Make sure that the line below, under virtual hosts, is in your nginx.conf, otherwise crowdsec-bouncer will not work. More information here https://info.linuxserver.io/issues/2022-08-20-nginx-base/
# Includes virtual hosts configs. include /etc/nginx/http.d/*.conf;This mod adds the CrowdSec nginx bouncer to SWAG, to be installed/updated during container start.
In SWAG docker arguments, set an environment variable DOCKER_MODS=linuxserver/mods:swag-crowdsec
If adding multiple mods, enter them in an array separated by |, such as DOCKER_MODS=linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-dbip
If running CrowdSec in a container it must be on a common docker network with SWAG.
You have 2 options to generate a Crowdsec API key:
- Create an arbitrary string and pass it as the
BOUNCER_KEY_swagenvironment variable in your crowdsec image - Generate an API key for the bouncer with
cscli bouncers add bouncer-swagordocker exec -t crowdsec cscli bouncers add bouncer-swag, if you're running CrowdSec in a container. Make a note of the API key as you can't retrieve it later without removing and re-adding the bouncer.
Set the following environment variables on your SWAG container.
CROWDSEC_API_KEY | Required | Your bouncer API key |
CROWDSEC_LAPI_URL | Required | Your local CrowdSec API endpoint, for example http://crowdsec:8080 |
CROWDSEC_SITE_KEY | Optional | CAPTCHA Site Key |
CROWDSEC_SECRET_KEY | Optional | CAPTCHA Secret Key |
CROWDSEC_CAPTCHA_PROVIDER | Optional | CAPTCHA Provider (currently supported providers are recaptcha, hcaptcha, turnstile), requires bouncer v1.0.5 or newer. |
CROWDSEC_F2B_DISABLE | Optional | Set to true to disable swag's built-in fail2ban service if you don't need it |
CROWDSEC_MODE | Optional | Set to live (immediate update) or stream to update requests every CROWDSEC_UPDATE_FREQUENCY seconds. Defaults to live |
CROWDSEC_UPDATE_FREQUENCY | Optional | Set update frequency for use with stream mode. Defaults to 10. |
CROWDSEC_APPSEC_URL | Optional | Set URL for AppSec component, requires bouncer v1.0.6 or newer and Crowdsec v1.6.0 or newer. |
The variables need to remain in place while you are using the mod. If you remove required variables the bouncer will be disabled the next time you recreate the container, if you remove optional variables the associated features will be disabled the next time you recreate the container.
Due to limitations in the nginx Lua module, if you enable Captcha or AppSec support in the bouncer you cannot safely use http/2 for any of your services. By default Swag ships with http/2 enabled, and so this will need to be changed in the /config/nginx/nginx.conf file. Simply change http2 on; to http2 off; and restart the container.
If you still have old versions of active proxy confs or the default.conf, you will need to remove the http2 definitions from them. For example, in the old subdomain template conf you would replace:
server { listen 443 ssl http2; listen [::]:443 ssl http2;with
server { listen 443 ssl; listen [::]:443 ssl;You can automate this using something like find /path/to/swag/config/nginx -name "*.conf" -type f -exec sed -i -E 's/^(\s+listen.*)http2(.*)/\1\2/g' {} \;
If you are not using Captcha or AppSec components make sure to omit or leave blank the related environment variables to avoid causing unnecessary issues.
If you're using the reCAPTCHA capability and you're running in an IPv4-only environment then you need to edit your /config/nginx/resolver.conf and add ipv6=off to the end of the resolver statement otherwise the bouncer will attempt to contact the reCAPTCHA endpoint over IPv6 and fail.
e.g. resolver 127.0.0.11 valid=30s ipv6=off;
- 11.09.24: - Move versioning to mod tags. Bundle tarball at build time.
- 05.06.24: - Add lua-resty-string.
- 06.02.24: - Add AppSec support.
- 29.03.23: - Support multiple captcha providers from upstream.
- 28.01.23: - Support mode selection, handle s6v3 init.
- 25.08.22: - Make hybrid mod.
- 14.03.22: - Initial Release.
