
[HELP] ForwardedHeadersTrustedIPs

Open alberk8 opened this issue 1 year ago • 2 comments

I have this question regarding the IP address of the ForwardedHeadersTrustedIPs for Cloudflare Tunnel, in the example here.

As far as I know, the IP keeps changing. Is there a way to keep this static?

alberk8 avatar Sep 13 '24 02:09 alberk8


I don't know if you can keep it static (most likely, if you defined it via compose, it will), but the ForwardedHeadersTrustedIPs accepts a range as well, so you can define 172.16.0.0/12 and that will cover all ranges used by a default docker setup.

LaurenceJJones avatar Sep 13 '24 19:09 LaurenceJJones

Another thing to know: you can add more IPs by separating them with commas, like this: 10.0.0.1,10.1.1.2/12,10.2.2.3

maxlerebourg avatar Sep 14 '24 05:09 maxlerebourg


By "the IP keeps changing", do you mean the IP from docker or the IP from Cloudflare?

For the first one, like @LaurenceJJones said, you can specify a range like the range of IPs used by docker, or in the Cloudflare case, you can use a list like @maxlerebourg said. I think the Cloudflare IPs don't change that often.

mathieuHa avatar Sep 24 '24 13:09 mathieuHa

Hi everyone.

I have a question related to the original post (OP). I'm using CF Tunnel and have successfully added the Docker IP range to the TrustedIPs in both Traefik and the CrowdSec bouncer as follows:

    forwardedHeaders:
      trustedIPs:
        - 127.0.0.1/32
        - 172.19.0.0/16
        - 192.168.1.0/24

After configuring this, I manually blocked my smartphone's local IP and the carrier IP. Below are the access logs for your review:

{"ClientAddr":"172.19.0.1:56184","ClientHost":"200.43.149.144","ClientPort":"56184","ClientUsername":"-","DownstreamContentSize":87615,"DownstreamStatus":200,"Duration":31199214,"OriginContentSize":87615,"OriginDuration":19476147,"OriginStatus":200,"Overhead":11723067,"RequestAddr":"pdf.mydomain.com","RequestContentSize":0,"RequestCount":39,"RequestHost":"pdf.mydomain.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"s-pdf@docker","ServiceAddr":"172.19.0.16:8080","ServiceName":"s-pdf@docker","ServiceURL":"http://172.19.0.16:8080","StartLocal":"2024-10-03T14:54:36.407348757Z","StartUTC":"2024-10-03T14:54:36.407348757Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2024-10-03T14:54:36Z"}

{"ClientAddr":"192.168.10.50:33428","ClientHost":"192.168.10.50","ClientPort":"33428","ClientUsername":"-","DownstreamContentSize":11383,"DownstreamStatus":403,"Duration":708384,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":708384,"RequestAddr":"pdf.mydomain.com","RequestContentSize":0,"RequestCount":23,"RequestHost":"pdf.mydomain.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"s-pdf@docker","StartLocal":"2024-10-03T14:53:02.282972125Z","StartUTC":"2024-10-03T14:53:02.282972125Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2024-10-03T14:53:02Z"}

Only the local requests were successfully blocked. Any ideas what I could have done wrong?

Thanks.

adilson0888 avatar Oct 03 '24 15:10 adilson0888

Hi @adilson0888,

You may run the plugin with debug logging enabled, so you can inspect which IP it is transferring to CrowdSec. If you see a private IP for a public access, then there is an issue, and you'll have to work on the X-Forwarded-For header or the related configuration.

mathieuHa avatar Oct 14 '24 15:10 mathieuHa

Hello @mathieuHa

The issue was with my forwardedHeadersCustomName, which I copied from the GitHub Dynamic Configuration example without paying attention. I initially used "X-Custom-Header," but after updating it to "X-Forwarded-For," everything started working as expected, allowing me to block local and public IPs.

Thank you for your help!

adilson0888 avatar Oct 14 '24 18:10 adilson0888
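To see why a wrong forwardedHeadersCustomName lets a public request through as the Docker gateway 172.19.0.1 while the correct header resolves 200.43.149.144 (as in the access log above), here is an added Go sketch of the resolution logic. It is not the plugin's or Traefik's own code: the trusted list is parsed in the comma-separated form @maxlerebourg described, and the forwarded header is honoured only when the TCP peer is a trusted proxy and is then walked right to left; that walk order and the fallback rules are the usual approach, assumed here, not a statement about this plugin's implementation, and the function names are mine.

```go
package main

import (
	"net"
	"strings"
)

// parseTrusted turns a "10.0.0.1,10.1.1.2/12"-style list into networks; a bare IPv4 becomes a /32.
func parseTrusted(list string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, item := range strings.Split(list, ",") {
		item = strings.TrimSpace(item)
		if !strings.Contains(item, "/") {
			item += "/32"
		}
		_, n, err := net.ParseCIDR(item)
		if err != nil {
			return nil, err // fail closed: a typo must not silently widen or empty the list
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func isTrusted(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP picks the address the bouncer checks. peer is the TCP peer's IP (Traefik's ClientAddr
// minus the port); header is the configured forwarded header's value, "" when the request lacks it.
func clientIP(peer, header string, trusted []*net.IPNet) string {
	if ip := net.ParseIP(peer); ip == nil || !isTrusted(ip, trusted) {
		return peer // untrusted peer: its header is attacker-controlled, ignore it
	}
	hops := strings.Split(header, ",")
	for i := len(hops) - 1; i >= 0; i-- { // right to left: proxies append, clients can only prepend
		switch ip := net.ParseIP(strings.TrimSpace(hops[i])); {
		case ip == nil:
			return peer // header missing or malformed: fall back to the peer address
		case !isTrusted(ip, trusted):
			return ip.String() // first hop that is not one of our proxies is the client
		}
	}
	return peer // every hop was a trusted proxy: the request is internal
}
```

With the header name set to X-Custom-Header the plugin reads an empty value, so every tunnelled request is checked as 172.19.0.1, an address that never appears in a CrowdSec decision, which is exactly the symptom in the log above.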

Personally, I just define all private class IP ranges:

    crowdsec:
      plugin:
        bouncer:
          enabled: true
          updateIntervalSeconds: 60
          updateMaxFailure: 0
          defaultDecisionSeconds: 60
          httpTimeoutSeconds: 10
          crowdsecMode: live
          crowdsecAppsecFailureBlock: true
          crowdsecAppsecUnreachableBlock: true
          crowdsecLapiKey: FIXME
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiScheme: http
          crowdsecLapiTLSInsecureVerify: false
          forwardedHeadersTrustedIPs:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16
          clientTrustedIPs:
            - 10.0.0.0/8
            - 172.16.0.0/12
            - 192.168.0.0/16

l4rm4nd avatar Oct 27 '24 02:10 l4rm4nd