Merge main into feature/add-spoa-duration-metrics

Resolved conflicts in pkg/spoa/root.go:
- Adopted new dropmorepackets/haproxy-go SPOP library from main
- Re-applied duration metrics instrumentation:
  - CaptchaValidationDuration: timing captcha validation calls
  - GeoLookupDuration: timing geo database lookups
  - IPCheckDuration: already instrumented in dataset.CheckIP()

Author: LaurenceJJones

Dockerfile

@@ -4,43 +4,53 @@ FROM golang:${GOVERSION}-alpine AS build
 
 WORKDIR /go/src/cs-spoa-bouncer
 
-RUN apk add --update --no-cache make git
+RUN apk add --update --no-cache make git ca-certificates
 COPY . .
 
 RUN make build DOCKER_BUILD=1
 
-FROM alpine:latest
-COPY --from=build /go/src/cs-spoa-bouncer/crowdsec-spoa-bouncer /usr/local/bin/crowdsec-spoa-bouncer
-COPY --from=build /go/src/cs-spoa-bouncer/config/crowdsec-spoa-bouncer.yaml /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml
-COPY --from=build /go/src/cs-spoa-bouncer/docker/docker_start.sh /docker_start.sh
+# Create directory structure for scratch image (with .keep files so COPY works)
+RUN mkdir -p /run/crowdsec-spoa /var/log/crowdsec-spoa && \
+    touch /run/crowdsec-spoa/.keep /var/log/crowdsec-spoa/.keep
 
-# Set permissions for config file and binary
-RUN chmod 644 /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml && \
-    chmod 755 /usr/local/bin/crowdsec-spoa-bouncer
+# Final minimal image
+FROM scratch
 
-## Add the same haproxy user as the official haproxy image
-RUN addgroup -g 99 -S haproxy && adduser -S -D -H -u 99 -h /var/lib/haproxy -s /sbin/nologin -G haproxy -g haproxy haproxy
-## Add worker user
-RUN addgroup -S crowdsec-spoa && adduser -S -D -H -s /sbin/nologin -g crowdsec-spoa crowdsec-spoa
+# Default environment variables (can be overridden at runtime)
+ENV LOG_MODE=stdout \
+    LOG_LEVEL=info \
+    CROWDSEC_URL=http://crowdsec:8080/ \
+    UPDATE_FREQUENCY=10s \
+    INSECURE_SKIP_VERIFY=false \
+    LISTEN_TCP=0.0.0.0:9000 \
+    PROMETHEUS_ENABLED=true \
+    PROMETHEUS_ADDR=0.0.0.0 \
+    PROMETHEUS_PORT=6060
 
-## Create a socket for the spoa to inherit crowdsec-spoa:haproxy user from official haproxy image
-RUN mkdir -p /run/crowdsec-spoa/ && chown crowdsec-spoa:haproxy /run/crowdsec-spoa/ && chmod 770 /run/crowdsec-spoa/
+# Copy CA certificates for HTTPS connections to LAPI
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
-## Copy Lua files (matching Debian/RPM paths)
-RUN mkdir -p /usr/lib/crowdsec-haproxy-spoa-bouncer/lua
-COPY --from=build /go/src/cs-spoa-bouncer/lua/* /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
+# Copy the static binary
+COPY --from=build /go/src/cs-spoa-bouncer/crowdsec-spoa-bouncer /crowdsec-spoa-bouncer
 
-## Copy templates (matching Debian/RPM paths)
-RUN mkdir -p /var/lib/crowdsec-haproxy-spoa-bouncer/html
-COPY --from=build /go/src/cs-spoa-bouncer/templates/* /var/lib/crowdsec-haproxy-spoa-bouncer/html/
+# Copy Docker-optimized config file
+COPY --from=build /go/src/cs-spoa-bouncer/config/crowdsec-spoa-bouncer.docker.yaml /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml
 
-RUN chown -R root:haproxy /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html
+# Copy Lua files for HAProxy integration
+COPY --from=build /go/src/cs-spoa-bouncer/lua/ /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
 
-VOLUME [ "/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/", "/var/lib/crowdsec-haproxy-spoa-bouncer/html/" ]
+# Copy HTML templates for ban/captcha pages
+COPY --from=build /go/src/cs-spoa-bouncer/templates/ /var/lib/crowdsec-haproxy-spoa-bouncer/html/
 
-RUN chmod +x /docker_start.sh
+# Copy runtime directories (required for Unix socket and logs)
+COPY --from=build /run/crowdsec-spoa/ /run/crowdsec-spoa/
+COPY --from=build /var/log/crowdsec-spoa/ /var/log/crowdsec-spoa/
 
