Caddy Appsec

Hi! I have set up crowdsec with https://github.com/hslatman/caddy-crowdsec-bouncer. But I'm not sure if appsec is working as it should, have I missed anything? In my Caddy config I have
# CrowdSec global configuration
crowdsec {
    api_url http://192.168.1.19:8080
    api_key redacted
    ticker_interval 60s
    disable_streaming
    appsec_url http://localhost:7422
}
These are my collections
crowdsecurity/appsec-generic-rules ✔️ enabled 1.0 /etc/crowdsec/collections/appsec-generic-rules.yaml
crowdsecurity/appsec-virtual-patching ✔️ enabled 7.4 /etc/crowdsec/collections/appsec-virtual-patching.yaml
crowdsecurity/base-http-scenarios ✔️ enabled 1.2 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/caddy ✔️ enabled 0.1 /etc/crowdsec/collections/caddy.yaml
crowdsecurity/http-cve ✔️ enabled 2.9 /etc/crowdsec/collections/http-cve.yaml
crowdsecurity/linux ✔️ enabled 0.3 /etc/crowdsec/collections/linux.yaml
crowdsecurity/sshd ✔️ enabled 0.7 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/whitelist-good-actors ✔️ enabled 0.2 /etc/crowdsec/collections/whitelist-good-actors.yaml
and lastly my /etc/crowdsec/acquis.d/appsec.yaml file
listen_addr: 0.0.0.0:7422
appsec_config: crowdsecurity/appsec-default
name: caddy-appsec
source: appsec
labels:
  type: appsec
8 Replies
DJKatastrof (OP, 5w ago)
Caddy configuration
# CrowdSec protection snippet
(crowdsec) {
    crowdsec
}

*.doimain.com {
    log
    # Apply CrowdSec protection to all subdomains
    import crowdsec

    tls {
        dns cloudflare redacted
        resolvers 1.1.1.1
    }

    # Pocket-ID server (no auth needed)
    @pocketid host pocket.domain.com
    handle @pocketid {
        import geo-sweden-only
        reverse_proxy http://192.168.1.55:1411
    }
}
iiamloz (5w ago)
If useful: https://www.crowdsec.net/blog/secure-caddy-crowdsec-remediation-waf-guide but the TL;DR is, the module introduces a new keyword called "appsec", like the "crowdsec" keyword, so you must also put this in your crowdsec block @DJKatastrof
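The change described in the reply above, written out as an added example that is not part of the thread or of the bouncer project's own documentation. The values are copied from the question; the two `order` lines are an assumption, since the thread does not show how the directives are ordered in the poster's global options.

```caddyfile
# Added example, not from the thread.
{
	# Assumption: directive ordering is not shown in the thread. Third-party
	# handler directives need an explicit order (or a route block) in Caddy.
	order crowdsec first
	order appsec after crowdsec

	crowdsec {
		api_url http://192.168.1.19:8080
		api_key redacted
		ticker_interval 60s
		disable_streaming
		# Only tells the module where the AppSec listener is.
		# It does not by itself send any request there.
		appsec_url http://localhost:7422
	}
}

# Before (as posted): only the bouncer decision check runs, so the
# AppSec component configured above never sees a request.
# (crowdsec) {
# 	crowdsec
# }

# After: both keywords are in the snippet, so every site that imports it
# gets the decision check followed by AppSec (WAF) inspection.
(crowdsec) {
	crowdsec
	appsec
}

# Site blocks keep their existing "import crowdsec" line unchanged.
```

After reloading Caddy, the AppSec section of `cscli metrics` on the CrowdSec instance that runs the listener should start counting processed requests.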
DJKatastrof (OP, 5w ago)
I'll try and see 🙂 Another question: I just enrolled my instance, but on app.crowdsec.net it's only showing 4 scenarios. If I type cscli scenarios list I can see 100 scenarios. Does it take time to sync maybe? Because alerts are not syncing as well. Maybe the Caddy bouncer doesn't provide that info? @hslatman maybe you can help me out here 😅 thanks
iiamloz (5w ago)
On the community plan we only sync metadata like that every 2 hours. Make sure you are persisting the /etc/crowdsec directory, as that holds the enrollment information; if you don't and do a restart/destroy, then the console won't know it's the same instance.
DJKatastrof (OP, 5w ago)
Cool, thanks! Does enrolling to the console require the local API? If my crowdsec docker is in a multiserver env? Never mind, I figured that you need to enrol the LAPI server, not the other way around, thanks!
iiamloz (5w ago)
Yes, as the LAPI is the main one talking to CAPI, the rest don't need to have the LAPI running.
CrowdSec (4w ago)
Resolving Caddy Appsec This has now been resolved. If you think this is a mistake please run /unresolve
