├── .github ├── release-drafter.yml └── workflows │ ├── build_package.yaml │ ├── publish-docker-doc.yaml │ ├── publish-lua-bouncer-docker-images.yaml │ ├── publish-openresty-docker-images.yaml │ └── release-drafter.yml ├── .gitignore ├── Dockerfile ├── Dockerfile.lua-bouncer-plugin ├── LICENSE ├── Makefile ├── README.md ├── debian ├── changelog ├── compat ├── control ├── files ├── patches │ ├── crowdsec_nginx.conf.patch │ └── series ├── postinst ├── postrm ├── prerm └── rules ├── docker ├── README.md └── docker_start.sh ├── docs └── assets │ └── crowdsec_openresty.png ├── ingress-nginx └── main.lua ├── install.sh ├── openresty └── crowdsec_openresty.conf ├── rpm └── SPECS │ └── crowdsec-openresty-bouncer.spec └── uninstall.sh /.github/release-drafter.yml: -------------------------------------------------------------------------------- 1 | template: | 2 | ## What’s Changed 3 | 4 | $CHANGES -------------------------------------------------------------------------------- /.github/workflows/build_package.yaml: -------------------------------------------------------------------------------- 1 | # .github/workflows/build-docker-image.yml 2 | name: release-package 3 | 4 | on: 5 | release: 6 | types: prereleased 7 | 8 | jobs: 9 | release-package: 10 | name: Upload release package 11 | runs-on: ubuntu-latest 12 | steps: 13 | - uses: actions/checkout@v1 14 | - name: make the package 15 | run: make release 16 | - name: Upload to release 17 | uses: JasonEtco/upload-to-release@master 18 | with: 19 | args: crowdsec-openresty-bouncer.tgz application/x-gzip 20 | env: 21 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 22 | -------------------------------------------------------------------------------- /.github/workflows/publish-docker-doc.yaml: -------------------------------------------------------------------------------- 1 | name: Update Docker Hub README 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | paths: 8 | - 'docker/README.md' 9 | 10 | jobs: 11 | update-docker-hub-readme: 
12 | runs-on: ubuntu-latest 13 | steps: 14 | - 15 | name: Check out the repo 16 | uses: actions/checkout@v2 17 | - 18 | name: Update docker hub README 19 | uses: ms-jpq/sync-dockerhub-readme@v1 20 | with: 21 | username: ${{ secrets.DOCKER_USERNAME }} 22 | password: ${{ secrets.DOCKER_PASSWORD }} 23 | repository: crowdsecurity/openresty 24 | readme: "./docker/README.md" -------------------------------------------------------------------------------- /.github/workflows/publish-lua-bouncer-docker-images.yaml: -------------------------------------------------------------------------------- 1 | name: Publish lua bouncer Docker image 2 | on: 3 | release: 4 | types: 5 | - released 6 | - prereleased 7 | jobs: 8 | push_to_registry: 9 | name: Push Docker image to Docker Hub 10 | runs-on: ubuntu-latest 11 | steps: 12 | - 13 | name: Check out the repo 14 | uses: actions/checkout@v2 15 | - 16 | name: Prepare 17 | id: prep 18 | run: | 19 | DOCKER_IMAGE=crowdsecurity/lua-bouncer-plugin 20 | VERSION=edge 21 | if [[ $GITHUB_REF == refs/tags/* ]]; then 22 | VERSION=${GITHUB_REF#refs/tags/} 23 | elif [[ $GITHUB_REF == refs/heads/* ]]; then 24 | VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -E 's#/+#-#g') 25 | elif [[ $GITHUB_REF == refs/pull/* ]]; then 26 | VERSION=pr-${{ github.event.number }} 27 | fi 28 | TAGS="${DOCKER_IMAGE}:${VERSION}" 29 | if [[ ${{ github.event.action }} == released ]]; then 30 | TAGS=$TAGS,${DOCKER_IMAGE}:latest 31 | fi 32 | echo ::set-output name=version::${VERSION} 33 | echo ::set-output name=tags::${TAGS} 34 | echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ') 35 | - 36 | name: Set up QEMU 37 | uses: docker/setup-qemu-action@v1 38 | - 39 | name: Set up Docker Buildx 40 | uses: docker/setup-buildx-action@v1 41 | - 42 | name: Login to DockerHub 43 | uses: docker/login-action@v1 44 | with: 45 | username: ${{ secrets.DOCKER_USERNAME }} 46 | password: ${{ secrets.DOCKER_PASSWORD }} 47 | - 48 | name: Build and push 49 | uses: 
docker/build-push-action@v2 50 | with: 51 | context: . 52 | file: ./Dockerfile.lua-bouncer-plugin 53 | push: ${{ github.event_name != 'pull_request' }} 54 | tags: ${{ steps.prep.outputs.tags }} 55 | platforms: linux/amd64,linux/arm64 56 | labels: | 57 | org.opencontainers.image.source=${{ github.event.repository.html_url }} 58 | org.opencontainers.image.created=${{ steps.prep.outputs.created }} 59 | org.opencontainers.image.revision=${{ github.sha }} -------------------------------------------------------------------------------- /.github/workflows/publish-openresty-docker-images.yaml: -------------------------------------------------------------------------------- 1 | name: Publish openresty Docker image 2 | on: 3 | release: 4 | types: 5 | - released 6 | - prereleased 7 | jobs: 8 | push_to_registry: 9 | name: Push Docker image to Docker Hub 10 | runs-on: ubuntu-latest 11 | steps: 12 | - 13 | name: Check out the repo 14 | uses: actions/checkout@v2 15 | - 16 | name: Prepare 17 | id: prep 18 | run: | 19 | DOCKER_IMAGE=crowdsecurity/openresty 20 | VERSION=edge 21 | if [[ $GITHUB_REF == refs/tags/* ]]; then 22 | VERSION=${GITHUB_REF#refs/tags/} 23 | elif [[ $GITHUB_REF == refs/heads/* ]]; then 24 | VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -E 's#/+#-#g') 25 | elif [[ $GITHUB_REF == refs/pull/* ]]; then 26 | VERSION=pr-${{ github.event.number }} 27 | fi 28 | TAGS="${DOCKER_IMAGE}:${VERSION}" 29 | if [[ ${{ github.event.action }} == released ]]; then 30 | TAGS=$TAGS,${DOCKER_IMAGE}:latest 31 | fi 32 | echo ::set-output name=version::${VERSION} 33 | echo ::set-output name=tags::${TAGS} 34 | echo ::set-output name=created::$(date -u +'%Y-%m-%dT%H:%M:%SZ') 35 | - 36 | name: Set up QEMU 37 | uses: docker/setup-qemu-action@v1 38 | - 39 | name: Set up Docker Buildx 40 | uses: docker/setup-buildx-action@v1 41 | - 42 | name: Login to DockerHub 43 | uses: docker/login-action@v1 44 | with: 45 | username: ${{ secrets.DOCKER_USERNAME }} 46 | password: ${{ 
secrets.DOCKER_PASSWORD }} 47 | - 48 | name: Build and push 49 | uses: docker/build-push-action@v2 50 | with: 51 | context: . 52 | file: ./Dockerfile 53 | push: ${{ github.event_name != 'pull_request' }} 54 | tags: ${{ steps.prep.outputs.tags }} 55 | platforms: linux/amd64,linux/arm64 56 | labels: | 57 | org.opencontainers.image.source=${{ github.event.repository.html_url }} 58 | org.opencontainers.image.created=${{ steps.prep.outputs.created }} 59 | org.opencontainers.image.revision=${{ github.sha }} -------------------------------------------------------------------------------- /.github/workflows/release-drafter.yml: -------------------------------------------------------------------------------- 1 | name: Release Drafter 2 | 3 | on: 4 | push: 5 | # branches to consider in the event; optional, defaults to all 6 | branches: 7 | - main 8 | 9 | jobs: 10 | update_release_draft: 11 | runs-on: ubuntu-latest 12 | steps: 13 | # Drafts your next Release notes as Pull Requests are merged into "master" 14 | - uses: release-drafter/release-drafter@v5 15 | with: 16 | config-name: release-drafter.yml 17 | # (Optional) specify config name to use, relative to .github/. 
Default: release-drafter.yml 18 | # config-name: my-config.yml 19 | env: 20 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 21 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | debian/*.substvars 2 | debhelper-build-stamp 3 | debian/crowdsec-openresty-bouncer 4 | debian/.debhelper 5 | config/crowdsec-openresty-bouncer.conf 6 | lua-cs-bouncer/ -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | ARG BUILD_ENV=git 2 | FROM docker.io/openresty/openresty:alpine-fat as with_deps 3 | RUN luarocks install lua-resty-http 4 | 5 | FROM with_deps as git 6 | ARG BUILD_ENV=git 7 | ARG LUA_LIB_VERSION=v1.0.0 8 | RUN if [ "$BUILD_ENV" == "git" ]; then apk add --no-cache git; fi 9 | RUN if [ "$BUILD_ENV" == "git" ]; then git clone -b "${LUA_LIB_VERSION}" https://github.com/crowdsecurity/lua-cs-bouncer.git ; fi 10 | 11 | FROM with_deps as local 12 | RUN if [ "$BUILD_ENV" == "local" ]; then COPY ./lua-cs-bouncer/ lua-cs-bouncer; fi 13 | 14 | FROM ${BUILD_ENV} 15 | RUN mkdir -p /etc/crowdsec/bouncers/ /var/lib/crowdsec/lua/templates/ 16 | RUN cp -R lua-cs-bouncer/lib/* /usr/local/openresty/lualib/ 17 | RUN cp -R lua-cs-bouncer/templates/* /var/lib/crowdsec/lua/templates/ 18 | RUN cp lua-cs-bouncer/config_example.conf /etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf 19 | RUN rm -rf ./lua-cs-bouncer/ 20 | COPY ./openresty /tmp 21 | RUN SSL_CERTS_PATH=/etc/ssl/certs/ca-certificates.crt envsubst '$SSL_CERTS_PATH' < /tmp/crowdsec_openresty.conf > /etc/nginx/conf.d/crowdsec_openresty.conf 22 | RUN sed -i '1 i\resolver local=on ipv6=off;' /etc/nginx/conf.d/crowdsec_openresty.conf 23 | COPY ./docker/docker_start.sh / 24 | 25 | ENTRYPOINT ["/bin/sh", "docker_start.sh"] 26 | 
-------------------------------------------------------------------------------- /Dockerfile.lua-bouncer-plugin: -------------------------------------------------------------------------------- 1 | ARG BUILD_ENV=git 2 | 3 | FROM docker.io/alpine:latest as git 4 | ARG BUILD_ENV=git 5 | ARG LUA_LIB_VERSION=v1.0.1 6 | RUN if [ "$BUILD_ENV" == "git" ]; then apk add --no-cache git; fi 7 | RUN if [ "$BUILD_ENV" == "git" ]; then git clone -b "${LUA_LIB_VERSION}" https://github.com/crowdsecurity/lua-cs-bouncer.git ; fi 8 | 9 | FROM docker.io/alpine:latest as local 10 | RUN if [ "$BUILD_ENV" == "local" ]; then COPY ./lua-cs-bouncer/ lua-cs-bouncer; fi 11 | 12 | FROM ${BUILD_ENV} 13 | RUN mkdir -p /crowdsec/templates 14 | RUN cp lua-cs-bouncer/lib/plugins/crowdsec/*.lua /crowdsec 15 | RUN cp lua-cs-bouncer/lib/crowdsec.lua /crowdsec 16 | RUN cp lua-cs-bouncer/templates/* /crowdsec/templates 17 | RUN cp lua-cs-bouncer/config_example.conf /crowdsec/crowdsec-bouncer.conf 18 | COPY ./ingress-nginx /crowdsec 19 | COPY ./docker/docker_start.sh / 20 | 21 | ENV IS_LUALIB_IMAGE=true 22 | ENTRYPOINT ["/bin/sh", "docker_start.sh"] 23 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020-2021 Crowdsec 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | BUILD_VERSION?="$(shell git for-each-ref --sort=-v:refname --count=1 --format '%(refname)' | cut -d '/' -f3)" 2 | OUTDIR="crowdsec-openresty-bouncer-${BUILD_VERSION}/" 3 | LUA_DIR="${OUTDIR}lua" 4 | CONFIG_DIR="${OUTDIR}config" 5 | TEMPLATE_DIR="${OUTDIR}templates" 6 | OUT_ARCHIVE="crowdsec-openresty-bouncer.tgz" 7 | LUA_BOUNCER_BRANCH?=v1.0.1 8 | default: release 9 | release: 10 | git clone -b "${LUA_BOUNCER_BRANCH}" https://github.com/crowdsecurity/lua-cs-bouncer.git 11 | mkdir -p "${OUTDIR}" 12 | mkdir -p "${LUA_DIR}" 13 | mkdir -p "${CONFIG_DIR}" 14 | mkdir -p "${TEMPLATE_DIR}" 15 | cp -r lua-cs-bouncer/lib "${LUA_DIR}" 16 | cp lua-cs-bouncer/templates/* "${TEMPLATE_DIR}" 17 | cp -r lua-cs-bouncer/config_example.conf ${CONFIG_DIR} 18 | cp -r ./openresty/ ${OUTDIR} 19 | cp install.sh ${OUTDIR} 20 | cp uninstall.sh ${OUTDIR} 21 | chmod +x ${OUTDIR}install.sh 22 | chmod +x ${OUTDIR}uninstall.sh 23 | tar cvzf ${OUT_ARCHIVE} ${OUTDIR} 24 | rm -rf ${OUTDIR} 25 | rm -rf "lua-cs-bouncer/" 26 | clean: 27 | rm -rf "${OUTDIR}" 28 | rm -rf "${OUT_ARCHIVE}" 29 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | CrowdSec 3 |

4 |

5 | 6 | 7 |

8 |

9 | 📚 Documentation 10 | 💠 Hub 11 | 💬 Discourse 12 |

13 | 14 | 15 | 16 | # CrowdSec OpenResty Bouncer 17 | 18 | A lua bouncer for OpenResty. 19 | 20 | ## How does it work ? 21 | 22 | This bouncer leverages OpenResty lua's API, namely `access_by_lua_file`. 23 | 24 | New/unknown IPs are checked against the crowdsec API; if the request should be blocked, a **403** is returned to the user, and put in cache. 25 | 26 | # Installation 27 | 28 | Please follow the [official documentation](https://doc.crowdsec.net/docs/bouncers/openresty). 29 | -------------------------------------------------------------------------------- /debian/changelog: -------------------------------------------------------------------------------- 1 | crowdsec-openresty-bouncer (0.1.0) UNRELEASED; urgency=medium 2 | 3 | * debian package 4 | 5 | -- Crowdsec Team Thu, 16 Dec 2021 15:00:06 +0100 6 | -------------------------------------------------------------------------------- /debian/compat: -------------------------------------------------------------------------------- 1 | 11 2 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | Source: crowdsec-openresty-bouncer 2 | Maintainer: Crowdsec Team 3 | Build-Depends: debhelper, bash 4 | 5 | Package: crowdsec-openresty-bouncer 6 | Provides: crowdsec-openresty-bouncer 7 | Description: lua-based openresty bouncer for Crowdsec 8 | Architecture: any 9 | Depends: bash, openresty, openresty-opm, gettext-base 10 | -------------------------------------------------------------------------------- /debian/files: -------------------------------------------------------------------------------- 1 | crowdsec-openresty-bouncer_0.1.0_amd64.buildinfo - - 2 | crowdsec-openresty-bouncer_0.1.0_amd64.deb - - 3 | -------------------------------------------------------------------------------- /debian/patches/crowdsec_nginx.conf.patch: 
-------------------------------------------------------------------------------- 1 | Index: openresty/crowdsec_openresty.conf 2 | =================================================================== 3 | --- openresty/crowdsec_openresty.conf.orig 4 | +++ openresty/crowdsec_openresty.conf 5 | @@ -1,6 +1,6 @@ 6 | lua_package_path '$prefix/../lualib/plugins/crowdsec/?.lua;;'; 7 | lua_shared_dict crowdsec_cache 50m; 8 | -lua_ssl_trusted_certificate ${SSL_CERTS_PATH}; 9 | +lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; 10 | 11 | init_by_lua_block { 12 | cs = require "crowdsec" 13 | local ok, err = cs.init("/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf", "crowdsec-openresty-bouncer/v1.0.4") 14 | 
@@ -14,4 +14,4 @@ init_by_lua_block { 15 | access_by_lua_block { 16 | local cs = require "crowdsec" 17 | cs.Allow(ngx.var.remote_addr) 18 | -} 19 | \ No newline at end of file 20 | +} 21 | -------------------------------------------------------------------------------- /debian/patches/series: -------------------------------------------------------------------------------- 1 | crowdsec_nginx.conf.patch -p0 2 | -------------------------------------------------------------------------------- /debian/postinst: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | systemctl daemon-reload 3 | 4 | 5 | API_KEY_REQUIRED=true 6 | BOUNCER_CONFIG_PATH="/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf" 7 | API_KEY="" 8 | CROWDSEC_LAPI_URL="" 9 | LAPI_DEFAULT_PORT="8080" 10 | 11 | check_lua_dependency() { 12 | DEPENDENCY=( 13 | "pintsized/lua-resty-http" 14 | ) 15 | for dep in ${DEPENDENCY[@]}; 16 | do 17 | opm list | grep "${dep}" > /dev/null 18 | if [[ $? != 0 ]]; then 19 | opm get "${dep}" > /dev/null && echo "${dep} successfully installed" 20 | fi 21 | done 22 | } 23 | 24 | 25 | if [ "$1" = "configure" ]; then 26 | 27 | type cscli 28 | 29 | if [ "$?" -eq "0" ] ; then 30 | # Check if it's an upgrade 31 | if [ "$2" != "" ] ; then 32 | echo "Upgrading, check if there is bouncer configuration" 33 | if [ -f "${BOUNCER_CONFIG_PATH}" ] ; then 34 | API_KEY_REQUIRED=false 35 | fi 36 | fi 37 | API=$(cscli config show --key "Config.API.Server") 38 | if [ "$API" = "nil" ] || [ "$API" = "" ] ; then 39 | API_KEY_REQUIRED=false 40 | fi 41 | if [ ${API_KEY_REQUIRED} = true ] ; then 42 | echo "cscli/crowdsec is present, generating API key" 43 | unique=$(date +%s) 44 | API_KEY=$(cscli -oraw bouncers add crowdsec-openresty-bouncer-"${unique}") 45 | PORT=$(cscli config show --key "Config.API.Server.ListenURI"|cut -d ":" -f2) 46 | if [ ! 
-z "$PORT" ]; then 47 | LAPI_DEFAULT_PORT=${PORT} 48 | fi 49 | CROWDSEC_LAPI_URL="http://127.0.0.1:${LAPI_DEFAULT_PORT}" 50 | if [ $? -eq 1 ] ; then 51 | echo "failed to create API key." 52 | API_KEY_REQUIRED=true 53 | API_KEY="" 54 | else 55 | echo "API Key : ${API_KEY}" 56 | TMP=$(mktemp -p /tmp/) 57 | cp ${BOUNCER_CONFIG_PATH} "${TMP}" 58 | API_KEY=${API_KEY} CROWDSEC_LAPI_URL=${CROWDSEC_LAPI_URL} envsubst < "${TMP}" > ${BOUNCER_CONFIG_PATH} 59 | rm "${TMP}" 60 | fi 61 | fi 62 | fi 63 | 64 | check_lua_dependency 65 | echo "Add 'include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;' in your nginx configuration file to enable the bouncer." 66 | 67 | else 68 | API_KEY_REQUIRED=false 69 | fi 70 | 71 | if [ ${API_KEY_REQUIRED} = true ] ; then 72 | echo "Can't generate an API key for the bouncer. Please do it manually" 73 | fi 74 | 75 | echo "CrowdSec OpenResty Bouncer installed. Restart OpenResty service with 'sudo systemctl restart openresty'" 76 | -------------------------------------------------------------------------------- /debian/postrm: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "$1" = "remove" ]; then 4 | echo "Don't forget to remove 'include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;' in your nginx configuration file to disable the bouncer and make openresty start again." 
5 | echo "" 6 | echo "Run 'sudo systemctl restart openresty.service' to stop openresty-bouncer" 7 | fi -------------------------------------------------------------------------------- /debian/prerm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crowdsecurity/cs-openresty-bouncer/c7a29ec7bf5ede5c89c51abee05fcd9528c217bc/debian/prerm -------------------------------------------------------------------------------- /debian/rules: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | 3 | export DEB_VERSION=$(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ') 4 | export BUILD_VERSION=v${DEB_VERSION}-debian-pragmatic 5 | export LUA_BOUNCER_BRANCH?=v1.0.1 6 | 7 | %: 8 | dh $@ 9 | 10 | override_dh_systemd_start: 11 | echo "Not running dh_systemd_start" 12 | override_dh_auto_clean: 13 | rm -rf lua-cs-bouncer 14 | override_dh_auto_test: 15 | override_dh_auto_build: 16 | override_dh_auto_install: 17 | mkdir -p debian/crowdsec-openresty-bouncer/usr/local/openresty/nginx/conf/conf.d/ 18 | cp openresty/crowdsec_openresty.conf debian/crowdsec-openresty-bouncer/usr/local/openresty/nginx/conf/conf.d/ 19 | 20 | git clone -b "${LUA_BOUNCER_BRANCH}" https://github.com/crowdsecurity/lua-cs-bouncer.git 21 | 22 | mkdir -p debian/crowdsec-openresty-bouncer/usr/local/openresty/lualib/ 23 | mkdir -p debian/crowdsec-openresty-bouncer/var/lib/crowdsec/lua/templates/ 24 | cp -r lua-cs-bouncer/lib/* debian/crowdsec-openresty-bouncer/usr/local/openresty/lualib/ 25 | cp -r lua-cs-bouncer/templates/* debian/crowdsec-openresty-bouncer/var/lib/crowdsec/lua/templates/ 26 | mkdir -p debian/crowdsec-openresty-bouncer/etc/crowdsec/bouncers/ 27 | cp lua-cs-bouncer/config_example.conf debian/crowdsec-openresty-bouncer/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf 28 | override_dh_usrlocal: 29 | 
-------------------------------------------------------------------------------- /docker/README.md: -------------------------------------------------------------------------------- 1 | # OpenResty with CrowdSec Bouncer 2 | 3 | CrowdSec OpenResty - an OpenResty with lua bouncer to use with Crowdsec. 4 | 5 | ## Getting Started 6 | 7 | Before using the docker image, you need to generate an API key from the Crowdsec local API using cscli ([how to](https://docs.crowdsec.net/docs/user_guides/bouncers_configuration/)), and also provide the Crowdsec LAPI URL. 8 | 9 | The container is built from [the OpenResty official image](https://hub.docker.com/r/openresty/openresty). 10 | 11 | #### Run 12 | 13 | ```shell 14 | docker run -d -p 8080:80 \ 15 | -e API_URL=<YOUR_LAPI_URL> \ 16 | -e API_KEY=<YOUR_API_KEY> \ 17 | --name openresty crowdsecurity/crowdsec-openresty 18 | ``` 19 | 20 | #### Example 21 | 22 | We generate our API key and pass it as an environment variable 23 | ```shell 24 | $ sudo cscli bouncers add myOpenRestyBouncer 25 | Api key for 'myOpenRestyBouncer': 26 | 27 | abcdefghijklmnopqrstuvwxyz 28 | 29 | Please keep this key since you will not be able to retrieve it! 30 | ``` 31 | 32 | ```shell 33 | docker run -d -p 8080:80 \ 34 | -e API_URL=http://172.17.0.1:8080 \ 35 | -e API_KEY=abcdefghijklmnopqrstuvwxyz \ 36 | --name openresty crowdsecurity/crowdsec-openresty 37 | ``` 38 | 39 | Or you can even mount your own bouncer config file to the target path `/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf`, which keeps the API key out of the container's environment variables 40 | 41 | ```shell 42 | $ cat myConfigFile.conf 43 | API_URL=http://172.17.0.1:8080 44 | API_KEY=abcdefghijklmnopqrstuvwxyz 45 | CACHE_EXPIRATION=1 46 | BOUNCING_ON_TYPE=ban 47 | REQUEST_TIMEOUT=0.2 48 | UPDATE_FREQUENCY=10 49 | MODE=stream 50 | ``` 51 | 52 | Now run the openresty by mounting your own config file. 
53 | 54 | ```shell 55 | docker run -d -p 8080:80 \ 56 | -v ~/myConfigFile.conf:/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf \ 57 | --name openresty crowdsecurity/crowdsec-openresty 58 | ``` 59 | 60 | ### Configuration 61 | 62 | The bouncer uses [lua_shared_dict](https://github.com/openresty/lua-nginx-module#lua_shared_dict) to share cache between all workers. 63 | If you want to increase the cache size you need to change this value `lua_shared_dict crowdsec_cache 50m;` in the config file `/etc/nginx/conf.d/crowdsec_openresty.conf`. 64 | 65 | For other parameters, you can use the environment variables below or mount your own config file at `/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf` 66 | 67 | ### Environment Variables 68 | 69 | * `API_URL` - Crowdsec local API URL : `-e API_URL="http://172.17.0.1:8080"` 70 | * `API_KEY` - Crowdsec local API key for the bouncer : `-e API_KEY="abcdefghijklmnopqrstuvwxyz"` 71 | * `CACHE_EXPIRATION` - [For 'live' mode only] decisions cache time (in seconds) (default: `1`) : `-e CACHE_EXPIRATION="1"` 72 | * `CACHE_SIZE` - The maximum number of decisions in cache (default: `1000`) : `-e CACHE_SIZE="1000"` 73 | * `BOUNCING_ON_TYPE` - The decisions type the bouncer should remediate on (default: `ban`) : `-e BOUNCING_ON_TYPE="ban"` 74 | * `REQUEST_TIMEOUT` - Request timeout (in seconds) for LAPI request (default: `0.2`) : `-e REQUEST_TIMEOUT="0.2"` 75 | * `UPDATE_FREQUENCY` - [For 'stream' mode only] pull frequency (in seconds) from LAPI (default: `10`) : `-e UPDATE_FREQUENCY="10"` 76 | * `MODE` - Bouncer mode : streaming (`stream`) or rupture (`live`) mode (default: `stream`) : `-e MODE="stream"` 77 | * `CAPTCHA_PROVIDER` - The selected captcha provider for your `SITE_KEY` and `SECRET_KEY`. Valid providers are recaptcha, hcaptcha or turnstile. For backwards compatibility the default is recaptcha if not provided. 78 | * `SITE_KEY` - The site key for the selected captcha provider. 
79 | * `SECRET_KEY` - The secret key for the selected captcha provider. 80 | 81 | ### Volumes 82 | 83 | * `/etc/crowdsec/` - Directory where all crowdsec configurations are located 84 | 85 | #### Useful File Locations 86 | 87 | * `/usr/local/openresty/lualib/plugins/crowdsec` - Crowdsec lua library path 88 | 89 | * `/etc/nginx/conf.d` - Nginx configuration to load the crowdsec bouncer lua library and configuration. 90 | 91 | ## Find Us 92 | 93 | * [cs-openresty-bouncer GitHub](https://github.com/crowdsecurity/cs-openresty-bouncer) 94 | * [Crowdsec GitHub](https://github.com/crowdsecurity/crowdsec) 95 | 96 | ## Contributing 97 | 98 | Please read [contributing](https://docs.crowdsec.net/Crowdsec/v1/contributing/) for details on our code of conduct, and the process for submitting pull requests to us. 99 | 100 | ## License 101 | 102 | This project is licensed under the MIT License - see the [LICENSE](https://github.com/crowdsecurity/cs-openresty-bouncer/blob/main/LICENSE) file for details. 103 | -------------------------------------------------------------------------------- /docker/docker_start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | CROWDSEC_BOUNCER_CONFIG="${BOUNCER_CONFIG:-/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf}" 4 | 5 | params=' 6 | ALWAYS_SEND_TO_APPSEC 7 | API_KEY 8 | API_URL 9 | APPSEC_CONNECT_TIMEOUT 10 | APPSEC_FAILURE_ACTION 11 | APPSEC_PROCESS_TIMEOUT 12 | APPSEC_SEND_TIMEOUT 13 | APPSEC_URL 14 | BAN_TEMPLATE_PATH 15 | BOUNCING_ON_TYPE 16 | CACHE_EXPIRATION 17 | CAPTCHA_EXPIRATION 18 | CAPTCHA_PROVIDER 19 | CAPTCHA_TEMPLATE_PATH 20 | EXCLUDE_LOCATION 21 | FALLBACK_REMEDIATION 22 | MODE 23 | REDIRECT_LOCATION 24 | REQUEST_TIMEOUT 25 | RET_CODE 26 | SECRET_KEY 27 | SITE_KEY 28 | SSL_VERIFY 29 | UPDATE_FREQUENCY 30 | ' 31 | 32 | for var in $params; do 33 | eval "value=\$$var" 34 | if [ -n "$value" ]; then 35 | sed -i "s,${var}.*,${var}=${value}," "$CROWDSEC_BOUNCER_CONFIG" 36 | 
fi 37 | done 38 | 39 | lower=$(echo "$IS_LUALIB_IMAGE" | tr '[:upper:]' '[:lower:]') 40 | if [ "$lower" != "true" ]; then 41 | exec /usr/local/openresty/bin/openresty -g "daemon off;" 42 | fi 43 | -------------------------------------------------------------------------------- /docs/assets/crowdsec_openresty.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/crowdsecurity/cs-openresty-bouncer/c7a29ec7bf5ede5c89c51abee05fcd9528c217bc/docs/assets/crowdsec_openresty.png -------------------------------------------------------------------------------- /ingress-nginx/main.lua: -------------------------------------------------------------------------------- 1 | local cs = require "plugins.crowdsec.crowdsec" 2 | local ngx = ngx 3 | 4 | local _M = {} 5 | local ok, err = cs.init("/etc/nginx/lua/plugins/crowdsec/crowdsec-bouncer.conf", "crowdsec-openresty-bouncer/v1.0.4") 6 | if ok == nil then 7 | ngx.log(ngx.ERR, "[Crowdsec] " .. err) 8 | error() 9 | end 10 | ngx.log(ngx.ALERT, "[Crowdsec] Initialisation done") 11 | 12 | function _M.rewrite() 13 | cs.Allow(ngx.var.remote_addr) 14 | end 15 | 16 | return _M 17 | -------------------------------------------------------------------------------- /install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | echo "Starting Crowdsec Openresty Bouncer install" 3 | NGINX_CONF="crowdsec_openresty.conf" 4 | NGINX_CONF_DIR="/usr/local/openresty/nginx/conf/conf.d/" 5 | LIB_PATH="/usr/local/openresty/lualib/" 6 | CONFIG_PATH="/etc/crowdsec/bouncers/" 7 | DATA_PATH="/var/lib/crowdsec/lua/" 8 | PKG="apt" 9 | PACKAGE_LIST="dpkg -l" 10 | SSL_CERTS_PATH="/etc/ssl/certs/ca-certificates.crt" 11 | LAPI_DEFAULT_PORT="8080" 12 | SILENT="false" 13 | 14 | #Accept cmdline arguments to overwrite options. 
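# Parse "--NAME=value" overrides and the -y/--docker flags.
# Arguments that match no pattern are silently ignored.
while [[ $# -gt 0 ]]
do
    case $1 in
    --NGINX_CONF_DIR=*)
        NGINX_CONF_DIR="${1#*=}"
    ;;
    --LIB_PATH=*)
        LIB_PATH="${1#*=}"
    ;;
    --CONFIG_PATH=*)
        CONFIG_PATH="${1#*=}"
    ;;
    --DATA_PATH=*)
        DATA_PATH="${1#*=}"
    ;;
    --SSL_CERTS_PATH=*)
        SSL_CERTS_PATH="${1#*=}"
        # Remember that the CA bundle was chosen explicitly, so that
        # check_pkg_manager does not replace it with the distribution default.
        SSL_CERTS_PATH_FROM_CLI="1"
    ;;
    -y|--yes)
        SILENT="true"
    ;;
    --docker)
        DOCKER="1"
    ;;
    esac
    shift
done

# Select the package manager and the command that lists installed packages.
# RHEL-like systems and Amazon Linux 2 use yum and the ca-bundle.crt trust
# store; Debian-like systems use apt. Anything else stops the installation
# with a non-zero status (the previous bare "exit" returned echo's status, 0,
# and a non-matching /etc/system-release fell through with the apt defaults).
check_pkg_manager(){
    if [ -f /etc/redhat-release ] || { [ -f /etc/system-release ] && grep -q "Amazon Linux release 2 (Karoo)" /etc/system-release; }; then
        PKG="yum"
        PACKAGE_LIST="yum list installed"
        if [ -z "${SSL_CERTS_PATH_FROM_CLI}" ]; then
            SSL_CERTS_PATH="/etc/ssl/certs/ca-bundle.crt"
        fi
    elif [ -f /etc/debian_version ]; then
        PKG="apt"
        PACKAGE_LIST="dpkg -l"
    else
        echo "Distribution is not supported, exiting."
        exit 1
    fi
}

# Create the target directories if they do not exist yet.
requirement() {
    mkdir -p "${CONFIG_PATH}"
    mkdir -p "${DATA_PATH}"
    mkdir -p "${NGINX_CONF_DIR}"
    mkdir -p "${LIB_PATH}"
}

# Create the bouncer configuration on first install, or append the parameters
# that the shipped example defines and the existing configuration lacks.
gen_config_file() {
    local conf="${CONFIG_PATH}/crowdsec-openresty-bouncer.conf"
    local example="./config/config_example.conf"
    local workdir

    #Don't overwrite the existing file
    if [ ! -f "${conf}" ]; then
        # NOTE(review): this listing lost the text between "tr -dc A-Za-z0-9"
        # and the redirect into the configuration file (original lines 75-83).
        # The commands below are reconstructed from the equivalent %post logic
        # in the RPM spec of this repository; verify them against the source.
        #check if cscli is available, this can be installed on systems without crowdsec installed
        if command -v cscli >/dev/null; then
            SUFFIX=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 8)
            API_KEY=$(cscli -oraw bouncers add "crowdsec-openresty-bouncer-${SUFFIX}")
            PORT=$(cscli config show --key "Config.API.Server.ListenURI"|cut -d ":" -f2)
            if [ -n "$PORT" ]; then
                LAPI_DEFAULT_PORT=${PORT}
            fi
            # LAPI_DEFAULT_PORT is expected to be set above this chunk; 8080 is
            # the default the RPM spec uses.
            CROWDSEC_LAPI_URL="http://127.0.0.1:${LAPI_DEFAULT_PORT:-8080}"
        fi
        # Substitute only the two placeholders, so any other "$" in the
        # template is left as written.
        # NOTE(review): the file is created with the current umask while the
        # RPM installs it with mode 600; it holds the LAPI key, so confirm
        # which mode is intended here.
        API_KEY=${API_KEY} CROWDSEC_LAPI_URL=${CROWDSEC_LAPI_URL} envsubst '$API_KEY $CROWDSEC_LAPI_URL' < "${example}" > "${conf}"
        [ -n "${API_KEY}" ] && echo "New API key generated to be used in '${conf}'"
    else
        #Patch the existing file with new parameters if the need to be added
        echo "Patch crowdsec-openresty-bouncer.conf .."
        # Work in a private directory: the script runs as root, and fixed
        # names under /tmp can be pre-created or symlinked by another user.
        workdir=$(mktemp -d) || exit 1
        sed "s/=.*//g" "${conf}" > "${workdir}/crowdsec.conf.raw"
        # Blank lines are dropped so that they never count as a parameter.
        sed "s/=.*//g" "${example}" | grep -v '^[[:space:]]*$' > "${workdir}/config_example.conf.raw"
        # -x -F compares whole keys literally; as unanchored regexes, one
        # empty line in the existing file matched every key and hid them all.
        if grep -vxFf "${workdir}/crowdsec.conf.raw" "${workdir}/config_example.conf.raw" > "${workdir}/config_example.newvals"; then
            cat "${workdir}/config_example.newvals"
            cp -p "${conf}" "${conf}.bak"
            #Make sure we start on a new line.
            echo "" >>"${conf}"
            # Copy the full "key=value" lines of the new keys from the same
            # example file the keys were read from (the original read them
            # from /tmp/crowdsec/config/config_example.conf instead).
            awk -F= 'NR==FNR { want[$0] = 1; next } ($1 in want)' "${workdir}/config_example.newvals" "${example}" >> "${conf}"
        fi
        rm -rf -- "${workdir}"
    fi
    sed -i 's|/var/lib/crowdsec/lua|'"${DATA_PATH}"'|' "${conf}"
}

# Ask whether the missing dependency $1 should be installed.
# An empty answer counts as yes; returns 0 for yes, non-zero otherwise.
confirm_install() {
    local answer
    echo "${1} not found, do you want to install it (Y/n)? "
    read -r answer
    [[ -z ${answer} || ${answer} == [Yy]* ]]
}

# Install the system packages the bouncer needs, unless already present.
# Exits when the user declines or when the package manager fails, because
# the following steps call opm.
check_openresty_dependency() {
    DEPENDENCY=( \
        "openresty-opm" \
    )
    for dep in "${DEPENDENCY[@]}";
    do
        # PACKAGE_LIST holds a command plus arguments, so it is split on purpose.
        if $PACKAGE_LIST | grep -- "${dep}" > /dev/null; then
            continue
        fi
        if [[ ${SILENT} != "true" ]] && ! confirm_install "${dep}"; then
            echo "unable to continue without ${dep}. Exiting" && exit 1
        fi
        if "$PKG" install -y -qq "${dep}" > /dev/null; then
            echo "${dep} successfully installed"
        else
            echo "failed to install ${dep}. Exiting" >&2
            exit 1
        fi
    done
}

# Install the Lua libraries the bouncer needs through opm, unless present.
check_lua_dependency() {
    DEPENDENCY=( \
        "pintsized/lua-resty-http" \
    )
    for dep in "${DEPENDENCY[@]}";
    do
        if opm list | grep -- "${dep}" > /dev/null; then
            continue
        fi
        if [[ ${SILENT} != "true" ]] && ! confirm_install "${dep}"; then
            echo "unable to continue without ${dep}. Exiting" && exit 1
        fi
        if opm get "${dep}" > /dev/null; then
            echo "${dep} successfully installed"
        else
            echo "failed to install ${dep}. Exiting" >&2
            exit 1
        fi
    done
}


# Copy the Lua library and the templates into place and render the nginx
# include file with the selected CA bundle and configuration directory.
install() {
    mkdir -p "${DATA_PATH}/templates/"
    cp -r lua/lib/* "${LIB_PATH}/"
    cp templates/* "${DATA_PATH}/templates/"
    #Patch the nginx config file
    # Only $SSL_CERTS_PATH is substituted; nginx variables such as $prefix stay.
    SSL_CERTS_PATH=${SSL_CERTS_PATH} envsubst '$SSL_CERTS_PATH' < "openresty/${NGINX_CONF}" > "${NGINX_CONF_DIR}/${NGINX_CONF}"
    sed -i 's|/etc/crowdsec/bouncers|'"${CONFIG_PATH}"'|' "${NGINX_CONF_DIR}/${NGINX_CONF}"
}


# Root is required outside Docker: packages are installed and system
# directories are written.
if [ "$(id -u)" != 0 ] && [ -z "${DOCKER}" ]; then
    echo "Please run the install script as root or with sudo"
    exit 1
fi

[ -z "${DOCKER}" ] && check_pkg_manager
requirement
[ -z "${DOCKER}" ] && check_openresty_dependency
[ -z "${DOCKER}" ] && check_lua_dependency
gen_config_file
install
echo "crowdsec-openresty-bouncer installed successfully"
echo ""
[ -z "${DOCKER}" ] && echo "Add 'include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;' in your nginx configuration file to enable the bouncer."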
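echo ""
[ -z "${DOCKER}" ] && echo "Run 'sudo systemctl restart openresty.service' to start openresty-bouncer"
exit 0

--------------------------------------------------------------------------------
/openresty/crowdsec_openresty.conf:
--------------------------------------------------------------------------------
lua_package_path '$prefix/../lualib/plugins/crowdsec/?.lua;;';
lua_shared_dict crowdsec_cache 50m;
# ${SSL_CERTS_PATH} is a placeholder: install.sh and the RPM %post scriptlet
# replace it with the CA bundle path through envsubst.
lua_ssl_trusted_certificate ${SSL_CERTS_PATH};

init_by_lua_block {
    cs = require "crowdsec"
    local ok, err = cs.init("/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf", "crowdsec-openresty-bouncer/v1.0.4")
    if ok == nil then
        ngx.log(ngx.ERR, "[Crowdsec] " .. err)
        -- Raise instead of continuing; presumably this stops OpenResty from
        -- serving traffic without a working bouncer (verify).
        error()
    end
    if ok == "Disabled" then
        ngx.log(ngx.ALERT, "[Crowdsec] Bouncer Disabled")
    else
        ngx.log(ngx.ALERT, "[Crowdsec] Initialisation done")
    end
}

# $unix is 1 when the request arrived on a unix socket listener.
map $server_addr $unix {
    default 0;
    "~unix:" 1;
}

access_by_lua_block {
    local cs = require "crowdsec"
    if ngx.var.unix == "1" then
        ngx.log(ngx.DEBUG, "[Crowdsec] Unix socket request ignoring...")
    else
        -- remote_addr is the address of the connecting peer. Behind a load
        -- balancer or CDN it is the proxy's address unless the realip module
        -- rewrites it, so decisions would then be evaluated for the proxy.
        cs.Allow(ngx.var.remote_addr)
    end
}

--------------------------------------------------------------------------------
/rpm/SPECS/crowdsec-openresty-bouncer.spec:
--------------------------------------------------------------------------------
Name: crowdsec-openresty-bouncer
Version: %(echo $VERSION)
Release: %(echo $PACKAGE_NUMBER)%{?dist}
Summary: OpenResty bouncer for Crowdsec

License: MIT
URL: https://crowdsec.net
Source0: https://github.com/crowdsecurity/%{name}/archive/v%(echo $VERSION).tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

BuildRequires: git
BuildRequires: make
%{?fc33:BuildRequires: systemd-rpm-macros}

Requires: openresty, openresty-opm, gettext

%define debug_package %{nil}

%description

%define version_number %(echo $VERSION)
%define releasever %(echo $RELEASEVER)
%global local_version v%{version_number}-%{releasever}-rpm
%global name crowdsec-openresty-bouncer
%global __mangle_shebangs_exclude_from /usr/bin/env

%prep
%setup -q -T -b 0 -n crowdsec-openresty-bouncer-%{version_number}

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/usr/local/openresty/nginx/conf/conf.d/
mkdir -p %{buildroot}/usr/local/openresty/lualib/plugins/crowdsec/
mkdir -p %{buildroot}/var/lib/crowdsec/lua/templates/
mkdir -p %{buildroot}/etc/crowdsec/bouncers/
# NOTE(review): the Lua library is fetched from the network at build time and
# selected by tag only. A tag can be moved, so the packaged code is not fixed
# by this spec; pinning a commit id or shipping the library as a checksummed
# source archive would make the build reproducible.
git clone -b v1.0.1 https://github.com/crowdsecurity/lua-cs-bouncer.git
# The bouncer configuration holds the LAPI key, hence mode 600.
install -m 600 -D lua-cs-bouncer/config_example.conf %{buildroot}/etc/crowdsec/bouncers/%{name}.conf
install -m 644 -D lua-cs-bouncer/lib/crowdsec.lua %{buildroot}/usr/local/openresty/lualib/
install -m 644 -D lua-cs-bouncer/lib/plugins/crowdsec/* %{buildroot}/usr/local/openresty/lualib/plugins/crowdsec/
install -m 644 -D lua-cs-bouncer/templates/* %{buildroot}/var/lib/crowdsec/lua/templates/
install -m 644 -D openresty/crowdsec_openresty.conf %{buildroot}/usr/local/openresty/nginx/conf/conf.d/

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root,-)
/usr/local/openresty/lualib/
/var/lib/crowdsec/lua/templates/
/usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf
%config(noreplace) /etc/crowdsec/bouncers/%{name}.conf


%post -p /bin/bash

systemctl daemon-reload

NGINX_CONFIG_PATH="/usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf"
BOUNCER_CONFIG_PATH="/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf"
CERT_FILE=""
CERT_OK=0
START=0
LAPI_DEFAULT_PORT="8080"

# Candidate CA bundles; the first existing one is written into the nginx file.
CERTS=(
    "/etc/pki/tls/certs/ca-bundle.crt"
    "/etc/pki/tls/cacert.pem"
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
    "/etc/ssl/certs/ca-bundle.crt"
    "/etc/ssl/certs/ca-certificates.crt"
)



# Install the Lua libraries the bouncer needs through opm, unless present.
check_lua_dependency() {
    DEPENDENCY=(
        "pintsized/lua-resty-http"
    )
    for dep in "${DEPENDENCY[@]}";
    do
        if ! opm list | grep -- "${dep}" > /dev/null; then
            opm get "${dep}" > /dev/null && echo "${dep} successfully installed"
        fi
    done
}


# $1 is 1 on a first install of the package.
if [ "$1" == "1" ] ; then
    if command -v cscli > /dev/null ; then
        START=1
        echo "cscli/crowdsec is present, generating API key"
        unique=$(date +%s)
        PORT=$(cscli config show --key "Config.API.Server.ListenURI"|cut -d ":" -f2)
        if [ -n "$PORT" ]; then
            LAPI_DEFAULT_PORT=${PORT}
        fi
        CROWDSEC_LAPI_URL="http://127.0.0.1:${LAPI_DEFAULT_PORT}"
        # Test the result of cscli itself. The earlier "$? -eq 1" check ran
        # after unrelated assignments, so a failed registration was never seen.
        if API_KEY=$(cscli -oraw bouncers add "crowdsec-openresty-bouncer-${unique}") && [ -n "${API_KEY}" ]; then
            # The key is not printed: scriptlet output can end up in
            # package-manager logs.
            echo "API key generated and written to ${BOUNCER_CONFIG_PATH}"
        else
            echo "failed to create API token, service won't be started."
            START=0
            API_KEY=""
        fi
        TMP=$(mktemp -p /tmp/)
        cp "${BOUNCER_CONFIG_PATH}" "${TMP}"
        # Substitute only the two placeholders, so any other "$" in the
        # configuration is left as written.
        API_KEY=${API_KEY} CROWDSEC_LAPI_URL=${CROWDSEC_LAPI_URL} envsubst '$API_KEY $CROWDSEC_LAPI_URL' < "${TMP}" > "${BOUNCER_CONFIG_PATH}"
        rm "${TMP}"
        check_lua_dependency

    fi

    TMP=$(mktemp -p /tmp/)
    cp "${NGINX_CONFIG_PATH}" "${TMP}"
    for cert_path in "${CERTS[@]}";
    do
        if [ -f "$cert_path" ]; then
            CERT_FILE=$cert_path
            break
        fi
    done
    SSL_CERTS_PATH=${CERT_FILE} envsubst '$SSL_CERTS_PATH' < "${TMP}" > "${NGINX_CONFIG_PATH}"
    rm "${TMP}"

    echo "Add 'include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;' in your nginx configuration file (in the 'http' section) to enable the bouncer."

else
    START=1
fi

# NOTE(review): on an upgrade the branch above is skipped, so CERT_FILE stays
# empty and the packaged nginx file is not passed through envsubst here;
# presumably it then still holds the literal placeholder - verify.
if [ "$CERT_FILE" = "" ]; then
    echo "Unable to find a valid certificate, please provide a valide certificate for the 'lua_ssl_trusted_certificate' directive in ${NGINX_CONFIG_PATH}."
fi


echo "CrowdSec OpenResty Bouncer installed. Restart OpenResty service with 'sudo systemctl restart openresty'"

%postun -p /bin/bash
if [ "$1" == "0" ] ; then
    echo "Don't forget to remove 'include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;' in your nginx configuration file to disable the bouncer and make openresty start again."
    echo ""
    echo "Run 'sudo systemctl restart openresty.service' to stop openresty-bouncer"
fi

%changelog
* Tue Feb 1 2022 Kevin Kadosh
- First initial packaging

--------------------------------------------------------------------------------
/uninstall.sh:
--------------------------------------------------------------------------------
#!/bin/bash

NGINX_CONF="crowdsec_openresty.conf"
NGINX_CONF_DIR="/usr/local/openresty/nginx/conf/conf.d/"
LIB_PATH="/usr/local/openresty/lualib/plugins/crowdsec/"
PKG="apt"
PACKAGE_LIST="dpkg -l"
SILENT="false"

#Accept cmdline arguments to overwrite options.
while [[ $# -gt 0 ]]
do
    case $1 in
    -y|--yes)
        SILENT="true"
    ;;
    esac
    shift
done

# Select the package-removal command and the command that lists installed
# packages. An unsupported distribution stops the script with a non-zero
# status (the previous bare "exit" returned echo's status, 0, and a
# non-matching /etc/system-release fell through with the apt defaults).
check_pkg_manager(){
    if [ -f /etc/redhat-release ] || { [ -f /etc/system-release ] && grep -q "Amazon Linux release 2 (Karoo)" /etc/system-release; }; then
        PKG="yum remove"
        PACKAGE_LIST="yum list installed"
    elif [ -f /etc/debian_version ]; then
        PKG="apt remove --purge"
        PACKAGE_LIST="dpkg -l"
    else
        echo "Distribution is not supported, exiting."
        exit 1
    fi
}

# Ask whether the installed dependency $1 should be removed.
# An empty answer counts as yes; returns 0 for yes, non-zero otherwise.
confirm_remove() {
    local answer
    echo "${1} found, do you want to remove it (Y/n)? "
    read -r answer
    [[ -z ${answer} || ${answer} == [Yy]* ]]
}

# Remove the Lua libraries installed through opm, when present.
remove_lua_dependency() {
    DEPENDENCY=(
        "pintsized/lua-resty-http"
    )
    for dep in "${DEPENDENCY[@]}";
    do
        if ! opm list | grep -- "${dep}" > /dev/null; then
            continue
        fi
        if [[ ${SILENT} == "true" ]] || confirm_remove "${dep}"; then
            opm remove "${dep}" > /dev/null && echo "${dep} successfully removed"
        fi
    done
}

# Remove the system packages the installer added, when present.
remove_openresty_dependency() {
    DEPENDENCY=(
        "openresty-opm"
    )
    for dep in "${DEPENDENCY[@]}";
    do
        # PACKAGE_LIST and PKG hold a command plus arguments, so both are
        # split on purpose.
        if ! $PACKAGE_LIST | grep -- "${dep}" > /dev/null; then
            continue
        fi
        if [[ ${SILENT} == "true" ]] || confirm_remove "${dep}"; then
            $PKG -y -qq "${dep}" > /dev/null && echo "${dep} successfully removed"
        fi
    done
}


# Delete the Lua library directory and the nginx include file.
# NOTE(review): the bouncer configuration under /etc/crowdsec/bouncers, which
# holds the LAPI key, and the templates are left in place, and the bouncer
# stays registered in the local API; confirm that this is intended.
uninstall() {
    # ":?" aborts instead of running "rm -rf" on an empty path.
    rm -rf -- "${LIB_PATH:?}"
    rm -- "${NGINX_CONF_DIR}/${NGINX_CONF}"
}

if [ "$(id -u)" != 0 ]; then
    # log_err is not defined in this script; write to stderr directly.
    echo "Please run the uninstall script as root or with sudo" >&2
    exit 1
fi

check_pkg_manager
remove_lua_dependency
remove_openresty_dependency
uninstall
echo "crowdsec-openresty-bouncer uninstalled successfully"
echo ""
echo "Don't forget to remove 'include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;' in your nginx configuration file to disable the bouncer and make openresty start again."
echo ""
echo "Run 'sudo systemctl restart openresty.service' to stop openresty-bouncer"
--------------------------------------------------------------------------------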