Add crowdsec bouncer (work with other crowdsec playbook)
This commit is contained in:
parent
38cfe4ab65
commit
fa3168e18f
|
@ -39,6 +39,26 @@
|
|||
- configuration
|
||||
- config
|
||||
|
||||
- name: "Configure Crowdsec with HAProxy"
|
||||
ansible.builtin.template:
|
||||
src: etc/haproxy/haproxy.d/crowdsec.cfg.j2
|
||||
dest: /etc/haproxy/haproxy.d/crowdsec.cfg
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
||||
backup: yes
|
||||
register: crowdsec
|
||||
when:
|
||||
- crowdsec_haproxy is defined
|
||||
- crowdsec_haproxy == True
|
||||
notify:
|
||||
- Reload HAProxy
|
||||
tags:
|
||||
- configuration
|
||||
- config
|
||||
|
||||
- name: "Configure HAProxy frontends"
|
||||
|
||||
- name: "Configure HAProxy frontends"
|
||||
ansible.builtin.template:
|
||||
src: etc/haproxy/haproxy.d/frontends.j2
|
||||
|
@ -116,8 +136,15 @@
|
|||
copy:
|
||||
remote_src: true
|
||||
dest: /etc/haproxy/haproxy.d/userlists.cfg
|
||||
src: "{{ backends['backup_file'] }}"
|
||||
src: "{{ userlists['backup_file'] }}"
|
||||
when: userlists.changed
|
||||
|
||||
- name: restore crowdsec backup file to original.
|
||||
copy:
|
||||
remote_src: true
|
||||
dest: /etc/haproxy/haproxy.d/crowdsec.cfg
|
||||
src: "{{ crowdsec['backup_file'] }}"
|
||||
when: crowdsec.changed
|
||||
ignore_errors: true
|
||||
|
||||
always:
|
||||
|
@ -142,6 +169,13 @@
|
|||
when: userlists.changed
|
||||
ignore_errors: true
|
||||
|
||||
- name: Delete backup file
|
||||
file:
|
||||
path: "{{ crowdsec['backup_file'] }}"
|
||||
state: absent
|
||||
when: crowdsec.changed
|
||||
ignore_errors: true
|
||||
|
||||
- name: "Set allowed ips"
|
||||
ansible.builtin.template:
|
||||
src: etc/haproxy/allowed.ips.j2
|
||||
|
|
27
tasks/crowdsec.yml
Normal file
27
tasks/crowdsec.yml
Normal file
|
@ -0,0 +1,27 @@
|
|||
---
|
||||
- name: Install crowdsec HAProxy bouncer
|
||||
ansible.builtin.apt:
|
||||
name: crowdsec-haproxy-bouncer
|
||||
state: present
|
||||
update_cache: yes
|
||||
cache_valid_time: 3600
|
||||
when:
|
||||
- hap_crowdsec is defined
|
||||
- hap_crowdsec == True
|
||||
tags:
|
||||
- crowdsec
|
||||
|
||||
- name: "Template crowdsec config"
|
||||
ansible.builtin.template:
|
||||
src: etc/crowdsec/crowdsec-haproxy-bouncer.conf.j2
|
||||
dest: /etc/crowdsec/bouncers/crowdsec-haproxy-bouncer.conf
|
||||
mode: '0644'
|
||||
owner: root
|
||||
group: root
|
||||
notify:
|
||||
- Restart HAProxy
|
||||
when:
|
||||
- hap_crowdsec is defined
|
||||
- hap_crowdsec == True
|
||||
tags:
|
||||
- crowdsec
|
|
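Review bot: The gate variable is `hap_crowdsec` in both `when:` blocks of this file, while the HAProxy-side tasks in this same commit test `crowdsec_haproxy` and the frontends template tests `haproxy_crowdsec`, so no single inventory variable enables the bouncer package, the haproxy.d drop-in and the frontend rules together; pick one name and use it in all three places. The two-line `is defined` / `== True` test would also read better as one expression, `when: hap_crowdsec | default(false) | bool`, which additionally accepts the string values inventories often carry. `update_cache: yes` should be `update_cache: true` (`yes` is a YAML 1.1-only boolean and trips yamllint's truthy rule). The bouncer configuration is installed with `mode: '0644'`; if the rendered `crowdsec-haproxy-bouncer.conf` carries the LAPI API key, as this bouncer's conf file normally does, every local account can read it, so `mode: '0640'` with `group:` set to the group HAProxy runs as is the safer default — confirm the Lua init can still open it under the reduced mode.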
@ -11,3 +11,7 @@
|
|||
- include_tasks: froxlor_hosts.yml
|
||||
tags:
|
||||
- froxlor
|
||||
|
||||
- include_tasks: crowdsec.yml
|
||||
tags:
|
||||
- crowdsec
|
||||
|
|
24
templates/etc/haproxy/haproxy.d/crowsec.j2
Normal file
24
templates/etc/haproxy/haproxy.d/crowsec.j2
Normal file
|
@ -0,0 +1,24 @@
|
|||
global
|
||||
# Crowdsec bouncer >>>
|
||||
lua-prepend-path /usr/lib/crowdsec/lua/haproxy/?.lua
|
||||
lua-load /usr/lib/crowdsec/lua/haproxy/crowdsec.lua # path to crowdsec.lua
|
||||
setenv CROWDSEC_CONFIG /etc/crowdsec/bouncers/crowdsec-haproxy-bouncer.conf # path to crowdsec bouncer configuration file
|
||||
# Crowdsec bouncer <<<
|
||||
|
||||
frontend myApp
|
||||
|
||||
# Crowdsec bouncer >>>
|
||||
# define a backend for the captcha provider to allow DNS resolution
|
||||
backend captcha_verifier
|
||||
{% if crowdsec_captcha_provider == "recaptcha" -%}
|
||||
server captcha_verifier www.recaptcha.net:443 check
|
||||
{% elif crowdsec_captcha_provider == "cloudflare" -%}
|
||||
server turnstile_verifier challenges.cloudflare.com:443 check
|
||||
{% elif crowdsec_captcha_provider == "hacaptcha" -%}
|
||||
server hcaptcha_verifier hcaptcha.com:443 check
|
||||
{% endif %}
|
||||
|
||||
# define a backend for crowdsec to allow DNS resolution
|
||||
backend crowdsec
|
||||
server crowdsec {{ crowdsec_lapi_server }}:{{ crowdsec_lapi_port | default('8888') }} check
|
||||
# Crowdsec bouncer <<<
|
|
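Review bot: The new template is added as `templates/etc/haproxy/haproxy.d/crowsec.j2`, but the task that renders it references `src: etc/haproxy/haproxy.d/crowdsec.cfg.j2`, so the play fails with a missing-source error as soon as the gate variable is true; rename the file to `crowdsec.cfg.j2` (or fix the `src`). The third branch tests `crowdsec_captcha_provider == "hacaptcha"` while the server it declares is `hcaptcha_verifier hcaptcha.com:443`, so `hcaptcha` looks like the intended value — with the typo, a user setting `hcaptcha` silently gets an empty `backend captcha_verifier`. The bare `frontend myApp` block carries no `bind` and appears to be left over from the upstream example; it should be removed, since the actual bouncer rules are emitted by the frontends template in this commit. `crowdsec_captcha_provider` and `crowdsec_lapi_server` are both used without a default, so unless they are set in role defaults (not shown here) the render errors on an undefined variable; `{% if crowdsec_captcha_provider is defined %}` around the captcha backend, or `| default('')`, would make captcha opt-in.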
@ -19,6 +19,17 @@ frontend {{ frontend.name }}
|
|||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if haproxy_crowdsec is defined and haproxy_crowdsec == True -%}
|
||||
# Crowdsec bouncer >>>
|
||||
stick-table type ip size 10k expire 30m # declare a stick table to cache captcha verifications
|
||||
http-request lua.crowdsec_allow # action to identify crowdsec remediation
|
||||
http-request track-sc0 src if { var(req.remediation) -m str "captcha-allow" } # cache captcha allow decision
|
||||
http-request redirect location %[var(req.redirect_uri)] if { var(req.remediation) -m str "captcha-allow" } # redirect to initial url
|
||||
http-request use-service lua.reply_captcha if { var(req.remediation) -m str "captcha" } # serve captcha template if remediation is captcha
|
||||
http-request use-service lua.reply_ban if { var(req.remediation) -m str "ban" } # serve ban template if remediation is ban
|
||||
# Crowdsec bouncer <<<
|
||||
{% endif %}
|
||||
|
||||
{% if frontend.acl is defined -%}
|
||||
{% for acl in frontend.acl -%}
|
||||
{% if acl.type is defined and acl.type == "wildcard" -%}
|
||||
|
|