Proteggiamo i nostri stack docker con CrowdSec e il bouncer sulla macchina host.

File docker-compose.yml di riferimento

version: '3'

services:
  #the application itself : static html served by apache2.
  #the html can be found in ./app/
  app:
    image: httpd:alpine
    restart: unless-stopped
    volumes:
      - ./app/:/usr/local/apache2/htdocs/
    networks:
      - crowdsec_test

  #the reverse proxy that will serve the application
  #you can see nginx's config in ./reverse-proxy/nginx.conf
  reverse-proxy:
    image: nginx:alpine
    restart: unless-stopped
    ports:
      - 8000:80
    depends_on:
      - 'app'
    volumes:
      - ./reverse-proxy/nginx.conf:/etc/nginx/nginx.conf
      - logs:/var/log/nginx
    networks:
      - crowdsec_test

  #crowdsec : it will be fed nginx's logs
  #and later we're going to plug a firewall bouncer to it
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    restart: unless-stopped
    environment:
      #this is the list of collections we want to install
      #https://hub.crowdsec.net/author/crowdsecurity/collections/nginx
      COLLECTIONS: "crowdsecurity/nginx"
      GID: "${GID-1000}"
    depends_on:
      - 'reverse-proxy'
    ports:
      - 127.0.0.1:8080:8080
    volumes:
      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      - logs:/var/log/nginx
      - crowdsec-db:/var/lib/crowdsec/data/
      - crowdsec-config:/etc/crowdsec/
    networks:
      - crowdsec_test

  #metabase, because security is cool, but dashboards are cooler
  dashboard:
    #we're using a custom Dockerfile so that metabase pops with pre-configured dashboards
    build: ./crowdsec/dashboard
    restart: unless-stopped
    ports:
      - 3000:3000
    environment:
      MB_DB_FILE: /data/metabase.db
      MGID: "${GID-1000}"
    depends_on:
      - 'crowdsec'
    volumes:
      - crowdsec-db:/metabase-data/
    networks:
      - crowdsec_test

volumes:
  logs:
  crowdsec-db:
  crowdsec-config:

networks:
  crowdsec_test:
Continua a leggere