:
  type: traefik

Traefik

Add the CrowdSec Middleware

Edit the traefik.yaml file:

sudo micro /var/data/traefik/config/traefik.yaml

Add the middleware to both entry points:

# check to be sure you have your middleware set for both http and https
entryPoints:
  http:
    address: ":80"
    http:
      middlewares:
        - crowdsec-bouncer@file
  https:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file

Edit Dynamic Configuration File

sudo micro /var/data/traefik/config/config.yaml

Add crowdsec-bouncer to the middlewares section (under http: -> middlewares:). Traefik forwards each request to the bouncer, which answers 200 to let it through or 403 when the client IP has an active CrowdSec decision:

    crowdsec-bouncer:
      forwardauth:
        # <stack name>_<service name> of the bouncer defined in crowdsec-stack.yaml
        address: http://crowdsec_bouncer:8080/api/v1/forwardAuth
        trustForwardHeader: true

Restart CrowdSec and Traefik

sudo docker stack deploy crowdsec -c crowdsec-stack.yaml
cd /var/data/traefik; sudo docker stack deploy traefik -c traefik-stack.yaml
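Added helper script for the two steps above that are easiest to get wrong: pasting the bouncer API key into crowdsec-stack.yaml, and confirming after the redeploy that Traefik's forwardAuth path really blocks a banned address. This is an added example, not part of this guide or of the CrowdSec/Traefik projects. It assumes the stack and service names used on this page (network traefik_proxy, bouncer reachable at crowdsec_bouncer:8080), that the bouncer honours the X-Forwarded-For / X-Real-Ip headers for the client address (an assumption about the fbonalair image), and that the curlimages/curl image can be pulled to run the probe from inside the swarm network. The test IPs are constructed from the TEST-NET-3 range and are never routed.

```shell
#!/usr/bin/env bash
# Added example (not from the guide). Usage:
#   ./bouncer-check.sh set-key /var/data/crowdsec/crowdsec-stack.yaml '<key from cscli>'
#   ./bouncer-check.sh verify crowdsec_app.1.aaabbbccc   # container name from `docker ps`
set -eu

PLACEHOLDER="PUT_YOUR_BOUNCER_API_KEY_HERE"

# Write the key printed by `cscli bouncers add traefik-bouncer` into the stack
# file. Only the CROWDSEC_BOUNCER_API_KEY line is touched; an empty key or a
# file where the placeholder is already gone is treated as an error.
set_bouncer_key() {
  file="$1"; key="$2"
  [ -n "$key" ] || { echo "empty API key" >&2; return 1; }
  grep -q "CROWDSEC_BOUNCER_API_KEY=${PLACEHOLDER}" "$file" || {
    echo "placeholder not found in $file (already replaced?)" >&2; return 1; }
  # '|' as the sed delimiter: cscli keys may contain '/' and '='
  sed -i "s|CROWDSEC_BOUNCER_API_KEY=${PLACEHOLDER}|CROWDSEC_BOUNCER_API_KEY=${key}|" "$file"
}

# Returns 0 when the placeholder is gone. Deploying with it left in place gives
# you a bouncer that can never authenticate to the LAPI, so every check fails.
check_placeholder() {
  ! grep -q "$PLACEHOLDER" "$1"
}

# $1 = observed HTTP status, $2 = expected; non-zero with a message on mismatch.
expect_status() {
  if [ "$1" = "$2" ]; then return 0; fi
  echo "bouncer returned HTTP $1, expected $2" >&2
  return 1
}

# Ask the bouncer about one client IP the way Traefik's forwardAuth does.
# Runs curl inside the traefik_proxy network because the bouncer publishes no
# host port. Assumed: curlimages/curl image and header-based client IP lookup.
probe() {
  sudo docker run --rm --network traefik_proxy curlimages/curl:latest \
    -s -o /dev/null -w '%{http_code}' \
    -H "X-Forwarded-For: $1" -H "X-Real-Ip: $1" \
    http://crowdsec_bouncer:8080/api/v1/forwardAuth
}

# End-to-end check after `docker stack deploy`: a clean IP must pass (200),
# a freshly banned IP must be refused (403). The temporary decision is removed
# again whether or not the probe matched. $1 = crowdsec container name.
verify_bouncer() {
  container="$1"
  clean_ip="203.0.113.98"    # constructed TEST-NET-3 addresses
  banned_ip="203.0.113.99"
  expect_status "$(probe "$clean_ip")" 200
  sudo docker exec "$container" cscli decisions add \
    --ip "$banned_ip" --duration 2m --reason "bouncer self-test"
  sleep 2   # small margin in case the bouncer caches LAPI answers
  status="$(probe "$banned_ip")"
  sudo docker exec "$container" cscli decisions delete --ip "$banned_ip"
  expect_status "$status" 403
}

case "${1:-}" in
  set-key) set_bouncer_key "$2" "$3" && check_placeholder "$2" && echo "key set in $2" ;;
  verify)  verify_bouncer "$2" && echo "bouncer blocks banned IPs: OK" ;;
esac
```

Run set-key on the first node before `docker stack deploy`, and verify from any swarm node once both stacks are up; a 403 for the banned probe and 200 for the clean one confirms the key, the LAPI host name and the Traefik middleware wiring all line up. If the clean probe already returns 403, check `cscli decisions list` for a stale decision before suspecting the configuration.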