Help Connecting Unraid Docker Agent to OPNsense plugin?

I have the Crowdsec plugin installed on OPNSense (primary LAPI host) and I'm trying to set up the docker on Unraid as an agent so it can scan the logs of my internet-facing services and coordinate with a SWAG bouncer. I've tried this 2 different ways:

(On OPNsense) 1) Running cscli machines add unraid-agent --auto in order to get an API key to use with the Unraid agent. However this throws the following error:

Error: credentials file '/usr/local/etc/crowdsec/local_api_credentials.yaml' already exists: please remove it, use "--force" or specify a different file with "-f" ("-f -" for standard output)

If I delete the local_api_credentials.yaml file then this command works, the new machine is created, and shows up under Services > Crowdsec > Overview > Machines, and I can pull the API key from the local_api_credentials.yaml file, but then the Crowdsec service fails to start again after restart. Apparently that file is somehow being used by the local OPNsense plugin and replacing this YAML file completely screws up the install. I have no idea how I'm supposed to get an API key for a new machine...

(On Unraid) 2) Running cscli lapi register -u http://192.168.1.1:8080 from the Crowdsec docker console. This gives the error:

api client register: api register (http://192.168.1.1:8080/) http 403 Forbidden: API error: http code 403, response: Forbidden

192.168.1.1 is the IP of my OPNsense box, I haven't edited the default 8080 port, and I don't have any conflicting services using that port. I also tried changing the "LAPI listen address" in the OPNSense CrowdSec settings from 127.0.0.1 to 192.168.1.1, but that doesn't work either. Nothing works. What am I missing here?
GeekyGecko (OP), 4mo ago
I also tried editing the local_api_credentials.yaml file in the Unraid Crowdsec docker appdata to point at OPNsense, but every time the docker restarts that file gets automatically reverted back to the default. Nothing I put there sticks. This leads me to believe that I need to be using environment variables in the docker template itself, and I do see some people mentioning the following variables:

DISABLE_LOCAL_API=true
AGENT_USERNAME="agent_user_name" - agent_user_name previously registered with LAPI
AGENT_PASSWORD="agent_password" - agent_password previously registered with LAPI
LOCAL_API_URL="http://LAPI_host:LAPI_port"

But I haven't been able to properly test this because I CANNOT FIGURE OUT HOW TO GET A PASSWORD FROM THE OPNSENSE PLUGIN! When I try to add a machine via the CLI I get that damn local_api_credentials.yaml already exists error.
GeekyGecko (OP), 4mo ago
Lol, even Gemini is throwing in the towel:
GeekyGecko (OP), 4mo ago
Update: It's possible it's not the modifications to local_api_credentials.yaml crashing the Crowdsec service on OPNSense. After completely removing it and reinstalling it, I simply changed the "LAPI listen address" from 127.0.0.1 to 192.168.1.1 - and after restarting the service it doesn't come back up. About to completely remove the plugin again (including modifying the /conf/config.xml in OPNsense to remove the <crowdsec> section, and deleting all the directories it created) - reinstall crowdsec, and test if modifying the local_api_credentials.yaml causes any issues if I leave the LAPI Listen URL alone.

Update2: Ok I think what I'm supposed to be doing here is generating a new, separate, credentials.yaml file for the Unraid machine when I create it. This time I tried running the command:

cscli machines add unraid-agent --auto --file /usr/local/etc/crowdsec/unraid_api_credentials.yaml

And this seems to work. My Crowdsec plugin on OPNsense is ok and I have an API key for the Unraid agent. I added the environment variables I see suggested on reddit to the Crowdsec docker template on unraid, but still no luck. In the logs I see the same 403 error that I get when I try to run the cscli lapi register -u http://192.168.1.1:8080 command. I'm pulling my hair out over this. Any help would be very appreciated.
GeekyGecko (OP), 4mo ago
Update3: Tried changing the LAPI Listen url to 0.0.0.0 and adding my server IP to the "trusted_ips" list in the config.yaml file. Still no luck.
iiamloz, 4mo ago
Hey, yes I agree we did a poor job at communicating how to get a container to connect to a central LAPI. However, you are on the right track with the environment variables, because the docker init script tries to know what you want to do, so if they are not there then it will regenerate it. As for the machine add command, we thought it would be obvious that if your intent is to add another machine you use the suggested -f- which will output the credentials to the screen instead of saving them to a file, or use -f /to/another/file like you said later to output them to a different location than default. When you run cscli lapi register it will always generate new credentials; the idea is you either use cscli machine add or cscli lapi register but never both. As for docker, we suggest using cscli machine add --auto -f- then copying and pasting them into the values. However, please note that even though the LAPI is configured for 0.0.0.0 you need to restart the service and make sure the port is reachable for your LAN side in your firewall settings.
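
The copy-and-paste step described in the reply above, as an added example that is not part of the thread or of CrowdSec's own tooling: it reads credentials YAML on stdin and prints the four container variables quoted earlier in the thread. The url/login/password layout of the sample, the helper names yaml_field and creds_to_env, and the placeholder password are assumptions of this example.

```shell
#!/bin/sh
# Added example: map the YAML printed by
#   cscli machines add unraid-agent --auto -f -
# onto the container environment variables named in this thread.

# Constructed sample of that output (assumed layout; placeholder password).
SAMPLE_CREDS='url: http://127.0.0.1:8080
login: unraid-agent
password: "EXAMPLE-PLACEHOLDER-PASSWORD"'

# yaml_field KEY: print the value of the first top-level "KEY: value" line
# on stdin, with trailing whitespace and surrounding quotes removed.
yaml_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# creds_to_env LAPI_URL: read the credentials YAML on stdin and print
# env-file lines. LAPI_URL is the address the agent must dial; the url field
# in the YAML is ignored because it can still say 127.0.0.1.
creds_to_env() {
    lapi_url=$1
    creds=$(cat)
    login=$(printf '%s\n' "$creds" | yaml_field login)
    password=$(printf '%s\n' "$creds" | yaml_field password)
    if [ -z "$login" ] || [ -z "$password" ]; then
        echo "credentials are missing login or password" >&2
        return 1
    fi
    case $lapi_url in
        http://*|https://*) ;;
        *) echo "LAPI URL must start with http:// or https://" >&2
           return 1 ;;
    esac
    printf 'DISABLE_LOCAL_API=true\n'
    printf 'AGENT_USERNAME=%s\n' "$login"
    printf 'AGENT_PASSWORD=%s\n' "$password"
    printf 'LOCAL_API_URL=%s\n' "$lapi_url"
}

# Demo on the constructed sample. When saving real output to a file, run
# "umask 077" first, because AGENT_PASSWORD is a secret.
printf '%s\n' "$SAMPLE_CREDS" | creds_to_env http://192.168.1.1:8080
```

On the LAPI host the real input would come from piping the cscli machines add command into creds_to_env with the LAPI's LAN URL as the argument.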
GeekyGecko (OP), 4mo ago
I've restarted the service, and I think my firewall rules are ok (attached). I can't figure out why I always get the 403 Forbidden response.
GeekyGecko (OP), 4mo ago
I noticed that the Crowdsec docker on Unraid uses port 8081 - do I need to change that or maybe set up a port forward on the firewall?
