[GH-ISSUE #15] Support stream mode for CrowdSec plugin #11

Closed
opened 2026-03-02 02:59:21 +03:00 by kerem · 3 comments
Owner

Originally created by @DimitryVo on GitHub (Jul 28, 2023).
Original GitHub issue: https://github.com/bunkerity/bunkerweb-plugins/issues/15

Hello, I have a problem banning IPs on BunkerWeb from CrowdSec.

**Plugin(s)**
crowdsec

**Description**
I see some banned IPs in the crowdsec container, but I can't see them in bunkerweb.

**How to reproduce**

The "Use CrowdSec" option is activated for all services.

`docker-compose exec crowdsec cscli bouncers list`

```shell
Name       IP Address  Valid  Last API pull         Type                        Version  Auth Type
bunkerweb  10.20.31.2  ✔      2023-07-28T12:58:59Z  crowdsec-bunkerweb-bouncer  v0.1     api-key
```

`docker-compose exec crowdsec cscli decisions list`

```shell
│ ID │ Source │ Scope:Value │ Reason │ Action │ Country │ AS │ Events │ expiration │ Alert ID │
│ 435131 │ crowdsec │ Ip:59.18.150.155 │ crowdsecurity/thinkphp-cve-2018-20062 │ ban │ KR │ 4766 Korea Telecom │ 1 │ 3h30m18.129711836s │ 160 │
│ 435130 │ crowdsec │ Ip:146.190.33.8 │ crowdsecurity/CVE-2022-26134 │ ban │ US │ 14061 DIGITALOCEAN-ASN │ 1 │ 3h15m33.070097333s │ 159 │
│ 435127 │ crowdsec │ Ip:167.94.138.49 │ crowdsecurity/http-bad-user-agent │ ban │ US │ 398324 CENSYS-ARIN-01 │ 2 │ 1h16m53.328785208s │ 156 │
│ 435123 │ crowdsec │ Ip:139.59.182.142 │ crowdsecurity/jira_cve-2021-26086 │ ban │ GB │ 14061 DIGITALOCEAN-ASN │ 1 │ 8m36.788698052s │ 152 │
```

`docker-compose exec bunkerweb bwcli bans`

```shell
[2023-07-28 18:01:03] - API - ℹ - Successfully sent API request to http://127.0.0.1:5000/bans
[2023-07-28 18:01:03] - CLI - ℹ - CLI command status : ✔ (success)
List of bans for 127.0.0.1:
No ban found
```

`docker-compose.yaml`

```yaml
services:
  bunkerweb:
    image: bunkerity/bunkerweb
    ports:
      - 80:8080
      - 443:8443
    labels:
      - "bunkerweb.INSTANCE"
    environment:
      ...
      - USE_CROWDSEC=yes
      - CROWDSEC_API=http://crowdsec:8080
      - CROWDSEC_API_KEY=xxxxx
      ...

  crowdsec:
    image: crowdsecurity/crowdsec:v1.5.1
    environment:
      - BOUNCER_KEY_bunkerweb=xxxxx
```

**BunkerWeb version**
BunkerWeb - actual version 1.5.0

`docker-compose exec crowdsec cscli version`

```shell
2023/07/28 18:09:07 version: v1.5.1-eddb994c0b48d77b34a3f22b719dc5716670d2ae
2023/07/28 18:09:07 Codename: alphaga
2023/07/28 18:09:07 BuildDate: 2023-05-17_11:05:12
2023/07/28 18:09:07 GoVersion: 1.20.4
2023/07/28 18:09:07 Platform: docker
2023/07/28 18:09:07 Constraint_parser: >= 1.0, <= 2.0
2023/07/28 18:09:07 Constraint_scenario: >= 1.0, < 3.0
2023/07/28 18:09:07 Constraint_api: v1
2023/07/28 18:09:07 Constraint_acquis: >= 1.0, < 2.0
```


@fl0ppy-d1sk commented on GitHub (Aug 14, 2023):

Hello @DimitryVo,

IMO this is not a real "problem" because BW is still asking CS API when there is a new request. I did a quick test with BW 1.5.1 and plugins 1.1.

Decision on the `1.3.3.7` IP :

```shell
$ cscli decisions list
╭────┬──────────┬─────────────┬───────────────────────────────────┬────────┬─────────┬────┬────────┬──────────────────┬──────────╮
│ ID │  Source  │ Scope:Value │              Reason               │ Action │ Country │ AS │ Events │    expiration    │ Alert ID │
├────┼──────────┼─────────────┼───────────────────────────────────┼────────┼─────────┼────┼────────┼──────────────────┼──────────┤
│ 1  │ crowdsec │ Ip:1.3.3.7  │ crowdsecurity/jira_cve-2021-26086 │ ban    │ CN      │    │ 1      │ 3h58m18.9374069s │ 1        │
╰────┴──────────┴─────────────┴───────────────────────────────────┴────────┴─────────┴────┴────────┴──────────────────┴──────────╯
```

Send request from `1.3.3.7` (real IP activated for testing) :

```shell
curl -H "X-Forwarded-For: 1.3.3.7" "http://www.example.com"
```

I can see that request is blocked by CS plugin :

```log
[ACCESS] denied access from crowdsec : CrowSec bouncer denied request, client: 1.3.3.7, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
```

@fl0ppy-d1sk commented on GitHub (Aug 14, 2023):

ATM the CS plugin only works in live mode. We need to support stream mode.
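
The difference between the two modes discussed in this thread, as an added offline simulation (not BunkerWeb's or CrowdSec's code). `FakeLapi`, `LiveBouncer` and `StreamBouncer` are hypothetical names, and the stream response is assumed to be a `new`/`deleted` delta. In live mode the bouncer keeps no local copy of decisions and asks the API on every request; in stream mode it pulls deltas into a local set and answers from that.

```python
class FakeLapi:
    """In-memory stand-in for the CrowdSec Local API; all data is constructed."""
    def __init__(self):
        self.active = {}                 # ip -> scenario of the active ban
        self.new, self.deleted = [], []  # changes since the last stream pull
        self.calls = 0                   # API round-trips made by bouncers

    def add(self, ip, scenario):
        self.active[ip] = scenario
        self.new.append(ip)

    def delete(self, ip):
        if self.active.pop(ip, None) is not None:
            self.deleted.append(ip)

    def query(self, ip):                 # live mode: one lookup per request
        self.calls += 1
        return ip in self.active

    def stream(self, startup=False):     # stream mode: delta since last pull
        self.calls += 1
        new = list(self.active) if startup else self.new
        delta = {"new": new, "deleted": [] if startup else self.deleted}
        self.new, self.deleted = [], []
        return delta

class LiveBouncer:
    """Asks the API for every request; its local ban set is never filled."""
    def __init__(self, lapi):
        self.lapi, self.local_bans = lapi, set()

    def allowed(self, ip):
        return not self.lapi.query(ip)

class StreamBouncer:
    """Pulls deltas into a local set; requests are answered without API calls."""
    def __init__(self, lapi):
        self.lapi, self.local_bans = lapi, set()
        self.sync(startup=True)          # first pull fetches all active bans

    def sync(self, startup=False):
        delta = self.lapi.stream(startup)
        self.local_bans |= set(delta["new"])
        self.local_bans -= set(delta["deleted"])

    def allowed(self, ip):
        return ip not in self.local_bans

if __name__ == "__main__":
    lapi = FakeLapi()
    lapi.add("1.3.3.7", "crowdsecurity/jira_cve-2021-26086")
    live, stream = LiveBouncer(lapi), StreamBouncer(lapi)
    print(live.allowed("1.3.3.7"), live.local_bans, stream.local_bans)
```

A stream-mode bouncer keeps allowing a newly banned address until its next `sync()`, so the polling interval bounds how long a fresh decision goes unenforced.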


@fl0ppy-d1sk commented on GitHub (Mar 26, 2024):

Hello @DimitryVo,

CS plugin now supports stream mode in version 1.4.
