Commit 30c42a1

committed
update traefik bouncer kubernetes section
1 parent 8202551 commit 30c42a1

1 file changed

+71
-0
lines changed

crowdsec-docs/unversioned/bouncers/traefik.mdx

Lines changed: 71 additions & 0 deletions
@@ -49,6 +49,77 @@ spec:
4949
crowdsecLapiKey: mysecretkey12345
5050
```
5151
52+
Now, you can install the remediation component:
53+
54+
```bash
55+
kubectl apply -f bouncer-middleware.yaml
56+
```
57+
58+
### Traefik with WAF(appsec) on kubernetes
59+
60+
We supposed you already have working crowdsec values configuration, basically here is the important configuration to put in crowdsec values :
61+
62+
```yaml
63+
config:
64+
config.yaml.local: |
65+
api:
66+
server:
67+
auto_registration:
68+
enabled: true
69+
token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart)
70+
allowed_ranges:
71+
- "127.0.0.1/32"
72+
- "192.168.0.0/16"
73+
- "10.0.0.0/8"
74+
- "172.16.0.0/12"
75+
appsec:
76+
enabled: true
77+
acquisitions:
78+
- source: appsec
79+
listen_addr: "0.0.0.0:7422"
80+
path: /
81+
appsec_configs:
82+
- crowdsecurity/appsec-default
83+
- crowdsecurity/crs
84+
labels:
85+
type: appsec
86+
env:
87+
- name: COLLECTIONS
88+
value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs crowdsecurity/appsec-generic-rules"
89+
lapi:
90+
env:
91+
- name: BOUNCER_KEY_traefik
92+
value: <YOUR-BOUNCER-KEY>
93+
```
94+
95+
If you add this config to crowdsec values, don't forget to `helm upgrade`
96+
97+
Then the configuration for the middleware (bouncer-middleware.yaml) :
98+
99+
```yaml
100+
kind: Middleware
101+
apiVersion: traefik.io/v1alpha1
102+
metadata:
103+
name: bouncer
104+
namespace: traefik
105+
spec:
106+
plugin:
107+
bouncer:
108+
enabled: true
109+
crowdsecMode: stream
110+
crowdsecLapiScheme: http
111+
crowdsecLapiHost: crowdsec-service.default.svc.cluster.local:8080
112+
crowdsecAppsecEnabled: true
113+
crowdsecAppsecHost: crowdsec-appsec-service.default.svc.cluster.local:7422
114+
crowdsecAppsecPath: "/"
115+
crowdsecAppsecFailureBlock: true
116+
crowdsecAppsecUnreachableBlock: true
117+
crowdsecAppsecBodyLimit: 10485760
118+
crowdsecLapiKey: <YOUR-BOUNCER-KEY>
119+
crowdsecLapiPath: "/"
120+
crowdsecLapiTLSInsecureVerify: true
121+
```
122+
52123
You can see all the configuration options in the [bouncer documentation](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin).
53124
You can also refer to a [full traefik and CrowdSec stack on kubernetes](https://raw.githubusercontent.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/main/examples/kubernetes/README.md)
54125
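Review bot: `crowdsecLapiTLSInsecureVerify: true` on new line 120 turns off verification of the LAPI certificate and serves no purpose next to `crowdsecLapiScheme: http` on line 110; anyone who copies this manifest and later switches the scheme to https keeps verification disabled. Suggest dropping the line or setting it to `false`. Also in this hunk: `<YOUR-BOUNCER-KEY>` appears inline both as the `BOUNCER_KEY_traefik` value (line 92) and as `crowdsecLapiKey` (line 118), so a sentence stating that the two values must match, and that the key is better sourced from a Kubernetes Secret than from committed values, would help readers. Minor wording: the heading on line 58 needs a space in "WAF(appsec)" and a capitalised "Kubernetes", and "We supposed you already have" on line 60 should read "We assume you already have".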
