Feature/allow setting ban status code (#94)

* chore: allow setting ban status code

* chore: tests probably not needed, fix unit tests

* chore: actually return the set status value

* chore: return 500 on error

Author: hydazz

README.md

@@ -31,7 +31,7 @@ The bouncer integrates with Envoy Proxy as an external authorization service, si
     - If enabled and no blocking decision exists then the request is forwarded to Crowdsec AppSec for inspection
 4. **Decision Enforcement**
     - **Allow** - Request proceeds to backend
-    - **Ban** - Returns 403 with ban page
+    - **Ban** - Returns configurable status code (defaults to 403) with ban page
     - **Captcha** - Creates session and redirects to challenge
 
 ### Ban Flow

bouncer/bouncer.go

@@ -446,16 +446,16 @@ func (b *Bouncer) Check(ctx context.Context, req *auth.CheckRequest) CheckedRequ
 		return captchaResult
 	case "deny", "ban":
 		if bouncerResult.HTTPStatus == 0 {
-			bouncerResult.HTTPStatus = http.StatusForbidden
+			bouncerResult.HTTPStatus = b.getBanStatusCode()
 		}
 		b.recordFinalMetric(bouncerResult)
 		return bouncerResult
 	case "error":
-		finalResult := NewCheckedRequest(parsed.RealIP, "deny", bouncerResult.Reason, http.StatusForbidden, nil, "", parsed, nil)
+		finalResult := NewCheckedRequest(parsed.RealIP, "error", bouncerResult.Reason, http.StatusInternalServerError, nil, "", parsed, nil)
 		b.recordFinalMetric(finalResult)
 		return finalResult
 	default:
-		finalResult := NewCheckedRequest(parsed.RealIP, "deny", "unknown decision cache action", http.StatusForbidden, nil, "", parsed, nil)
+		finalResult := NewCheckedRequest(parsed.RealIP, "deny", "unknown decision cache action", b.getBanStatusCode(), nil, "", parsed, nil)
 		b.recordFinalMetric(finalResult)
 		return finalResult
 	}
@@ -515,14 +515,21 @@ func (b *Bouncer) checkDecisionCache(ctx context.Context, parsed *ParsedRequest)
 		if decision.Scenario != nil && *decision.Scenario != "" {
 			reason = *decision.Scenario
 		}
-		return NewCheckedRequest(parsed.RealIP, "ban", reason, http.StatusForbidden, decision, "", parsed, nil)
+		return NewCheckedRequest(parsed.RealIP, "ban", reason, b.getBanStatusCode(), decision, "", parsed, nil)
 	case "captcha":
 		return NewCheckedRequest(parsed.RealIP, "captcha", "crowdsec captcha", http.StatusFound, decision, "", parsed, nil)
 	default:
 		return NewCheckedRequest(parsed.RealIP, "allow", "decision allows", http.StatusOK, nil, "", parsed, nil)
 	}
 }
 
+func (b *Bouncer) getBanStatusCode() int {
+	if b.config.Bouncer.BanStatusCode != 0 {
+		return b.config.Bouncer.BanStatusCode
+	}
+	return http.StatusForbidden
+}
+
 func (b *Bouncer) checkCaptcha(ctx context.Context, parsed *ParsedRequest, decision *models.Decision) CheckedRequest {
 	logger := logger.FromContext(ctx)
 	if b.CaptchaService == nil || !b.CaptchaService.IsEnabled() {
@@ -568,7 +575,7 @@ func (b *Bouncer) checkWAF(ctx context.Context, parsed *ParsedRequest) CheckedRe
 	}
 
 	if wafResult.Action != "allow" {
-		return NewCheckedRequest(parsed.RealIP, wafResult.Action, "ban", http.StatusForbidden, nil, "", parsed, nil)
+		return NewCheckedRequest(parsed.RealIP, wafResult.Action, "ban", b.getBanStatusCode(), nil, "", parsed, nil)
 	}
 
 	return NewCheckedRequest(parsed.RealIP, wafResult.Action, "ok", http.StatusOK, nil, "", parsed, nil)

bouncer/bouncer_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/kdwils/envoy-proxy-bouncer/bouncer/components"
 	remediationmocks "github.com/kdwils/envoy-proxy-bouncer/bouncer/mocks"
 	"github.com/kdwils/envoy-proxy-bouncer/cache"
+	"github.com/kdwils/envoy-proxy-bouncer/config"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/mock/gomock"
 )
@@ -577,7 +578,16 @@ func TestBouncer_Check(t *testing.T) {
 
 		mb := remediationmocks.NewMockDecisionCache(ctrl)
 		mw := remediationmocks.NewMockWAF(ctrl)
-		r := Bouncer{DecisionCache: mb, WAF: mw, metrics: cache.New[RemediationMetrics]()}
+		r := Bouncer{
+			DecisionCache: mb,
+			WAF:           mw,
+			metrics:       cache.New[RemediationMetrics](),
+			config: config.Config{
+				Bouncer: config.Bouncer{
+					BanStatusCode: 403,
+				},
+			},
+		}
 
 		req := mkReq("1.2.3.4", "http", "example.com", "/foo", "GET", "HTTP/1.1", "")
 
@@ -586,12 +596,12 @@ func TestBouncer_Check(t *testing.T) {
 
 		got := r.Check(context.Background(), req)
 		want := CheckedRequest{
-			IP:            "1.2.3.4",
-			Action:        "ban",
-			Reason:        "crowdsec ban",
-			HTTPStatus:    403,
-			RedirectURL:   "",
-			Decision:      &models.Decision{Type: ptr("ban")},
+			IP:          "1.2.3.4",
+			Action:      "ban",
+			Reason:      "crowdsec ban",
+			HTTPStatus:  403,
+			RedirectURL: "",
+			Decision:    &models.Decision{Type: ptr("ban")},
 			ParsedRequest: &ParsedRequest{
 				IP:         "1.2.3.4",
 				RealIP:     "1.2.3.4",
@@ -624,20 +634,29 @@ func TestBouncer_Check(t *testing.T) {
 
 		mb := remediationmocks.NewMockDecisionCache(ctrl)
 		mw := remediationmocks.NewMockWAF(ctrl)
-		r := Bouncer{DecisionCache: mb, WAF: mw, metrics: cache.New[RemediationMetrics]()}
+		r := Bouncer{
+			DecisionCache: mb,
+			WAF:           mw,
+			metrics:       cache.New[RemediationMetrics](),
+			config: config.Config{
+				Bouncer: config.Bouncer{
+					BanStatusCode: 403,
+				},
+			},
+		}
 
 		req := mkReq("2.2.2.2", "http", "example.com", "/foo", "GET", "HTTP/1.1", "")
 
 		mb.EXPECT().GetDecision(gomock.Any(), "2.2.2.2").Return(&models.Decision{Type: ptr("ban"), Scenario: ptr("crowdsecurity/test"), Origin: ptr("CAPI"), Duration: ptr("1h"), Scope: ptr("Ip"), Value: ptr("2.2.2.2")}, nil)
 
 		got := r.Check(context.Background(), req)
 		want := CheckedRequest{
-			IP:            "2.2.2.2",
-			Action:        "ban",
-			Reason:        "crowdsecurity/test",
-			HTTPStatus:    403,
-			RedirectURL:   "",
-			Decision:      &models.Decision{Type: ptr("ban"), Scenario: ptr("crowdsecurity/test"), Origin: ptr("CAPI"), Duration: ptr("1h"), Scope: ptr("Ip"), Value: ptr("2.2.2.2")},
+			IP:          "2.2.2.2",
+			Action:      "ban",
+			Reason:      "crowdsecurity/test",
+			HTTPStatus:  403,
+			RedirectURL: "",
+			Decision:    &models.Decision{Type: ptr("ban"), Scenario: ptr("crowdsecurity/test"), Origin: ptr("CAPI"), Duration: ptr("1h"), Scope: ptr("Ip"), Value: ptr("2.2.2.2")},
 			ParsedRequest: &ParsedRequest{
 				IP:         "2.2.2.2",
 				RealIP:     "2.2.2.2",
@@ -660,7 +679,8 @@ func TestBouncer_Check(t *testing.T) {
 
 		mb := remediationmocks.NewMockDecisionCache(ctrl)
 		mw := remediationmocks.NewMockWAF(ctrl)
-		r := Bouncer{DecisionCache: mb, WAF: mw, metrics: cache.New[RemediationMetrics]()}
+		mc := remediationmocks.NewMockCaptchaService(ctrl)
+		r := Bouncer{DecisionCache: mb, WAF: mw, CaptchaService: mc, metrics: cache.New[RemediationMetrics]()}
 
 		req := mkReq("5.6.7.8", "http", "example.com", "/foo", "GET", "HTTP/1.1", "")
 