-# Run as user
-USER crowdsec-spoa
+# Declare volumes for customizable content
+VOLUME /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
+VOLUME /var/lib/crowdsec-haproxy-spoa-bouncer/html/
 
-ENTRYPOINT ["/docker_start.sh"]
+EXPOSE 9000 6060
+
+ENTRYPOINT ["/crowdsec-spoa-bouncer"]
+CMD ["-c", "/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml"]

Vagrantfile

@@ -0,0 +1,156 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  config.vm.define "dev" do |vm|
+    vm.vm.box = "debian/bookworm64"
+    vm.vm.hostname = "crowdsec-spoa-test"
+    vm.vm.network "private_network", ip: "192.168.56.10"
+    vm.vm.network "forwarded_port", guest: 9090, host: 9090
+
+    vm.vm.provider "libvirt" do |lv|
+      lv.memory = "4096"
+      lv.cpus = 2
+    end
+
+    vm.vm.synced_folder ".", "/vagrant", type: "rsync", rsync__exclude: [".git/", "node_modules/", "*.log"]
+
+    vm.vm.provision "shell", inline: <<-SHELL
+      set -e
+
+      # Update system and install base packages
+      apt-get update && apt-get upgrade -y
+      apt-get install -y tcpdump vim curl wget git build-essential ca-certificates \
+        gnupg lsb-release apt-transport-https software-properties-common nginx unzip
+
+      # Install HAProxy 3.1
+      curl -fsSL https://haproxy.debian.net/haproxy-archive-keyring.gpg \
+        --create-dirs --output /etc/apt/keyrings/haproxy-archive-keyring.gpg
+      echo "deb [signed-by=/etc/apt/keyrings/haproxy-archive-keyring.gpg]" \
+        https://haproxy.debian.net bookworm-backports-3.1 main > /etc/apt/sources.list.d/haproxy.list
+      apt-get update && apt-get install -y haproxy=3.1.*
+
+      # Install Go 1.25.2
+      GO_VERSION="1.25.2"
+      wget -qO- "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" | tar -xzC /usr/local
+      echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
+      echo 'export PATH=$PATH:/usr/local/go/bin' >> /home/vagrant/.bashrc
+
+      # Install CrowdSec
+      curl -s https://install.crowdsec.net | sh
+      apt-get install -y crowdsec
+
+      # Install Nuclei for AppSec testing
+      NUCLEI_VERSION="3.1.7"
+      wget -qO /tmp/nuclei.zip "https://github.com/projectdiscovery/nuclei/releases/download/v${NUCLEI_VERSION}/nuclei_${NUCLEI_VERSION}_linux_amd64.zip"
+      unzip -q /tmp/nuclei.zip -d /tmp && mv /tmp/nuclei /usr/local/bin/nuclei && chmod +x /usr/local/bin/nuclei
+      rm -f /tmp/nuclei.zip
+      nuclei -update-templates -silent 2>/dev/null || true
+
+      # Clone CrowdSec Hub
+      git clone -q https://github.com/crowdsecurity/hub.git /opt/hub || true
+
+      # Create user and directories
+      groupadd -r crowdsec-spoa 2>/dev/null || true
+      useradd -r -g crowdsec-spoa -d /opt/crowdsec-spoa-bouncer -s /bin/false crowdsec-spoa 2>/dev/null || true
+      mkdir -p /opt/crowdsec-spoa-bouncer /etc/crowdsec/bouncers /var/log/crowdsec-spoa-bouncer \
+        /run/crowdsec-spoa /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html
+      chown -R crowdsec-spoa:crowdsec-spoa /opt/crowdsec-spoa-bouncer /var/log/crowdsec-spoa-bouncer /run/crowdsec-spoa
+
+      # Copy Lua scripts and templates
+      mkdir -p /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html
+      cp /vagrant/lua/*.lua /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/ 2>/dev/null || true
+      cp /vagrant/templates/*.html /var/lib/crowdsec-haproxy-spoa-bouncer/html/ 2>/dev/null || true
+      chmod 644 /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/*.lua 2>/dev/null || true
+      chmod 644 /var/lib/crowdsec-haproxy-spoa-bouncer/html/*.html 2>/dev/null || true
+
+      # Configure nginx
+      cat > /etc/nginx/sites-available/default << 'EOF'
+server {
