Add additional Crowdsec bouncers (Caddy, nginx, HaProxy)
Important notices Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [x] When the request is meant for an existing plugin, I've added its name to the title.
Is your feature request related to a problem? Please describe. OPNsense currently only supports the crowdsec-firewall-bouncer remediation component (bouncer). This works great for blocking direct traffic to the firewall but does not allow Layer 7 blocking. For example, I use Cloudflare proxy and my WAN only accepts inbound from the Cloudflare IP ranges (https://www.cloudflare.com/ips/). That's all the firewall sees so it can't block by the proxy protocol or x-forwarded-for header that caddy, nginx, and haproxy would see.
Describe the solution you'd like I would like to see these additional bouncers added as installation candidates in OPNsense.
Describe alternatives you've considered I have considered moving nginx off of my OPNsense box and running it in linux just to have this functionality but would ideally like to keep it where it's at.
I could also set up Crowdsec and the Bouncers on each one of my services but would prefer to have it right on the reverse proxy.
I have also looked into using the Crowdsec Blocklist Mirror bouncer, but nginx does not allow the use of a file location in the IP ACL section and I would need to manually change the formatting to meet nginx requirements.
Additional context
Crowdsec resources for the mentioned bouncers:
- Caddy Bouncer - https://app.crowdsec.net/hub/author/hslatman/remediation-components/caddy-crowdsec-bouncer
- nginx Bouncer - https://docs.crowdsec.net/u/bouncers/nginx
- Haproxy Bouncer - https://docs.crowdsec.net/u/bouncers/haproxy
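The reformatting step mentioned above (turning a Blocklist Mirror style plain-text list into something nginx will accept) is small enough to script. The following is an added example, not code from the OPNsense plugins project or from CrowdSec: it assumes the mirror serves one IPv4/IPv6 address or CIDR per line with `#` comments (an assumption about the format), validates every entry with `ipaddress`, drops duplicates and junk, and renders `deny` directives that nginx can pull in with an `include` statement. The sample list is constructed, not real decisions.

```python
"""Render a plain-text IP blocklist as nginx `deny` directives.

Added example (not OPNsense plugin or CrowdSec code). Assumed input
format: one IP address or CIDR per line, '#' starts a comment.
"""
import ipaddress

# Constructed sample blocklist (documentation prefixes, not real data):
# includes a comment, an IPv6 range, a malformed line and a duplicate.
SAMPLE_BLOCKLIST = """\
# constructed sample, not real CrowdSec decisions
192.0.2.10
198.51.100.0/24
2001:db8::/32
not-an-ip
203.0.113.7
192.0.2.10
"""


def parse_blocklist(text):
    """Return (networks, rejected_lines).

    networks: de-duplicated ip_network objects in first-seen order.
    rejected_lines: entries that are not a valid address or prefix, so
    a poisoned or truncated download never produces a broken config.
    """
    nets, bad, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            bad.append(line)
            continue
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets, bad


def to_nginx_deny(nets):
    """Emit one `deny <addr>;` line per network.

    Single hosts are written without a /32 or /128 suffix, ranges keep
    their prefix length; both forms are accepted by ngx_http_access_module.
    """
    lines = []
    for net in nets:
        single_host = net.num_addresses == 1
        addr = str(net.network_address) if single_host else net.with_prefixlen
        lines.append(f"deny {addr};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    networks, rejected = parse_blocklist(SAMPLE_BLOCKLIST)
    # Write this to a file and reference it from the server block with
    # `include /path/to/crowdsec-deny.conf;` (path is hypothetical).
    print(to_nginx_deny(networks), end="")
    if rejected:
        print(f"# skipped {len(rejected)} malformed entries: {rejected}")
```

Regenerate the file on a timer and reload nginx afterwards; the rejected list is worth alerting on, since a mirror that suddenly starts returning garbage is either misconfigured or being tampered with.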
Just to spin the issue further, shouldn't the most front-end reverse proxy be responsible for blocking the bad actors?
In this case, Cloudflare should sanitize the traffic before they send it to you?
E.g., Cloudflare crowdsec bouncer?
https://docs.crowdsec.net/u/bouncers/cloudflare/
It should, but the initial Crowdsec Cloudflare Bouncer does not work in "Free mode", and it would appear the Go script they use to update Cloudflare's API is brutally chatty AND Cloudflare "Free mode" gives you a runway of 1 millimeter, it would seem, for API credits.
There is a Worker bouncer, a 2nd form of Crowdsec Cloudflare Bouncer, but I have not figured out how to attempt deployment yet, and it doesn't seem it would work for a "Free mode" account anyway.
Wanting to try to write my own integration via Python and pray...
Relatedly, getting metrics from the OPNsense Bouncer would be a great upgrade!
It's unclear who is responsible to handle this ticket. It sounds like it's for the security/crowdsec maintainer.
cc @mmetc
Caddy will get the client_ip_headers global option:
https://github.com/opnsense/plugins/issues/4517
With that, the real client ip will get parsed from Cloudflare or other CDNs and can then be consumed normally via the HTTP Access Log via the Caddy Crowdsec Collection without needing a bouncer.
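Whether the real client address comes from Caddy's `client_ip_headers` or from a bouncer parsing `X-Forwarded-For` itself, the security-relevant rule is the same: the header may only be believed when the TCP peer is one of the CDN's own addresses, and the client is the rightmost hop that is not a trusted proxy (the leftmost entry is whatever the client chose to send). The following is an added example, not code from Caddy, CrowdSec or the OPNsense plugins; the trusted ranges are constructed documentation prefixes standing in for Cloudflare's published list (https://www.cloudflare.com/ips/), and the request samples are constructed.

```python
"""Resolve the client IP a layer-7 bouncer should act on behind a CDN.

Added example (not Caddy, CrowdSec or OPNsense plugin code). The
trusted-proxy ranges are constructed stand-ins for the CDN's real
published ranges, which would be loaded from that list in practice.
"""
import ipaddress

# Constructed trusted-proxy ranges (documentation prefixes, not Cloudflare's).
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:ff::/48"),
]


def is_trusted(ip, trusted=TRUSTED_PROXIES):
    """True when `ip` (str or ip_address) falls inside a trusted range."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in trusted)


def real_client_ip(peer_ip, xff=None, trusted=TRUSTED_PROXIES):
    """Return the address to evaluate against CrowdSec decisions.

    - Peer not trusted: the peer IS the client. Any X-Forwarded-For it
      sent is ignored, because a direct client can write anything there.
    - Peer trusted: walk X-Forwarded-For from the right, skipping
      trusted hops and malformed entries; the first untrusted address
      is the client. If nothing usable remains, fall back to the peer
      so the caller always has a concrete address to check.
    """
    peer = str(ipaddress.ip_address(peer_ip))
    if not is_trusted(peer, trusted):
        return peer
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # garbage or spoofed token; keep walking left
        if not is_trusted(addr, trusted):
            return str(addr)
    return peer


def should_block(peer_ip, xff, banned_prefixes, trusted=TRUSTED_PROXIES):
    """Decide whether this request's resolved client is in a banned set."""
    client = ipaddress.ip_address(real_client_ip(peer_ip, xff, trusted))
    return any(client in ipaddress.ip_network(p) for p in banned_prefixes)


# Constructed requests: (peer address, X-Forwarded-For header or None).
SAMPLE_REQUESTS = [
    ("203.0.113.5", "198.51.100.20, 192.0.2.1"),      # direct, forged header
    ("198.51.100.20", "192.0.2.77, 198.51.100.9"),    # via CDN, two hops
    ("198.51.100.20", None),                          # via CDN, no header
    ("198.51.100.20", "spoofed, 2001:db8:ff::1"),     # only junk/trusted hops
    ("2001:db8:ff::5", "2001:db8:1::9"),              # IPv6 path
]


def resolve_all(requests=SAMPLE_REQUESTS, trusted=TRUSTED_PROXIES):
    """Map each sample request to the client address a bouncer would use."""
    return [real_client_ip(peer, xff, trusted) for peer, xff in requests]


if __name__ == "__main__":
    for (peer, xff), client in zip(SAMPLE_REQUESTS, resolve_all()):
        print(f"peer={peer:<16} xff={xff!s:<30} -> client={client}")
```

The same shape applies to the `CF-Connecting-IP` header: a single value rather than a list, but still only trustworthy when the peer is in the CDN's ranges. Whatever header is used, the trusted list has to be refreshed from the CDN's published source, since a stale range either lets forged headers through or turns the CDN's own edge addresses into the thing being banned.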
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.