Issue ordering directives with maxmind_geolocation

1. The problem I’m having:

I’m trying to use the global order on the directives so that maxmind_geolocation is called first, then crowdsec, then authelia, but I think I’m using the wrong name to call maxmind_geolocation.

Using the custom caddy build, serfriz/caddy-crowdsec-geoip, which uses the modules porech/caddy-maxmind-geolocation and hslatman/caddy-crowdsec-bouncer to secure a reverse proxy with my domain. Authelia is used as well.

Everything seems to be working when setting crowdsec first and not messing with the maxmind_geolocation order. I can authenticate through authelia, then log in to the service, and if my IP is in a blocked country, it gives a blank screen. Think it makes more sense to block country first to reduce what is hitting authelia though.

2. Error messages and/or full log output:

INF ts=1730043575.319679 msg=using config from file file=/etc/caddy/Caddyfile
Error: adapting config using caddyfile: parsing caddyfile tokens for 'order': maxmind_geolocation is not a registered directive, at /etc/caddy/Caddyfile:5

3. Caddy version:

v2.8.4

4. How I installed and ran Caddy:

a. System environment:

OS: linux x86_64 QTS 5.1.7
Docker version 20.10.27-qnap1, build 662936b

b. Command:

Run through portainer as docker-compose

c. Service/unit/compose file:

services:
  caddy:
    image: serfriz/caddy-crowdsec-geoip:latest
    container_name: caddy
    environment:
      - PUID=1001
      - PGID=1000
      - TZ=America/Toronto
      - CROWDSEC_API_KEY=xxxxxxxxxxxxxxxxxxxxx
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
    volumes:
      - /share/docker-apps/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /share/docker-apps/caddy/data:/data
      - /share/docker-apps/caddy/config:/config
      - /share/docker-apps/caddy/logs:/var/log/caddy
    restart: unless-stopped

networks:
  default:
    name: caddy_net

d. My complete Caddy config:

{
    email my@email.com
    order maxmind_geolocation first
    order crowdsec after maxmind_geolocation
    crowdsec {
        api_url http://crowdsec:8080
        api_key xxxxxxxxxxxxxxxxxxxxxxx
    }
}

(geofilter) {
    @mygeofilter {
        not maxmind_geolocation {
            db_path "/config/GeoLite2-Country.mmdb"
            allow_countries CA
        }
        not remote_ip 172.29.20.0/22
    }
    respond @mygeofilter 403
}

(secure) {
    forward_auth {args[0]} authelia:9091 {
        uri /api/verify?rd=https://auth.domain.com
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        header_up Host {upstream_hostport}
    }
}

auth.domain.com {
    reverse_proxy authelia:9091
}

news.domain.com {
    crowdsec
    log {
        output file /var/log/caddy/miniflux.log
    }
    import geofilter
    import secure *
    reverse_proxy miniflux:8080
}

5. Links to relevant resources:

It’s a matcher, not a directive. Ordering is only for directives.

If you’re trying to do crowdsec after, then use the error directive instead of respond, then set crowdsec to after error, then they’ll be ordered properly.

2 Likes
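The reply above applied to the poster's config, as an added example rather than anything from the thread or from the caddy-maxmind-geolocation / caddy-crowdsec-bouncer projects. It keeps `maxmind_geolocation` as a matcher, swaps `respond` for `error` so that the global `order` line has a directive to reference, and goes one step further than the reply: because `error` sits after `forward_auth` in Caddy's default directive order, the site block wraps its handlers in `route`, which runs directives in the order they are written, so the country check also runs before the Authelia `forward_auth`. Host names, the database path, the internal subnet and the `xxx` API key are the placeholders from the original post.

```caddyfile
{
    email my@email.com
    # crowdsec is a directive, so it can be ordered.
    # maxmind_geolocation is a matcher and cannot appear in an order line.
    order crowdsec after error
    crowdsec {
        api_url http://crowdsec:8080
        # placeholder value carried over from the post
        api_key xxxxxxxxxxxxxxxxxxxxxxx
    }
}

(geofilter) {
    @mygeofilter {
        not maxmind_geolocation {
            db_path "/config/GeoLite2-Country.mmdb"
            allow_countries CA
        }
        not remote_ip 172.29.20.0/22
    }
    # error instead of respond: it is a directive the global order can
    # reference, and with no handle_errors block Caddy still answers 403.
    error @mygeofilter 403
}

(secure) {
    forward_auth {args[0]} authelia:9091 {
        uri /api/verify?rd=https://auth.domain.com
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
        header_up Host {upstream_hostport}
    }
}

auth.domain.com {
    reverse_proxy authelia:9091
}

news.domain.com {
    log {
        output file /var/log/caddy/miniflux.log
    }
    # route keeps these handlers in the written order regardless of the
    # global directive order: country check, then CrowdSec, then Authelia,
    # then the upstream.
    route {
        import geofilter
        crowdsec
        import secure *
        reverse_proxy miniflux:8080
    }
}
```

Running `caddy adapt --config /etc/caddy/Caddyfile --pretty` against this file shows the resulting handler chain for `news.domain.com` in the order listed inside `route`, which is the quickest way to confirm that the geofilter really is evaluated before `forward_auth`. If only the reply's suggestion is wanted (geofilter before CrowdSec, Authelia order untouched), drop the `route` wrapper and keep the `order crowdsec after error` line; the `error` directive then still sorts before `crowdsec` but after `forward_auth`.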
