Traefik with CrowdSec - the ULTIMATE SECURITY layer! - Tutorial

Views: 8,351

Tech with Marco

A day ago

*Get $200 worth of credits in the DigitalOcean cloud: link.techwithmarco.com/digita... (*)
In this tutorial, I'll show you how to set up #CrowdSec with #Traefik to provide ultimate security for your web applications. CrowdSec is an open-source security stack that helps protect your web applications from attacks, while #Traefik is a reverse proxy that helps route traffic to the right web application.
To get started, I'll assume you have already set up Traefik; otherwise, have a look at my Traefik tutorial (• TRAEFIK - the BEST rev...). First, I'll show you how to configure CrowdSec and Traefik.
Then, I'll show you how to create the "crowdsec_config" folder with the "acquis.yml" file, which allows CrowdSec to read log files of Traefik. I'll also mount the log directory of Traefik to the CrowdSec container so that the CrowdSec container can read the log files of Traefik.
Finally, I'll show you how to connect CrowdSec with the traefik-crowdsec-bouncer to take action on the information gathered above.
You can verify that everything is working by visiting your web application and triggering some attacks. You should see log entries in Traefik's logs showing that the requests were blocked by the Traefik bouncer.
Thank you for watching this tutorial. If you have any questions or comments, feel free to leave them in the comments section below. Don't forget to like and subscribe to our channel for more videos like this.
Here you can find the tutorial's files on my GitHub:
github.com/marcogreiveldinger...
Terraform - Cloudflare - GitHub Actions Automation: • Terraform and Cloudfla...
Traefik Tutorial: • TRAEFIK - the BEST rev...
00:00 - 00:14 Intro
00:15 - 00:50 What is CrowdSec
00:51 - 03:00 Create a new cloud server
03:01 - 06:40 Traefik Setup
06:41 - 11:25 CrowdSec configuration setup
11:26 - 17:20 CrowdSec Bouncer - take action on information
17:21 - 21:16 CrowdSec Console - Dashboard overview
21:17 - 22:10 CrowdSec Hub community
22:11 - 22:34 Outro
www.crowdsec.net/
traefik.io/traefik/
www.digitalocean.com/ #digitalocean
Music from #Uppbeat (free for Creators!):
uppbeat.io/t/avbe/night-in-kyoto
License code: HZXPGBZOG9PSJT0W
Support me at Patreon: / techwithmarco
--------------------------
(*) -links are affiliate links. (If you buy something through the link, I receive a commission of your purchases. There are no extra costs for you.)
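
The setup the description walks through (acquisition file, shared log directory, bouncer), as an added configuration sketch that is not taken from the video or its repository. Service names, image tags, host paths and the choice of the fbonalair/traefik-crowdsec-bouncer image are assumptions; the API key is a placeholder.

```yaml
# crowdsec_config/acquis.yml: which files CrowdSec tails and which parser handles them
filenames:
  - /var/log/traefik/*.log        # path as seen inside the CrowdSec container
labels:
  type: traefik                   # routes these lines to the Traefik parser
---
# docker-compose.yml excerpt. Service names, image tags and host paths are assumptions.
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker=true
      - --entrypoints.web.address=:80
      - --accesslog=true
      - --accesslog.filepath=/var/log/traefik/access.log
      # Send every request on this entrypoint through the bouncer middleware
      - --entrypoints.web.http.middlewares=crowdsec-bouncer@docker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./logs/traefik:/var/log/traefik          # Traefik writes its access log here

  crowdsec:
    image: crowdsecurity/crowdsec:latest
    environment:
      COLLECTIONS: "crowdsecurity/traefik"       # parsers and scenarios for Traefik logs
    volumes:
      - ./crowdsec_config/acquis.yml:/etc/crowdsec/acquis.yaml:ro
      - ./logs/traefik:/var/log/traefik:ro       # same directory, mounted read-only
      - crowdsec-db:/var/lib/crowdsec/data

  bouncer-traefik:
    image: fbonalair/traefik-crowdsec-bouncer:latest
    environment:
      CROWDSEC_AGENT_HOST: crowdsec:8080         # CrowdSec local API
      CROWDSEC_BOUNCER_API_KEY: "<key printed by: cscli bouncers add bouncer-traefik>"
    labels:
      - traefik.http.middlewares.crowdsec-bouncer.forwardauth.address=http://bouncer-traefik:8080/api/v1/forwardAuth

volumes:
  crowdsec-db:
```

CrowdSec only needs to read the access log, so its copy of the log directory is mounted read-only; the bouncer key should come from an environment file or secret store rather than being committed with the compose file.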

Comments: 19
@techwithmarco 1 year ago
Have you already seen my traefik tutorial? 😊 kzbin.info/www/bejne/h3SWqJireLqlbtE ---- 🔐If you want to improve your security stack even more, head over to my newest video about using a docker-socket-proxy instead of using it directly mounted from the host system! kzbin.info/www/bejne/mIDQn56Ajttmb68
@MMGroup72 1 year ago
Another great video! Thank you Marco!
@techwithmarco 1 year ago
Always a pleasure!
@thomasgreiveldinger7879 1 year ago
Great. ❤
@niklaskroehnke 1 year ago
Awesome! ☺️👌👌 Love it!
@techwithmarco 1 year ago
Very cool 😃 I hope you were able to learn something 😂😂
@nicoladellino8124 1 year ago
Very useful video, THX.
@techwithmarco 1 year ago
Thanks! Always appreciate these comments 🙂
@Smoothi0815 5 months ago
Hey Marco, I've got all of this working well so far. Thanks. Locally it also works very reliably. As soon as I add a local IP as a decision, the bouncer blocks it. Now I've set up the corresponding port forwarding and created the DNS records for my domain (I use Cloudflare). Then I accessed my domain from my phone (not on Wi-Fi, of course), and that works too. However, the Traefik access log does not show the device's correct public IP, but always a different one. It's probably just a small thing, but this way CrowdSec doesn't really make sense yet. Do you have any advice?
@techwithmarco 5 months ago
Hey, do you have Cloudflare set up as a proxy in between, or linked as a direct A record? If the former, there are a few ways to get the real IP of the request. Either with Traefik plugins such as "Traefik-Real-Ip" (plugins.traefik.io/plugins/628c9f01108ecc83915d776c/traefik-real-ip) or "real-ip-from-cloudflare-proxy-tunnel" (plugins.traefik.io/plugins/62e97498e2bf06d4675b9443/real-ip-from-cloudflare-proxy-tunnel). Or you can set .forwardedHeaders.trustedIPs and list all Cloudflare networks there. The CIDRs can be found with a simple Google search: --entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,... Here is an example (www.reddit.com/r/Traefik/comments/th33a3/comment/i15tdzp/?context=3). I hope that helps :) Otherwise feel free to get in touch again!
@Smoothi0815 5 months ago
@techwithmarco Hey Marco, I was already able to solve it. I just had to enable the x-forwarded headers. 😉
@techwithmarco 5 months ago
@Smoothi0815 Very cool! I've also just added that to the docs on GitHub :)
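
An added configuration example for the forwarded-header setting discussed in the thread above; it is not from the commenters or the video's repository. It contrasts trusting X-Forwarded-* from any peer with trusting it only from the proxy's ranges. The entrypoint address is an assumption, and the two Cloudflare ranges shown are only a partial list.

```yaml
# traefik.yml (static configuration), constructed example
entryPoints:
  web:
    address: ":80"
    forwardedHeaders:
      # Weak: honours X-Forwarded-For from every peer, so the address written
      # to the access log (and acted on by CrowdSec) is whatever the client claims.
      # insecure: true

      # Corrected: honour X-Forwarded-* only when the connection comes from
      # the proxy in front of Traefik; all other peers are logged by socket IP.
      trustedIPs:
        - 127.0.0.1/32
        - 173.245.48.0/20
        - 103.21.244.0/22
        # add the remaining ranges published at https://www.cloudflare.com/ips/
```

With this in place, decisions apply to the visitor's address rather than to the proxy's, and direct connections that bypass the proxy cannot choose the IP they are logged under.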
@jschneekloth 10 months ago
What are you using to get your terminal to look like that? Some oh my zsh theme?
@techwithmarco 10 months ago
Yes I was using powerlevel10k at that time. I changed to Starship now. I think I'll do a video about zsh theme options in the future as I love to try different stuff for themes 😄
@faizansirajuddin 11 months ago
What is the username and password? How to create one is not mentioned in both the videos
@techwithmarco 11 months ago
You mean the basic authentication for the dashboard of traefik? This is mentioned in the traefik_config/dynamic_conf.yml on github. As an example this is user and as password demo. You can create new ones with the cli command: htpasswd -nb user 'demo'
@atol71 9 months ago
Not to provide sour note: Traefik lets all ports through except 443 and 80. No security..... VW German diesel.
@chaospheremk 8 months ago
Not even close to true lol