diff --git a/crowdsec-docs/unversioned/bouncers/traefik.mdx b/crowdsec-docs/unversioned/bouncers/traefik.mdx index 085a79b7c..01fbdb599 100644 --- a/crowdsec-docs/unversioned/bouncers/traefik.mdx +++ b/crowdsec-docs/unversioned/bouncers/traefik.mdx 
@@ -49,6 +49,77 @@ spec: crowdsecLapiKey: mysecretkey12345 ``` +Now, you can install the remediation component: + +```bash +kubectl apply -f bouncer-middleware.yaml +``` + +### Traefik with WAF(appsec) on kubernetes + +We supposed you already have working crowdsec values configuration, basically here is the important configuration to put in crowdsec values : + +```yaml +config: + config.yaml.local: | + api: + server: + auto_registration: + enabled: true + token: "${REGISTRATION_TOKEN}" # /!\ Do not modify this variable (auto-generated and handled by the chart) + allowed_ranges: + - "127.0.0.1/32" + - "192.168.0.0/16" + - "10.0.0.0/8" + - "172.16.0.0/12" +appsec: + enabled: true + acquisitions: + - source: appsec + listen_addr: "0.0.0.0:7422" + path: / + appsec_configs: + - crowdsecurity/appsec-default + - crowdsecurity/crs + labels: + type: appsec + env: + - name: COLLECTIONS + value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs crowdsecurity/appsec-generic-rules" +lapi: + env: + - name: BOUNCER_KEY_traefik + value: +``` + +If you add this config to crowdsec values, don't forget to `helm upgrade` + +Then the configuration for the middleware (bouncer-middleware.yaml) : + +```yaml +kind: Middleware +apiVersion: traefik.io/v1alpha1 +metadata: + name: bouncer + namespace: traefik +spec: + plugin: + bouncer: + enabled: true + crowdsecMode: stream + crowdsecLapiScheme: http + crowdsecLapiHost: crowdsec-service.default.svc.cluster.local:8080 + crowdsecAppsecEnabled: true + crowdsecAppsecHost: crowdsec-appsec-service.default.svc.cluster.local:7422 + crowdsecAppsecPath: "/" + crowdsecAppsecFailureBlock: true + crowdsecAppsecUnreachableBlock: true + crowdsecAppsecBodyLimit: 10485760 + crowdsecLapiKey: + crowdsecLapiPath: "/" + crowdsecLapiTLSInsecureVerify: true +``` + You can see all the configuration options in the [bouncer documentation](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin). 
You can also refer to a [full traefik and CrowdSec stack on kubernetes](https://raw.githubusercontent.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/main/examples/kubernetes/README.md) @@ -57,3 +128,29 @@ Now, you can install the remediation component: ```bash kubectl apply -f bouncer-middleware.yaml ``` + +### Treafik Behind an Upstream Proxy or Load Balancer + +When Traefik operates behind another proxy (such as a load balancer, CDN, etc ...), the source IP seen by Traefik may be the wrong one instead of the real client. +To ensure Crowdsec applies decisions correctly based on the real client IP, it's crucial to properly forward and trust headers. + +First you configure Treafik to trust the upstream forwarded headers. Traefik has [`forwardedHeaders.trustedIPs`](https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers) and [`proxyProtocol.trustedIPs`](https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers) directives. + + +Then, you need to configure the middleware to trust as well the IP: + +```yaml +spec: + plugin: + bouncer: + forwardedheaderstrustedips: +``` + +When using `proxyProtocol.trustedIPs` Traefik replaces `X-Real-Ip`, you can also add : + +```yaml +spec: + plugin: + bouncer: + forwardedHeadersCustomName: X-Real-Ip +``` \ No newline at end of file
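Review bot: In the first hunk (@@ -49,6 +49,77 @@) the "Now, you can install the remediation component" / `kubectl apply -f bouncer-middleware.yaml` lines are added before the new appsec section, while the second hunk's context shows the identical lines still present at the old position (-57), so the rendered page will carry the same install step twice, and the second copy sits after the "You can see all the configuration options" paragraph rather than directly after the appsec middleware it is meant to apply. Either drop the original copy or close the appsec section with its own apply step. Two more points in the same hunk: the `BOUNCER_KEY_traefik` `value:` and the middleware `crowdsecLapiKey:` are left empty, which is not valid for a reader who copies the snippet; use an explicit placeholder such as `value: "<your-bouncer-key>"` and state that both must match. And `crowdsecLapiTLSInsecureVerify: true` is set alongside `crowdsecLapiScheme: http`, so it has no effect there but will silently disable certificate verification if a reader later switches the scheme to `https`; drop it from the example or add a sentence explaining when it is needed. Minor wording: "We supposed you already have working crowdsec values configuration, basically here is the important configuration to put in crowdsec values :" reads better as "This assumes you already have a working CrowdSec values file; the relevant settings to add are:", and the heading "### Traefik with WAF(appsec) on kubernetes" should be "### Traefik with WAF (AppSec) on Kubernetes" to match the capitalisation used elsewhere in the docs. Since `allowed_ranges` covers all RFC 1918 space, it may also be worth a sentence noting that any pod in those ranges can use the auto-registration token, so readers should narrow the list to their cluster's pod/service CIDRs where possible.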
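Review bot: In the second hunk (@@ -57,3 +128,29 @@) the new heading and the first sentence of the procedure both misspell the product name ("### Treafik Behind an Upstream Proxy or Load Balancer", "First you configure Treafik to trust"); it should be "Traefik" in both places. Both doc links point at the same `#forwarded-headers` anchor, but the second one is for `proxyProtocol.trustedIPs`, which is documented under the PROXY protocol section of the entrypoints page, so the second link target should be corrected. The middleware keys are written inconsistently: `forwardedheaderstrustedips:` is all lower-case while the next snippet uses `forwardedHeadersCustomName:`; pick one form (the plugin's documented casing) and give `forwardedheaderstrustedips` a non-empty example value, for instance a list item such as `- 10.0.0.0/8`, since an empty key is ambiguous to the reader. The sentence "When using `proxyProtocol.trustedIPs` Traefik replaces `X-Real-Ip`, you can also add :" should say explicitly which header the plugin should read and why (Traefik overwrites `X-Real-Ip` with the PROXY-protocol source address, so the plugin must be told to use that header instead of `X-Forwarded-For`). Finally, "etc ..." should be "etc.)" and the file should end with a trailing newline ("\ No newline at end of file").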