Add HAProxy bouncer
This commit is contained in:
parent
443ba7e23a
commit
55434a3bba
98
tasks/haproxy-plugin.yml
Normal file
98
tasks/haproxy-plugin.yml
Normal file
|
|
@ -0,0 +1,98 @@
|
|||
---
|
||||
- name: Create a bouncers directory if it does not exist
|
||||
ansible.builtin.file:
|
||||
path: /etc/crowdsec/bouncers/
|
||||
state: directory
|
||||
mode: '0750'
|
||||
when:
|
||||
- crowdsec_haproxy is True
|
||||
tags:
|
||||
- haproxy-plugin
|
||||
|
||||
- name: Check if firewall is registered to lapi
|
||||
ansible.builtin.shell: "cscli bouncers list | grep -q haproxy_{{ ansible_fqdn }}"
|
||||
register: bouncers_status
|
||||
failed_when: bouncers_status.rc not in [0,1]
|
||||
delegate_to: "{{ crowdsec_lapi_server }}"
|
||||
when:
|
||||
- crowdsec_haproxy is True
|
||||
tags:
|
||||
- haproxy-plugin
|
||||
|
||||
- name: Register bouncer on LAPI
|
||||
ansible.builtin.shell: "cscli bouncers add haproxy_{{ ansible_fqdn }} -o raw "
|
||||
register: api_key
|
||||
when: bouncers_status.rc == 1
|
||||
delegate_to: "{{ crowdsec_lapi_server }}"
|
||||
when:
|
||||
- crowdsec_haproxy is True
|
||||
tags:
|
||||
- haproxy-plugin
|
||||
|
||||
- set_fact:
|
||||
api_key_str: "{{ api_key.stdout }}"
|
||||
when:
|
||||
- api_key.skipped is not defined
|
||||
- crowdsec_haproxy is True
|
||||
tags:
|
||||
- haproxy-plugin
|
||||
|
||||
- name: Get API key from config
|
||||
ansible.builtin.shell: cat /etc/crowdsec/bouncers/crowdsec-haproxy-bouncer.conf | grep API_KEY | cut -f2 -d "="
|
||||
register: api_key
|
||||
when:
|
||||
- bouncers_status.rc == 0
|
||||
- crowdsec_haproxy is True
|
||||
tags:
|
||||
- haproxy-plugin
|
||||
|
||||
- set_fact:
|
||||
api_key_str: "{{ api_key.stdout }}"
|
||||
when:
|
||||
- api_key.skipped is not defined
|
||||
- crowdsec_haproxy is True
|
||||
tags:
|
||||
- haproxy-plugin
|
||||
|
||||
- name: Add configuration to haproxy
|
||||
ansible.builtin.template:
|
||||
src: crowdsec_haproxy.conf.j2
|
||||
dest: "/etc/haproxy/conf.d/crowdsec_haproxy.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: crowdsec-haproxy-restart
|
||||
when:
|
||||
- crowdsec_haproxy is True
|
||||
tags:
|
||||
- haproxy-plugin
|
||||
|
||||
- name: Add configuration to crowdsec firewall
|
||||
ansible.builtin.template:
|
||||
src: crowdsec-haproxy.j2
|
||||
dest: "/etc/crowdsec/bouncers/crowdsec-haproxy-bouncer.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0640
|
||||
notify: crowdsec-haproxy-restart
|
||||
when:
|
||||
- crowdsec_haproxy is True
|
||||
tags:
|
||||
- haproxy-plugin
|
||||
|
||||
- name: Crowdsec apt update and install Crowdsec
|
||||
ansible.builtin.package:
|
||||
update_cache: true
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
ignore_errors: true
|
||||
when:
|
||||
- crowdsec_haproxy is True
|
||||
loop:
|
||||
- lua5.1
|
||||
- luarocks
|
||||
- gettext-base
|
||||
- lua-cjson
|
||||
- crowdsec-haproxy-bouncer
|
||||
tags:
|
||||
- haproxy-plugin
|
||||
|
|
@ -25,4 +25,10 @@
|
|||
- nginx-plugin
|
||||
when: crowdsec_nginx is defined
|
||||
|
||||
- name: Install and configure haproxy plugin
|
||||
include_tasks: haproxy-plugin.yml
|
||||
tags:
|
||||
- haproxy-plugin
|
||||
when: crowdsec_haproxy is defined
|
||||
|
||||
|
||||
|
|
|
|||
28
templates/crowdsec-haproxy.j2
Normal file
28
templates/crowdsec-haproxy.j2
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
API_KEY={{ api_key_str }}
|
||||
# bounce for all type of remediation that the bouncer can receive from the local API
|
||||
BOUNCING_ON_TYPE={{ crowdsec_haproxy_bouncing_type | default('all') }}
|
||||
# when the bouncer receive an unknown remediation, fallback to this remediation
|
||||
#FALLBACK_REMEDIATION=ban
|
||||
MODE={{ crowdsec_haproxy_mode | default('stream') }}
|
||||
REQUEST_TIMEOUT=1000
|
||||
# exclude the bouncing on those location
|
||||
EXCLUDE_LOCATION={{ crowdsec_haproxy_exclude_location | default('') }}
|
||||
# Cache expiration in live mode, in second
|
||||
CACHE_EXPIRATION={{ crowdsec_haproxy_live_cache_exp | default('1') }}
|
||||
# Update frequency in stream mode, in second
|
||||
UPDATE_FREQUENCY={{ crowdsec_haproxy_stream_update_frequency | default('10') }}
|
||||
#those apply for "ban" action
|
||||
# /!\ REDIRECT_LOCATION and BAN_TEMPLATE_PATH/RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE AND BAN_TEMPLATE_PATH
|
||||
BAN_TEMPLATE_PATH=/var/lib/crowdsec/lua/haproxy/templates/ban.html
|
||||
REDIRECT_LOCATION=
|
||||
RET_CODE=
|
||||
#those apply for "captcha" action
|
||||
#valid providers are recaptcha, hcaptcha, turnstile
|
||||
CAPTCHA_PROVIDER={{ crowdsec_captcha_provider | default('') }}
|
||||
# default is recaptcha to ensure backwards compatibility
|
||||
# Captcha Secret Key
|
||||
SECRET_KEY={{ crowdsec_captcha_secretkey | default('') }}
|
||||
# Captcha Site key
|
||||
SITE_KEY={{ crowdsec_captcha_sitekey | default('') }}
|
||||
CAPTCHA_TEMPLATE_PATH=/var/lib/crowdsec/lua/haproxy/templates/captcha.html
|
||||
CAPTCHA_EXPIRATION=3600
|
||||
Loading…
Reference in a new issue