Compare commits
6 commits
master...add_docker

| Author | SHA1 | Date |
|---|---|---|
| | a619e57d7e | |
| | efa16fc2df | |
| | 0fa0e71ae7 | |
| | 6916c94883 | |
| | a6bf03e2be | |
| | 9250d7caa2 | |
8 changed files with 171 additions and 0 deletions
|
@ -16,6 +16,15 @@ if [ "$DISABLE_ONLINE_API" == "" ] && [ "$CONFIG_FILE" == "" ] ; then
|
|||
fi
|
||||
fi
|
||||
|
||||
# crowdsec sqlite database permissions
|
||||
if [ "$GID" != "" ]; then
|
||||
IS_SQLITE=$(yq eval '.db_config.type == "sqlite"' /etc/crowdsec/config.yaml)
|
||||
DB_PATH=$(yq eval '.db_config.db_path' /etc/crowdsec/config.yaml)
|
||||
if [ "$IS_SQLITE" == "true" ]; then
|
||||
chown :$GID $DB_PATH
|
||||
fi
|
||||
fi
|
||||
|
||||
## Install collections, parsers & scenarios
|
||||
cscli hub update
|
||||
cscli collections upgrade crowdsecurity/linux
|
||||
|
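Review bot: `chown :$GID $DB_PATH` in the new sqlite block expands both variables unquoted and never checks what `yq` returned. If `db_config.db_path` is missing, `DB_PATH` holds the string `null`, and a path containing spaces splits into several arguments. Quote both (`chown ":$GID" "$DB_PATH"`), guard the call with `[ -f "$DB_PATH" ]`, and consider checking that `GID` is numeric, since it comes straight from the container environment. Only the group owner changes here: if the database file's mode does not grant group read, the group this is meant for still cannot open it, so either set the mode next to the chown or document the mode you expect.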
|
58
examples/docker-compose/README.md
Normal file
|
@ -0,0 +1,58 @@
|
|||
# Docker Compose
|
||||
|
||||
This example explains how to integrate Crowdsec in environment deployed with docker-compose. It set up multiple containers :
|
||||
|
||||
![Schema](schema.png)
|
||||
|
||||
This example contains multiple containers :
|
||||
* app : apache server serving index.html containing an `hello world`
|
||||
* reverse-proxy : nginx that serving this app from the host
|
||||
* crowdsec : it will read reverse-proxy logs from the shared volume
|
||||
* dashboard : we use [metabase](https://hub.docker.com/r/metabase/metabase) to display crowdsec database data.
|
||||
|
||||
We have chosen the simplest way to collect logs (by sharing volumes between containers), if you are in production, you are probably using [logging-driver](https://docs.docker.com/config/containers/logging/configure/) to centralize logs with rsyslog or another driver, so don't forget to adapt the crowdsec docker-compose configuration to read your logs properly.
|
||||
|
||||
**Prerequisites:** [Docker](https://docs.docker.com/engine/install/) / [Docker Compose](https://docs.docker.com/compose/install/)
|
||||
|
||||
## Step 1: Run all services in docker-compose.yml
|
||||
|
||||
[docker compose file](docker-compose.yml) contains the yaml configuration to deploy all the containers together by on command.
|
||||
|
||||
Deploy the stack using : `docker-compose up -d`
|
||||
|
||||
Then to see the status : `docker-compose ps`
|
||||
|
||||
## Step 2: Install & Configure bouncer on host
|
||||
|
||||
Now we have crowdsec up and running, we can deploy the firewall bouncer on the host machine. It will fetch IPs to block from the crowdsec Local API deploy in docker container.
|
||||
|
||||
```bash
|
||||
wget https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v0.0.10/cs-firewall-bouncer.tgz
|
||||
tar xvzf cs-firewall-bouncer.tgz
|
||||
cd cs-firewall-bouncer-v0.0.10/
|
||||
sudo ./install.sh
|
||||
```
|
||||
|
||||
Then you need to create bouncer API key to permit the bouncer to query crowdsec Local API.
|
||||
|
||||
```
|
||||
$ docker-compose exec crowdsec cscli bouncers add test
|
||||
Api key for 'test':
|
||||
|
||||
c7eb8d2789dcff96a7aa6fd0b52425ea
|
||||
|
||||
Please keep this key since you will not be able to retreive it!
|
||||
```
|
||||
|
||||
Then add it to the cs-firewall-bouncer config file on the host
|
||||
|
||||
```
|
||||
sudo vim /etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml
|
||||
```
|
||||
|
||||
## Step 3: Configure dashboard
|
||||
|
||||
The dashboard is deployed using static metabase.db ([explained here](https://docs.crowdsec.net/faq/#how-to-have-a-dashboard-without-docker)), so you have to use the defaults credentials to connect to the database, then update immediatly those credentials.
|
||||
|
||||
## Step 4: Simulate an attack and check detection + prevention
|
||||
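Review bot: The sample output in Step 2 shows a full key (`c7eb8d2789dcff96a7aa6fd0b52425ea`); if it came from a real run, replace it with a placeholder such as `<API_KEY>` so nobody copies a published key into a bouncer config. The same step stops at opening the file in `vim` without naming which settings to change, Step 3 refers to default credentials without giving them or the URL to log in at, and Step 4 is a heading with no body. Since the install runs `sudo ./install.sh` from a tarball fetched with `wget`, a checksum to verify before extracting would also be worth adding.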
|
1
examples/docker-compose/app/index.html
Normal file
|
@ -0,0 +1 @@
|
|||
Hello world !
|
4
examples/docker-compose/crowdsec/acquis.yaml
Normal file
|
@ -0,0 +1,4 @@
|
|||
filenames:
|
||||
- /var/log/nginx/example.*.log
|
||||
labels:
|
||||
type: nginx
|
3
examples/docker-compose/crowdsec/dashboard/Dockerfile
Normal file
|
@ -0,0 +1,3 @@
|
|||
FROM metabase/metabase
|
||||
|
||||
RUN mkdir /data/ && wget https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip && unzip metabase_sqlite.zip -d /data/
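Review bot: `FROM metabase/metabase` has no tag, and the `RUN` line fetches `metabase_sqlite.zip` and unpacks it with no integrity check, so the image content depends on whatever the registry and the bucket serve at build time. Pin the base image to a version tag or digest, and verify the archive against a known SHA-256 before `unzip`; the README says this database ships with default credentials, which makes it worth knowing exactly which file was baked in. Deleting the zip in the same `RUN` step would also keep it out of the layer.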
|
72
examples/docker-compose/docker-compose.yml
Normal file
|
@ -0,0 +1,72 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
app:
|
||||
image: httpd:alpine
|
||||
restart: always
|
||||
volumes:
|
||||
- ./app/:/usr/local/apache2/htdocs/
|
||||
networks:
|
||||
crowdsec_test:
|
||||
ipv4_address: 172.20.0.2
|
||||
|
||||
reverse-proxy:
|
||||
image: nginx:alpine
|
||||
restart: always
|
||||
ports:
|
||||
- 8000:80
|
||||
depends_on:
|
||||
- 'app'
|
||||
volumes:
|
||||
- ./reverse-proxy/nginx.conf:/etc/nginx/nginx.conf
|
||||
- logs:/var/log/nginx
|
||||
networks:
|
||||
crowdsec_test:
|
||||
ipv4_address: 172.20.0.3
|
||||
|
||||
crowdsec:
|
||||
image: crowdsecurity/crowdsec:v1.0.7
|
||||
#build: ../..
|
||||
restart: always
|
||||
environment:
|
||||
COLLECTIONS: "crowdsecurity/nginx"
|
||||
GID: "${GID-1000}"
|
||||
depends_on:
|
||||
- 'reverse-proxy'
|
||||
volumes:
|
||||
- /home/hess/cs/crowdsec/docker/docker_start.sh:/docker_start.sh
|
||||
- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
|
||||
- logs:/var/log/nginx
|
||||
- crowdsec-db:/var/lib/crowdsec/data/
|
||||
- crowdsec-config:/etc/crowdsec/
|
||||
networks:
|
||||
crowdsec_test:
|
||||
ipv4_address: 172.20.0.4
|
||||
|
||||
dashboard:
|
||||
build: ./crowdsec/dashboard
|
||||
restart: always
|
||||
ports:
|
||||
- 3000:3000
|
||||
environment:
|
||||
MB_DB_FILE: /data/metabase.db
|
||||
MGID: "${GID-1000}"
|
||||
depends_on:
|
||||
- 'crowdsec'
|
||||
volumes:
|
||||
- crowdsec-db:/metabase-data/
|
||||
networks:
|
||||
crowdsec_test:
|
||||
ipv4_address: 172.20.0.5
|
||||
|
||||
volumes:
|
||||
logs:
|
||||
crowdsec-db:
|
||||
crowdsec-config:
|
||||
|
||||
networks:
|
||||
crowdsec_test:
|
||||
ipam:
|
||||
driver: default
|
||||
config:
|
||||
- subnet: 172.20.0.0/24
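Review bot: The crowdsec service bind-mounts `/home/hess/cs/crowdsec/docker/docker_start.sh`, an absolute path from one developer's machine that will not exist on other hosts, so the example is not reproducible as committed. Drop the mount once a published image contains the new GID handling, or use a path relative to the compose file, and remove the leftover `#build: ../..` comment or make it the documented way to build. Separately, `3000:3000` and `8000:80` publish on every host interface; because the README says the dashboard starts with default credentials, binding it as `127.0.0.1:3000:3000` would keep it off the network until those are changed.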
|
24
examples/docker-compose/reverse-proxy/nginx.conf
Normal file
|
@ -0,0 +1,24 @@
|
|||
worker_processes 1;
|
||||
|
||||
events { worker_connections 1024; }
|
||||
|
||||
http {
|
||||
|
||||
sendfile on;
|
||||
|
||||
upstream docker-app {
|
||||
server app:80;
|
||||
}
|
||||
|
||||
access_log /var/log/nginx/example.access.log;
|
||||
error_log /var/log/nginx/example.error.log;
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
||||
location / {
|
||||
proxy_pass http://docker-app;
|
||||
proxy_redirect off;
|
||||
}
|
||||
}
|
||||
}
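Review bot: The `location /` block proxies without any `proxy_set_header` lines, so the upstream receives neither the original `Host` nor the client address. CrowdSec reads this proxy's own logs under `/var/log/nginx/`, so detection is not affected, but adding `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` would keep the app's own logs useful if they are ever added as an acquisition source.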
|
BIN
examples/docker-compose/schema.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 174 KiB |