fix: update HAProxy config paths and header names (#110)

LaurenceJJones · web-flow · commit 10eec3b33e9a · 2025-11-18T15:36:34.000Z
* fix: update HAProxy config paths and header names

Update HAProxy configuration files to use standardized paths and canonical
header names:

- Fix setenv paths from /var/lib/crowdsec/lua/haproxy/templates/ to
  /var/lib/crowdsec-haproxy-spoa-bouncer/html/ to match Debian/RPM/Docker
  packaging
- Update header names from X-CrowdSec-* to X-Crowdsec-* (canonical form)

This ensures consistency across all deployment methods.

* fix: update Dockerfile paths to match standardized locations

Update Dockerfile to use the same standardized paths as Debian/RPM packaging:
- Lua files: /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
- Templates: /var/lib/crowdsec-haproxy-spoa-bouncer/html/

This ensures consistency across all deployment methods (Docker, Debian, RPM).

* fix: update docker-compose volume mount paths

Update volume mount paths in docker-compose files to match standardized
locations:
- Templates: /var/lib/crowdsec-haproxy-spoa-bouncer/html/
- Lua files: /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/

This ensures consistency with Dockerfile, Debian, and RPM packaging.
diff --git a/Dockerfile b/Dockerfile
@@ -26,16 +26,17 @@ RUN addgroup -S crowdsec-spoa && adduser -S -D -H -s /sbin/nologin -g crowdsec-s
 ## Create a socket for the spoa to inherit crowdsec-spoa:haproxy user from official haproxy image
 RUN mkdir -p /run/crowdsec-spoa/ && chown crowdsec-spoa:haproxy /run/crowdsec-spoa/ && chmod 770 /run/crowdsec-spoa/
 
-## Copy templates
-RUN mkdir -p /var/lib/crowdsec/lua/haproxy/templates/
-COPY --from=build /go/src/cs-spoa-bouncer/templates/* /var/lib/crowdsec/lua/haproxy/templates/
+## Copy Lua files (matching Debian/RPM paths)
+RUN mkdir -p /usr/lib/crowdsec-haproxy-spoa-bouncer/lua
+COPY --from=build /go/src/cs-spoa-bouncer/lua/* /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
 
-RUN mkdir -p /usr/local/crowdsec/lua/haproxy/
-COPY --from=build /go/src/cs-spoa-bouncer/lua/* /usr/local/crowdsec/lua/haproxy/
+## Copy templates (matching Debian/RPM paths)
+RUN mkdir -p /var/lib/crowdsec-haproxy-spoa-bouncer/html
+COPY --from=build /go/src/cs-spoa-bouncer/templates/* /var/lib/crowdsec-haproxy-spoa-bouncer/html/
 
-RUN chown -R root:haproxy /var/lib/crowdsec/lua/haproxy /usr/local/crowdsec/lua/haproxy
+RUN chown -R root:haproxy /usr/lib/crowdsec-haproxy-spoa-bouncer/lua /var/lib/crowdsec-haproxy-spoa-bouncer/html
 
-VOLUME [ "/usr/local/crowdsec/lua/haproxy/", "/var/lib/crowdsec/lua/haproxy/templates/" ]
+VOLUME [ "/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/", "/var/lib/crowdsec-haproxy-spoa-bouncer/html/" ]
 
 RUN chmod +x /docker_start.sh
 
diff --git a/config/haproxy-upstreamproxy.cfg b/config/haproxy-upstreamproxy.cfg
@@ -6,8 +6,8 @@ global
     log stdout format raw local0
     lua-prepend-path /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/?.lua
     lua-load /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/crowdsec.lua
-    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec/lua/haproxy/templates/ban.html
-    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec/lua/haproxy/templates/captcha.html
+    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.html
+    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html
 
 defaults
     log global
@@ -41,9 +41,9 @@ frontend test
     # tcp-request content reject if { var(txn.crowdsec.remediation) -m str "ban" }
 
     ## Set a custom header on the request for upstream services to use
-    http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
+    http-request set-header X-Crowdsec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
     ## Set a custom header on the request for upstream services to use
-    http-request set-header X-CrowdSec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
+    http-request set-header X-Crowdsec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
 
     ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
     http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
diff --git a/config/haproxy.cfg b/config/haproxy.cfg
@@ -3,8 +3,8 @@ global
     log stdout format raw local0
     lua-prepend-path /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/?.lua
     lua-load /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/crowdsec.lua
-    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec/lua/haproxy/templates/ban.html
-    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec/lua/haproxy/templates/captcha.html
+    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.html
+    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html
 
 defaults
     log global
@@ -31,9 +31,9 @@ frontend test
     # tcp-request content reject if { var(txn.crowdsec.remediation) -m str "ban" }
 
     ## Set a custom header on the request for upstream services to use
-    http-request set-header X-CrowdSec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
+    http-request set-header X-Crowdsec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
     ## Set a custom header on the request for upstream services to use
-    http-request set-header X-CrowdSec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
+    http-request set-header X-Crowdsec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
 
     ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
     http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
diff --git a/docker-compose.proxy-test.yaml b/docker-compose.proxy-test.yaml
@@ -8,8 +8,8 @@ services:
       - crowdsec
     volumes:
       - sockets:/run/
-      - templates:/var/lib/crowdsec/lua/haproxy/templates/
-      - lua:/usr/local/crowdsec/lua/haproxy/
+      - templates:/var/lib/crowdsec-haproxy-spoa-bouncer/html/
+      - lua:/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
       - geodb:/var/lib/crowdsec/data/
       - ./config/crowdsec-spoa-bouncer.yaml.local:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml.local
     networks:
@@ -35,7 +35,7 @@ services:
       - ./config/haproxy-upstreamproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
       - ./config/crowdsec-upstreamproxy.cfg:/etc/haproxy/crowdsec.cfg
       - sockets:/run/
-      - templates:/var/lib/crowdsec/lua/haproxy/templates/
+      - templates:/var/lib/crowdsec-haproxy-spoa-bouncer/html/
       - lua:/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
     # HAProxy is now only accessible via nginx (not exposed directly)
     depends_on:
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -9,8 +9,8 @@ services:
       - crowdsec
     volumes:
       - sockets:/run/
-      - templates:/var/lib/crowdsec/lua/haproxy/templates/
-      - lua:/usr/local/crowdsec/lua/haproxy/
+      - templates:/var/lib/crowdsec-haproxy-spoa-bouncer/html/
+      - lua:/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
       - geodb:/var/lib/crowdsec/data/
       - ./config/crowdsec-spoa-bouncer.yaml.local:/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml.local
     networks:
@@ -37,7 +37,7 @@ services:
       - ./config/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg
       - ./config/crowdsec.cfg:/etc/haproxy/crowdsec.cfg
       - sockets:/run/
-      - templates:/var/lib/crowdsec/lua/haproxy/templates/
+      - templates:/var/lib/crowdsec-haproxy-spoa-bouncer/html/
       - lua:/usr/lib/crowdsec-haproxy-spoa-bouncer/lua/
     ports:
       - "9090:9090"