@@ -669,9 +689,9 @@ func TestBouncer_Check(t *testing.T) {
 		got := r.Check(context.Background(), req)
 		want := CheckedRequest{
 			IP:          "5.6.7.8",
-			Action:      "deny",
+			Action:      "error",
 			Reason:      "decision cache error",
-			HTTPStatus:  403,
+			HTTPStatus:  500,
 			RedirectURL: "",
 			Decision:    nil,
 			ParsedRequest: &ParsedRequest{
@@ -712,7 +732,16 @@ func TestBouncer_Check(t *testing.T) {
 
 		mb := remediationmocks.NewMockDecisionCache(ctrl)
 		mw := remediationmocks.NewMockWAF(ctrl)
-		r := Bouncer{DecisionCache: mb, WAF: mw, metrics: cache.New[RemediationMetrics]()}
+		r := Bouncer{
+			DecisionCache: mb,
+			WAF:           mw,
+			metrics:       cache.New[RemediationMetrics](),
+			config: config.Config{
+				Bouncer: config.Bouncer{
+					BanStatusCode: 403,
+				},
+			},
+		}
 
 		req := mkReq("9.9.9.9", "https", "host", "/bar", "POST", "HTTP/2", "abc")
 
@@ -721,11 +750,11 @@ func TestBouncer_Check(t *testing.T) {
 
 		got := r.Check(context.Background(), req)
 		want := CheckedRequest{
-			IP:            "9.9.9.9",
-			Action:        "ban",
-			Reason:        "ban",
-			HTTPStatus:    403,
-			RedirectURL:   "",
+			IP:          "9.9.9.9",
+			Action:      "ban",
+			Reason:      "ban",
+			HTTPStatus:  403,
+			RedirectURL: "",
 			ParsedRequest: &ParsedRequest{
 				IP:         "9.9.9.9",
 				RealIP:     "9.9.9.9",
@@ -1069,7 +1098,17 @@ func TestBouncer_Check_AllScenarios(t *testing.T) {
 		mb := remediationmocks.NewMockDecisionCache(ctrl)
 		mw := remediationmocks.NewMockWAF(ctrl)
 		mc := remediationmocks.NewMockCaptchaService(ctrl)
-		r := Bouncer{DecisionCache: mb, WAF: mw, CaptchaService: mc, metrics: cache.New[RemediationMetrics]()}
+		r := Bouncer{
+			DecisionCache:  mb,
+			WAF:            mw,
+			CaptchaService: mc,
+			metrics:        cache.New[RemediationMetrics](),
+			config: config.Config{
+				Bouncer: config.Bouncer{
+					BanStatusCode: 403,
+				},
+			},
+		}
 
 		req := mkReq("3.3.3.3", "https", "example.com", "/test", "GET", "HTTP/1.1", "")
 
@@ -1078,9 +1117,9 @@ func TestBouncer_Check_AllScenarios(t *testing.T) {
 		got := r.Check(context.Background(), req)
 		want := CheckedRequest{
 			IP:          "3.3.3.3",
-			Action:      "deny",
+			Action:      "error",
 			Reason:      "decision cache error",
-			HTTPStatus:  403,
+			HTTPStatus:  500,
 			RedirectURL: "",
 			Decision:    nil,
 			ParsedRequest: &ParsedRequest{

cmd/root.go

@@ -53,6 +53,7 @@ func initConfig() {
 	viper.SetDefault("bouncer.metrics", false)
 	viper.SetDefault("bouncer.tickerInterval", "10s")
 	viper.SetDefault("bouncer.metricsInterval", "10m")
+	viper.SetDefault("bouncer.banStatusCode", 403)
 
 	viper.SetDefault("waf.enabled", false)
 	viper.SetDefault("waf.apiKey", "")