+    listen 4444 default_server;
+    listen [::]:4444 default_server;
+
+    root /var/www/html;
+    index index.html index.htm index.nginx-debian.html;
+
+    server_name _;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+}
+EOF
+
+      # Copy and configure HAProxy
+      cp /vagrant/config/haproxy.cfg /etc/haproxy/haproxy.cfg 2>/dev/null || true
+      cp /vagrant/config/crowdsec.cfg /etc/haproxy/crowdsec.cfg 2>/dev/null || true
+      # Update server addresses and remove the second SPOA server (port 9001 doesn't exist)
+      sed -i 's/whoami:2020/127.0.0.1:4444/g; s/spoa:9000/127.0.0.1:9000/g; /server s3 spoa:9001/d' \
+        /etc/haproxy/haproxy.cfg 2>/dev/null || true
+      # Increase SPOA processing timeout to accommodate AppSec calls (AppSec has 5s timeout)
+      sed -i 's/timeout\s\+processing\s\+500ms/timeout     processing      6s/' \
+        /etc/haproxy/crowdsec.cfg 2>/dev/null || true
+
+      # Copy and configure bouncer
+      cp /vagrant/config/crowdsec-spoa-bouncer.yaml.local /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml 2>/dev/null || true
+      # Update URLs (match with or without trailing slash) and API key
+      sed -i 's|http://crowdsec:8080|http://127.0.0.1:8080|g; s|http://crowdsec:7422|http://127.0.0.1:4241|g; s|api_key:.*|api_key: this_is_a_bad_password|g' \
+        /etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml 2>/dev/null || true
+
+      # Configure AppSec before starting CrowdSec
+      # Install AppSec collections first
+      cscli collections install crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules || true
+      
+      # Configure AppSec acquisition
+      mkdir -p /etc/crowdsec/acquis.d
+      cat > /etc/crowdsec/acquis.d/appsec.yaml << 'EOF'
+appsec_config: crowdsecurity/appsec-default
+labels:
+  type: appsec
+listen_addr: 0.0.0.0:4241
+source: appsec
+EOF
+
+      # Now start all services with CrowdSec properly configured
+      systemctl enable --now nginx haproxy crowdsec
+      sleep 5
+      cscli bouncers add crowdsec-spoa-bouncer --key this_is_a_bad_password 2>/dev/null || true
+    SHELL
+
+    vm.vm.provision "shell", run: "always", inline: <<-SHELL
+      set -e
+      export PATH=$PATH:/usr/local/go/bin
+
+      # Build SPOA bouncer
+      if [ -f "/vagrant/main.go" ]; then
+        cd /vagrant
+        if go build -ldflags="-s -w" -o /opt/crowdsec-spoa-bouncer/crowdsec-spoa-bouncer .; then
+          chown crowdsec-spoa:crowdsec-spoa /opt/crowdsec-spoa-bouncer/crowdsec-spoa-bouncer
+          chmod +x /opt/crowdsec-spoa-bouncer/crowdsec-spoa-bouncer
+
+          # Install systemd service
+          cp /vagrant/config/crowdsec-spoa-bouncer.service /etc/systemd/system/crowdsec-spoa-bouncer.service
+          sed -i 's|${BIN}|/opt/crowdsec-spoa-bouncer/crowdsec-spoa-bouncer|g; s|${CFG}|/etc/crowdsec/bouncers|g' \
+            /etc/systemd/system/crowdsec-spoa-bouncer.service
+          sed -i 's|Type=notify|Type=simple|g; /ExecStartPre=/d' \
+            /etc/systemd/system/crowdsec-spoa-bouncer.service
+
+          systemctl daemon-reload
+          systemctl enable --now crowdsec-spoa-bouncer
+        fi
+      fi
+
+      # Restart services in order
+      systemctl restart nginx
+      sleep 2
+      systemctl restart crowdsec-spoa-bouncer 2>/dev/null || true
+      sleep 3
+      systemctl restart haproxy
+
+      # Verify services
+      for svc in nginx crowdsec-spoa-bouncer haproxy; do
+        systemctl is-active --quiet $svc && echo "✅ $svc: running" || echo "❌ $svc: failed"
+      done
+    SHELL
+  end
+end

cmd/root.go

@@ -19,6 +19,7 @@ import (
 	"github.com/spf13/pflag"
 	"golang.org/x/sync/errgroup"
 
