0ct0pu5/crowdsec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

docker/README: automatic registration with tls (#1909)

Browse source
This commit is contained in:
mmetc 2022-12-06 11:58:32 +01:00 committed by GitHub
parent 311cda31fe
commit 9131d9d568
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
docker/README.md
View file

@ -138,10 +138,18 @@ agents on each machine that runs the protected applications, and a LAPI that
gathers all signals from agents and communicates with the `central API`.
## Register a new agent with LAPI
Without TLS:
```shell
docker exec -it crowdsec_lapi_container_name cscli machines add agent_user_name --password agent_password
```
With TLS:
Agents are automatically registered and don't need a username or password. The
agents' names are derived from the IP address from which they connect.
## Run an agent connected to LAPI
Add the following environment variables to the docker run command:
@ -163,13 +171,20 @@ https://docs.crowdsec.net/docs/user_guides/bouncers_configuration/
### Automatic Bouncer Registration
You can automatically register bouncers with the crowdsec container at startup, using environment variables or Docker secrets. You cannot use this process to update an existing bouncer without first deleting it.
Without TLS:
You can register bouncers with the crowdsec container at startup, using environment variables or Docker secrets. You cannot use this process to update an existing bouncer without first deleting it.
To use environment variables, they should be in the format `BOUNCER_KEY_<name>=<key>`. e.g. `BOUNCER_KEY_nginx=mysecretkey12345`.
To use Docker secrets, the secret should be named `bouncer_key_<name>` with a content of `<key>`. e.g. `bouncer_key_nginx` with content `mysecretkey12345`.
A bouncer key can be any string but we recommend an alphanumeric value for consistency with crowdsec-generated keys and avoid problems with escaping special characters.
A bouncer key can be any string but we recommend an alphanumeric value for consistency with the crowdsec-generated keys and to avoid problems with escaping special characters.
With TLS:
Bouncers are automatically registered and don't need an API key. The
bouncers' names are derived from the IP address from which they connect.
## Console
We provide a web-based interface to get more from Crowdsec: https://docs.crowdsec.net/docs/console
@ -213,7 +228,7 @@ Using binds rather than named volumes ([complete explanation here](https://docs.
| `USE_TLS` | false | Enable TLS on the LAPI |
| `CERT_FILE` | /etc/ssl/cert.pem | TLS Certificate path |
| `KEY_FILE` | /etc/ssl/key.pem | TLS Key path |
| `CACERT_FILE` | | CA certificate |
| `CACERT_FILE` | | CA certificate bundle |
| `AGENTS_ALLOWED_OU` | agent-ou | OU values allowed for agents, separated by comma |
| `BOUNCERS_ALLOWED_OU` | bouncer-ou | OU values allowed for bouncers, separated by comma |
| | | |