fix traefik doc

sabban · sabban · commit 17a433a0ae27 · 2025-11-20T18:35:09.000+01:00
diff --git a/crowdsec-docs/docs/appsec/quickstart/traefik.mdx b/crowdsec-docs/docs/appsec/quickstart/traefik.mdx
@@ -11,14 +11,17 @@ import TabItem from '@theme/TabItem';
 
 ## Objectives
 
-This quickstart walks you through pairing the CrowdSec [AppSec
-Component](/appsec/intro.md#introduction) with the Traefik reverse proxy across
-three deployment models: a single Docker container, a Docker Compose stack, and
-the official Helm chart on Kubernetes. You'll install the required AppSec
-collections, configure the acquisition endpoint that exposes the inspection
-service, and wire the Traefik plugin so requests are evaluated before reaching
-your applications. We'll finish by pointing you to the Stack health check so you
-can validate the bouncer and AppSec stack end to end.
+The goal of this quickstart is to set up the [AppSec
+Component](/appsec/intro.md#introduction) to safeguard web applications running
+on [Traefik](https://doc.traefik.io/traefik/) reverse proxy. We'll deploy a [set
+of
+rules](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching)
+designed to block [well-known
+attacks](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-generic-rules)
+and [currently exploited
+vulnerabilities](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching).
+Additionally, we'll show how to monitor these alerts through the
+[console](https://app.crowdsec.net/).
 
 ## Pre-requisites
 
@@ -178,51 +181,9 @@ In the directory where you persist configuration files, create an `appsec.yaml`
 
 **Steps**
 
-<<<<<<< HEAD
-Create a file named `appsec.yaml` with the following content  
-
-```yaml title="appsec.yaml"
-appsec_config: crowdsecurity/appsec-desfault
-labels:
-  type: appsec
-listen_addr: 0.0.0.0:7422
-source: appsec
-```
-
-You can either create the file under /etc/crowdsec/acquis.d, following [the
-existing directory structure](/u/getting_started/installation/docker#docker) in
-which case the run command remains unchanged, or you can create the file
-elsewhere and mount it using the following method:
-
-
-```bash
-docker run -d --name crowdsec \
-  -v /etc/crowdsec:/etc/crowdsec \
-  -v /elsewhere/appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml \
-  crowdsecurity/crowdsec
-```
-
-
-Because CrowdSec runs inside a container, set listen_addr to 0.0.0.0 instead of
-127.0.0.1 so it can accept connections from outside the container.
-
-If a crowdsec container is already running, stop/remove it before re-running
-with the updated acquisition.
-
-
-</TabItem>
-
-<TabItem value="dockerCompose">
-
-In the directory where you store CrowdSec configuration files (for example,
-`./crowdsec/acquis.d`, if you’re following the [recommended directory
-structure](/u/getting_started/installation/docker#compose), create a file named
-appsec.yaml and mount it into the container.
-=======
 1. Change to the directory where you ran the `docker run` or `docker compose` command.  
 2. Create a file named `appsec.yaml` in this directory.  
 3. Add the following content:
->>>>>>> 24c582de (add traefik for kubernetes)
 
 ```yaml title="appsec.yaml"
 appsec_config: crowdsecurity/appsec-desfault
@@ -232,12 +193,6 @@ listen_addr: 0.0.0.0:7422
 source: appsec
 ```
 
-<<<<<<< HEAD
-Since CrowdSec runs inside a container, make sure to set listen_addr to 0.0.0.0
-(instead of 127.0.0.1) so it listens on the container’s network interface.
-
-Then, update your Docker Compose service to mount the file:
-=======
 Because CrowdSec runs inside a container, set listen_addr to 0.0.0.0 instead of
 127.0.0.1 so it can accept connections from outside the container.
 
@@ -273,21 +228,12 @@ source: appsec
 Because CrowdSec runs in a container, set listen_addr to 0.0.0.0 (not 127.0.0.1) so it listens on the container’s network interface.
 
 Mount the file in your Compose service:
->>>>>>> 24c582de (add traefik for kubernetes)
 ``` 
 services:
   crowdsec:
     volumes:
-<<<<<<< HEAD
-    - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
-    - logs:/var/log/nginx
-    - crowdsec-db:/var/lib/crowdsec/data/
-    - crowdsec-config:/etc/crowdsec/
-    - ./crowdsec/acquis.d/appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml
-=======
       - /path/to/original:/etc/crowdsec   # or a named volume
       - ./appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml
->>>>>>> 24c582de (add traefik for kubernetes)
 ```
 
