diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf index f0b235e5..1de3fc41 100644 --- a/stacks/traefik/modules/traefik/main.tf +++ b/stacks/traefik/modules/traefik/main.tf @@ -101,12 +101,12 @@ resource "helm_release" "traefik" { "set -e; ", "STORAGE=/plugins-storage; ", "mkdir -p \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\"; ", - "wget -q -T 30 -O \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/v1.4.2.zip\" ", - "\"https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/archive/refs/tags/v1.4.2.zip\"; ", + "wget -q -T 30 -O \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/v1.6.0.zip\" ", + "\"https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/archive/refs/tags/v1.6.0.zip\"; ", "mkdir -p \"$STORAGE/archives/github.com/Aetherinox/traefik-api-token-middleware\"; ", "wget -q -T 30 -O \"$STORAGE/archives/github.com/Aetherinox/traefik-api-token-middleware/v0.1.4.zip\" ", "\"https://github.com/Aetherinox/traefik-api-token-middleware/archive/refs/tags/v0.1.4.zip\"; ", - "printf '{\"github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\":\"v1.4.2\",\"github.com/Aetherinox/traefik-api-token-middleware\":\"v0.1.4\"}' ", + "printf '{\"github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\":\"v1.6.0\",\"github.com/Aetherinox/traefik-api-token-middleware\":\"v0.1.4\"}' ", "> \"$STORAGE/archives/state.json\"; ", "echo \"Plugins pre-downloaded successfully\"", ])] @@ -232,7 +232,7 @@ resource "helm_release" "traefik" { plugins = { crowdsec-bouncer = { moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin" - version = "v1.4.2" + version = "v1.6.0" } # Static-token bearer/header auth middleware. Used by services that # need gateway-level API-key/bearer enforcement without app-layer auth diff --git a/stacks/traefik/modules/traefik/middleware.tf b/stacks/traefik/modules/traefik/middleware.tf index 5f758be4..9b9709c7 100644 --- a/stacks/traefik/modules/traefik/middleware.tf +++ b/stacks/traefik/modules/traefik/middleware.tf @@ -197,11 +197,25 @@ resource "kubernetes_manifest" "middleware_crowdsec" { crowdsec-bouncer = { crowdsecLapiKey = var.crowdsec_api_key crowdsecLapiHost = "crowdsec-service.crowdsec.svc.cluster.local:8080" - crowdsecMode = "stream" - updateMaxFailure = -1 # fail-open: serve from cache when LAPI is unreachable - redisCacheEnabled = true - redisCacheHost = var.redis_host - redisCacheUnreachableBlock = false # don't block traffic if Redis is also unreachable + # LIVE mode (synchronous per-request LAPI query), not stream: under + # Traefik's Yaegi interpreter the plugin's stream cache updates (it logs + # `handleStreamCache:updated`) but does NOT enforce the cached decisions + # — verified by a ban that was present in the LAPI stream AND pulled by + # the plugin yet still let the banned IP through. Live mode queries LAPI + # per request (result cached per-IP for defaultDecisionSeconds), enforces + # reliably, and picks up new decisions immediately. LAPI is 3-replica + + # in-cluster; fail-open preserved via updateMaxFailure=-1. + crowdsecMode = "live" + updateMaxFailure = -1 # fail-open if LAPI is unreachable + # Redis cache DISABLED: the plugin's redis client does not work under + # Traefik's Yaegi interpreter — it logs `cache:unreachable` even though + # redis-master is reachable+writable from the traefik ns (verified). With + # the redis cache enabled + redisCacheUnreachableBlock=false the bouncer + # therefore failed open and enforced nothing. In-memory cache (the + # default when disabled) holds the streamed decision set per-pod and + # works under Yaegi. Trade-off: captcha "already-solved" grace is + # per-pod across the 3 Traefik replicas (at worst an occasional re-solve). + redisCacheEnabled = false clientTrustedIPs = ["10.0.20.0/24", "10.10.0.0/16"] # node + pod CIDRs bypass CrowdSec # Captcha remediation: serve a Cloudflare Turnstile challenge for # `captcha`-type LAPI decisions instead of falling through to a 403