From bb388284ba543d8458a01e5717307c09c04131a1 Mon Sep 17 00:00:00 2001 From: he2ss Date: Fri, 22 Aug 2025 15:34:50 +0200 Subject: [PATCH 1/3] update traefik bouncer kubernetes section --- .../unversioned/bouncers/traefik.mdx | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/crowdsec-docs/unversioned/bouncers/traefik.mdx b/crowdsec-docs/unversioned/bouncers/traefik.mdx index 085a79b7..0bdd2bc1 100644 --- a/crowdsec-docs/unversioned/bouncers/traefik.mdx +++ b/crowdsec-docs/unversioned/bouncers/traefik.mdx 
@@ -49,6 +49,77 @@ spec: crowdsecLapiKey: mysecretkey12345 ``` +Now, you can install the remediation component: + +```bash +kubectl apply -f bouncer-middleware.yaml +``` + +### Traefik with WAF(appsec) on kubernetes + +We supposed you already have working crowdsec values configuration, basically here is the important configuration to put in crowdsec values : + +```yaml +config: + config.yaml.local: | + api: + server: + auto_registration: + enabled: true + token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart) + allowed_ranges: + - "127.0.0.1/32" + - "192.168.0.0/16" + - "10.0.0.0/8" + - "172.16.0.0/12" +appsec: + enabled: true + acquisitions: + - source: appsec + listen_addr: "0.0.0.0:7422" + path: / + appsec_configs: + - crowdsecurity/appsec-default + - crowdsecurity/crs + labels: + type: appsec + env: + - name: COLLECTIONS + value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs crowdsecurity/appsec-generic-rules" +lapi: + env: + - name: BOUNCER_KEY_traefik + value: +``` + +If you add this config to crowdsec values, don't forget to `helm upgrade` + +Then the configuration for the middleware (bouncer-middleware.yaml) : + +```yaml +kind: Middleware +apiVersion: traefik.io/v1alpha1 +metadata: + name: bouncer + namespace: traefik +spec: + plugin: + bouncer: + enabled: true + crowdsecMode: stream + crowdsecLapiScheme: http + crowdsecLapiHost: crowdsec-service.default.svc.cluster.local:8080 + crowdsecAppsecEnabled: true + crowdsecAppsecHost: crowdsec-appsec-service.default.svc.cluster.local:7422 + crowdsecAppsecPath: "/" + crowdsecAppsecFailureBlock: true + crowdsecAppsecUnreachableBlock: true + crowdsecAppsecBodyLimit: 10485760 + crowdsecLapiKey: + crowdsecLapiPath: "/" + crowdsecLapiTLSInsecureVerify: true +``` + You can see all the configuration options in the [bouncer documentation](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin). 
You can also refer to a [full traefik and CrowdSec stack on kubernetes](https://raw.githubusercontent.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/main/examples/kubernetes/README.md) From 06a354e34d9eb6a4b5546747e14fb721f67ff3ea Mon Sep 17 00:00:00 2001 From: he2ss Date: Tue, 26 Aug 2025 16:40:45 +0200 Subject: [PATCH 2/3] add traefik bouncer section --- .../unversioned/bouncers/traefik.mdx | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/crowdsec-docs/unversioned/bouncers/traefik.mdx b/crowdsec-docs/unversioned/bouncers/traefik.mdx index 0bdd2bc1..05647b9a 100644 --- a/crowdsec-docs/unversioned/bouncers/traefik.mdx +++ b/crowdsec-docs/unversioned/bouncers/traefik.mdx @@ -128,3 +128,29 @@ Now, you can install the remediation component: ```bash kubectl apply -f bouncer-middleware.yaml ``` + +### Treafik Behind an Upstream Proxy or Load Balancer + +When Traefik operates behind another proxy (such as a load balancer, CDN, etc ...), the source IP seen by Traefik may be the wrong one instead of the real client. +To ensure Crowdsec applies decisions correctly based on the real client IP, it's crucial to properly forward and trust headers. + +First you configure Treafik to trust the upstream forwarded headers. Traefik has [`forwardedHeaders.trustedIPs`](https://doc.traefik.io/traefik/routing/entrypoints/?utm_source=chatgpt.com#forwarded-headers) and [`proxyProtocol.trustedIPs`](https://doc.traefik.io/traefik/routing/entrypoints/?utm_source=chatgpt.com#forwarded-headers) directives. + + +Then, you need to configure the middleware to trust as well the IP: + +```yaml +spec: + plugin: + bouncer: + forwardedheaderstrustedips: +``` + +When using `proxyProtocol.trustedIPs` Traefik replaces `X-Real-Ip`, you can also add : + +```yaml +spec: + plugin: + bouncer: + forwardedHeadersCustomName: X-Real-Ip +``` \ No newline at end of file From 297e09860f5a14c6392501dedf193e18974b8d91 Mon Sep 17 00:00:00 2001 
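Review bot: The `bouncer-middleware.yaml` example in this hunk ships `crowdsecLapiTLSInsecureVerify: true` next to `crowdsecLapiScheme: http`, so the setting does nothing for the example as written but will be copied verbatim into deployments that later switch to https and silently lose certificate verification; change it to `crowdsecLapiTLSInsecureVerify: false` (or drop the line) and mention enabling it only for testing. `crowdsecLapiKey:` in the middleware and `value:` under `BOUNCER_KEY_traefik` are left bare, which YAML parses as null rather than "fill me in"; use a quoted placeholder such as `crowdsecLapiKey: "<bouncer-key placeholder>"` and state in the prose that the two values must be identical, since nothing in the section says so. The `allowed_ranges` list for `auto_registration` covers every RFC 1918 range; a one-line remark that readers should narrow it to the cluster's pod/service CIDR would be worth adding, as the text presents the block as the configuration to copy. The `### Traefik with WAF(appsec) on kubernetes` heading and "We supposed you already have working crowdsec values configuration" read awkwardly; `### Traefik with the WAF (AppSec) on Kubernetes` and "We assume you already have a working CrowdSec values configuration; the relevant settings are:" would be clearer.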
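Review bot: The middleware snippet under "Treafik Behind an Upstream Proxy" leaves `forwardedheaderstrustedips:` empty and gives no guidance on what belongs there, which is the security-relevant part of the section: the list must contain only the upstream proxy or load-balancer addresses, because any broader range lets the forwarded-for header be supplied by an untrusted sender and the bouncer would then act on a forged client IP. The key is also written in all-lowercase while the second snippet uses `forwardedHeadersCustomName`, so I would write it as `forwardedHeadersTrustedIPs:` followed by `- "<upstream-proxy-ip placeholder>/32"` and add a sentence stating the restriction above. "Treafik" is misspelled in the heading and in "First you configure Treafik", and both entrypoint links target the same `#forwarded-headers` anchor although the second is for `proxyProtocol.trustedIPs` (presumably the proxy-protocol anchor was intended; please verify). The added file content also ends without a trailing newline.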
From: he2ss Date: Tue, 26 Aug 2025 16:42:06 +0200 Subject: [PATCH 3/3] remove utm --- crowdsec-docs/unversioned/bouncers/traefik.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crowdsec-docs/unversioned/bouncers/traefik.mdx b/crowdsec-docs/unversioned/bouncers/traefik.mdx index 05647b9a..01fbdb59 100644 --- a/crowdsec-docs/unversioned/bouncers/traefik.mdx +++ b/crowdsec-docs/unversioned/bouncers/traefik.mdx @@ -134,7 +134,7 @@ kubectl apply -f bouncer-middleware.yaml When Traefik operates behind another proxy (such as a load balancer, CDN, etc ...), the source IP seen by Traefik may be the wrong one instead of the real client. To ensure Crowdsec applies decisions correctly based on the real client IP, it's crucial to properly forward and trust headers. -First you configure Treafik to trust the upstream forwarded headers. Traefik has [`forwardedHeaders.trustedIPs`](https://doc.traefik.io/traefik/routing/entrypoints/?utm_source=chatgpt.com#forwarded-headers) and [`proxyProtocol.trustedIPs`](https://doc.traefik.io/traefik/routing/entrypoints/?utm_source=chatgpt.com#forwarded-headers) directives. +First you configure Treafik to trust the upstream forwarded headers. Traefik has [`forwardedHeaders.trustedIPs`](https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers) and [`proxyProtocol.trustedIPs`](https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers) directives. Then, you need to configure the middleware to trust as well the IP: