crowdsec: add Traefik router whitelist configuration
saltydk committed Oct 5, 2024
1 parent 84fbf23 commit 5fbad01
Showing 3 changed files with 33 additions and 0 deletions.
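--- a/roles/crowdsec/defaults/main.yml
+++ b/roles/crowdsec/defaults/main.yml
@@ -42,6 +42,9 @@ crowdsec_prometheus_level: "full"
 crowdsec_prometheus_listen_addr: "127.0.0.1"
 crowdsec_prometheus_listen_port: "6060"
 
+# Takes a list of exact router names to ignore when parsing Traefik access logs.
+crowdsec_whitelisted_routers: []
+
 ################################
 # Lookups
 ################################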
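Review bot: The comment on `crowdsec_whitelisted_routers` understates what the setting does. The template added in this commit also matches `<name>-http` for every entry, so the match is not limited to the exact name. A match whitelists the event rather than skipping a parse step, so no scenario evaluates access or error log traffic for that router. I would reword the comment to `# List of Traefik router names whose access/error log events CrowdSec whitelists (also matches '<name>-http').` and add `# Whitelisted routers get no log-based CrowdSec detection; list only routers that must never be banned.`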
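--- a/roles/crowdsec/tasks/main.yml
+++ b/roles/crowdsec/tasks/main.yml
@@ -150,6 +150,14 @@
 group: "root"
 mode: "0644"
 
+- name: Import 'saltbox.yml'
+ansible.builtin.template:
+src: saltbox.yml.j2
+dest: "/etc/crowdsec/parsers/s02-enrich/saltbox.yml"
+owner: "root"
+group: "root"
+mode: "0600"
+
 - name: Enable and restart 'crowdsec' service
 ansible.builtin.systemd_service:
 name: crowdsec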
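--- a/roles/crowdsec/templates/saltbox.yml.j2
+++ b/roles/crowdsec/templates/saltbox.yml.j2
@@ -0,0 +1,22 @@
+name: saltbox/traefik-router-allowlist
+description: "Allowlist events from specific Traefik routers"
+filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
+whitelist:
+reason: "Traefik Router Allowlist"
+expression:
+{% for item in plex_instances %}
+- evt.Meta.traefik_router_name == '{{ item }}'
+- evt.Meta.traefik_router_name == '{{ item }}-http'
+{% endfor %}
+{% for item in jellyfin_instances %}
+- evt.Meta.traefik_router_name == '{{ item }}'
+- evt.Meta.traefik_router_name == '{{ item }}-http'
+{% endfor %}
+{% for item in emby_instances %}
+- evt.Meta.traefik_router_name == '{{ item }}'
+- evt.Meta.traefik_router_name == '{{ item }}-http'
+{% endfor %}
+{% for item in crowdsec_whitelisted_routers %}
+- evt.Meta.traefik_router_name == '{{ item }}'
+- evt.Meta.traefik_router_name == '{{ item }}-http'
+{% endfor %}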
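Review bot: The loops over `plex_instances`, `jellyfin_instances` and `emby_instances` exempt every HTTP access and error log event for those routers and their `-http` variants, with no way to opt out, so log-based scenarios never see failed logins or scanning against those services. If the aim is to suppress false positives from media clients, I would gate the three built-in loops behind a role default, for example `{% if crowdsec_whitelist_media_routers | default(true) %}` … `{% endif %}` (the variable name is only a suggestion), and state in the defaults file that listed routers lose CrowdSec coverage. Separately, each `'{{ item }}'` is interpolated into the expression unescaped, so a name containing a single quote would produce an expression that presumably fails to compile when the service restarts. If all four lists are empty, `expression:` renders with no entries, which may also deserve a guard.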
