* Several updates 2022_06_26. See full commit log.

* Published my real middlewares.yml, middlewares-chains.yml, and tls-opts.yml, thanks to the previous commit that allowed usage of environmental variables in rules.
* Added LOCAL_IPS and CLOUDFLARE_IPS variables to simplify Traefik compose.
* Added CrowdSec, CrowdSec Dashboard, and Traefik Bouncer. This appears to be working well but will check for a few more days before publishing a separate guide on it.
* Updated middlewares and chains to include crowdsec middleware.
* Updated Traefik logs and its path to support parsing with Crowdsec. Also separated traefik log and access log.

.env.example

@@ -51,6 +51,7 @@ SECRETSDIR=/home/username/docker/secrets
 SERVER_IP=
 PIHOLE_IP=
 LOCAL_NETWORK=
+LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 
 ##### DOMAIN
 
@@ -60,6 +61,7 @@ CLOUDFLARE_API_KEY=
 CLOUDFLARE_API_TOKEN=
 CLOUDFLARE_ZONEID=
 DUCKDNS_TOKEN=
+CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
 
 ##### DATABASE
 

.gitignore

@@ -91,6 +91,9 @@ appdata/traefik2/rules/synology/*
 !appdata/traefik2/rules/cloudserver
 appdata/traefik2/rules/cloudserver/*
 !appdata/traefik2/rules/cloudserver/*.example
+!appdata/traefik2/rules/cloudserver/tls-opts.yml
+!appdata/traefik2/rules/cloudserver/middlewares.yml
+!appdata/traefik2/rules/cloudserver/middlewares-chains.yml
 
 !appdata/authelia
 appdata/authelia/*

appdata/traefik2/rules/cloudserver/middlewares-chains.yml.example → appdata/traefik2/rules/cloudserver/middlewares-chains.yml

@@ -3,6 +3,7 @@ http:
     chain-no-auth:
       chain:
         middlewares:
+          - middlewares-crowdsec-bouncer-traefik
           - middlewares-rate-limit
           - middlewares-https-redirectscheme
           - middlewares-secure-headers
@@ -11,6 +12,7 @@ http:
     chain-basic-auth:
       chain:
         middlewares:
+          - middlewares-crowdsec-bouncer-traefik
           - middlewares-rate-limit
           - middlewares-https-redirectscheme
           - middlewares-secure-headers
@@ -20,6 +22,7 @@ http:
     chain-oauth:
       chain:
         middlewares:
+          - middlewares-crowdsec-bouncer-traefik
           - middlewares-rate-limit
           - middlewares-https-redirectscheme
           - middlewares-secure-headers
@@ -29,6 +32,7 @@ http:
     chain-oauth-external:
       chain:
         middlewares:
+          - middlewares-crowdsec-bouncer-traefik
           - middlewares-rate-limit
           - middlewares-https-redirectscheme
           - middlewares-secure-headers
@@ -38,6 +42,7 @@ http:
     chain-authelia:
       chain:
         middlewares:
+          - middlewares-crowdsec-bouncer-traefik
           - middlewares-rate-limit
           - middlewares-https-redirectscheme
           - middlewares-secure-headers

appdata/traefik2/rules/cloudserver/middlewares.yml.example → appdata/traefik2/rules/cloudserver/middlewares.yml

@@ -50,6 +50,11 @@ http:
         authResponseHeaders:
           - "X-Forwarded-User"
 
+    middlewares-crowdsec-bouncer-traefik:
+      forwardAuth:
+        address: "http://crowdsec-bouncer:8080/api/v1/forwardAuth" # Make sure you have the crowdsec-bouncer service in docker-compose.yml
+        trustForwardHeader: true
+
     middlewares-oauth-external:
       forwardAuth:
         address: "https://oauth.{{env "DOMAINNAME_CLOUD_SERVER"}}" # Make sure you have the OAuth service in a remote server

docker-compose-t2-obsolete.yml

@@ -1440,21 +1440,6 @@ services:
       - "traefik.http.routers.traefik-error-pages-rtr.service=traefik-error-pages-svc"
       - "traefik.http.services.traefik-error-pages-svc.loadbalancer.server.port=80"
 