config/config.go

@@ -40,6 +40,7 @@ type Bouncer struct {
 	MetricsInterval time.Duration `yaml:"metricsInterval" json:"metricsInterval"`
 	ApiKey          string        `yaml:"apiKey" json:"apiKey"`
 	LAPIURL         string        `yaml:"lapiUrl" json:"lapiUrl"`
+	BanStatusCode   int           `yaml:"banStatusCode" json:"banStatusCode"`
 }
 
 type WAF struct {

docs/CONFIGURATION.md

@@ -31,6 +31,7 @@ bouncer:
   metrics: false
   tickerInterval: "10s"                     # How often to fetch decisions from LAPI
   metricsInterval: "10m"                    # How often to report metrics to LAPI
+  banStatusCode: 403                        # HTTP status code for ban responses
   lapiUrl: "http://crowdsec:8080"
   apiKey: "<lapi-key>"
 
@@ -79,6 +80,7 @@ export ENVOY_BOUNCER_BOUNCER_LAPIURL=http://crowdsec:8080
 export ENVOY_BOUNCER_BOUNCER_TICKERINTERVAL=10s
 export ENVOY_BOUNCER_BOUNCER_METRICSINTERVAL=10m
 export ENVOY_BOUNCER_BOUNCER_METRICS=false
+export ENVOY_BOUNCER_BOUNCER_BANSTATUSCODE=403
 
 # Trusted proxies (comma-separated) - no defaults
 export ENVOY_BOUNCER_TRUSTEDPROXIES=192.168.0.1,10.0.0.0/8
@@ -147,6 +149,7 @@ Controls CrowdSec bouncer integration.
 | `metrics` | bool | `false` | No | Enable metrics reporting to CrowdSec |
 | `tickerInterval` | duration | `"10s"` | No | Interval to fetch decisions from LAPI |
 | `metricsInterval` | duration | `"10m"` | No | Interval to report metrics to LAPI |
+| `banStatusCode` | int | `403` | No | HTTP status code for ban responses |
 
 **Note**: Generate API key with `cscli bouncers add <name>` on your CrowdSec instance.
 
@@ -162,6 +165,22 @@ bouncer:
 
 Metrics can be viewed using `cscli metrics` on your CrowdSec instance.
 
+#### Custom Ban Status Codes
+
+By default, the bouncer returns HTTP 403 (Forbidden) for banned IPs. You can customize this to avoid feedback loops when CrowdSec processes Envoy logs:
+
+```yaml
+bouncer:
+  banStatusCode: 418  # Use 418 "I'm a teapot" to distinguish from legitimate 403s
+```
+
+This is useful when CrowdSec analyzes Envoy access logs, as it can ignore ban responses (418) while still processing genuine errors (403).
+
+**Common alternatives**:
+- `418` - "I'm a teapot" (RFC 2324)
+- `429` - "Too Many Requests" 
+- `444` - Nginx-style "Connection closed without response"
+
 ### WAF
 
 Controls CrowdSec AppSec (WAF) integration.

server/server.go

@@ -304,7 +304,7 @@ func (s *Server) Check(ctx context.Context, req *auth.CheckRequest) (*auth.Check
 		return getRedirectResponse(result.RedirectURL), nil
 	case "deny", "ban":
 		body, headers := s.renderDeniedResponse(result)
-		return getDeniedResponse(envoy_type.StatusCode_Forbidden, body, headers), nil
+		return getDeniedResponse(httpStatusToEnvoyStatus(result.HTTPStatus), body, headers), nil
 	case "error":
 		return getDeniedResponse(envoy_type.StatusCode_InternalServerError, result.Reason, map[string]string{"Content-Type": s.config.Templates.DeniedTemplateHeaders}), nil
 	default:
@@ -385,6 +385,10 @@ func buildHeaderValues(headers map[string]string) []*envoy_core.HeaderValueOptio
 	return values
 }
 
+func httpStatusToEnvoyStatus(httpStatus int) envoy_type.StatusCode {
+	return envoy_type.StatusCode(httpStatus)
+}
+
 func getAllowedResponse() *auth.CheckResponse {
 	return &auth.CheckResponse{
 		Status: &status.Status{