CrowdSec Fastly bouncer
Project description
📚 Documentation 💠 Hub 💬 Discourse
cs-fastly-bouncer
A bouncer that syncs the decisions made by CrowdSec with Fastly's VCL. Manages multi account, multi service setup. Supports IP, Country and AS scoped decisions.
Installation:
Using Docker wrapper (quickest)
Make sure you have docker and git installed.
git clone https://github.com/crowdsecurity/cs-fastly-bouncer
cd cs-fastly-bouncer
sudo ./install.sh
sudo crowdsec-fastly-bouncer \
-c /etc/crowdsec/bouncers/crowdsec-fastly-bouncer.yaml\
-g <FASTLY_TOKEN_1>,<FASTLY_TOKEN_2> \
-o /etc/crowdsec/bouncers/crowdsec-fastly-bouncer.yaml # generate config
sudo vim /etc/crowdsec/bouncers/crowdsec-fastly-bouncer.yaml # Review the generated config, add captcha keys etc.
sudo systemctl start crowdsec-fastly-bouncer
Note: The above installation runs the bouncer inside a docker container. Hence it will have access just to the config files which are mounted. By default /etc/crowdsec/bouncers/crowdsec-fastly-bouncer.yaml
and /var/log/crowdsec-fastly-bouncer.log
are mounted. To modify this behaviour please edit the file at /usr/local/bin/crowdsec-fastly-bouncer
Using python pip
Make sure you have python3.8+ installed. Now in a virtual environment run the following:
git clone https://github.com/crowdsecurity/cs-fastly-bouncer
cd cs-fastly-bouncer
pip install ./
crowdsec-fastly-bouncer -g <FASTLY_TOKEN_1>,<FASTLY_TOKEN_2> > config.yaml # generate config
vim config.yaml # Add crowdsec LAPI key, url, recaptcha keys etc
crowdsec-fastly-bouncer -c config.yaml # Run it !
See how to obtain fastly account tokens here. The tokens must have write access for the configured services.
Note: If your bouncer is not installed on the same machine than LAPI, don't forget to set the lapi_url
and lapi_key
in the configuration file /etc/crowdsec/bouncers/crowdsec-fastly-bouncer.yaml
Note: For captcha to work you must provide the recaptcha_site_key
and recaptcha_secret_key
for each service. Learn how here
Activate the new configuration:
After starting the bouncer, go in the fastly web UI. For each configured service review the version created by the bouncer. If everything looks good, you can activate the new configration !
Configuration:
crowdsec_config:
lapi_key: ${LAPI_KEY}
lapi_url: "http://localhost:8080/"
fastly_account_configs:
- account_token: # Obtain this from fastly
services:
- id: # The id of the service
recaptcha_site_key: # Required for captcha support
recaptcha_secret_key: # Required for captcha support
max_items: 5000 # max_items refers to the capacity of IP/IP ranges to ban/captcha.
activate: false # # Set to true, to activate the new config in production
reference_version: # version to clone/use
clone_reference_version: true # whether to clone the "reference_version".
captcha_cookie_expiry_duration: '1800' # Duration to persist the cookie containing proof of solving captcha
update_frequency: 10 # Duration in seconds to poll the crowdsec API
log_level: info # Valid choices are either of "debug","info","warning","error"
log_mode: file # Valid choices are "file" or "stdout" or "stderr"
log_file: /var/log/crowdsec-fastly-bouncer.log # Ignore if logging to stdout or stderr
Helpers:
The bouncer has few builtin helper features:
Auto config generator:
Usage:
sudo crowdsec-fastly-bouncer -c <PATH_TO_BASE_CONFIG>\
-g <FASTLY_TOKEN_1>,<FASTLY_TOKEN_2>
This will print boilerplate config with sane defaults for the provided comma separted fastly tokens. Always review the generated config before proceeding further.
Crowdsec config is copied from the config at PATH_TO_BASE_CONFIG
.
Cleaner:
Usage:
sudo crowdsec-fastly-bouncer -c <PATH_TO_BASE_CONFIG> -d
This deletes the fastly resources created by the bouncer. It only works if the configured service version is not locked. It is useful for quick iteration before activateing the new service.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for crowdsec-fastly-bouncer-0.0.1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 88d9c8345ff886ef2e3d396059f09548bd604d93255e929b44a07d3250ef4508 |
|
MD5 | efa6b996c184086dcbb647efbe9c4b5d |
|
BLAKE2b-256 | fdae0abfdf1e23a8b08e68d5e2b33d29973f39c1ec668616f974a18f0dc597fb |
Hashes for crowdsec_fastly_bouncer-0.0.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 8df2e3c25a0d9ef78cb2a5075a73426c9a8802ee93b6b2ef8ee5a269505f258a |
|
MD5 | b103292cb14a9316a3f2742eac79943a |
|
BLAKE2b-256 | 8d7f001565bd17557a47d26a7e2d78fec59820c5abd94eaa9202992f1b60962c |