Crowdsec behind cloudflare proxy, will it ban my real IP?
Hey, I'm enjoing vacation and why not learn something new? Settled for Crowdsec. π π¦
I've installed it on multiple firewalls (opnsense and pfsense) and agents parsing nginx-logs.
I've attacked my website using nikto and the cs-agent at nginx did detect the attack and reported it to the LAPI. When looking at the decisions in the LAPI@pfsense I can see that I should be banned. Great.
But I can still visit my site even if my IP should be banned. I even tried to ban myself manually, same result.
One thing that comes to mind is that I'm using cloudflare in front of PFsense, so crowdsec/pfsense might be fooled here. The real IP is banned by Crowdsec, I forward real_ip correctly but I've firewall rules that only allows CF to connect to me hence I might suspect that the ban does not bite since the traffic seems ot come from CF?
Is the only bouncer in my scenario placed at CF? Or add a bouncer to my webserver. Anyhow I don't see the point of having crowdsec installed at PFsense if I have cloudflare in front of my firewall and enforce that only cloudflare IPs can connect to PFsense.
5 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
Β© Created By WhyAydan for CrowdSec β€οΈ
I worked around this by installing nginx-bouncer in container, which I wanted to avoid since it would be nicer to have PFSense to do the banning. Still the conclusion with crowdsec@pfsens behind cloudflare is not meaningful since the firewall rules is seeing the CF-ips.
At the firewall level (so L3), we can only see the CF IP, as this is what actually open the connection to your server, so it's impossible to do bans at the firewall level.
If blocking at a higher level (HTTP in your case), we can block the actual client because CF adds the actual source IP in the HTTP header and you can configure nginx to use this as the source ip, and everything will work as expected.
Yeah, everything works if I use a nginx-buncer and get the real IP. But in this specific setup I fail to see the usecase for having crowdsec@pfsense since the only port I have open is 443 which forwards to the server where crowdsec-nginx-bouncer is active. Crowdsec bouncer is able to see real IP and do proper banning, I've also configured it with appsec. Works great.
Where's the pfsense-crowdsec can't do much since it's behind cloudflare and I've configured pfsense to only allow CF ips to 443, hence for <<my usecase>> I don't see any usage of crowdsec@pfsense but should only rely on crowdsec-nginx-bouncer. Correct me if I'm wrong?
Nope, you're right.
If the only exposed service is through cloudflare, then blocking at the firewall level is not really useful