Skip to main content

📚 Documentation 💠 Hub 💬 Discourse

cs-fastly-bouncer

A bouncer that syncs the decisions made by CrowdSec with Fastly's VCL. Manages multi account, multi service setup. Supports IP, Country and AS scoped decisions. To learn how to setup crowdsec to consume fastly logs see this

Installation:

Using pip​

Make sure you have python3.8+ installed. Now in a virtual environment run the following:

pip install crowdsec-fastly-bouncer
crowdsec-fastly-bouncer -g <FASTLY_TOKEN_1>,<FASTLY_TOKEN_2> > config.yaml # generate config
vim config.yaml # Set crowdsec LAPI key, url, recaptcha keys, logging etc
crowdsec-fastly-bouncer -c config.yaml # Run it !

See how to obtain fastly account tokens here. The tokens must have write access for the configured services.

Note: If your bouncer is not installed on the same machine than LAPI, don't forget to set the lapi_url and lapi_key in the configuration file /etc/crowdsec/bouncers/crowdsec-fastly-bouncer.yaml

Note: For captcha to work you must provide the recaptcha_site_key and recaptcha_secret_key for each service. Learn how here

Using Docker​

Make sure you have docker or podman installed. In this guide we will use docker, but podman would work as a drop in replacement too.

Initial Setup​

docker run crowdsecurity/fastly-bouncer \
 -g <FASTLY_TOKEN_1>,<FASTLY_TOKEN_2> > cfg.yaml # auto-generate fastly config for provided comma separated tokens 
vi cfg.yaml # review config and set `crowdsec_lapi_key`
touch fastly-cache.json

The lapi_key can be obtained by running the following:

sudo cscli -oraw bouncers add fastlybouncer # -oraw flag can discarded for human friendly output.

The lapi_url must be accessible from the container.

Run the bouncer​

  docker run \
  -v $PWD/cfg.yaml:/etc/crowdsec/bouncers/crowdsec-fastly-bouncer.yaml \
  -v $PWD/fastly-cache.json:/var/lib/crowdsec/crowdsec-fastly-bouncer/cache/fastly-cache.json \
  crowdsecurity/fastly-bouncer

Activate the new configuration:​

After starting the bouncer, go in the fastly web UI. For each configured service review the version created by the bouncer. If everything looks good, you can activate the new configration !

Configuration:

crowdsec_config: 
  lapi_key: ${LAPI_KEY} 
  lapi_url: "http://localhost:8080/"

fastly_account_configs:
  - account_token: # Obtain this from fastly
    services: 
      - id: # The id of the service
        recaptcha_site_key: # Required for captcha support
        recaptcha_secret_key: # Required for captcha support
        max_items: 20000 # max_items refers to the capacity of IP/IP ranges to ban/captcha. 
        activate: false # # Set to true, to activate the new config in production
        reference_version: # version to clone/use
        clone_reference_version: true # whether to clone the "reference_version".
        captcha_cookie_expiry_duration: '1800'  # Duration to persist the cookie containing proof of solving captcha

bouncer_version:
update_frequency: 10 # Duration in seconds to poll the crowdsec API
log_level: info # Valid choices are either of "debug","info","warning","error"
log_mode: stdout # Valid choices are "file" or "stdout" or "stderr"
log_file: /var/log/crowdsec-fastly-bouncer.log # Ignore if logging to stdout or stderr

Helpers:

The bouncer has few builtin helper features:

Auto config generator:​

Usage:

crowdsec-fastly-bouncer -c <PATH_TO_BASE_CONFIG>\
    -g <FASTLY_TOKEN_1>,<FASTLY_TOKEN_2>

This will print boilerplate config with sane defaults for the provided comma separted fastly tokens. Always review the generated config before proceeding further.

Crowdsec config is copied from the config at PATH_TO_BASE_CONFIG.

Cleaner:​

Usage:

sudo crowdsec-fastly-bouncer -c <PATH_TO_BASE_CONFIG> -d

This deletes the fastly resources created by the bouncer. It only works if the configured service version is not locked. It is useful for quick iteration before activateing the new service.

CrowdSec ConsoleCrowdSec Console