appsec ip
maybe I'm confused but what does the ip for appsec need to be? I keep getting bind errors... I'm on unraid but localhost:port doesn't seem to work?
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
] nginx: [error] [lua] crowdsec.lua:99: init(): APPSEC is enabled on '0.0.0.0:7422'
in npm. does the ip need to be the same as the bouncer?
set APPSEC_URL=http://0.0.0.0:7422 in my crowdsec-openrestry-bouncer.conf
also set in my acquis.yaml

I guess I'll have to wait and see if anyone can chime in.. I suspect NPM isn't playing nice for no reason

So where is NPM in relation to CrowdSec?
What do u mean? I’m using lepresidentes image?
No I mean where is crowdsec running to where NPM is running
are they on the same docker subnet?
Yes both running on the same docker network
CrowdSec works, has for years; parsing logs for NPM works
So when you defined the LAPI url in NPM did you use http://crowdsec:8080 ?
I forgot where this is.. I setup crowdsec a ways back can u refresh me
If you look at your crowdsec-openrestry-bouncer.conf it will say API url I think
wait
I used unraid-server-ip:8081
and that's because you expose the port 8081:8080 ?
Yes
Okay, so can you expose the appsec port to the unraid server host? 7422:7422 for example
Are u saying port forward 7422 to my unraid server via my router?
No I am saying you need to modify the container to expose the port inside the container to the unraid host
I need to add another port to the NPM container?
No you need to add the port to the CrowdSec container
Like so?

Yes
No change
then on NPM side you can set the appsec_url to http://unraid-server-ip:7422
Trying now
You basically set it the same as the original lapi url but different port
Listen address in acquis.yaml too then?
the listen address should be 0.0.0.0:7422 as it's a container it can bind to all interfaces
cscli metrics show appsec still shows a blank engine
have you sent a request to the web server?
As in?
Have you gone to a webpage served by NPM, as it needs to see a request before it shows in metrics
Yes
and if you check npm did you restart both crowdsec and npm containers?
Yes but NPM is still showing the error I posted above in red
it's not an error, it's just the way we log it, as by default lua doesn't show any other logs than error
so you see appsec enabled and the unraid-server-ip:7422 ?
Can you check the crowdsec container that it logs that it enabled the appsec on the address
[nginx ] nginx: [error] [lua] crowdsec.lua:99: init(): APPSEC is enabled on '192.168.1.50:7422'
NPM log
and the crowdsec logs?

Success?

success
So will appsec have an issue with Authentik? Anything I need to add besides the default config?
since you're using appsec-default then no, it's CVE rules that shouldn't impact any application
But still protects them via those rules ?
Yes
.env
it depends because the authentik hook may run before the lua as you have a location rewrite most likely, so if all appsec are behind authentik then appsec will only enforce rules on authenticated requests.
Yeah just gives 404 not found nginx
so all your apps are behind authentik?
Yes. Would u suggest a more complex appsec due to this?
Wait. Not all, my overseerr for example
we have to test an authentik setup, as users reported this in the past but couldn't replicate it as the location rewrites seem to cause an issue
So is appsec obsolete in my use case for now?
for the authentik protected routes most likely, as they need to authenticate anyways so the attack layer is quite minimal as long as you're monitoring BF on authentik
Security is #1. I guess I’ll have to keep an eye out and see if you guys find a fix. Should I keep appsec for now anyways?
You can keep it live, there's no impact to keeping it running
Is testing Authentik still on the todo?
and if we managed to find a solution, then you will already be set up to use it right away
My thoughts exactly, just didn't wanna be blindsided because with my luck I'd be remote when it happened lol