HaProxy and Crowdsec

Started by Zenturio, September 23, 2024, 09:59:47 PM

January 13, 2025, 03:04:36 AM #15 Last Edit: January 13, 2025, 03:39:07 AM by Zenturio
Quote from: Monviech (Cedrik) on October 12, 2024, 05:25:31 PM
Quote from: JLDC on October 12, 2024, 04:50:01 PM
For me, I use Cloudflare proxy and my WAN only accepts inbound from the Cloudflare IP ranges (https://www.cloudflare.com/ips/). That's all the firewall sees, so it can't block by the remote IP that nginx sees. I could set up the bouncer on each one of my services but would prefer to have it right on the reverse proxy.

Now the use case is taking shape. OPNsense won't see the proxy protocol or the X-Forwarded-For header, and a block at the OPNsense firewall level would be useless.

As written above, it is trivial to add CrowdSec to the existing Caddy plugin.


This would also be my use case for Cloudflare. You can pass the X-Forwarded-For header from Cloudflare's CF-Connecting-IP. For this to work, the bounce has to happen at Layer 7.
--

Also, the log parser for HAProxy, which should trigger the firewall bouncer, doesn't seem to work, because the log files are not in the standard format on OPNsense, I guess.

Current metrics:

- (Parser) crowdsecurity/haproxy-logs:
╭──────────────────────────────────┬──────┬────────┬──────────╮
│ Parsers                          │ Hits │ Parsed │ Unparsed │
├──────────────────────────────────┼──────┼────────┼──────────┤
│ file:/var/log/haproxy/latest.log │ 115  │ 0      │ 115      │
╰──────────────────────────────────┴──────┴────────┴──────────╯

Quote from: cookiemonster on October 21, 2024, 11:09:25 PM
Update. It seems to be working correctly and serving both bans and captchas.
One last thing to diagnose is a loop I get on the captcha, or more specifically the bot-catching "captcha" aka Turnstile. Almost there, I think.
I've asked CrowdSec in various places now, just awaiting input.

Did you get it to work?



Maybe we can also ping this guy if you found the solution :)
https://forum.opnsense.org/index.php?topic=39377.0

Quote from: cookiemonster on October 21, 2024, 11:09:25 PM
Update. It seems to be working correctly and serving both bans and captchas.
One last thing to diagnose is a loop I get on the captcha, or more specifically the bot-catching "captcha" aka Turnstile. Almost there, I think.
I've asked CrowdSec in various places now, just awaiting input.


Did you get it to work?

Yes I did, and made a small How-To here: https://forum.opnsense.org/index.php?topic=44839.0

And you are correct; my suspicion was also the same thinking. There is no use in giving the HAProxy logs to CrowdSec for that very reason: it is not aware of how to process them. With my how-to, we make it aware.

Quote from: cookiemonster on October 21, 2024, 11:09:25 PM
Yes I did, and made a small How-To here: https://forum.opnsense.org/index.php?topic=44839.0

And you are correct; my suspicion was also the same thinking. There is no use in giving the HAProxy logs to CrowdSec for that very reason: it is not aware of how to process them. With my how-to, we make it aware.


This is great!
Thank you very much for your effort.

BTW, you can use these conditions and rules to forward the X-Forwarded-For header to the application if you're behind a Cloudflare proxy. That way the application sees the real client IP and can make decisions based on it.

    # Conditions (HAProxy ACLs): acl1 = connection comes from a Cloudflare edge address,
    # acl2 = Cloudflare's CF-Connecting-IP header is present on the request
    acl acl1  src -f /var/haproxy/CF_ips.lst
    acl acl2  req.hdr(CF-Connecting-IP) -m found

    # ACTION: Cloudflare_real_ip
    # Copy the real client address into X-Forwarded-For, only for traffic that really came via Cloudflare
    http-request set-header X-Forwarded-For %[req.hdr(CF-Connecting-IP)] if acl1 acl2
    # ACTION: cf_set_scr
    # Let HAProxy treat the forwarded address as the connection source (logs, src-based ACLs, stick tables)
    http-request set-src hdr(x-forwarded-for) if acl1
    # ACTION: cf_set_var
    # Mark the transaction as Cloudflare-originated so later rules can check txn.sess.cloudflare
    http-request set-var(txn.sess.cloudflare) always_true if acl1

Hit me up if you need more details.
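The trust decision those three rules encode, as an added Python illustration that is not part of the post or of the OPNsense plugin: CF-Connecting-IP is honoured only when the connection itself arrives from an address in the Cloudflare list (acl1); a forwarded header from any other source leaves the connection source untouched. The list contents below are constructed documentation ranges, not Cloudflare's real list, and the "absent or non-IP value leaves src unchanged" behaviour is an assumption about HAProxy's set-src.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed stand-in for /var/haproxy/CF_ips.lst (RFC 5737 / RFC 3849 documentation
# ranges, NOT Cloudflare's published list): one network per line, '#' comments allowed.
CF_IPS_LST = """
203.0.113.0/24      # constructed "Cloudflare edge" IPv4 range
198.51.100.0/24
2001:db8:cf::/48    # constructed IPv6 range
"""


def load_ranges(text: str) -> list:
    """Parse a HAProxy-style 'src -f' address list into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def apply_cloudflare_rules(src: str, headers: Dict[str, str], cf_ranges: list) -> Tuple[str, Dict[str, str], bool]:
    """Model the three http-request rules. Returns (effective_src, headers, txn.sess.cloudflare)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    addr = ipaddress.ip_address(src)
    acl1 = any(addr in net for net in cf_ranges)          # acl1: src -f CF_ips.lst
    acl2 = "cf-connecting-ip" in hdrs                     # acl2: req.hdr(CF-Connecting-IP) -m found

    # ACTION Cloudflare_real_ip: only Cloudflare-sourced connections may rewrite X-Forwarded-For
    if acl1 and acl2:
        hdrs["x-forwarded-for"] = hdrs["cf-connecting-ip"]

    # ACTION cf_set_scr: adopt the forwarded address as the connection source.
    # Assumption: as with HAProxy's set-src, an absent or non-IP value leaves src unchanged.
    effective_src = src
    if acl1 and "x-forwarded-for" in hdrs:
        try:
            effective_src = str(ipaddress.ip_address(hdrs["x-forwarded-for"].strip()))
        except ValueError:
            pass

    # ACTION cf_set_var: txn.sess.cloudflare is true exactly when acl1 matched
    return effective_src, hdrs, acl1
```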