init work on cs update for live/stream modes

bunkerity · Jan 5, 2024 · 0aa4fb6 · 0aa4fb6
1 parent fef6717
commit 0aa4fb6
Show file tree

Hide file tree

Showing 24 changed files with 1,101 additions and 380 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -22,7 +22,7 @@ jobs:
       - name: Get BW tag
         run: |
           if [ "$GITHUB_REF" = "refs/heads/main" ] ; then
-            echo "BW_TAG=1.5.3" >> $GITHUB_ENV
+            echo "BW_TAG=1.5.5" >> $GITHUB_ENV
           else
             echo "BW_TAG=dev" >> $GITHUB_ENV
           fi
@@ -42,14 +42,17 @@ jobs:
       - name: Run Coraza tests
         run: ./.tests/coraza.sh
 
-      - name: Run CrowdSec tests
-        run: ./.tests/crowdsec.sh
+      - name: Run CrowdSec live tests
+        run: ./.tests/crowdsec.sh live
+
+      - name: Run CrowdSec stream tests
+        run: ./.tests/crowdsec.sh stream
 
       - name: Run VirusTotal tests
         run: ./.tests/virustotal.sh
         env:
           VIRUSTOTAL_API_KEY: ${{ secrets.VIRUSTOTAL_API_KEY }}
 
       - name: Build and push APIs
-        if: env.BW_TAG == '1.5.3'
+        if: env.BW_TAG == '1.5.5'
         run: ./.tests/build-push.sh "${{ env.BW_TAG }}"
diff --git a/.tests/clamav/docker-compose.yml b/.tests/clamav/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
 
 services:
   bunkerweb:
-    image: bunkerity/bunkerweb:1.5.3
+    image: bunkerity/bunkerweb:1.5.5
     ports:
       - 80:8080
       - 443:8443
@@ -27,7 +27,7 @@ services:
       - bw-services
 
   bw-scheduler:
-    image: bunkerity/bunkerweb-scheduler:1.5.3
+    image: bunkerity/bunkerweb-scheduler:1.5.5
     depends_on:
       - bunkerweb
       - bw-docker

diff --git a/.tests/coraza/docker-compose.yml b/.tests/coraza/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
 
 services:
   bunkerweb:
-    image: bunkerity/bunkerweb:1.5.3
+    image: bunkerity/bunkerweb:1.5.5
     ports:
       - 80:8080
       - 443:8443
@@ -26,7 +26,7 @@ services:
       - bw-services
 
   bw-scheduler:
-    image: bunkerity/bunkerweb-scheduler:1.5.3
+    image: bunkerity/bunkerweb-scheduler:1.5.5
     depends_on:
       - bunkerweb
       - bw-docker

diff --git a/.tests/crowdsec.sh b/.tests/crowdsec.sh
@@ -3,7 +3,7 @@
 # shellcheck disable=SC1091
 . .tests/utils.sh
 
-echo "ℹ️ Starting CrowdSec tests ..."
+echo "ℹ️ Starting CrowdSec $1 tests ..."
 
 # Create working directory
 if [ -d /tmp/bunkerweb-plugins ] ; then
@@ -19,6 +19,7 @@ do_and_check_cmd cp .tests/crowdsec/docker-compose.yml /tmp/bunkerweb-plugins/cr
 # Edit compose
 do_and_check_cmd sed -i "s@bunkerity/bunkerweb:.*\$@bunkerweb:tests@g" /tmp/bunkerweb-plugins/crowdsec/docker-compose.yml
 do_and_check_cmd sed -i "s@bunkerity/bunkerweb-scheduler:.*\$@bunkerweb-scheduler:tests@g" /tmp/bunkerweb-plugins/crowdsec/docker-compose.yml
+do_and_check_cmd sed -i "s@CROWSEC_MODE=.*\$@CROWDSEC_MODE=$1@g" /tmp/bunkerweb-plugins/crowdsec/docker-compose.yml
 
 # Copy configs
 do_and_check_cmd cp .tests/crowdsec/acquis.yaml /tmp/bunkerweb-plugins/crowdsec
@@ -62,6 +63,11 @@ echo "ℹ️ Executing dirb ..."
 do_and_check_cmd sudo apt install -y dirb
 dirb http://localhost -H "Host: www.example.com" -H "User-Agent: LegitOne" > /dev/null 2>&1
 
