Update Cloudflare worker bouncer docs for metrics (#651)

blotus · web-flow · commit 8f24d8b26b1e · 2024-11-18T14:51:49.000+01:00
diff --git a/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx b/crowdsec-docs/unversioned/bouncers/cloudflare-workers.mdx
@@ -115,7 +115,7 @@ sudo systemctl start crowdsec-cloudflare-worker-bouncer # the Remediation Compon
 
 #### From source
 
-:warning: requires go >= 1.20
+:warning: requires go >= 1.23
 
 ```bash
 git clone https://github.com/crowdsecurity/cs-cloudflare-worker-bouncer
@@ -137,7 +137,15 @@ The Remediation Component does the following:
 1. Create a Cloudflare Worker and a Worker KV per configured account.
 2. Create a Worker Route(s) per configured zone. Any request matching the route would be handled by the worker.
 3. For every matching incoming request, the worker checks whether it's IP, Country and AS have a decision against. It checks for this in it's KV store. If found it performs the corresponding remediation.
-4. The Remediation Component also periodically updates the KV store with the latest decisions from CrowdSec. 
+4. The Remediation Component also periodically updates the KV store with the latest decisions from CrowdSec.
+
+If your Cloudflare token has permission on D1, the remediation component will also automatically create a database to track:
+ - Number of requests processed
+ - Number of requests blocked
+
+Those metrics are exposed through the prometheus endpoint and automatically sent to crowdsec for visualisation with `cscli`.
+
+Metrics are stored in a D1 database to allow for easy retrieval by the remediation component. If your token does not have access to D1, a warning will be logged and metrics will be disabled.
 
 ## Configuration
 
@@ -171,6 +179,13 @@ cloudflare_config:
                 mode: managed # Supported Modes "managed"|"invisible"|"non-interactive"
           token: <CLOUDFLARE_ACCOUNT_TOKEN>
           account_name: owner@example.com
+    worker:
+      log_only: false # If true, allow all requests, but still keep track of what would have been blocked in the metrics
+      script_name: ""
+      logpush: null
+      tags: []
+      compatibility_date: ""
+      compatibility_flags: []
 
 log_level: info
 log_media: "stdout"
@@ -193,7 +208,7 @@ For obtaining the `token`:
 
 1. Sign in as a user who has access to the desired account.
 
-Then click [this link](https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22challenge_widgets%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22user_details%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22workers_kv_storage%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers_routes%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers_scripts%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22zone%22%2C%22type%22%3A%22read%22%7D%2C%20%7B%22key%22%3A%20%22dns%22%2C%20%22type%22%3A%22read%22%7D%5D&name=) and create the token. 
+Then click [this link](https://dash.cloudflare.com/profile/api-tokens?permissionGroupKeys=%5B%7B%22key%22%3A%22account_settings%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22challenge_widgets%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22user_details%22%2C%22type%22%3A%22read%22%7D%2C%7B%22key%22%3A%22workers_kv_storage%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers_routes%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22workers_scripts%22%2C%22type%22%3A%22edit%22%7D%2C%7B%22key%22%3A%22zone%22%2C%22type%22%3A%22read%22%7D%2C%20%7B%22key%22%3A%20%22dns%22%2C%20%22type%22%3A%22read%22%7D%2C%20%7B%22key%22%3A%22d1%22%2C%20%22type%22%3A%22edit%22%7D%5D&name=) and create the token. 
 
 Alternatively, you can go to [Tokens](https://dash.cloudflare.com/profile/api-tokens) and create the token. 
 
@@ -205,6 +220,7 @@ The Remediation Component requires the following permissions to function:
 | Account          | Workers KV Storage | Edit       |
 | Account          | Workers Scripts    | Edit       |
 | Account          | Account Settings   | Read       |
+| Account          | D1                 | Edit       |
 | User             | User Details       | Read       |
 | Zone             | DNS                | Read       |
 | Zone             | Workers Routes     | Edit       |
@@ -463,6 +479,41 @@ Cloudflare account token.
 
 Account name.
 
+#### `worker.log_only`
+> bool
+
+If true, allow all requests but keep track of what would have been blocked in the metrics.
+
+Defaults to `false`
+
+#### `worker.script_name`
+> string
+
+Name to use for the worker script.
+
+Default to `crowdsec-cloudflare-worker-bouncer`.
+
+#### `worker.logpush`
+> bool
+
+Enable logpush for the worker.
+
+Default to no value.
+
+#### `worker.compatibility_date`
+> string
+
+See https://developers.cloudflare.com/workers/configuration/compatibility-dates/.
+
+Default to no value
+
+#### `worker.compatibility_flags`
+> list of strings
+
+See https://developers.cloudflare.com/workers/configuration/compatibility-flags/.
+
+Default to no value.
+
 #### `ban_template_path`
 > string
 
