|
| 1 | +--- |
| 2 | +id: apache_bouncer |
| 3 | +title: Apache Bouncer |
| 4 | +sidebar_position: 2 |
| 5 | +--- |
| 6 | + |
| 7 | +import Tabs from "@theme/Tabs"; |
| 8 | +import TabItem from "@theme/TabItem"; |
| 9 | +import useBaseUrl from "@docusaurus/useBaseUrl"; |
| 10 | + |
| 11 | +<p align="center"> |
| 12 | + <img |
| 13 | + src={useBaseUrl("/img/crowdsec_nginx.svg")} |
| 14 | + alt="CrowdSec" |
| 15 | + title="CrowdSec" |
| 16 | + width="400" |
| 17 | + height="300" |
| 18 | + /> |
| 19 | +</p> |
| 20 | +<p align="center"> |
| 21 | + <img src="https://img.shields.io/badge/build-pass-green" /> |
| 22 | + <img src="https://img.shields.io/badge/tests-pass-green" /> |
| 23 | +</p> |
| 24 | +<p align="center"> |
| 25 | + 📚 <a href="#installation/">Documentation</a> |
| 26 | + 💠 <a href="https://hub.crowdsec.net">Hub</a> |
| 27 | + 💬 <a href="https://discourse.crowdsec.net">Discourse </a> |
| 28 | +</p> |
| 29 | + |
| 30 | +A Remediation Component for Apache. |
| 31 | + |
| 32 | +:::warning |
| 33 | + |
| 34 | +Beta Remediation Component, please report any issues on [GitHub](https://github.com/crowdsecurity/cs-apache2-bouncer/issues) |
| 35 | + |
| 36 | +::: |
| 37 | + |
| 38 | +## How does it work ? |
| 39 | + |
| 40 | +This component leverages Apache's module mecanism to provide IP address blocking capability. |
| 41 | + |
| 42 | +The module supports **Live mode** with a local (in-memory) cache. |
| 43 | + |
| 44 | +At the back, this component uses `mod_proxy`, `mod_ssl` for requests to LAPI, and `mod_socache_` for the caching feature. |
| 45 | + |
| 46 | +## Installation |
| 47 | + |
| 48 | +:::warning |
| 49 | + |
| 50 | +There is not publicly available packages (yet) for this Remediation Component yet. |
| 51 | + |
| 52 | +We are providing ways to build your own while we're working on packaging. |
| 53 | + |
| 54 | +::: |
| 55 | + |
| 56 | + |
| 57 | + |
| 58 | +<Tabs |
| 59 | + defaultValue="nginx_debian" |
| 60 | + values={[ |
| 61 | + { label: 'Debian/Ubuntu', value: 'nginx_debian' ,}, |
| 62 | + { label: 'Others (build from source)', value: 'others' ,}, |
| 63 | + ] |
| 64 | +}> |
| 65 | +<TabItem value="nginx_debian"> |
| 66 | + |
| 67 | +```bash |
| 68 | +dpkg-buildpackage -us -uc |
| 69 | +sudo dpkg -i ../crowdsec-apache2-bouncer_1.0.0_amd64.deb |
| 70 | +``` |
| 71 | + |
| 72 | +</TabItem> |
| 73 | + |
| 74 | +<TabItem value="others"> |
| 75 | + |
| 76 | +```bash |
| 77 | +aclocal |
| 78 | +autoconf |
| 79 | +autoheader |
| 80 | +automake --add-missing |
| 81 | +./configure |
| 82 | +make |
| 83 | +sudo make install |
| 84 | +sudo cp config/mod_crowdsec.* /etc/apache2/mods-available/ |
| 85 | +sudo mkdir -p /etc/crowdsec/bouncers/ |
| 86 | +sudo cp ./config/crowdsec-apache2-bouncer.conf /etc/crowdsec/bouncers/ |
| 87 | +``` |
| 88 | + |
| 89 | +</TabItem> |
| 90 | + |
| 91 | +</Tabs> |
| 92 | + |
| 93 | +### Initial Configuration |
| 94 | + |
| 95 | +Enable the mod_crowdsec module: |
| 96 | + |
| 97 | +```bash |
| 98 | +sudo a2enmod mod_crowdsec |
| 99 | +``` |
