Merge pull request 'Fix CrowdSec firewall-bouncer tar + CF WAF ruleset import' (#3) from wizard/crowdsec-fixes into master
Some checks failed
ci/woodpecker/push/default Pipeline failed
Some checks failed
ci/woodpecker/push/default Pipeline failed
This commit is contained in:
commit
58fc6d5061
2 changed files with 38 additions and 13 deletions
|
|
@ -161,11 +161,13 @@ resource "kubernetes_daemon_set_v1" "firewall_bouncer" {
|
||||||
curl -fsSL "${local.firewall_bouncer_tgz_url}" -o /tmp/fb.tgz
|
curl -fsSL "${local.firewall_bouncer_tgz_url}" -o /tmp/fb.tgz
|
||||||
# Archive layout (verified @ v0.0.34): a single versioned top dir
|
# Archive layout (verified @ v0.0.34): a single versioned top dir
|
||||||
# `crowdsec-firewall-bouncer-vX.Y.Z/` containing the binary plus
|
# `crowdsec-firewall-bouncer-vX.Y.Z/` containing the binary plus
|
||||||
# config/, scripts/, install.sh. Strip that dir and extract ONLY the
|
# config/, scripts/, install.sh. The curl image is BusyBox, whose
|
||||||
# binary — the `*/crowdsec-firewall-bouncer` glob matches one path
|
# tar lacks GNU --wildcards/--strip-components selection — so extract
|
||||||
# segment after the top dir, so config/...yaml is NOT pulled.
|
# everything to a scratch dir, then cp ONLY the binary out via a
|
||||||
tar -xzf /tmp/fb.tgz -C /opt/firewall-bouncer --strip-components=1 \
|
# shell glob (`*/` matches the single versioned top dir).
|
||||||
--wildcards '*/crowdsec-firewall-bouncer'
|
mkdir -p /tmp/fb-extract
|
||||||
|
tar -xzf /tmp/fb.tgz -C /tmp/fb-extract
|
||||||
|
cp /tmp/fb-extract/*/crowdsec-firewall-bouncer ${local.firewall_bouncer_bin_path}
|
||||||
chmod +x ${local.firewall_bouncer_bin_path}
|
chmod +x ${local.firewall_bouncer_bin_path}
|
||||||
echo "Fetched: $(ls -l ${local.firewall_bouncer_bin_path})"
|
echo "Fetched: $(ls -l ${local.firewall_bouncer_bin_path})"
|
||||||
EOT
|
EOT
|
||||||
|
|
|
||||||
|
|
@ -99,26 +99,49 @@ resource "cloudflare_list" "crowdsec_captcha" {
|
||||||
# config.tfvars). Hardcoded here (with the conventional marker comment) because
|
# config.tfvars). Hardcoded here (with the conventional marker comment) because
|
||||||
# the rybbit stack does not import the ingress_factory module.
|
# the rybbit stack does not import the ingress_factory module.
|
||||||
# -----------------------------------------------------------------------------
|
# -----------------------------------------------------------------------------
|
||||||
resource "cloudflare_ruleset" "crowdsec" {
|
# Cloudflare allows only ONE entrypoint ruleset per zone+phase, and the zone
|
||||||
zone_id = "fd2c5dd4efe8fe38958944e74d0ced6d" # cloudflare_zone_id (viktorbarzin.me)
|
# already has the stock `default` http_request_firewall_custom ruleset (created
|
||||||
name = "crowdsec-ip-enforcement"
|
# out-of-band, id 106a1342bc88454ea59c47ad3431fe0e). Creating a second one fails
|
||||||
description = "Block/challenge IPs CrowdSec flagged (synced from LAPI into CF IP Lists)"
|
# the singleton constraint, so we IMPORT the existing ruleset and manage all of
|
||||||
kind = "zone"
|
# its rules here: our CrowdSec ban/captcha rules FIRST, and the pre-existing
|
||||||
phase = "http_request_firewall_custom"
|
# (currently disabled) skip rule preserved verbatim below it.
|
||||||
|
import {
|
||||||
|
to = cloudflare_ruleset.crowdsec
|
||||||
|
id = "fd2c5dd4efe8fe38958944e74d0ced6d/106a1342bc88454ea59c47ad3431fe0e"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "cloudflare_ruleset" "crowdsec" {
|
||||||
|
zone_id = "fd2c5dd4efe8fe38958944e74d0ced6d" # cloudflare_zone_id (viktorbarzin.me)
|
||||||
|
name = "default"
|
||||||
|
kind = "zone"
|
||||||
|
phase = "http_request_firewall_custom"
|
||||||
|
|
||||||
|
# CrowdSec ban — evaluated FIRST so a banned IP is blocked before anything else.
|
||||||
rules {
|
rules {
|
||||||
action = "block"
|
action = "block"
|
||||||
expression = "(ip.src in $crowdsec_ban)"
|
expression = "(ip.src in $crowdsec_ban)"
|
||||||
description = "CrowdSec: block banned IPs"
|
description = "CrowdSec: block banned IPs"
|
||||||
enabled = true
|
enabled = true
|
||||||
}
|
}
|
||||||
|
# CrowdSec captcha — managed challenge for flagged IPs.
|
||||||
rules {
|
rules {
|
||||||
action = "managed_challenge"
|
action = "managed_challenge"
|
||||||
expression = "(ip.src in $crowdsec_captcha)"
|
expression = "(ip.src in $crowdsec_captcha)"
|
||||||
description = "CrowdSec: managed-challenge captcha'd IPs"
|
description = "CrowdSec: challenge flagged IPs"
|
||||||
enabled = true
|
enabled = true
|
||||||
}
|
}
|
||||||
|
# Pre-existing rule, imported and preserved verbatim (currently disabled).
|
||||||
|
rules {
|
||||||
|
action = "skip"
|
||||||
|
expression = "(http.host contains \"viktorbarzin.me\")"
|
||||||
|
description = "skip"
|
||||||
|
enabled = false
|
||||||
|
action_parameters {
|
||||||
|
phases = ["http_ratelimit", "http_request_firewall_managed", "http_request_sbfm"]
|
||||||
|
products = ["uaBlock", "bic", "hot", "securityLevel", "rateLimit", "waf", "zoneLockdown"]
|
||||||
|
ruleset = "current"
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# -----------------------------------------------------------------------------
|
# -----------------------------------------------------------------------------
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue