v0.1.1-rc1

Pre-release

@LaurenceJJones LaurenceJJones released this 16 Oct 14:52
· 17 commits to main since this release
e1cc737

✨ Highlights

  • Upstream proxy/CDN support — You can now run HAProxy behind an upstream proxy (e.g., a CDN) and use a single SPOE message (crowdsec-http) that supports getting the real client IP from an HTTP header.
  • Safer defaults — If the remediation variable isn’t set by crowdsec-ip, the SPOA bouncer now falls back to IP-based remediation automatically.

What’s Changed

Full Changelog: v0.1.0...v0.1.1-rc1


Why this matters

When HAProxy is behind a CDN or another L7 proxy, the socket’s src is not the real client. This release lets the bouncer evaluate the true client IP (from a header like X-Real-IP) and still apply decisions correctly—even if HAProxy didn’t precompute a remediation variable.


Recommended SPOE config (single message)

Use only the crowdsec-http message. It extracts the real IP and includes all args the bouncer needs.
Adjust the header (x-real-ip) to match your proxy/CDN setup (e.g., x-forwarded-for).

# /etc/haproxy/spoe/crowdsec.cfg
# SPOE section
# - Uses a single message: crowdsec-http
# - Extracts real client IP from X-Real-IP (change if needed)
# - Falls back to IP remediation if 'remediation' var is not set

[crowdsec]

spoe-agent crowdsec-agent
    messages    crowdsec-http
    option      var-prefix      crowdsec
    option      set-on-error    error
    timeout     hello           100ms
    timeout     idle            30s
    timeout     processing      500ms
    use-backend crowdsec-spoa
    log         global

# This message extracts the real IP via X-Real-IP and includes all arguments.
# IMPORTANT: req.hdr_ip() returns an IP type (required by SPOE protocol).
# If 'remediation' isn't provided by HAProxy, the bouncer will check IP remediation.
spoe-message crowdsec-http
    args remediation=var(txn.crowdsec.remediation) \
         crowdsec_captcha_cookie=req.cook(crowdsec_captcha_cookie) \
         id=unique-id host=hdr(Host) method=method path=path query=query \
         version=req.ver headers=req.hdrs body=req.body url=url ssl=ssl_fc \
         src-ip=req.hdr_ip(x-real-ip) src-port=src_port
    event on-frontend-http-request

Tip: If your upstream sets X-Forwarded-For, you can use:
src-ip=req.hdr_ip(x-forwarded-for)
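Whichever header you pick, it is only meaningful when the direct peer is your CDN: anything else can put an arbitrary value in X-Real-IP or X-Forwarded-For. The following is an added illustration of that trust rule, not code from this release or from the bouncer; the proxy ranges and addresses are constructed placeholders. It walks a forwarding chain from the right, skips hops belonging to the trusted proxies, and falls back to the socket address when the header cannot be trusted, mirroring the IP-based fallback described above.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed placeholder ranges standing in for the CDN's published egress
# networks; replace with the real list from your provider.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def _parse_ip(value: str):
    """Parse one address, returning None instead of raising on junk."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted(addr, trusted: Iterable = TRUSTED_PROXIES) -> bool:
    return any(addr in net for net in trusted)


def client_ip(peer: str, xff: Optional[str],
              trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address a remediation decision should be evaluated against.

    peer: the socket source (HAProxy's `src`); xff: the X-Forwarded-For
    value, or None when absent. If the peer is not one of our proxies the
    header may have been written by the client itself, so it is ignored.
    """
    peer_addr = _parse_ip(peer)
    if peer_addr is None:
        raise ValueError(f"invalid peer address: {peer!r}")
    if not xff or not is_trusted(peer_addr, trusted):
        return str(peer_addr)
    hops = [_parse_ip(part) for part in xff.split(",")]
    if any(hop is None for hop in hops):
        # Malformed chain: do not guess, evaluate the socket address instead.
        return str(peer_addr)
    # Right-most entry was appended by the hop closest to us; discard our own
    # proxies and the first address we do not control is the client.
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return str(hop)
    return str(peer_addr)
```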


Migration notes

If you do not use an upstream proxy (Cloudflare, for example), these notes do not apply: keep using the crowdsec-ip and crowdsec-http messages together.

  • If you are using an upstream proxy in front of HAProxy, check the example files in #85 and adapt them to your setup.