[BUG] CrowdsecAppsecFailureBlock false should also not block when crowdsec is down

Question

[BUG] CrowdsecAppsecFailureBlock false should also not block when crowdsec is down

trunneml opened this issue a month ago · comments

Describe the bug 🐛
Setting CrowdsecAppsecFailureBlock to false works for 500, but if a connection to crowdsec is not possible crowdsec-bouncer-traefik-plugin still returns 403

Expected behavior 👀
When crowdsec api is not available and CrowdsecAppsecFailureBlock is set to false Traefik should just work as normal.

To Reproduce
Steps to reproduce the behavior:

Configure crowdsec-bouncer-traefik-plugin with CrowdsecAppsecFailureBlock set to false
Stop crowdsec
Try to open a service behinde Traefik
See error

mathieuHa · Answer 1 · Fri Jun 07 2024 00:20:54 GMT+0800 (China Standard Time)

Hi we'll look into it.
In the mean time could you provide some informations like the version of the plugin, runtime (docker, kubernetes, binary, vm..).

maxlerebourg · Answer 2 · Sun Jun 09 2024 16:14:36 GMT+0800 (China Standard Time)

Hey @trunneml
I looked into the code, the CrowdsecAppsecFailureBlock: false handle the appsec response status code 500 only. We followed the protocol from Crowdsec to implement our plugin.

I don't know if it's smart to totally bypass our plugin when crowdsec is unreachable.

We could add a new variable CrowdsecAppsecUnreachableBlock to handle this case, and by default is true.

What do you think ?

Michael Graf · Answer 3 · Sun Jun 09 2024 16:28:29 GMT+0800 (China Standard Time)

An extra flag fixes my problem.
Background: Croudsec LAPI is in an different network segment.