Nginx bouncer error: request failed: bad uri: ${CROWDSEC_LAPI_URL} #52

usma0118 opened this issue Sep 5, 2024 · 4 comments

usma0118 commented Sep 5, 2024

What happened?

Nginx throws error:
```
[Crowdsec] bouncer error: request failed: bad uri: ${CROWDSEC_LAPI_URL}/v1/decisions?ip=*.*.*.*, client: *.*.*.*, server: [redacted], request: "GET /startpage/ HTTP/2.0", host: "[redacted]", referrer: "[redacted]"
```

What did you expect to happen?

Should use API_URL variable as per docs.

How can we reproduce it (as minimally and precisely as possible)?

Deploy nginx bouncer on kubernetes via:

```yaml
controller:
  extraVolumes:
    - name: crowdsec-bouncer-plugin
      emptyDir: {}
  extraInitContainers:
    - name: init-clone-crowdsec-bouncer
      image: crowdsecurity/lua-bouncer-plugin
      tag: v1.0.2@sha256:608f0ff0b78bdcc3eb68669900020352095671c0952c13e17155b584d3419085
      imagePullPolicy: IfNotPresent
      env:
        - name: CROWDSEC_LAPI_URL
          value: "http://crowdsec-service.watchtower.svc.cluster.local:8080" # crowdsec lapi service-name
        - name: API_URL
          value: "http://crowdsec-service.watchtower.svc.cluster.local:8080" # crowdsec lapi service-name
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: ingress-nginx
              key: BOUNCER_KEY
        - name: BOUNCER_CONFIG
          value: "/crowdsec/crowdsec-bouncer.conf"
        - name: BAN_TEMPLATE_PATH
          value: /etc/nginx/lua/plugins/crowdsec/templates/ban.html
      # Due to https://discourse.crowdsec.net/t/problems-installing-nginx-bouncer-in-k3s/1273
      # command: ['sh', '-c', "sh /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/"]
      command:
        [
          "sh",
          "-c",
          "apk update; apk add bash; bash /docker_start.sh; mkdir -p /lua_plugins/crowdsec/; cp -R /crowdsec/* /lua_plugins/crowdsec/",
        ]
      volumeMounts:
        - name: crowdsec-bouncer-plugin
          mountPath: /lua_plugins
  extraVolumeMounts:
    - name: crowdsec-bouncer-plugin
      mountPath: /etc/nginx/lua/plugins/crowdsec
      subPath: crowdsec
  config:
    plugins: "crowdsec"
    lua-shared-dicts: "crowdsec_cache: 50m"
    server-snippet: |
      resolver local=on ipv6=off;
```

Anything else we need to know?

Tried setting CROWDSEC_LAPI_URL as env variable.

Crowdsec version

v1.6.2


github-actions bot commented Sep 5, 2024

@usma0118: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

LaurenceJJones (Contributor) commented

Transferring to appropriate repository.

LaurenceJJones transferred this issue from crowdsecurity/crowdsec Sep 5, 2024

LaurenceJJones (Contributor) commented

Will look into this. Currently it should detect the API_URL within the bash script and replace the whole configuration line.

```bash
if [ "$API_URL" != "" ]; then
    sed -i "s,API_URL.*,API_URL=$API_URL," "$CROWDSEC_BOUNCER_CONFIG"
fi
```

Can you check the loaded configuration location does not include duplicated API_URL keys by execing into the nginx ingress?

usma0118 commented Sep 5, 2024

OK, the issue is that if the initContainer fails for some reason, currently that does not result in a process failure, and the system continues.

Related #35
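
A fail-closed check for the situation discussed in this thread, as an added example (not code from the CrowdSec project or from either commenter): it rejects a rendered bouncer config that still contains an unexpanded `${...}` placeholder or more than one `API_URL` key, so an init step can exit non-zero instead of leaving nginx with a broken config. The function names, the sample files and the `KEY=value` layout beyond the `API_URL=` line shown above are assumptions.

```shell
#!/bin/sh
# Added example: fail closed when the rendered bouncer config is unusable.
# Assumes KEY=value lines, as implied by the sed call quoted in this thread.

# check_bouncer_conf FILE: returns 0 if usable, 1 if invalid, 2 if unreadable.
check_bouncer_conf() {
    conf=$1
    rc=0
    if [ ! -r "$conf" ]; then
        echo "bouncer config missing or unreadable: $conf" >&2
        return 2
    fi
    # An unexpanded ${VAR} outside a comment means substitution never ran.
    if grep -n '^[^#]*\${[A-Za-z_][A-Za-z0-9_]*}' "$conf" >&2; then
        echo "unexpanded placeholder in $conf" >&2
        rc=1
    fi
    # Duplicate API_URL keys make it ambiguous which value gets loaded.
    count=$(grep -c '^[[:space:]]*API_URL[[:space:]]*=' "$conf" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one API_URL line, found $count" >&2
        rc=1
    fi
    # The value must be an absolute http(s) URL, not a literal placeholder.
    url=$(sed -n 's/^[[:space:]]*API_URL[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    case $url in
        http://?* | https://?*) ;;
        *) echo "API_URL is not an http(s) URL" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample configs (hostname and key are placeholders).
write_samples() {
    printf 'API_URL=${CROWDSEC_LAPI_URL}\nAPI_KEY=placeholder\n' > "$1/unrendered.conf"
    printf 'API_URL=http://lapi.example.internal:8080\nAPI_KEY=placeholder\n' > "$1/rendered.conf"
    printf 'API_URL=http://lapi.example.internal:8080\nAPI_URL=${CROWDSEC_LAPI_URL}\n' > "$1/duplicate.conf"
}

# Possible use after sourcing this file in the init command (an assumption,
# not the chart's default):
#   bash /docker_start.sh && check_bouncer_conf "$BOUNCER_CONFIG" || exit 1
```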
