caddy-crowdsec-bouncer icon indicating copy to clipboard operation
caddy-crowdsec-bouncer copied to clipboard

Published 20 hours ago verified publisher icon hslatman

Configuration sample improvements

Open Emeric-hub opened this issue 5 months ago • 4 comments

Hi,

Thks for this amazing works... My firsts tests were successful.

I now wanna go further in my configuration and i think a few more explanations may be needed.

Default configuration is working, as bouncer out of box... but i now wanna add some nice 403 bouncing error pages... and the route http handler required to add the crowdsec call is disabling my default error pges handlers...

If you find some spare time, it'll be nice if tou could provide examples...

I also try to captcha instead of ban ... but doesn't see any difference. Any idea?

Emeric-hub avatar Feb 12 '24 22:02 Emeric-hub

Hey @Emeric-hub,

Captcha support has been on my list of things to look into for a while: https://github.com/hslatman/caddy-crowdsec-bouncer?tab=readme-ov-file#things-that-can-be-done. I haven't had the need myself yet, so I haven't implemented support for it yet. I do have ideas how I want it to work, and I'd like it to be able to use a configurable captcha provider. Which one do you (want to) use?

Sending them to a custom error page sounds like a nice thing. I might incorporate that, as it's currently not supported.

hslatman avatar Feb 13 '24 13:02 hslatman

Yeah, THKS, for the answer ... for now, i just provide error pages on my Caddyfile (which is mainly used as a mutualised proxy) ... but giving banned IP a nice error pages should be a good start ...

Emeric-hub avatar Feb 18 '24 14:02 Emeric-hub

for now, i've got something like this snippet :

(error_handling) { handle_errors { #Error 4XX @401 { expression {http.error.status_code} == 401 } handle @401 { header -server file_server root * /etc/caddy/error-pages rewrite @401 /401.html } @403 { expression {http.error.status_code} == 403 } handle @403 { header -server file_server root * /etc/caddy/error-pages rewrite @403 /403.html } @404 { expression {http.error.status_code} == 404 } handle @404 { header -server file_server root * /etc/caddy/error-pages rewrite @404 /404.html } #Error 5XX @500 { expression {http.error.status_code} == 500 } handle @500 { header -server file_server root * /etc/caddy/error-pages rewrite @500 /500.html } @502 { expression {http.error.status_code} == 502 } handle @502 { header -server file_server root * /etc/caddy/error-pages rewrite @502 /502.html } @503 { expression {http.error.status_code} == 503 } handle @503 { header -server file_server root * /etc/caddy/error-pages rewrite @503 /503.html } handle { respond "{http.error.status_code} {http.error.status_text}"

        }
    }

}

That works for everything i need ... but ban IP just get an empty 403 error page ... So i can't defined it as production ready ...

if i may help on this thread / issue ... i'll be pleased ...

Emeric-hub avatar Feb 18 '24 14:02 Emeric-hub

Hi there,

i was checking about this point ... after having a look at the appsec functionnality crowdsec.

Finally i found, in nginx bouncer, the following parameter... BAN_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/ban.html

I think it's the same need : Adding an extra and optional parameter in the global crowdsec section of the caddyfile configuration.

Because ban to a static pages is just enough to do the job ... and is probably really less complicated than what i provide earlier.

Emeric-hub avatar Feb 28 '24 21:02 Emeric-hub