Added crowdsec openresty bouncer support
Re-opened old PR that was closed due to a force sync on the develop branch:
https://github.com/NginxProxyManager/nginx-proxy-manager/pull/1875
This adds support for Nginx Proxy Manager to be a firewall bouncer for Crowdsec
Blog post on what this does https://crowdsec.net/blog/nginx-bouncer-v1/
Blog post on how to use this PR https://www.crowdsec.net/blog/crowdsec-with-nginx-proxy-manager
This has been expanded to be a permanent add-on to Nginx Proxy Manager. It requires the following changes to the base image: https://github.com/NginxProxyManager/docker-nginx-full/pull/7
There are three settings that would need to be configurable from Nginx Proxy Manager to set up the crowdsec-openresty-bouncer with the bare minimum to get it working:
File: /data/crowdsec/crowdsec-openresty-bouncer.conf
#Enables/Disables the Proxy (true|false)
ENABLED=false
#URL to the crowdsec api
API_URL=
#APIKEY to the crowdsec api, generated on crowdsec using `cscli bouncers add NPM`
API_KEY=
I'm not really sure how to do the frontend; if I can get some guidance I could do it as well.
This is also currently a global setting, so if an IP is banned it won't be able to connect to any host.
Full config for CrowdSec:
ENABLED=true
API_URL=http://localhost:8080
API_KEY=
CACHE_EXPIRATION=1
# bounce for all type of remediation that the bouncer can receive from the local API
BOUNCING_ON_TYPE=all
FALLBACK_REMEDIATION=ban
REQUEST_TIMEOUT=3000
UPDATE_FREQUENCY=10
# live or stream
MODE=stream
# exclude the bouncing on those location
EXCLUDE_LOCATION=
#those apply for "ban" action
# /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE
BAN_TEMPLATE_PATH=/data/crowdsec/templates/ban.html
REDIRECT_LOCATION=
RET_CODE=
#those apply for "captcha" action
# ReCaptcha Secret Key
SECRET_KEY=
# Recaptcha Site key
SITE_KEY=
CAPTCHA_TEMPLATE_PATH=/data/crowdsec/templates/captcha.html
CAPTCHA_EXPIRATION=3600
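As an added example (not part of this PR, the bouncer, or NPM): a small POSIX shell check that can be run against /data/crowdsec/crowdsec-openresty-bouncer.conf before restarting the container. It enforces only what the description above states: ENABLED, API_URL and API_KEY are the bare minimum, and REDIRECT_LOCATION and RET_CODE can't be used together (REDIRECT_LOCATION takes priority). The function names are mine, the sample config at the bottom is constructed for the demo, and the LAPI probe command is my assumption about CrowdSec's `X-Api-Key` header and `/v1/decisions` endpoint; verify it against your CrowdSec version.

```shell
#!/bin/sh
# Added example, not the project's own code: sanity-check a
# crowdsec-openresty-bouncer.conf before restarting NPM.
# Helper names (conf_get, check_bouncer_conf, lapi_probe_cmd) are hypothetical.

# conf_get FILE KEY -> prints the value of the last uncommented "KEY=value" line
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_bouncer_conf FILE -> prints findings; returns 0 if usable, 1 otherwise
check_bouncer_conf() {
    file="$1"; rc=0
    enabled=$(conf_get "$file" ENABLED)
    api_url=$(conf_get "$file" API_URL)
    api_key=$(conf_get "$file" API_KEY)
    redirect=$(conf_get "$file" REDIRECT_LOCATION)
    ret_code=$(conf_get "$file" RET_CODE)

    # ENABLED must be exactly true or false; false means nothing else matters
    case "$enabled" in
        true) ;;
        false) echo "note: ENABLED=false, bouncer is switched off"; return 0 ;;
        *) echo "error: ENABLED must be true or false (got '$enabled')"; rc=1 ;;
    esac
    # API_URL must point at the CrowdSec local API over http(s)
    case "$api_url" in
        http://*|https://*) ;;
        *) echo "error: API_URL must be an http(s) URL to the CrowdSec LAPI (got '$api_url')"; rc=1 ;;
    esac
    # API_KEY comes from 'cscli bouncers add NPM' and must not be empty
    [ -n "$api_key" ] || { echo "error: API_KEY is empty; paste the key from 'cscli bouncers add NPM'"; rc=1; }
    # The two ban options are mutually exclusive; warn rather than fail, since the
    # bouncer itself resolves the conflict in favour of REDIRECT_LOCATION
    if [ -n "$redirect" ] && [ -n "$ret_code" ]; then
        echo "warn: REDIRECT_LOCATION and RET_CODE are both set; REDIRECT_LOCATION takes priority, RET_CODE is ignored"
    fi
    return $rc
}

# lapi_probe_cmd FILE -> prints (does not run) a curl command to confirm the key is
# accepted by the LAPI. Assumption: CrowdSec LAPI authenticates bouncers with the
# X-Api-Key header on GET /v1/decisions.
lapi_probe_cmd() {
    printf "curl -sS -H 'X-Api-Key: %s' '%s/v1/decisions?ip=192.0.2.1'\n" \
        "$(conf_get "$1" API_KEY)" "$(conf_get "$1" API_URL)"
}

# Demo on a constructed config matching the bare-minimum settings from the PR text
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
#Enables/Disables the Proxy (true|false)
ENABLED=true
API_URL=http://localhost:8080
API_KEY=replace-with-cscli-output
EOF
if check_bouncer_conf "$demo_conf"; then
    echo "config looks usable; to test the key against the LAPI run:"
    lapi_probe_cmd "$demo_conf"
fi
rm -f "$demo_conf"
```

Run it with `sh check.sh` inside or outside the container; the probe command it prints should return a JSON list (possibly `null`) rather than a 403 if the API key is valid.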
@LePresidente can I just use: jc21/nginx-proxy-manager:github-pr-2677 to test the PR?
Use lepresidente/nginxproxymanager:latest, as it requires a change in the base image.
I had your image running for a long time but after a recent update I am not able to get this back into a running state. I am using this image: lepresidente/nginx-proxy-manager and I've configured the image to point to my existing data (which works with jc21's original image). What I am seeing in the logs is this (which keeps on repeating):
[app ] [3/28/2023] [9:48:51 PM] [Migrate ] › ℹ info Current database version: none
[app ] [3/28/2023] [9:48:51 PM] [Global ] › ✖ error Command failed: . /opt/certbot/bin/activate && pip install certbot-dns-cloudflare==$(certbot --version | grep -Eo '[0-9](\.[0-9]+)+') cloudflare && deactivate
[app ] /bin/sh: .: line 0: can't open '/opt/certbot/bin/activate': No such file or directory
[supervisor ] all services started.
[app ] [3/28/2023] [9:48:52 PM] [Global ] › ℹ info Manual db configuration already exists, skipping config creation from environment variables
[app ] [3/28/2023] [9:48:52 PM] [Migrate ] › ℹ info Current database version: none
[app ] [3/28/2023] [9:48:52 PM] [Global ] › ✖ error Command failed: . /opt/certbot/bin/activate && pip install certbot-dns-cloudflare==$(certbot --version | grep -Eo '[0-9](\.[0-9]+)+') cloudflare && deactivate
[app ] /bin/sh: .: line 0: can't open '/opt/certbot/bin/activate': No such file or directory
Having found this pull request and updated my docker to use the image you stated above I am now presented with a different error:
[3/28/2023] [10:18:02 PM] [SSL ] › ✖ error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Renewal configuration file /etc/letsencrypt/renewal/npm-1.conf (cert: npm-1) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-2.conf (cert: npm-2) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-3.conf (cert: npm-3) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-4.conf (cert: npm-4) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-5.conf (cert: npm-5) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-6.conf (cert: npm-6) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-7.conf (cert: npm-7) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-8.conf (cert: npm-8) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/npm-9.conf (cert: npm-9) produced an unexpected error: 'Namespace' object has no attribute 'dns_cloudflare_credentials'. Skipping.
Manually executing `pip3 install certbot-dns-cloudflare` removes the error and the log states:
[3/28/2023] [10:41:15 PM] [Global ] › ℹ info Backend PID 106 listening on port 3000 ...
[3/28/2023] [10:41:15 PM] [Nginx ] › ℹ info Reloading Nginx
[3/28/2023] [10:41:15 PM] [SSL ] › ℹ info Renew Complete
I am not able to log in though using either my original username/password or admin@example.
OK, so this was my image for https://github.com/jlesage/docker-nginx-proxy-manager, which is a fork of this that was done for Unraid, and I don't think they are compatible to interchange, so you need to switch back. I'll have to see why it's failing, or if there is a change upstream since he reworked how the image was built, which might have broken things.
@pittbull please try the latest image from here for the /jlesage/docker-nginx-proxy-manager image lepresidente/nginx-proxy-manager:dev
Using :dev on a replica of the original NPM folder did the trick. Came right up!
This has crowdsec, right? How about modsec?
@LePresidente, your image works perfectly, but I am experiencing problems with Cloudflare SSL certificates.
Here is the error I got....

Hey, Laurence from CrowdSec support here. I can see there is a lot of interaction on this PR; I do not know the project very well. Will this be something that will be merged, or will users have to rely on forks?
I migrated my proxy manager to Traefik, but it could be nice to get the original proxy manager with CrowdSec.
Something went wrong yesterday when I tried to update my fork; I'll need to look into this and maybe redo a new squashed commit.
I'm going to clean this up and close this PR and open a new one.
There seems to be a bit of confusion on the various versions available. @LePresidente, could you update me on which image to now use, and whether it will get updated along with the master image?
Yeah same for me, I still use the old "baudneo" one, and I really want a more up-to-date version.
Lepresidente/nginx-proxy-manager = jlesage/nginx-proxy-manager (up-to-date) (Unraid fork I use)
Lepresidente/nginxproxymanager = jc21/nginx-proxy-manager (up-to-date)
They are in-place replacements for the official images.
didn't mean to delete the comment
Should be nice to see something like this added.
Any chance this will be added?
Edit: never mind, the error is also present in the original base image: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3592
@LePresidente I still use your "Lepresidente/nginxproxymanager" version and just did a docker pull. And now the image won't start with error:
npm | [3/12/2024] [8:29:55 AM] [Certbot ] › ▶ start Installing godaddy...
npm | [3/12/2024] [8:29:55 AM] [Global ] › ⬤ debug CMD: . /opt/certbot/bin/activate && pip install --no-cache-dir certbot-dns-godaddy==$(certbot --version | grep -Eo '[0-9](\.[0-9]+)+') && deactivate
npm | [3/12/2024] [8:29:56 AM] [Certbot ] › ✖ error ERROR: Could not find a version that satisfies the requirement certbot-dns-godaddy==2.9.0 (from versions: 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 2.6.0, 2.7.4, 2.8.0)
npm | ERROR: No matching distribution found for certbot-dns-godaddy==2.9.0
Any idea?
Is there any chance that this gets worked on?
@jrpetersjr I mean it just needs to be tested and merged by the maintainer; I don't think there have been any real complaints from people using my builds, which basically include this PR and https://github.com/NginxProxyManager/docker-nginx-full/pull/8
I have been using it for ages, in production and on public-facing stuff.
CI Error:
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
certbot-node: Pulling from nginxproxymanager/nginx-full
Digest: sha256:eaa2ebcb50dd87557c9a8f95a3230128d94cac1ea17800261c036e59378e7d49
Status: Image is up to date for nginxproxymanager/nginx-full:certbot-node
docker.io/nginxproxymanager/nginx-full:certbot-node
❯ Building Frontend ...
yarn install v1.22.22
[1/4] Resolving packages...
[2/4] Fetching packages...
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
error Command failed.
Exit code: 128
Command: git
Arguments: clone https://github.com/tabler/tabler.git /usr/local/share/.cache/yarn/v6/.tmp/e11a93799a52aa978c82015e29fbe309
Directory: /app/frontend
Output:
Cloning into '/usr/local/share/.cache/yarn/v6/.tmp/e11a93799a52aa978c82015e29fbe309'...
error: RPC failed; curl 92 HTTP/2 stream 5 was not closed cleanly: CANCEL (err 8)
error: 2040 bytes of body are still expected
fetch-pack: unexpected disconnect while reading sideband packet
fatal: early EOF
fatal: fetch-pack: invalid index-pack output
PR is now considered stale. If you want to keep it open, please comment :+1:
I'm probably going to drop this as I don't use NPM anymore. I'll update my image once more, then someone else can take it over if they wish.
@LePresidente, when you drop support, I'll finally have to move away from NPM. Do you mind sharing what you use instead? I bet it supports CrowdSec. Btw: many thanks for maintaining it that long!
@WhoTheHeck I'm not LePresidente, but if you want to stick with NPM there is NPMplus maintained by ZoeyVid https://github.com/ZoeyVid/NPMplus which supports CrowdSec
I moved over to Pangolin (https://github.com/fosrl/pangolin), which uses Traefik under the hood. If you want to stay with NPM, the only fork that does have it built in is NPMplus, which Laurence posted above.