-  # Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible
-  certdumper:
-    container_name: traefik_certdumper
-    image: humenius/traefik-certs-dumper:latest
-    network_mode: none
-    security_opt:
-      - no-new-privileges:true
-    # command: --restart-containers container1,container2,container3
-    volumes:
-      - $DOCKERDIR/traefik2/acme:/traefik:ro
-      - $DOCKERDIR/shared/certs:/output:rw
-      # - /var/run/docker.sock:/var/run/docker.sock:ro # Only needed if restarting containers (use Docker Socket Proxy instead)
-    environment:
-      DOMAIN: $DOMAINNAME
-
   # Dozzle - Real-time Docker Log Viewer
   dozzle:
     image: amir20/dozzle:latest
@@ -1918,3 +1903,16 @@ services:
       # Add hosts specified in rules here to force cf-companion to create the CNAMEs
       # Since cf-companion creates CNAMEs based on host rules, this a workaround for non-docker/external apps
       - "traefik.http.routers.cf-companion-rtr.rule=Host(`webmin.$DOMAINNAME2`) || Host(`shellh.$DOMAINNAME2`) || Host(`syno.$DOMAINNAME2`) || Host(`ibox.$DOMAINNAME2`) || Host(`synplex.$DOMAINNAME2`) || Host(`pirpi.$DOMAINNAME2`) || Host(`pidoc.$DOMAINNAME2` || Host(`stpc.$DOMAINNAME2`)"
+
+  # Traefik Certs Dumper - Extract LetsEncrypt Certificates - Traefik2 Compatible
+  certdumper:
+    <<: *common-keys-apps # See EXTENSION FIELDS at the top
+    container_name: traefik_certdumper
+    image: humenius/traefik-certs-dumper:latest
+    # command: --restart-containers container1,container2,container3
+    volumes:
+      - $DOCKERDIR/appdata/traefik2/acme:/traefik:ro
+      - $DOCKERDIR/shared/certs/$DOMAINNAME_CLOUD_SERVER:/output:rw
+      # - /var/run/docker.sock:/var/run/docker.sock:ro # Only needed if restarting containers (use Docker Socket Proxy instead)
+    environment:
+      DOMAIN: $DOMAINNAME_CLOUD_SERVER

docker-compose-t2.yml

@@ -67,6 +67,8 @@ secrets:
     file: $DOCKERDIR/secrets/guac_mysql_user
   guac_mysql_password:
     file: $DOCKERDIR/secrets/guac_mysql_password
+  #traefik_hub_agent_token:
+  #  file: $DOCKERDIR/secrets/traefik_hub_agent_token
 
 ########################### EXTENSION FIELDS
 # Helps eliminate repetition of sections
@@ -137,7 +139,7 @@ services:
       - --entryPoints.http.address=:80
       - --entryPoints.https.address=:443
       # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
-      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22
+      - --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
       - --entryPoints.traefik.address=:8080
       # - --entryPoints.ping.address=:8081
       - --api=true
@@ -146,11 +148,12 @@ services:
       #- --ping=true
       # - --serversTransport.insecureSkipVerify=true
       - --log=true
-      - --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
+      - --log.filePath=/logs/traefik.log
+      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
       - --accessLog=true
-      - --accessLog.filePath=/traefik.log
+      - --accessLog.filePath=/logs/access.log
       - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
-      - --accessLog.filters.statusCodes=400-499
+      - --accessLog.filters.statusCodes=204-299,400-499,500-599
       - --providers.docker=true
       # - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
       - --providers.docker.endpoint=tcp://socket-proxy:2375
@@ -203,8 +206,9 @@ services:
       - $DOCKERDIR/appdata/traefik2/rules/cloudserver:/rules # file provider directory
       # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
       - $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must create this emtpy file and change permissions to 600
-      - $DOCKERDIR/logs/cloudserver/traefik.log:/traefik.log # for fail2ban - make sure to create empty file before starting container
+      - $DOCKERDIR/logs/cloudserver/traefik:/logs # for fail2ban or crowdsec
     environment:
+      - TZ=$TZ
       - CF_API_EMAIL_FILE=/run/secrets/cf_email
       - CF_API_KEY_FILE=/run/secrets/cf_api_key
       - HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
@@ -239,7 +243,7 @@ services:
       ## Middlewares
       #- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file" # For No Authentication
       #- "traefik.http.routers.traefik-rtr.middlewares=chain-auth-basic@file" # For Basic HTTP Authentication
-      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"
+      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file" # For Google OAuth
       #- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" # For Authelia Authentication
 
   # Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
@@ -397,6 +401,56 @@ services:
       - "traefik.http.routers.heimdall-rtr.service=heimdall-svc"
       - "traefik.http.services.heimdall-svc.loadbalancer.server.port=80"
 
+  # CrowdSec - Open-source & collaborative security IPS
+  crowdsec:
+    <<: *common-keys-core # See EXTENSION FIELDS at the top
+    image: crowdsecurity/crowdsec
+    container_name: crowdsec
+    environment:
+      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors"
+      GID: "${GID-1000}"
+      CUSTOM_HOSTNAME: cDoc
+    volumes:
+      - $DOCKERDIR/logs/cloudserver:/logs:ro
+      - $DOCKERDIR/appdata/crowdsec/data:/var/lib/crowdsec/data
+      - $DOCKERDIR/appdata/crowdsec/config:/etc/crowdsec
+
+  # CrowdSec Dashboard
+  # Uses a lot of resources. May be crowdsec's cloud dashboard or Prometheus Grafana may be a better option.
+  csdash:
+    <<: *common-keys-apps # See EXTENSION FIELDS at the top
+    container_name: crowdsec-dashboard
+    build:
+      context: $DOCKERDIR/custom/
+      dockerfile: Dockerfile-csdash
+    depends_on:
+      - crowdsec
+    environment:
+      - MB_DB_FILE=/data/metabase.db
+      - MGID=1000
+    volumes:
+      - $DOCKERDIR/appdata/crowdsec/data:/metabase-data/
+    labels:
+      - "traefik.enable=true"
+      ## HTTP Routers
+      - "traefik.http.routers.csdash-rtr.entrypoints=https"
+      - "traefik.http.routers.csdash-rtr.rule=Host(`csdash.$DOMAINNAME_CLOUD_SERVER`)"
+      ## Middlewares
+      - "traefik.http.routers.csdash-rtr.middlewares=chain-oauth@file"
+      ## HTTP Services
+      - "traefik.http.routers.csdash-rtr.service=csdash-svc"
+      - "traefik.http.services.csdash-svc.loadbalancer.server.port=3000"
+
+  # CrowdSec Bouncer - Traefik
+  crowdsec-bouncer:
+    <<: *common-keys-core # See EXTENSION FIELDS at the top
+    image: fbonalair/traefik-crowdsec-bouncer
+    container_name: crowdsec-bouncer
+    environment:
+      GIN_MODE: release # default is debug (more logs)
+      CROWDSEC_BOUNCER_API_KEY: $CROWDSEC_BOUNCER_TRAEFIK_API_KEY
+      CROWDSEC_AGENT_HOST: crowdsec:8080 # CrowdSec host and port
+
   ############################# DATABASE
 
   # MariaDB - MySQL Database

shared/config/bash_aliases

@@ -57,6 +57,19 @@ alias stopbasic='dcstop2 $(cat /home/$BA_USERNAME/docker/scripts/homeserver/basi
 alias stopmedia='dcstop2 $(cat /home/$BA_USERNAME/docker/scripts/homeserver/media-services.txt)'
 alias startmedia='dcup2 $(cat /home/$BA_USERNAME/docker/scripts/homeserver/media-services.txt)'
 
+# CROWDSEC
+alias cscli='dcrun2 exec -t crowdsec cscli'
+alias csdecisions='cscli decisions list'
+alias csalerts='cscli alerts list'
+alias csinspect='cscli alerts inspect -d'
+alias cshubs='cscli hub list'
+alias csparsers='cscli parsers list'
+alias cscollections='cscli collections list'
+alias cshubupdate='cscli hub update'
+alias cshubupgrade='cscli hub update'
+alias csmetrics='cscli metrics'
+alias csmachines='cscli machines list'
+
 # WEB STACK
 alias webrs='dcrec2 php7 redis nginx'