+	"github.com/crowdsecurity/crowdsec-spoa/internal/appsec"
 	"github.com/crowdsecurity/crowdsec-spoa/internal/session"
 	"github.com/crowdsecurity/crowdsec-spoa/pkg/cfg"
 	"github.com/crowdsecurity/crowdsec-spoa/pkg/dataset"
@@ -132,16 +133,36 @@ func Execute() error {
 	)
 
 	if config.PrometheusConfig.Enabled {
-		go func() {
-			http.Handle("/metrics", promhttp.Handler())
+		promMux := http.NewServeMux()
+		promMux.Handle("/metrics", promhttp.Handler())
 
-			listenOn := net.JoinHostPort(
-				config.PrometheusConfig.ListenAddress,
-				config.PrometheusConfig.ListenPort,
-			)
+		listenOn := net.JoinHostPort(
+			config.PrometheusConfig.ListenAddress,
+			config.PrometheusConfig.ListenPort,
+		)
+
+		promServer := &http.Server{
+			Addr:    listenOn,
+			Handler: promMux,
+		}
+
+		g.Go(func() error {
 			log.Infof("Serving metrics at %s", listenOn+"/metrics")
-			log.Error(http.ListenAndServe(listenOn, nil))
-		}()
+			if err := promServer.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
+				return fmt.Errorf("prometheus server error: %w", err)
+			}
+			return nil
+		})
+
+		g.Go(func() error {
+			<-ctx.Done()
+			log.Info("Shutting down prometheus server...")
+			// Use background context since parent ctx is already canceled
+			shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer cancel()
+			//nolint:contextcheck // parent ctx is canceled, need fresh context for shutdown
+			return promServer.Shutdown(shutdownCtx)
+		})
 	}
 
 	// pprof debug endpoint for runtime profiling (memory, CPU, goroutines)
@@ -211,6 +232,20 @@ func Execute() error {
 	hostManagerLogger := log.WithField("component", "host_manager")
 	HostManager := host.NewManager(hostManagerLogger)
 
+	// Create and initialize global AppSec (for use when no host is matched or as fallback)
+	var globalAppSec *appsec.AppSec
+	if config.AppSecURL != "" {
+		globalAppSec = &appsec.AppSec{
+			URL:     config.AppSecURL,
+			APIKey:  config.APIKey,
+			Timeout: config.AppSecTimeout,
+		}
+		appSecLogger := log.WithField("component", "global_appsec")
+		if err := globalAppSec.Init(appSecLogger); err != nil {
+			return fmt.Errorf("failed to initialize global AppSec: %w", err)
+		}
+	}
+
 	// Create and initialize global session manager (single GC goroutine for all hosts)
 	globalSessions := &session.Sessions{
 		SessionIdleTimeout:    "1h", // Default values
@@ -242,6 +277,7 @@ func Execute() error {
 		HostManager:    HostManager,
 		GeoDatabase:    &config.Geo,
 		GlobalSessions: globalSessions,
+		GlobalAppSec:   globalAppSec,
 		Logger:         spoaLogger,
 	}
 

config/crowdsec-spoa-bouncer.docker.yaml

@@ -0,0 +1,39 @@
+## Docker-optimized configuration for CrowdSec SPOA Bouncer
+## Environment variables can override settings: ${VAR_NAME}
+## If a variable is not set, the default value is used.
+
+## Log configuration
+## stdout is recommended for Docker (use `docker logs` to view)
+log_mode: ${LOG_MODE}
+log_level: ${LOG_LEVEL}
+
+## LAPI configuration
+api_url: ${CROWDSEC_URL}
+api_key: ${CROWDSEC_KEY}
+update_frequency: ${UPDATE_FREQUENCY}
+insecure_skip_verify: ${INSECURE_SKIP_VERIFY}
+
+## SPOA listener configuration
+listen_tcp: ${LISTEN_TCP}
+#listen_unix: ${LISTEN_UNIX}
+
+## GeoIP databases (optional, mount as volumes)
+#asn_database_path: /var/lib/crowdsec/data/GeoLite2-ASN.mmdb
+#city_database_path: /var/lib/crowdsec/data/GeoLite2-City.mmdb
+
+## Global AppSec configuration (optional)
+#appsec_url: ${APPSEC_URL}
+#appsec_timeout: ${APPSEC_TIMEOUT}
+
+## Prometheus metrics endpoint
+prometheus:
+  enabled: ${PROMETHEUS_ENABLED}
+  listen_addr: ${PROMETHEUS_ADDR}
+  listen_port: ${PROMETHEUS_PORT}
+
+## pprof debug endpoint (disabled by default)
+## WARNING: Only enable for debugging, exposes internal runtime data
+#pprof:
+#  enabled: false
+#  listen_addr: 0.0.0.0
+#  listen_port: 6070