traefik/crowdsec: switch bouncer to live mode (stream cache doesn't enforce under Yaegi)

After bumping to v1.6.0 (stream goroutine runs) and disabling redis (in-memory
cache), the plugin logs `handleStreamCache:updated` but still does NOT enforce:
a ban present in the LAPI stream AND pulled by the plugin still let the banned IP
through. Stream-mode decision matching is unreliable under Traefik's Yaegi
interpreter here. Switch crowdsecMode stream->live: the plugin queries LAPI
synchronously per request (result cached per-IP for defaultDecisionSeconds), which
enforces reliably and picks up new decisions immediately. LAPI is 3-replica +
in-cluster so per-request latency is small; fail-open preserved (updateMaxFailure=-1).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Viktor Barzin 2026-06-19 17:43:30 +00:00
parent 0cc48d83ac
commit dd029ca7fb


@ -197,8 +197,16 @@ resource "kubernetes_manifest" "middleware_crowdsec" {
crowdsec-bouncer = { crowdsec-bouncer = {
crowdsecLapiKey = var.crowdsec_api_key crowdsecLapiKey = var.crowdsec_api_key
crowdsecLapiHost = "crowdsec-service.crowdsec.svc.cluster.local:8080" crowdsecLapiHost = "crowdsec-service.crowdsec.svc.cluster.local:8080"
crowdsecMode = "stream" # LIVE mode (synchronous per-request LAPI query), not stream: under
updateMaxFailure = -1 # fail-open: serve from cache when LAPI is unreachable # Traefik's Yaegi interpreter the plugin's stream cache updates (it logs
# `handleStreamCache:updated`) but does NOT enforce the cached decisions
# verified by a ban that was present in the LAPI stream AND pulled by
# the plugin yet still let the banned IP through. Live mode queries LAPI
# per request (result cached per-IP for defaultDecisionSeconds), enforces
# reliably, and picks up new decisions immediately. LAPI is 3-replica +
# in-cluster; fail-open preserved via updateMaxFailure=-1.
crowdsecMode = "live"
updateMaxFailure = -1 # fail-open if LAPI is unreachable
# Redis cache DISABLED: the plugin's redis client does not work under # Redis cache DISABLED: the plugin's redis client does not work under
# Traefik's Yaegi interpreter it logs `cache:unreachable` even though # Traefik's Yaegi interpreter it logs `cache:unreachable` even though
# redis-master is reachable+writable from the traefik ns (verified). With # redis-master is reachable+writable from the traefik ns (verified). With
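Review bot: the new comment block says live-mode results are "cached per-IP for defaultDecisionSeconds", but this hunk does not set `defaultDecisionSeconds`; either set it explicitly next to `crowdsecMode = "live"` or state the plugin default the comment relies on, because that value now bounds how long a stale per-IP allow or deny survives after a decision changes in LAPI. The fail-open comment (`updateMaxFailure = -1 # fail-open if LAPI is unreachable`) should also spell out what that means in live mode: while LAPI is unreachable, requests from IPs with no cached decision pass through, so the outage window is unprotected and deserves a LAPI-availability alert rather than only a code comment. Minor: the retained comment `# Traefik's Yaegi interpreter it logs ...` reads as a run-on; a colon or semicolon after "interpreter" would fix it.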