| 100 | + |
| 101 | +Generate an API key for the bouncer [1]: |
| 102 | + |
| 103 | +```bash |
| 104 | +sudo cscli bouncers add apache2 |
| 105 | +``` |
| 106 | + |
| 107 | +Remediation Component config's is located in `/etc/crowdsec/bouncers/crowdsec-apache2-bouncer.conf`: |
| 108 | + |
| 109 | +```bash |
| 110 | +## Replace the API key with the newly generated one [1] |
| 111 | +CrowdsecAPIKey this_is_a_bad_password |
| 112 | +... |
| 113 | +``` |
| 114 | + |
| 115 | +:::info |
| 116 | +If needed, edit `CrowdsecURL` (and other parameters) |
| 117 | +::: |
| 118 | + |
| 119 | +```bash |
| 120 | +sudo systemctl restart apache2 |
| 121 | +``` |
| 122 | + |
| 123 | +## Configuration directives |
| 124 | + |
| 125 | +### `Crowdsec` |
| 126 | + |
| 127 | +> on|off |
| 128 | +
|
| 129 | +Enable or disable module globally: |
| 130 | + - `off` (**default**): Module has to be enabled per location. |
| 131 | + - `on`: Module is enabled by default. |
| 132 | + |
| 133 | +Behavior can be overriden in any location. |
| 134 | + |
| 135 | +### `CrowdsecFallback` |
| 136 | + |
| 137 | +> fail|block|allow |
| 138 | +
|
| 139 | +How to respond if the Crowdsec API is not available: |
| 140 | + - `fail` (**default**) returns a 500 Internal Server Error. |
| 141 | + - `block` returns a 302 Redirect (or 429 Too Many Requests if CrowdsecLocation is unset). |
| 142 | + - `allow` will allow the request through. |
| 143 | + |
| 144 | +### `CrowdsecBlockedHTTPCode` |
| 145 | + |
| 146 | +> 500|403|429 |
| 147 | +
|
| 148 | +HTTP code to return when a request is blocked (default is `429`). |
| 149 | + |
| 150 | +### `CrowdsecLocation` |
| 151 | + |
| 152 | +Set to the URL to redirect to when the IP address is banned. As per RFC 7231 may be a path, or a full URL. For example: /sorry.html |
| 153 | + |
| 154 | +### `CrowdsecURL` |
| 155 | + |
| 156 | +Set to the URL of the Crowdsec API. For example: http://localhost:8080. |
| 157 | + |
| 158 | +### `CrowdsecAPIKey` |
| 159 | + |
| 160 | +Set to the API key of the Crowdsec API. Add an API key using 'cscli bouncers add'. |
| 161 | + |
| 162 | +### `CrowdsecCache` |
| 163 | + |
| 164 | +Enable the crowdsec cache. Defaults to 'none'. Options detailed here: https://httpd.apache.org/docs/2.4/socache.html. |
| 165 | + |
| 166 | +### `CrowdsecCacheTimeout` |
| 167 | + |
| 168 | +Set the crowdsec cache timeout. Defaults to 60 seconds. |
| 169 | + |
| 170 | +## Next steps |
| 171 | + |
| 172 | +### Overriding HTTP Response |
| 173 | + |
| 174 | +If you want to return custom HTTP code and/or content, you can use `CrowdsecLocation` and `RewriteRules` : |
| 175 | + |
| 176 | +```bash |
| 177 | +CrowdsecLocation /one/ |
| 178 | +``` |
| 179 | + |
| 180 | +```bash |
| 181 | +<Location /one/> |
| 182 | + Crowdsec off |
| 183 | + RewriteEngine On |
| 184 | + RewriteRule .* - [R=403,L] |
| 185 | + # Require all denied |
| 186 | + ErrorDocument 403 "hell nooo" |
| 187 | +</Location> |
| 188 | + |
| 189 | +``` |
| 190 | + |
| 191 | + |
| 192 | + |
| 193 | + |
0 commit comments