+# Wait if are in stream mode
+if [ "$1" == "stream" ] ; then
+	sleep 20
+fi
+
 # Expect a 403
 echo "ℹ️ Checking CS ..."
 success="ko"

diff --git a/.tests/crowdsec/docker-compose.yml b/.tests/crowdsec/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
 
 services:
   bunkerweb:
-    image: bunkerity/bunkerweb:1.5.3
+    image: bunkerity/bunkerweb:1.5.5
     ports:
       - 80:8080
       - 443:8443
@@ -14,6 +14,7 @@ services:
       - USE_CROWDSEC=yes
       - CROWDSEC_API=http://crowdsec:8080
       - CROWDSEC_API_KEY=s3cr3tb0unc3rk3y
+      - CROWDSEC_MODE=
       - LOG_LEVEL=info
       - USE_MODSECURITY=no
       - USE_BLACKLIST=no
@@ -33,7 +34,7 @@ services:
         syslog-address: "udp://10.10.10.254:514"
 
   bw-scheduler:
-    image: bunkerity/bunkerweb-scheduler:1.5.3
+    image: bunkerity/bunkerweb-scheduler:1.5.5
     depends_on:
       - bunkerweb
       - bw-docker

diff --git a/.tests/virustotal/docker-compose.yml b/.tests/virustotal/docker-compose.yml
@@ -2,7 +2,7 @@ version: "3"
 
 services:
   bunkerweb:
-    image: bunkerity/bunkerweb:1.5.3
+    image: bunkerity/bunkerweb:1.5.5
     ports:
       - 80:8080
       - 443:8443
@@ -28,7 +28,7 @@ services:
       - bw-services
 
   bw-scheduler:
-    image: bunkerity/bunkerweb-scheduler:1.5.3
+    image: bunkerity/bunkerweb-scheduler:1.5.5
     depends_on:
       - bunkerweb
       - bw-docker

diff --git a/clamav/README.md b/clamav/README.md
@@ -34,7 +34,7 @@ version: '3'
 services:
 
   bunkerweb:
-    image: bunkerity/bunkerweb:1.5.4
+    image: bunkerity/bunkerweb:1.5.5
     ...
     environment:
       - USE_CLAMAV=yes
@@ -59,7 +59,7 @@ version: '3'
 services:
 
   mybunker:
-    image: bunkerity/bunkerweb:1.5.4
+    image: bunkerity/bunkerweb:1.5.5
     ...
     environment:
       - USE_CLAMAV=yes

diff --git a/coraza/README.md b/coraza/README.md
@@ -34,7 +34,7 @@ version: '3'
 services:
 
   bunkerweb:
-    image: bunkerity/bunkerweb:1.5.3
+    image: bunkerity/bunkerweb:1.5.5
     ...
     environment:
       - USE_MODSECURITY: "no" # We don't need modsecurity anymore

diff --git a/crowdsec/README.md b/crowdsec/README.md
@@ -67,7 +67,7 @@ version: "3"
 
 services:
   bunkerweb:
-    image: bunkerity/bunkerweb:1.5.3
+    image: bunkerity/bunkerweb:1.5.5
     ports:
       - 80:8080
       - 443:8443
@@ -90,7 +90,7 @@ services:
         syslog-address: "udp://10.10.10.254:514"
 
   bw-scheduler:
-    image: bunkerity/bunkerweb-scheduler:1.5.3
+    image: bunkerity/bunkerweb-scheduler:1.5.5
     depends_on:
       - bunkerweb
       - bw-docker
@@ -199,11 +199,12 @@ metadata:
 
 # Settings
 
-| Setting                     | Default                | Context   | Multiple | Description                                           |
-| --------------------------- | ---------------------- | --------- | -------- | ----------------------------------------------------- |
-| `USE_CROWDSEC`              | `no`                   | multisite | no       | Activate CrowdSec bouncer.                            |
-| `CROWDSEC_API`              | `http://crowdsec:8080` | global    | no       | Address of the CrowdSec API.                          |
-| `CROWDSEC_API_KEY`          |                        | global    | no       | Key for the CrowdSec API given by cscli bouncer add.  |
-| `CROWDSEC_MODE`             | `live`                 | global    | no       | Mode of the CrowdSec API (live or stream).            |
-| `CROWDSEC_REQUEST_TIMEOUT`  | `1000`                 | global    | no       | Bouncer's request timeout in milliseconds.            |
-| `CROWDSEC_UPDATE_FREQUENCY` | `10`                   | global    | no       | Bouncer's update frequency in stream mode, in second. |
+|             Setting             |       Default        | Context |Multiple|                      Description                       |
+|---------------------------------|----------------------|---------|--------|--------------------------------------------------------|
+|`USE_CROWDSEC`                   |`no`                  |multisite|no      |Activate CrowdSec bouncer.                              |
+|`CROWDSEC_API`                   |`http://crowdsec:8080`|global   |no      |Address of the CrowdSec API.                            |
+|`CROWDSEC_API_KEY`               |                      |global   |no      |Key for the CrowdSec API given by cscli bouncer add.    |
+|`CROWDSEC_MODE`                  |`live`                |global   |no      |Mode of the CrowdSec API (live or stream).              |
+|`CROWDSEC_REQUEST_TIMEOUT`       |`500`                 |global   |no      |Bouncer's request timeout in milliseconds (live mode).  |
+|`CROWDSEC_STREAM_REQUEST_TIMEOUT`|`15000`               |global   |no      |Bouncer's request timeout in milliseconds (stream mode).|
+|`CROWDSEC_UPDATE_FREQUENCY`      |`10`                  |global   |no      |Bouncer's update frequency in stream mode, in second.   |
diff --git a/crowdsec/crowdsec.lua b/crowdsec/crowdsec.lua
@@ -10,7 +10,7 @@ local ERR = ngx.ERR
 local has_variable = utils.has_variable
 local get_deny_status = utils.get_deny_status
 local cs_init = cs.init
-local cs_allowed = cs.allowed
+local cs_allow = cs.Allow
 
