Messages - Zenturio

#1
24.7, 24.10 Legacy Series / Re: HaProxy and Crowdsec
January 15, 2025, 02:16:20 AM
Quote from: cookiemonster on October 21, 2024, 11:09:25 PM
Yes I did and made a small How-To here https://forum.opnsense.org/index.php?topic=44839.0

And you are correct, and my suspicion also was the same thinking. There is no use in giving the HA logs to Crowdsec for that very reason. It is not aware how to process them. With my how-to, we make it aware.


This is great!
Thank you very much for your effort.

btw.
You can use these conditions and rules to forward the X-Forwarded-For header to the application if you're behind a Cloudflare proxy. That way the application sees the real client IP and can make decisions based on it.

 # Conditions (ACLs): only trust proxy headers when the connection really comes from Cloudflare
 acl acl1 src -f /var/haproxy/CF_ips.lst
 acl acl2 req.hdr(CF-Connecting-IP) -m found

 # ACTION: Cloudflare_real_ip - overwrite X-Forwarded-For with Cloudflare's client IP
 http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if acl1 acl2
 # ACTION: cf_set_scr - make HAProxy treat that IP as the source (logs, stick tables, bouncer)
 http-request set-src hdr(x-forwarded-for) if acl1
 # ACTION: cf_set_var - flag the transaction as Cloudflare-originated for later rules
 http-request set-var(txn.sess.cloudflare) always_true if acl1

Hit me up if you need more details
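To make the trust boundary in those rules concrete, here is a small model of them (an added example, not code from the post or from the OPNsense HAProxy plugin): it loads a CF_ips.lst-style file, evaluates acl1/acl2 and applies the three actions, so you can see that a connection arriving from outside the Cloudflare ranges keeps its real source address even when it carries forged CF-Connecting-IP or X-Forwarded-For headers. The CIDRs and addresses are constructed documentation ranges, not Cloudflare's real ones.

```python
import ipaddress

# Constructed stand-in for /var/haproxy/CF_ips.lst (one CIDR per line, the
# format "src -f" reads). These are documentation ranges, NOT Cloudflare's
# real ones; build the real file from https://www.cloudflare.com/ips/.
CF_IPS_LST = """\
# comments and blank lines are tolerated by the loader below
203.0.113.0/24
2001:db8:cf::/48
"""


def load_cidr_list(text):
    """Parse a 'src -f' style file into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def apply_cloudflare_rules(src, headers, cf_nets):
    """Model the three posted http-request rules for one request.
    src     -- peer address HAProxy sees on the TCP connection
    headers -- request headers as a dict (matched case-insensitively)
    Returns (effective source, X-Forwarded-For seen by the backend, txn.sess.cloudflare).
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    acl1 = any(ipaddress.ip_address(src) in net for net in cf_nets)  # src -f CF_ips.lst
    acl2 = "cf-connecting-ip" in hdr                 # req.hdr(CF-Connecting-IP) -m found

    xff = hdr.get("x-forwarded-for")
    if acl1 and acl2:                                # ACTION: Cloudflare_real_ip
        xff = hdr["cf-connecting-ip"]

    effective_src = src
    if acl1 and xff:                                 # ACTION: cf_set_scr
        # hdr() yields the last comma-separated value; set-src is modelled as a
        # no-op when that value is not a valid address (assumption).
        try:
            effective_src = str(ipaddress.ip_address(xff.split(",")[-1].strip()))
        except ValueError:
            pass

    return effective_src, xff, acl1                  # ACTION: cf_set_var

CF_NETS = load_cidr_list(CF_IPS_LST)
```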



#2
24.7, 24.10 Legacy Series / Re: HaProxy and Crowdsec
January 13, 2025, 03:04:36 AM
Quote from: Monviech (Cedrik) on October 12, 2024, 05:25:31 PM
Quote from: JLDC on October 12, 2024, 04:50:01 PM
For me, I use Cloudflare proxy and my WAN only accepts inbound from the Cloudflare IP ranges (https://www.cloudflare.com/ips/). That's all the firewall sees, so it can't block by the remote IP that nginx sees. I could set up the bouncer on each one of my services but would prefer to have it right on the reverse proxy.

Now the use case is taking shape. OPNsense won't see the proxy protocol or X-Forwarded-For header, and a block on the OPNsense firewall level would be useless.

As written above, it is trivial to add crowdsec to the existing caddy plugin.


This would also be my use case for Cloudflare. You can pass the X-Forwarded-For header from Cloudflare's CF-Connecting-IP. For this to work, the bounce has to happen at Layer 7.
--

Also, the log parser for HAProxy, which should trigger the firewall bouncer, doesn't seem to work because the log files are not in the standard format on OPNsense, I guess.

Current metrics:

- (Parser) crowdsecurity/haproxy-logs:
╭──────────────────────────────────┬──────┬────────┬──────────╮
│ Parsers                          │ Hits │ Parsed │ Unparsed │
├──────────────────────────────────┼──────┼────────┼──────────┤
│ file:/var/log/haproxy/latest.log │ 115  │ 0      │ 115      │
╰──────────────────────────────────┴──────┴────────┴──────────╯





Quote from: cookiemonster on October 21, 2024, 11:09:25 PM
Update. It seems to be working correctly and serving both bans and captchas.
One last thing to diagnose is a loop I get on the captcha, or more specifically the bot-catching "captcha" aka turnstile. Almost there, I think.
I've asked crowdsec in various places now, just awaiting input.

Did you get it to work?



Maybe we can also ping this guy if you found the solution :)
https://forum.opnsense.org/index.php?topic=39377.0

#3
24.7, 24.10 Legacy Series / HaProxy and Crowdsec
September 23, 2024, 09:59:47 PM
I'm running OPNsense 24.7 with HAProxy and Crowdsec. I have several services running behind HAProxy, some of them with Crowdsec log parsers installed, reporting to the OPNsense Crowdsec LAPI. The firewall bouncer works great with this setup, but I also want to block traffic at Layer 7 directly on HAProxy. This is where the Crowdsec HAProxy Bouncer comes into play, but I can't get it running on OPNsense. Is there any chance to get the bouncer working?

https://github.com/crowdsecurity/cs-haproxy-bouncer
https://www.crowdsec.net/blog/the-haproxy-bouncer-is-out
https://docs.crowdsec.net/u/bouncers/haproxy/