crowdsec - move as external plugin

2021-07-16 10:05:53 +02:00 · 2021-07-16 10:05:53 +02:00 · 82548378ae
parent b926b0db62
commit 82548378ae
7 changed files with 22 additions and 79 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -0,0 +1,3 @@
+[submodule "bunkerized-nginx-crowdsec"]
+	path = examples/crowdsec/bunkerized-nginx-crowdsec
+	url = https://github.com/bunkerity/bunkerized-nginx-crowdsec
--- a/confs/global/init-lua.conf
+++ b/confs/global/init-lua.conf
@ -9,7 +9,6 @@ local use_abusers		= {% if has_value("BLOCK_ABUSERS", "yes") %}true{% else %}fal
 local use_tor_exit_nodes	= {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}true{% else %}false{% endif +%}
 local use_user_agents		= {% if has_value("BLOCK_USER_AGENT", "yes") %}true{% else %}false{% endif +%}
 local use_referrers		= {% if has_value("BLOCK_REFERRER", "yes") %}true{% else %}false{% endif +%}
-local use_crowdsec		= {% if has_value("USE_CROWDSEC", "yes") %}true{% else %}false{% endif +%}

 if use_proxies then
 	dataloader.load_ip("/etc/nginx/proxies.list", ngx.shared.proxies_data)
@ -31,16 +30,6 @@ if use_referrers then
 	dataloader.load_raw("/etc/nginx/referrers.list", ngx.shared.referrers_data)
 end

-if use_crowdsec then
-	local cs = require "crowdsec.CrowdSec"
-	local ok, err = cs.init("/etc/nginx/crowdsec.conf")
-	if ok == nil then
-		logger.log(ngx.ERR, "CROWDSEC", err)
-		error()
-	end
-	logger.log(ngx.ERR, "CROWDSEC", "*NOT AN ERROR* initialisation done")
-end
-
 -- Load plugins
 ngx.shared.plugins_data:safe_set("plugins", nil, 0)
 local p = io.popen("find /opt/bunkerized-nginx/plugins -maxdepth 1 -type d ! -path /opt/bunkerized-nginx/plugins")
@ -54,14 +43,24 @@ for dir in p:lines() do
 			ngx.shared.plugins_data:safe_set(data.id .. "_" .. k, v, 0)
 		end
 		file:close()
-		-- store plugin
-		local plugins, flags = ngx.shared.plugins_data:get("plugins")
-		if plugins == nil then
-			ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
-		else
-			ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
+		-- call init
+		local plugin = require(data.id .. "/" .. data.id)
+		local init = true
+		if plugin["init"] ~= nil then
+			init = plugin.init()
+		end
+		-- store plugin
+		if init then
+			local plugins, flags = ngx.shared.plugins_data:get("plugins")
+			if plugins == nil then
+				ngx.shared.plugins_data:safe_set("plugins", data.id, 0)
+			else
+				ngx.shared.plugins_data:safe_set("plugins", plugins .. " " .. data.id, 0)
+			end
+			logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
+		else
+			logger.log(ngx.ERR, "PLUGINS", "init failed for plugin " .. data.name .. "/" .. data.version)
 		end
-		logger.log(ngx.ERR, "PLUGINS", "*NOT AN ERROR* plugin " .. data.name .. "/" .. data.version .. " has been loaded")
 	else
 		logger.log(ngx.ERR, "PLUGINS", "Can't load " .. dir .. "/plugin.json")
 	end
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@ -25,9 +25,6 @@ local use_referrers		= {% if BLOCK_REFERRER == "yes" %}true{% else %}false{% end
 -- countries
 local use_country		= {% if WHITELIST_COUNTRY != "" or BLACKLIST_COUNTRY != "" %}true{% else %}false{% endif +%}

-- crowdsec
-local use_crowdsec		= {% if USE_CROWDSEC == "yes" %}true{% else %}false{% endif +%}
-
 -- antibot
 local use_antibot_cookie	= {% if USE_ANTIBOT == "cookie" %}true{% else %}false{% endif +%}
 local use_antibot_javascript	= {% if USE_ANTIBOT == "javascript" %}true{% else %}false{% endif +%}
@ -238,18 +235,6 @@ if use_dnsbl and not dnsbl.cached() then
 	end
 end