 Once you have updated the compose file to include the volume mount and the updated environment variable, you can restart the container.
@@ -408,21 +354,16 @@ spec:
       crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
       crowdsecLapiKey: <shadowed>
       htttTimeoutSeconds: 60
-<<<<<<< HEAD
-=======
       forwardedheaderstrustedips:
         - 10.0.0.0/8
         - 192.168.0.0/16
         - 134.209.137.94
         - 2a03:b0c0:2:f0::f557:a001
->>>>>>> 24c582de (add traefik for kubernetes)
       crowdsecAppsecEnabled: false
       crowdsecAppsecHost: crowdsec:7422
       crowdsecAppsecFailureBlock: true
       crowdsecAppsecUnreachableBlock: true
 ```
-<<<<<<< HEAD
-=======
 
 You can still add some route configuration through
 [IngressRoute](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/http/ingressroute/?utm_source=chatgpt.com)
@@ -433,64 +374,8 @@ and attach the middleware to those routes.
 For more comprehensive documentation on the Traefik Plugin configuration, please
 refer to the [official
 documentation](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin).
->>>>>>> 24c582de (add traefik for kubernetes)
 
-You can still add some route configuration through
-[IngressRoute](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/http/ingressroute)
-and attach the middleware to those routes.
-
-</TabItem>
-</Tabs>
-
-For more comprehensive documentation on the Traefik Plugin configuration, please
-refer to the [official
-documentation](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin).
-
-<details>
-  <summary>The traefik configuration for testing this quickstart guide has been done with the following values.yaml</summary>
-```yaml title="values.yaml"
-deployment:
-  kind: DaemonSet  # run on each node so a sidecar crowdsec can tail Traefik logs
-
-service:
-  type: LoadBalancer  # expose Traefik entrypoints through your cloud LB
-  annotations:
-    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"  # forward client IPs via DigitalOcean proxy protocol
-  spec:
-    externalTrafficPolicy: Local  # keep original source IPs for CrowdSec decisions
-
-# Make Traefik actually write a file that can be parsed
-logs:
-  access:
-    enabled: true  # ensure access logs are produced
-    format: json  # structured logs expected by the bouncer parser
-    fields:
-      defaultMode: keep
-      names:
-        ServiceName: keep  # keep service name for troubleshooting
-  general:
-    level: INFO  # avoid noisy debug output in production 
-    format: json  # align general logs with access log format
-
-# Proxy Protocol needs “enabled”, not only trustedIPs
-additionalArguments:
-  - --accesslog=true  # double-check logging stays on even if values drift
-  - --accesslog.format=json  # enforce JSON formatting at the CLI level
-  - --entrypoints.web.proxyProtocol=true  # enable Proxy Protocol on the HTTP entrypoint
-  - --entrypoints.websecure.proxyProtocol=true  # enable Proxy Protocol on the HTTPS entrypoint
-  - --entrypoints.web.proxyProtocol.trustedIPs=10.0.0.0/8,192.168.0.0/16  # trust proxy headers from your internal ranges
-  - --entrypoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8,192.168.0.0/16  # same trust list for HTTPS
-  - --providers.kubernetesingress  # watch standard Ingress resources
-  - --providers.kubernetescrd  # watch Traefik CRD resources
-
-# Traefik middleware configuration 
-experimental:
-  plugins:
-    crowdsec-bouncer-traefik-plugin:
-      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-      version: "v1.4.5"  # pin plugin release for deterministic behaviour
-```
-</details>
+We can't cover all the possible configurations for Traefik in this guide, so please refer to the [official documentation](https://doc.traefik.io/traefik/) for more information.
 
 ### Directives
 
@@ -516,11 +401,51 @@ If the AppSec Component returns `500` status code should the request be blocked.
 
 If the AppSec Component is unreachable should the request be blocked.
 
-## Validate the stack
+## Testing the AppSec Component + Remediation Component
+
+:::note
+We're assuming the web server is installed on the same machine and is listening on port 80. Please adjust your testing accordingly if this is not the case.
+:::
+
+if you try to access `http://localhost/.env` from a browser, your request will be blocked, resulting in the display of the following HTML page:
+
+![appsec-denied](/img/appsec_denied.png)
+
+We can also look at the metrics from `cscli metrics show appsec` it will display:
+ - the number of requests processed by the AppSec Component
+ - Individual rule matches
+
+ <details>
+  <summary>Example Output</summary>
+
+```bash title="sudo cscli metrics show appsec"
+Appsec Metrics:
+╭─────────────────┬───────────┬─────────╮
+│  Appsec Engine  │ Processed │ Blocked │
+├─────────────────┼───────────┼─────────┤
+│ 127.0.0.1:7422/ │ 2         │ 1       │
+╰─────────────────┴───────────┴─────────╯
+
+Appsec '127.0.0.1:7422/' Rules Metrics:
+╭─────────────────────────────────┬───────────╮
+│             Rule ID             │ Triggered │
+├─────────────────────────────────┼───────────┤
+│ crowdsecurity/vpatch-env-access │ 1         │
+╰─────────────────────────────────┴───────────╯
+```
+
+</details>
+
+### Explanation
+
+What happened in the test that we just did is:
 
-Follow the [Stack health check](/u/getting_started/health_check) to confirm the
-CrowdSec engine, AppSec Component, and Traefik bouncer are working together as
-expected.
+ 1. We did a request (`localhost/.env`) to our local webserver
+ 2. Thanks to the Remediation Component configuration, forwarded the request to `http://127.0.0.1:7422`
+ 3. Our AppSec Component, listening on `http://127.0.0.1:7422` analyzed the request
+ 4. The request matches the [AppSec rule to detect .env access](https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/vpatch-env-access)
+ 5. The AppSec Component thus answered with [HTTP 403](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403) to the Remediation Component, indicating that the request must be blocked
+ 6. The web server then presented us with the default "request blocked" page.
 
  ## Integration with the console
 
@@ -535,5 +460,6 @@ Once done, all your alerts, including the ones generated by the AppSec Component
 You are now running the AppSec Component on your Crowdsec Security Engine, congrats!
 
 As the next steps, you can:
+ - [Explore the hub](https://hub.crowdsec.net) to find more rules for your use case
  - Look at the [Rules syntax](/appsec/rules_syntax.md) and [creation process](/appsec/create_rules.md) to create your own and contribute
- - Learn more about AppSec’s advanced capabilities in [Advanced WAF Deployments](/docs/next/appsec/advanced_deployments/)
+ - Take a look at [the benchmarks](/appsec/benchmark.md)