 function crowdsec:initialize(ctx)
 	-- Call parent initialize
@@ -28,7 +28,7 @@ function crowdsec:init()
 	end
 	-- Init CS
 	local ok
-	ok, err = cs_init("/var/cache/bunkerweb/crowdsec/crowdsec.conf", "crowdsec-bunkerweb-bouncer/v1.0")
+	ok, err = cs_init("/var/cache/bunkerweb/crowdsec/crowdsec.conf", "crowdsec-bunkerweb-bouncer/v1.1")
 	if not ok then
 		self.logger:log(ERR, "error while initializing bouncer : " .. err)
 	end
@@ -40,11 +40,11 @@ function crowdsec:access()
 		return self:ret(true, "CrowdSec plugin not enabled")
 	end
 	-- Do the check
-	local ok, err, allowed = cs_allowed()
+	local ok, err, banned = cs_allow(self.ctx.bw.remote_addr)
 	if not ok then
 		return self:ret(false, "Error while executing CrowdSec bouncer : " .. err)
 	end
-	if not allowed then
+	if banned then
 		return self:ret(true, "CrowSec bouncer denied request", get_deny_status())
 	end
 

diff --git a/crowdsec/jobs/crowdsec-conf.py b/crowdsec/jobs/crowdsec-conf.py
@@ -58,9 +58,14 @@
         .replace(b"%CROWDSEC_MODE%", getenv("CROWDSEC_MODE", "live").encode())
         .replace(
             b"%CROWDSEC_REQUEST_TIMEOUT%",
-            getenv("CROWDSEC_REQUEST_TIMEOUT", "1000").encode(),
+            getenv("CROWDSEC_REQUEST_TIMEOUT", "500").encode(),
         )
+        .replace(b"%CROWDSEC_UPDATE_FREQUENCY%", getenv("CROWDSEC_UPDATE_FREQUENCY", "10").encode())
         .replace(b"%UPDATE_FREQUENCY%", getenv("UPDATE_FREQUENCY", "10").encode())
+        .replace(
+            b"%CROWDSEC_STREAM_REQUEST_TIMEOUT%",
+            getenv("CROWDSEC_STREAM_REQUEST_TIMEOUT", "15000").encode(),
+        )
     )
 
     # Write configuration in cache

diff --git a/crowdsec/lib/ban.lua b/crowdsec/lib/ban.lua
@@ -1,7 +1,7 @@
 local utils = require "crowdsec.lib.utils"
 
 
-local M = { _TYPE = 'module', _NAME = 'ban.funcs', _VERSION = '1.0-0' }
+local M = {_TYPE='module', _NAME='ban.funcs', _VERSION='1.0-0'}
 
 M.template_str = ""
 M.redirect_location = ""
@@ -11,7 +11,7 @@ M.ret_code = ngx.HTTP_FORBIDDEN
 function M.new(template_path, redirect_location, ret_code)
     M.redirect_location = redirect_location
 
-    local ret_code_ok = false
+    ret_code_ok = false
     if ret_code ~= nil and ret_code ~= 0 and ret_code ~= "" then
         for k, v in pairs(utils.HTTP_CODE) do
             if k == ret_code then
@@ -25,39 +25,40 @@ function M.new(template_path, redirect_location, ret_code)
         end
     end
 
-    local template_file_ok = false
+    template_file_ok = false
     if (template_path ~= nil and template_path ~= "" and utils.file_exist(template_path) == true) then
         M.template_str = utils.read_file(template_path)
         if M.template_str ~= nil then
             template_file_ok = true
         end
     end
 
-    -- if template_file_ok == false and (M.redirect_location == nil or M.redirect_location == "") then
-    --     ngx.log(ngx.ERR,
-    --         "BAN_TEMPLATE_PATH and REDIRECT_LOCATION variable are empty, will return HTTP " ..
-    --         M.ret_code .. " for ban decisions")
-    -- end
+    if template_file_ok == false and (M.redirect_location == nil or M.redirect_location == "") then
+        ngx.log(ngx.ERR, "BAN_TEMPLATE_PATH and REDIRECT_LOCATION variable are empty, will return HTTP " .. M.ret_code  .. " for ban decisions")
+    end
 
     return nil
 end
 
+
+
 function M.apply()
     if M.redirect_location ~= "" then
         ngx.redirect(M.redirect_location)
         return
     end
     if M.template_str ~= "" then
         ngx.header.content_type = "text/html"
+        ngx.header.cache_control = "no-cache"
         ngx.status = M.ret_code
         ngx.say(M.template_str)
         ngx.exit(M.ret_code)
         return
     end
-
+ 
     ngx.exit(M.ret_code)
 
     return
 end
 
-return M
+return M