Version: v1.2.2

Ingress Nginx Bouncer


A lua plugin bouncer for Ingress Nginx Controller.

How does it work?

This bouncer leverages OpenResty's Lua API and is used by the ingress nginx controller as a plugin.

New or unknown IPs are checked against the CrowdSec API. If the request should be blocked, a 403 is returned to the user and the decision is put in cache.
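
The check-then-cache flow described above, modelled in Python as an added example; it is not the bouncer's Lua code. The LAPI lookup is an injected function, and the 60-second cache lifetime, the caching of clean IPs, the `null`/list response shape and the sample address are assumptions made for the example.

```python
import json
import time

CACHE_TTL = 60  # seconds; assumed value for this sketch, not taken from the page


class Bouncer:
    """Model of the flow: cache lookup first, LAPI query for unknown IPs."""

    def __init__(self, lapi_get, ttl=CACHE_TTL, clock=time.monotonic):
        self.lapi_get = lapi_get  # callable(ip) -> raw JSON body (stand-in for LAPI)
        self.ttl = ttl
        self.clock = clock
        self.cache = {}           # ip -> (blocked, expires_at)
        self.lapi_calls = 0

    def status_for(self, ip):
        """Return the HTTP status the ingress would answer with for this IP."""
        now = self.clock()
        hit = self.cache.get(ip)
        if hit and hit[1] > now:
            blocked = hit[0]
        else:
            self.lapi_calls += 1
            # Assumed response shape: `null` when no decision applies, else a list.
            decisions = json.loads(self.lapi_get(ip)) or []
            blocked = any(d.get("type") == "ban" for d in decisions)
            self.cache[ip] = (blocked, now + self.ttl)
        return 403 if blocked else 200


def demo():
    banned = {"203.0.113.7"}  # constructed sample data

    def fake_lapi(ip):
        if ip in banned:
            return json.dumps([{"type": "ban", "scope": "Ip", "value": ip}])
        return "null"

    t = [0.0]  # fake clock so the run is deterministic
    b = Bouncer(fake_lapi, ttl=60, clock=lambda: t[0])
    first = b.status_for("203.0.113.7")   # unknown IP: one LAPI query
    second = b.status_for("203.0.113.7")  # answered from cache
    banned.clear()                        # decision deleted on the CrowdSec side
    stale = b.status_for("203.0.113.7")   # cached result still applies
    t[0] = 61.0
    fresh = b.status_for("203.0.113.7")   # cache expired: LAPI queried again
    return first, second, stale, fresh, b.lapi_calls
```

In this model a deleted decision keeps producing 403 until the cached entry expires, which is worth remembering when testing an unban.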

Installation

Before installation

The Ingress nginx controller should be installed using the official helm chart.

Using Helm

First, create a new ingress-nginx chart values file (crowdsec-ingress-bouncer.yaml) to upgrade the ingress controller with the CrowdSec plugin.

controller:
  extraVolumes:
  - name: crowdsec-bouncer-plugin
    emptyDir: {}
  extraInitContainers:
  - name: init-clone-crowdsec-bouncer
    image: crowdsec-lua
    imagePullPolicy: IfNotPresent
    env:
      - name: API_URL
        value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" # crowdsec lapi service-name
      - name: API_KEY
        value: "<API KEY>" # generated with `cscli bouncers add -n <bouncer_name>`
      - name: DISABLE_RUN
        value: "true"
      - name: BOUNCER_CONFIG
        value: "/crowdsec/crowdsec-bouncer.conf"
    command: ['sh', '-c', "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp /crowdsec/* /lua_plugins/crowdsec/"]
    volumeMounts:
    - name: crowdsec-bouncer-plugin
      mountPath: /lua_plugins
  extraVolumeMounts:
  - name: crowdsec-bouncer-plugin
    mountPath: /etc/nginx/lua/plugins/crowdsec
    subPath: crowdsec
  config:
    plugins: "crowdsec"

These values upgrade your ingress deployment to add the CrowdSec Lua library as a plugin that runs with the ingress controller. They use this docker image to copy the CrowdSec Lua library.

Once you have this patch, you can upgrade the ingress-nginx chart.

helm -n ingress-nginx upgrade -f ingress-nginx-values.yaml -f crowdsec-ingress-bouncer.yaml ingress-nginx ingress-nginx

And then check if the ingress controller is running well.

kubectl -n ingress-nginx get pods

Configuration

As you are using this docker image, you can configure it using environment variables listed in the docker image README.

Testing

When your IP is blocked, any request should lead to a 403 HTTP response.