Add crowdsec bouncer (work with other crowdsec playbook)

2024-04-24 10:29:37 +02:00 · 2024-04-24 10:29:37 +02:00 · fa3168e18f
parent 38cfe4ab65
commit fa3168e18f
5 changed files with 101 additions and 1 deletions
--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
@ -39,6 +39,26 @@
      - configuration
      - config

+  - name: "Configure Crowdsec with HAProxy"
+    ansible.builtin.template:
+      src: etc/haproxy/haproxy.d/crowdsec.cfg.j2
+      dest: /etc/haproxy/haproxy.d/crowdsec.cfg
+      mode: '0644'
+      owner: root
+      group: root
+      backup: yes
+    register: crowdsec
+    when:
+      - crowdsec_haproxy is defined
+      - crowdsec_haproxy == True
+    notify:
+      - Reload HAProxy
+    tags:
+      - configuration
+      - config
+
+  - name: "Configure HAProxy frontends"
+
  - name: "Configure HAProxy frontends"
    ansible.builtin.template:
      src: etc/haproxy/haproxy.d/frontends.j2
@ -116,8 +136,15 @@
      copy:
        remote_src: true
        dest: /etc/haproxy/haproxy.d/userlists.cfg
-        src: "{{ backends['backup_file'] }}"
+        src: "{{ userlists['backup_file'] }}"
      when: userlists.changed
+
+    - name: restore crowdsec backup file to original.
+      copy:
+        remote_src: true
+        dest: /etc/haproxy/haproxy.d/crowdsec.cfg
+        src: "{{ crowdsec['backup_file'] }}"
+      when: crowdsec.changed
      ignore_errors: true

  always:
@ -142,6 +169,13 @@
      when: userlists.changed
      ignore_errors: true

+    - name: Delete backup file
+      file:
+         path: "{{ crowdsec['backup_file'] }}"
+         state: absent
+      when: crowdsec.changed
+      ignore_errors: true
+
 - name: "Set allowed ips"
  ansible.builtin.template:
    src: etc/haproxy/allowed.ips.j2
--- a/tasks/crowdsec.yml
+++ b/tasks/crowdsec.yml
@ -0,0 +1,27 @@
+---
+- name: Install crowdsec HAProxy bouncer
+  ansible.builtin.apt:
+    name: crowdsec-haproxy-bouncer
+    state: present
+    update_cache: yes
+    cache_valid_time: 3600
+  when: 
+    - hap_crowdsec is defined
+    - hap_crowdsec == True
+  tags:
+    - crowdsec
+
+- name: "Template crowdsec config"
+  ansible.builtin.template:
+    src: etc/crowdsec/crowdsec-haproxy-bouncer.conf.j2
+    dest: /etc/crowdsec/bouncers/crowdsec-haproxy-bouncer.conf
+    mode: '0644'
+    owner: root
+    group: root
+  notify:
+    - Restart HAProxy
+  when: 
+    - hap_crowdsec is defined
+    - hap_crowdsec == True
+  tags:
+    - crowdsec
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -11,3 +11,7 @@
 - include_tasks: froxlor_hosts.yml
  tags:
    - froxlor
+
+- include_tasks: crowdsec.yml
+  tags:
+    - crowdsec
--- a/templates/etc/haproxy/haproxy.d/crowsec.j2
+++ b/templates/etc/haproxy/haproxy.d/crowsec.j2
@ -0,0 +1,24 @@
+global
+	# Crowdsec bouncer >>>
+ 	lua-prepend-path /usr/lib/crowdsec/lua/haproxy/?.lua
+ 	lua-load /usr/lib/crowdsec/lua/haproxy/crowdsec.lua # path to crowdsec.lua
+ 	setenv CROWDSEC_CONFIG /etc/crowdsec/bouncers/crowdsec-haproxy-bouncer.conf # path to crowdsec bouncer configuration file
+ 	# Crowdsec bouncer <<<
+
+frontend myApp
+
+	# Crowdsec bouncer >>>
+	# define a backend for the captcha provider to allow DNS resolution
+backend captcha_verifier
+	{% if crowdsec_captcha_provider == "recaptcha" -%}
+	server captcha_verifier www.recaptcha.net:443 check
+	{% elif crowdsec_captcha_provider == "cloudflare" -%}
+ 	server turnstile_verifier challenges.cloudflare.com:443 check
+	{% elif crowdsec_captcha_provider == "hacaptcha" -%}
+ 	server hcaptcha_verifier hcaptcha.com:443 check
+	{% endif %}
+
+# define a backend for crowdsec to allow DNS resolution
+backend crowdsec
+	server crowdsec {{ crowdsec_lapi_server }}:{{ crowdsec_lapi_port | default('8888') }} check
+	# Crowdsec bouncer <<<
--- a/templates/etc/haproxy/haproxy.d/frontends.j2
+++ b/templates/etc/haproxy/haproxy.d/frontends.j2
@ -19,6 +19,17 @@ frontend {{ frontend.name }}
    {% endfor %}
    {% endif %}

+    {% if haproxy_crowdsec is defined and haproxy_crowdsec == True -%}
+    # Crowdsec bouncer >>>
+    stick-table type ip size 10k expire 30m # declare a stick table to cache captcha verifications
+    http-request lua.crowdsec_allow # action to identify crowdsec remediation
+    http-request track-sc0 src if { var(req.remediation) -m str "captcha-allow" } # cache captcha allow decision 
+    http-request redirect location %[var(req.redirect_uri)] if { var(req.remediation) -m str "captcha-allow" } # redirect to initial url
+    http-request use-service lua.reply_captcha if { var(req.remediation) -m str "captcha" } # serve captcha template if remediation is captcha
+    http-request use-service lua.reply_ban if { var(req.remediation) -m str "ban" } # serve ban template if remediation is ban
+    # Crowdsec bouncer <<<
+    {% endif %}
+
    {% if frontend.acl is defined -%}
    {% for acl in frontend.acl -%}
    {% if acl.type is defined and acl.type == "wildcard" -%}