WIP crowdsec integration for the zoraxy reverse proxy
References:
Since this needs to look at all incoming requests, it is implemented as a Dynamic Capture Plugin.
For now, it uses a live bouncer, which queries the Crowdsec API for decisions on each request. However, in the future, it should be possible to use a static bouncer that stores decisions in an in-memory cache or file and only queries the Crowdsec API for updates periodically.
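The static bouncer described above, sketched as an added example (not code from this repository): it merges the `new`/`deleted` lists that the CrowdSec LAPI returns from `GET /v1/decisions/stream` into an in-memory set and answers lookups without an API call. The `Cache` type and its methods are hypothetical names, the JSON body is a constructed sample, and every decision type is treated as a block.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Cache is the decision set; guard it with a sync.RWMutex if goroutines share it.
type Cache map[netip.Prefix]bool

// toPrefix normalises an "Ip" or "Range" value; junk yields the zero Prefix, which matches nothing.
func toPrefix(v string) netip.Prefix {
	if a, err := netip.ParseAddr(v); err == nil {
		return netip.PrefixFrom(a.Unmap(), a.Unmap().BitLen())
	}
	p, _ := netip.ParsePrefix(v)
	return p.Masked()
}

// Apply merges one poll; deletions run first so a ban re-issued in the same poll survives.
func (c Cache) Apply(body []byte) error {
	var d struct{ New, Deleted []struct{ Value string } }
	if err := json.Unmarshal(body, &d); err != nil {
		return err // malformed poll: keep serving the previous cache
	}
	for _, x := range d.Deleted {
		delete(c, toPrefix(x.Value))
	}
	for _, x := range d.New {
		c[toPrefix(x.Value)] = true
	}
	return nil
}

// Blocked answers from memory, where a live bouncer would call the API.
func (c Cache) Blocked(ip string) bool {
	a, _ := netip.ParseAddr(ip) // zero Addr on a parse error matches nothing
	for p := range c {
		if p.Contains(a.Unmap()) {
			return true
		}
	}
	return false
}

func main() {
	c := Cache{} // the body below is a constructed sample, not captured from a real LAPI
	c.Apply([]byte(`{"new":[{"scope":"Range","value":"198.51.100.0/24","type":"ban"}]}`))
	fmt.Println(c.Blocked("198.51.100.9"), c.Blocked("192.0.2.1"))
}
```

Range decisions are the case an exact-match cache would miss, which is why lookups go through prefix containment rather than a string key.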
Warning
These instructions assume you have a setup similar to mine, that is, you are running Zoraxy more or less bare metal (I'm using an LXC, but the idea is the same).
They are known to be inaccurate if you run Zoraxy in a docker container, see the following
The gist seems to be that you need to:
- put your plugins in a directory that you mount to /opt/zoraxy/plugin/ instead of /opt/zoraxy/plugins/
- run crowdsec in another container on the same virtual network as Zoraxy (so they can talk to each other), and make sure you mount your zoraxy logs to this container so crowdsec can monitor traffic
https://zoraxy.aroz.org/plugins/html/1.%20Introduction/3.%20Installing%20Plugin.html
Create a directory for the plugin if it doesn't exist:
mkdir -p /opt/zoraxy/plugins/zoraxycrowdsecbouncer
Then, copy the link to the latest binary from the releases page and use wget to download it to the zoraxycrowdsecbouncer directory:
cd /opt/zoraxy/plugins/zoraxycrowdsecbouncer
# wget <LINK_TO_LATEST_BINARY>
wget https://github.com/AnthonyMichaelTDM/zoraxy_crowdsec_bouncer/releases/download/v1.2.1/zoraxycrowdsecbouncer
chmod +x zoraxycrowdsecbouncer
Do the same for the config.yaml file:
wget https://github.com/AnthonyMichaelTDM/zoraxy_crowdsec_bouncer/releases/download/v1.2.1/config.yaml
Alternatively, to build from source, clone the repository inside the Zoraxy plugins directory, then build the plugin:
cd /opt/zoraxy/plugins
git clone https://github.com/AnthonyMichaelTDM/zoraxy_crowdsec_bouncer.git zoraxycrowdsecbouncer
cd zoraxycrowdsecbouncer
go build
chmod +x zoraxycrowdsecbouncer
After installing the plugin and confirming on the Zoraxy dashboard that it is visible and healthy, you need to do one more thing to actually get it to work:
- add the plugin to a tag, and also add every service you want protected to the same tag.
You'll also need to do some setup with crowdsec, see tobychui/zoraxy#338 (comment)
TODO: implement a way to configure the bouncer via the web UI.
In the same directory as the plugin, there should be a config.yaml file with some default configuration. Fill in the values as needed.
api_key: YOUR_API_KEY
agent_url: http://127.0.0.1:8080 # for example
log_level: warning # Log level for the bouncer, options: trace, debug, info, warning, error
is_proxied_behind_cloudflare: true # Set to true if your zoraxy instance is proxied behind Cloudflare
You can get the API key by running the following command:
sudo cscli bouncers add zoraxy-crowdsec-bouncer
The web UI is available from the Zoraxy web interface in the "Plugins" section.
In it, you can view some basic information about the bouncer, such as the number of requests processed and dropped by the bouncer for each hostname.
Additionally, the web UI will periodically check for updates and will tell you when an update is available.
The web UI matches the theme of the Zoraxy web interface: if you have it in dark mode, the web UI will also be in dark mode.


