Add IP remediation fallback when remediation variable not set (#86)

LaurenceJJones · web-flow · commit e1cc737ec8fc · 2025-10-14T16:10:01.000+01:00
Add IP remediation fallback when crowdsec-ip message not received

When HAProxy is behind an upstream proxy and only fires on-frontend-http-request,
the crowdsec-ip message may not set the remediation variable. This adds fallback
logic to check IP remediation directly in handleHTTPRequest when needed.

Changes:
- Extract IP checking logic into shared getIPRemediation() function (DRY)
- Add checkIPRemediation() fallback in handleHTTPRequest
- Include src-ip in crowdsec-http message args for fallback scenario
- Refactor handleIPRequest to use shared getIPRemediation() function

This enables configurations where crowdsec-http can work standalone with
req.hdr_ip() to extract real client IP from proxy headers.
diff --git a/config/crowdsec.cfg b/config/crowdsec.cfg
@@ -12,8 +12,9 @@ spoe-agent crowdsec-agent
     log         global
 
 ## This message is used to customise the remediation from crowdsec-ip based on the host header
+## src-ip is included as fallback in case crowdsec-ip message didn't fire
 spoe-message crowdsec-http
-    args remediation=var(txn.crowdsec.remediation) crowdsec_captcha_cookie=req.cook(crowdsec_captcha_cookie) id=unique-id host=hdr(Host) method=method path=path query=query version=req.ver headers=req.hdrs body=req.body url=url ssl=ssl_fc
+    args remediation=var(txn.crowdsec.remediation) crowdsec_captcha_cookie=req.cook(crowdsec_captcha_cookie) id=unique-id host=hdr(Host) method=method path=path query=query version=req.ver headers=req.hdrs body=req.body url=url ssl=ssl_fc src-ip=src src-port=src_port
     event on-frontend-http-request
 
 ## This message should be the first to trigger in the chain
diff --git a/pkg/spoa/root.go b/pkg/spoa/root.go
@@ -215,7 +215,10 @@ func (s *Spoa) handleHTTPRequest(req *request.Request, mes *message.Message) {
 		log.Debug("remediation: ", *rstring)
 		r = remediation.FromString(*rstring)
 	} else {
-		log.Info("ip remediation was not found in message, defaulting to allow")
+		// IP remediation not found - fallback to checking IP directly
+		// This handles cases where crowdsec-ip message didn't fire (e.g., on-client-session not triggered)
+		log.Debug("ip remediation was not found in message, checking IP directly")
+		s.checkIPRemediation(req, mes, &r)
 	}
 
 	hoststring, err := readKeyFromMessage[string](mes, "host")
@@ -493,26 +496,16 @@ func (s *Spoa) handleHTTPRequest(req *request.Request, mes *message.Message) {
 	// request.Header = headers
 }
 
-// Handles checking the IP address against the dataset
-func (s *Spoa) handleIPRequest(req *request.Request, mes *message.Message) {
-	var r remediation.Remediation
-
-	ipType, err := readKeyFromMessage[net.IP](mes, "src-ip")
-
-	if err != nil {
-		log.Error(err)
-		return
-	}
-
-	ipStr := ipType.String()
-
-	r, err = s.workerClient.GetIP(ipStr)
+// getIPRemediation performs IP and geo/country remediation checks
+// Returns the final remediation after checking IP, geo, and country
+func (s *Spoa) getIPRemediation(req *request.Request, ipStr string) remediation.Remediation {
+	r, err := s.workerClient.GetIP(ipStr)
 	if err != nil {
 		log.WithFields(log.Fields{
 			"ip":    ipStr,
 			"error": err,
 		}).Error("Failed to get IP remediation")
-		r = remediation.Allow // Safe default
+		return remediation.Allow // Safe default
 	}
 
 	if r < remediation.Unknown {
@@ -537,9 +530,40 @@ func (s *Spoa) handleIPRequest(req *request.Request, mes *message.Message) {
 		}
 	}
 
+	return r
+}
+
+// Handles checking the IP address against the dataset
+func (s *Spoa) handleIPRequest(req *request.Request, mes *message.Message) {
+	ipType, err := readKeyFromMessage[net.IP](mes, "src-ip")
+	if err != nil {
+		log.Error(err)
+		return
+	}
+
+	ipStr := ipType.String()
+	r := s.getIPRemediation(req, ipStr)
 	req.Actions.SetVar(action.ScopeTransaction, "remediation", r.String())
 }
 
+// checkIPRemediation extracts IP from the message and checks remediation
+// Used as fallback when crowdsec-ip message didn't set remediation variable
+func (s *Spoa) checkIPRemediation(req *request.Request, mes *message.Message, r *remediation.Remediation) {
+	ipType, err := readKeyFromMessage[net.IP](mes, "src-ip")
+	if err != nil {
+		log.WithError(err).Debug("failed to extract src-ip from message for fallback check")
+		return
+	}
+
+	ipStr := ipType.String()
+	*r = s.getIPRemediation(req, ipStr)
+
+	log.WithFields(log.Fields{
+		"ip":          ipStr,
+		"remediation": r.String(),
+	}).Debug("IP remediation checked via fallback")
+}
+
 func handlerWrapper(s *Spoa) func(req *request.Request) {
 	return func(req *request.Request) {
 		s.HAWaitGroup.Add(1)
