Commit 00531b2

Improve appsec doc regarding multiple appsec_configs (#707)
* up * specific precedence
1 parent b7e704d commit 00531b2

1 file changed

+46
-2
lines changed
crowdsec-docs/docs/appsec/configuration.md

Lines changed: 46 additions & 2 deletions
@@ -9,14 +9,58 @@ sidebar_position: 6
99
Configuring the AppSec Component usually requires the use of multiple files:
1010

1111
- [AppSec rules](/appsec/rules_syntax.md) allow you to write a signature to detect and/or block malevolent requests. [You can find more information about the syntax here](/appsec/rules_syntax.md)
12-
- [acquisition configuration](/log_processor/data_sources/appsec.md) indicates which port is the AppSec Component listening on, and which AppSec configuration it will use.
12+
- [Acquisition configuration](/log_processor/data_sources/appsec.md) indicates which port is the AppSec Component listening on, and which AppSec configuration it will use.
1313
- AppSec configuration tells which rules are loaded in in-band (blocking) and out-of-band (non-blocking)
1414
phases. [it as well allows you to tweak the behavior of the component via the powerful expr bindings](/appsec/rules_syntax.md)
1515

16+
## Acquisition configuration
17+
18+
## Default configuration
19+
20+
The Acquisition configuration is usually present directly within `/etc/crowdsec/acquis.d/` or `/etc/crowdsec/acquis.yaml`:
21+
22+
> The default AppSec acquisition configuration
23+
```yaml
24+
appsec_config: crowdsecurity/appsec-default
25+
labels:
26+
type: appsec
27+
listen_addr: 127.0.0.1:7422
28+
source: appsec
29+
```
30+
31+
## Creating custom configuration
32+
33+
34+
If you want to add some custom rules or hooks, it is suggested to add a custom `appsec_config`.
35+
Modifying existing `appsec_config` will make it *tainted* and will interfere with future updates.
36+
37+
```yaml title="/etc/crowdsec/acquis.d/appsec.yaml"
38+
appsec_configs:
39+
- crowdsecurity/appsec-default
40+
- custom/my_vpatch_rules
41+
labels:
42+
type: appsec
43+
listen_addr: 127.0.0.1:7422
44+
source: appsec
45+
```
46+
47+
:::info
48+
When loading several app sec configs, _hooks_ and _appsec rules_ are appended, and for conflicting options (e.g., `default_remediation`), the last one takes precedence.
49+
:::
50+
51+
52+
```yaml title="/etc/crowdsec/appsec-configs/my_vpatch_rules.yaml"
53+
name: custom/my_vpatch_rules
54+
default_remediation: ban
55+
inband_rules:
56+
- custom/custom-vpatch-*
57+
#on_match:
58+
#...
59+
```
1660

1761
## Appsec configuration
1862

19-
The AppSec configuration is referenced by the acquisition configuration (`appsec_config` or `appsec_config_path`):
63+
The AppSec configuration is referenced by the acquisition configuration (`appsec_config`, `appsec_configs` or `appsec_config_path`):
2064

2165
> An example AppSec configuration
2266
```yaml
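Review bot: The precedence note at new line 48 ("the last one takes precedence") is never tied to the example around it: in the `appsec_configs` list at new lines 38-40, `custom/my_vpatch_rules` comes last, so its `default_remediation: ban` (new line 54) overrides whatever `crowdsecurity/appsec-default` sets, and reordering the list silently changes the effective remediation. I would state that explicitly in the note and move the `:::info` block after the `my_vpatch_rules.yaml` example so the two YAML files read together. Two smaller points: `## Default configuration` and `## Creating custom configuration` (new lines 18 and 31) sit at the same level as `## Acquisition configuration` (new line 16), which leaves that section empty, so they should be `###`; and "app sec configs" in the note should match the "AppSec" spelling used in the rest of the file.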
