Configuration
Configuration
Client
By default, crowdsec
and cscli
use 127.0.0.1:8080
as the default Local API. However you might want to use a remote API and configure a different endpoint for your api client.
Register to a Remote API server
- On the machine you want to connect to a Local API server, run the following command:
sudo cscli lapi register -u http://<remote_api>:<port>
- On the Local API server, validate the machine by running the command:
sudo cscli machines list # to get the name of the new registered machine
sudo cscli machines validate <machineName>
- Restart the CrowdSec service on the machine you registered once validated:
sudo systemctl restart crowdsec
Disable the registered machine Local API
On the machine you ran cscli lapi register
, it optimal to disable the Local API component to save on resources since it is now forwarding all alerts/decisions to the Local API server.
Within the config.yaml
file, set enable
under api.server
to false
:
api:
server:
enable: false
See where the config.yaml
file is located on your operating system here
Server
Configure listen URL
If you would like your Local API to be used by a remote CrowdSec installation, you will need to modify the URL it listens on as by default it will listen on the loopback interface.
Modify the listen_uri
option in the config.yaml
.
Enable SSL
If your Local API is exposed to the internet, it is recommended to enable SSL or at least use a reverse proxy with SSL termination to secure the communication between the Log Processors / Remediation Components and the Local API.
If your Log Processors and Remediation Components are apart of the same LAN or VPN, then this is not necessary step.
Local API SSL
You can configure the Local API to use SSL by setting the tls
option under api.server
in the config.yaml
file.
api:
server:
tls:
cert_file: "/path/to/cert.pem"
key_file: "/path/to/key.pem"
If you are using a self signed certificate on connecting Log Processors and Remediation Components you must enable insecure_skip_verify
options.
- Log Processors (machines)
api:
client:
insecure_skip_verify: true
- Remediation Components (bouncers)
This can differ based on the configuration please refer to the documentation of the component you are using.
If you would like to read the full configuration options for TLS on the Local API please see here.
You can also refer here for the documentation about TLS authentication.
Reverse Proxy
We cannot cover all the reverse proxies available, please refer to the documentation of the reverse proxy you are using. However, the reverse proxy must send the connecting IP address as the X-Forwarded-For
header to the Local API.
However, when the Local API is behind a reverse proxy you will need to configure the trusted_proxies
and use_forwarded_for_headers
options under api.server
within the config.yaml
file to be able to get the correct IP address within the database.
api:
server:
use_forwarded_for_headers: true
trusted_proxies:
- "127.0.0.1" ## Change this to the proxy IP this is presuming the proxy is on the same machine
See where the config.yaml
file is located on your operating system here
See the Local API public documentation.