-- check if IP is in CrowdSec DB
-if use_crowdsec then
-	local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
-	if ok == nil then
-		logger.log(ngx.ERR, "CROWDSEC", err)
-	end
-	if not ok then
-		logger.log(ngx.WARN, "CROWDSEC", "denied " .. ngx.var.remote_addr)
-		ngx.exit(ngx.HTTP_FORBIDDEN)
-	end
-end
-
 -- cookie check
 if use_antibot_cookie and ngx.var.uri ~= "/favicon.ico" then
 	if not cookie.is_set("uri") then
--- a/examples/crowdsec/bunkerized-nginx-crowdsec
+++ b/examples/crowdsec/bunkerized-nginx-crowdsec
@ -0,0 +1 @@
+Subproject commit 6dadb32c011971789d0cb02ec6cce6ad6dda90c0
--- a/examples/crowdsec/docker-compose.yml
+++ b/examples/crowdsec/docker-compose.yml
@ -23,6 +23,7 @@ services:
    volumes:
      - ./web-files:/www:ro
      - ./letsencrypt:/etc/letsencrypt
+      - ./bunkerized-nginx-crowdsec:/plugins/crowdsec # edit plugin.json
    environment:
      - SERVER_NAME=app1.example.com app2.example.com # replace with your domains
      - MULTISITE=yes
@ -31,9 +32,6 @@ services:
      - DISABLE_DEFAULT_SERVER=yes
      - USE_CLIENT_CACHE=yes
      - USE_GZIP=yes
-      - USE_CROWDSEC=yes
-      - CROWDSEC_HOST=http://mycrowdsec:8080
-      - CROWDSEC_KEY=                                # you need to generate it (see bouncer_key.sh)
      - app1.example.com_REMOTE_PHP=myapp1
      - app1.example.com_REMOTE_PHP_PATH=/app
      - app2.example.com_REMOTE_PHP=myapp2
--- a/helpers/install.sh
+++ b/helpers/install.sh
@ -586,17 +586,6 @@ CHANGE_DIR="/tmp/bunkerized-nginx/luasec" do_and_check_cmd make INC_PATH=-I/opt/
 echo "[*] Install luasec"
 CHANGE_DIR="/tmp/bunkerized-nginx/luasec" do_and_check_cmd make LUACPATH=/opt/bunkerized-nginx/deps/lib/lua LUAPATH=/opt/bunkerized-nginx/deps/lib/lua install

-# Download and install lua-cs-bouncer
-echo "[*] Clone crowdsecurity/lua-cs-bouncer"
-git_secure_clone https://github.com/crowdsecurity/lua-cs-bouncer.git 3c235c813fc453dcf51a391bc9e9a36ca77958b0
-echo "[*] Install lua-cs-bouncer"
-if [ ! -d /opt/bunkerized-nginx/deps/lib/lua/crowdsec ] ; then
-	do_and_check_cmd mkdir /opt/bunkerized-nginx/deps/lib/lua/crowdsec
-fi
-do_and_check_cmd cp -r /tmp/bunkerized-nginx/lua-cs-bouncer/lib/* /opt/bunkerized-nginx/deps/lib/lua/crowdsec
-do_and_check_cmd sed -i 's/require "lrucache"/require "resty.lrucache"/' /opt/bunkerized-nginx/deps/lib/lua/crowdsec/CrowdSec.lua
-do_and_check_cmd sed -i 's/require "config"/require "crowdsec.config"/' /opt/bunkerized-nginx/deps/lib/lua/crowdsec/CrowdSec.lua
-
 # Download and install lua-resty-iputils
 echo "[*] Clone hamishforbes/lua-resty-iputils"
 git_secure_clone https://github.com/hamishforbes/lua-resty-iputils.git 3151d6485e830421266eee5c0f386c32c835dba4
--- a/settings.json
+++ b/settings.json
@ -493,38 +493,6 @@
            }
        ]
    },
-    "CrowdSec": {
-        "id": "use-crowdsec",
-        "params": [
-            {
-                "context": "multisite",
-                "default": "no",
-                "env": "USE_CROWDSEC",
-                "id": "use-crowdsec",
-                "label": "Use crowdsec",
-                "regex": "^(yes|no)$",
-                "type": "checkbox"
-            },
-            {
-                "context": "global",
-                "default": "",
-                "env": "CROWDSEC_HOST",
-                "id": "crowdsec-host",
-                "label": "CrowdSec host",
-                "regex": "^(https?://[\\S]+:?\\d*)?$",
-                "type": "text"
-            },
-            {
-                "context": "global",
-                "default": "",
-                "env": "CROWDSEC_KEY",
-                "id": "crowdsec-key",
-                "label": "CrowdSec key",
-                "regex": "^([\\S])*$",
-                "type": "text"
-            }
-        ]
-    },
    "DNSBL": {
        "id": "dnsbl",
        "params": [
				`@ -0,0 +1 @@`
				`Subproject commit 6dadb32c011971789d0cb02ec6cce6ad6dda90c0`