docker-compose.proxy-test.yaml
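# Proxy test stack: nginx (upstream proxy) in front of HAProxy, with the
# CrowdSec SPOA bouncer and a CrowdSec engine loading AppSec collections.
# Request routing lives in the mounted config files, which are not shown here.
# NOTE(review): presumably this exercises client-IP handling behind a proxy;
# confirm the bouncer only trusts forwarded headers set by the nginx hop.
#
# Images tagged `latest` / `alpine` are floating tags: test results can change
# between runs without any change to this file. Pin a version or digest where
# reproducibility matters (haproxy is already pinned).
services:
  spoa:
    # `image` and `build` together: Compose tags the locally built image with
    # this name.
    image: crowdsecurity/crowdsec-spoa:latest
    build:
      context: .
      dockerfile: Dockerfile
    depends_on:
      - crowdsec
    volumes:
      # sockets, templates and lua are shared with the haproxy service, so
      # both containers can read and write whatever is placed on them.
      - sockets:/run/
      - templates:/var/lib/crowdsec-haproxy-spoa-bouncer/html/
      - lua:/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
      - geodb:/var/lib/crowdsec/data/
      # Bouncer configuration override.
      # NOTE(review): presumably carries the same API key as
      # BOUNCER_KEY_SPOA below; confirm and keep the two in sync.
      - ./config/crowdsec-spoa-bouncer.yaml.local:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml.local
    networks:
      crowdsec:
        # Fixed address inside the 10.5.5.0/24 test subnet defined below.
        ipv4_address: 10.5.5.254
    deploy:
      resources:
        limits:
          cpus: "4.0"
          memory: 250M

  # Backend service; no published ports, reachable only on the crowdsec network.
  whoami:
    image: traefik/whoami:latest
    networks:
      - crowdsec
    command:
      - --port=2020

  haproxy:
    image: haproxy:2.9.7-alpine
    volumes:
      # Configuration is mounted read-only, matching the nginx service: the
      # proxy only needs to read these files.
      - ./config/haproxy-upstreamproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
      - ./config/crowdsec.cfg:/etc/haproxy/crowdsec.cfg:ro
      - sockets:/run/
      - templates:/var/lib/crowdsec-haproxy-spoa-bouncer/html/
      - lua:/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
    # HAProxy is now only accessible via nginx (not exposed directly)
    depends_on:
      - crowdsec
      - spoa
      - whoami
    networks:
      - crowdsec

  # Nginx acting as upstream proxy (like Cloudflare)
  nginx:
    image: nginx:alpine
    volumes:
      - ./config/nginx-proxy.conf:/etc/nginx/nginx.conf:ro
    ports:
      # Only published port in the stack. This form binds on all host
      # interfaces; use "127.0.0.1:9090:80" if the test is only driven from
      # the local machine.
      - "9090:80"
    depends_on:
      - haproxy
    networks:
      - crowdsec

  crowdsec:
    image: crowdsecurity/crowdsec:latest
    environment:
      # Test-only bouncer API key committed in cleartext. Never reuse it
      # outside this stack; for any shared or long-lived environment inject
      # the key from the environment or a secret store instead.
      - BOUNCER_KEY_SPOA=+4iYgItcalc9+0tWrvrj9R6Wded/W1IRwRtNmcWR9Ws
      # The engine runs without the online (central) API in this test setup.
      - DISABLE_ONLINE_API=true
      # No database volume is mounted, so engine state is not persisted.
      - CROWDSEC_BYPASS_DB_VOLUME_CHECK=true
      - COLLECTIONS=crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
    volumes:
      - geodb:/staging/var/lib/crowdsec/data/
      - ./docker/crowdsec/acquisitions/appsec.yaml:/etc/crowdsec/acquis.d/appsec.yaml
    networks:
      - crowdsec

volumes:
  lua:
    driver: local
  sockets:
    driver: local
  templates:
    driver: local
  geodb:
    driver: local

networks:
  crowdsec:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: "10.5.5.0/24"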