Best Bouncer Configuration for AppSec on a LAMP Server
Hello, I have a question. I currently have several LAMP web servers, notably with Apache2 + PHP. Right now, I’d like to set up AppSec, but first I want to install the appropriate bouncers. I see that there is a bouncer for PHP and another for Apache. What would you recommend? Should I install both, or just one of them? Which one would work best with AppSec? Thank you in advance.
Hello,
You will only need one of them.
The PHP bouncer does support appsec, and the apache bouncer does not.
Great, thanks a lot! I just tried to set this up, but I couldn’t find any specific documentation. I mixed several docs to manage to implement the PHP bouncer + appsec + captcha. However, I’ve reached a point where I defined the captcha for certain scenarios, but when I trigger it, nothing happens. Do you have any idea why?
is the index page generated by PHP code?
The PHP bouncer will only work if the content of the page was generated by PHP
yes

and if you add a "normal" decision, do you get a 403?
What does cscli bouncers list show?
When I remove the captcha decision, I get banned. But when I put the captcha decision back, I still don't see any captcha.

I don't know why I'm not getting a 403, only 200 responses.
Hmmmm nevermind, actually it happens after a certain amount of time, it doesn’t block me instantly

So for now, there's only a captcha issue on my machine.
I don't know how often the bouncer will refresh, but most bouncers update their cache every 10 seconds
it depends on the cron you set up
the docs have an example for every 15 minutes
but with a cron, you won't be able to go under a minute
I have:
if you want instant updates, you will need to use live mode, which will make a query to LAPI for each request processed by your app (with some cache on top of that)
okok
set stream_mode to false in the bouncer config to enable live mode (it's the default, I don't know if you changed it or not)
and for the captcha issue:
- can you check the actual content of the response? I don't know which HTTP the bouncer uses to send the captcha page
- Set debug_mode to true in the config, it should log more information about what is happening
No, I haven't changed the stream_mode. However, when I modify the settings.php, do I need to restart Apache2 and CrowdSec?
only apache
That's why I removed the firewall bouncer, I only have the PHP bouncer to test, so there's no risk of conflict between two bouncers.
I just tested it on a standard configuration, and even there the captcha doesn't appear. Aside from the standard installation, is there anything else that needs to be installed?

no it should work out of the box with the PHP bouncer
Can you set debug_mode to true in the bouncer configuration, make a request (from an IP that has a captcha decision) and paste the logs?
Are the logs actually in crowdsec.log (php bouncer)? Because it doesn't seem like enabling debug mode changes anything.
no they are emitted by PHP
so they should be where your PHP logs are
so the bouncer thinks the captcha has already been solved, and does not show it again (this is by design, in order to avoid showing the captcha to the user for each request)
Have you solved the captcha once ?
The default cache duration for the captcha is 24h
yes
that's why?
yes
you can change it to a lower value by setting captcha_cache_duration in the config to a value in seconds
🥲
Sorry, I should have thought about this earlier, but I've never actually used this bouncer (the further away I am from PHP, the better :D)
It's my fault, I should have read more carefully. However, I modified the value, but it still considers it as "solved". I think it has the last value cached — how can I clear the cache?
And just to be sure, I only need to specify it like this, right?

yes that should work
To clear the cache, you can run the prune-cache.php script
Okay, I just ran some tests. I'm not sure why, but when I run php prune-cache.php, it doesn't work, whereas php clear-prune.php does. Note that there's nothing in the logs when I run prune-cache.php. But it's fine, it's working now.
I also noticed that when I get banned, I see the "Oh" page. However, when I unban myself, it takes between 1 and 2 minutes before I can access the page again. Do you know why that might be? Because I do have stream_mode set to false.