Skip to content

Commit a8aee60

Browse files
thespadthespad
committed
Update readme with lua/http2 issue notes
1 parent 98be3e4 commit a8aee60

File tree

1 file changed

+26
-2
lines changed

1 file changed

+26
-2
lines changed

README.md

Lines changed: 26 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,8 +4,10 @@
44

55
Make sure that the line below, under virtual hosts, is in your nginx.conf, otherwise crowdsec-bouncer will not work. More information here https://info.linuxserver.io/issues/2022-08-20-nginx-base/
66

7-
# Includes virtual hosts configs.
8-
include /etc/nginx/http.d/*.conf;
7+
```nginx
8+
# Includes virtual hosts configs.
9+
include /etc/nginx/http.d/*.conf;
10+
```
911

1012
This mod adds the [CrowdSec](https://crowdsec.net) [nginx bouncer](https://github.com/crowdsecurity/cs-nginx-bouncer/) to SWAG, to be installed/updated during container start.
1113

@@ -39,6 +41,28 @@ Set the following environment variables on your SWAG container.
3941

4042
The variables need to remain in place while you are using the mod. If you remove **required** variables the bouncer will be disabled the next time you recreate the container, if you remove **optional** variables the associated features will be disabled the next time you recreate the container.
4143

44+
### Captcha & AppSec Limitations
45+
46+
Due to limitations in the nginx Lua module, if you enable Captcha or AppSec support in the bouncer you cannot safely use http/2 for any of your services. By default Swag ships with http/2 enabled, and so this will need to be changed in any and all active proxy confs as well as the default.conf. For example, in the [subdomain template conf](https://github.com/linuxserver/reverse-proxy-confs/blob/master/_template.subdomain.conf.sample#L9-L10) you would replace
47+
48+
```nginx
49+
server {
50+
listen 443 ssl http2;
51+
listen [::]:443 ssl http2;
52+
```
53+
54+
with
55+
56+
```nginx
57+
server {
58+
listen 443 ssl;
59+
listen [::]:443 ssl;
60+
```
61+
62+
You can automate this using something like `find /path/to/swag/config/nginx -name "*.conf" -type f -exec sed -i -E 's/^(\s+listen.*)http2(.*)/\1\2/g' {} \;`
63+
64+
If you are not using Captcha or AppSec components make sure to omit or leave blank the related environment variables to avoid causing unnecessary issues.
65+
4266
### reCAPTCHA Support Notes
4367

4468
If you're using the reCAPTCHA capability and you're running in an IPv4-only environment then you need to edit your `/config/nginx/resolver.conf` and add `ipv6=off` to the end of the `resolver` statement otherwise the bouncer will attempt to contact the reCAPTCHA endpoint over IPv6 and fail.

0 commit comments

Comments
 (0)