crowdsecurity · sabban · Apr 15, 2025 · Apr 15, 2025 · Apr 16, 2025 · Apr 16, 2025
diff --git a/lib/crowdsec.lua b/lib/crowdsec.lua
@@ -50,10 +50,16 @@ end
 -- @param userAgent the user agent of the bouncer
 -- @return boolean: true if the init is successful, false otherwise
 function csmod.init(configFile, userAgent)
-  local conf, err = config.loadConfig(configFile)
+  local conf, err = config.loadConfig(configFile, true)
   if conf == nil then
     return nil, err
   end
+  local localConf, _ = config.loadConfig(configFile .. ".local", false)
+  if localConf ~= nil then
+    for k, v in pairs(localConf) do
+      conf[k] = v
+    end
+  end
   runtime.conf = conf
   runtime.userAgent = userAgent
   runtime.cache = ngx.shared.crowdsec_cache

diff --git a/lib/plugins/crowdsec/config.lua b/lib/plugins/crowdsec/config.lua
@@ -1,5 +1,34 @@
 local config = {}
 
+local valid_params = {'ENABLED', 'ENABLE_INTERNAL', 'API_URL', 'API_KEY', 'BOUNCING_ON_TYPE', 'MODE', 'SECRET_KEY', 'SITE_KEY', 'BAN_TEMPLATE_PATH' ,'CAPTCHA_TEMPLATE_PATH', 'REDIRECT_LOCATION', 'RET_CODE', 'CAPTCHA_RET_CODE', 'EXCLUDE_LOCATION', 'FALLBACK_REMEDIATION', 'CAPTCHA_PROVIDER', 'APPSEC_URL', 'APPSEC_FAILURE_ACTION', 'ALWAYS_SEND_TO_APPSEC', 'SSL_VERIFY'}
+local valid_int_params = {'CACHE_EXPIRATION', 'CACHE_SIZE', 'REQUEST_TIMEOUT', 'UPDATE_FREQUENCY', 'CAPTCHA_EXPIRATION', 'APPSEC_CONNECT_TIMEOUT', 'APPSEC_SEND_TIMEOUT', 'APPSEC_PROCESS_TIMEOUT', 'STREAM_REQUEST_TIMEOUT'}
+local valid_bouncing_on_type_values = {'ban', 'captcha', 'all'}
+local valid_truefalse_values = {'false', 'true'}
+local default_values = {
+    ['ENABLED'] = "true",
+    ['ENABLE_INTERNAL'] = "false",
+    ['API_URL'] = "",
+    ['REQUEST_TIMEOUT'] = 500,
+    ['STREAM_REQUEST_TIMEOUT'] = 15000,
+    ['BOUNCING_ON_TYPE'] = "ban",
+    ['MODE'] = "stream",
+    ['UPDATE_FREQUENCY'] = 10,
+    ['CAPTCHA_EXPIRATION'] = 3600,
+    ['REDIRECT_LOCATION'] = "",
+    ['EXCLUDE_LOCATION'] = {},
+    ['RET_CODE'] = 0,
+    ['CAPTCHA_PROVIDER'] = "recaptcha",
+    ['APPSEC_URL'] = "",
+    ['APPSEC_CONNECT_TIMEOUT'] = 100,
+    ['APPSEC_SEND_TIMEOUT'] = 100,
+    ['APPSEC_PROCESS_TIMEOUT'] = 500,
+    ['APPSEC_FAILURE_ACTION'] = "passthrough",
+    ['SSL_VERIFY'] = "true",
+    ['ALWAYS_SEND_TO_APPSEC'] = "false",
+    ['CAPTCHA_RET_CODE'] = 0,
+}
+
+
 function config.file_exists(file)
     local f = io.open(file, "rb")
     if f then
@@ -8,16 +37,8 @@ function config.file_exists(file)
     return f ~= nil
 end
 
-  function split(s, delimiter)
-    result = {};
-    for match in (s..delimiter):gmatch("(.-)"..delimiter.."(.-)") do
-        table.insert(result, match);
-    end
-    return result;
-end
-
 local function has_value (tab, val)
-    for index, value in ipairs(tab) do
+    for _, value in ipairs(tab) do
         if value == val then
             return true
         end
@@ -34,38 +55,16 @@ local function trim(s)
     return (string.gsub(s, "^%s*(.-)%s*$", "%1"))
 end
 
-function config.loadConfig(file)
+--- Load configuration from file
+-- called from crowdsec.lua
+-- @param file string path to the configuration file
+-- @param default boolean if true, load default values for missing parameters
+-- @return conf table with configuration values
+function config.loadConfig(file, default)
     if not config.file_exists(file) then
         return nil, "File ".. file .." doesn't exist"
     end
     local conf = {}
-    local valid_params = {'ENABLED', 'ENABLE_INTERNAL', 'API_URL', 'API_KEY', 'BOUNCING_ON_TYPE', 'MODE', 'SECRET_KEY', 'SITE_KEY', 'BAN_TEMPLATE_PATH' ,'CAPTCHA_TEMPLATE_PATH', 'REDIRECT_LOCATION', 'RET_CODE', 'CAPTCHA_RET_CODE', 'EXCLUDE_LOCATION', 'FALLBACK_REMEDIATION', 'CAPTCHA_PROVIDER', 'APPSEC_URL', 'APPSEC_FAILURE_ACTION', 'ALWAYS_SEND_TO_APPSEC', 'SSL_VERIFY'}
-    local valid_int_params = {'CACHE_EXPIRATION', 'CACHE_SIZE', 'REQUEST_TIMEOUT', 'UPDATE_FREQUENCY', 'CAPTCHA_EXPIRATION', 'APPSEC_CONNECT_TIMEOUT', 'APPSEC_SEND_TIMEOUT', 'APPSEC_PROCESS_TIMEOUT', 'STREAM_REQUEST_TIMEOUT'}
-    local valid_bouncing_on_type_values = {'ban', 'captcha', 'all'}
-    local valid_truefalse_values = {'false', 'true'}
-    local default_values = {
-        ['ENABLED'] = "true",
-        ['ENABLE_INTERNAL'] = "false",
-        ['API_URL'] = "",
-        ['REQUEST_TIMEOUT'] = 500,
-        ['STREAM_REQUEST_TIMEOUT'] = 15000,
-        ['BOUNCING_ON_TYPE'] = "ban",
-        ['MODE'] = "stream",
-        ['UPDATE_FREQUENCY'] = 10,
-        ['CAPTCHA_EXPIRATION'] = 3600,
-        ['REDIRECT_LOCATION'] = "",
-        ['EXCLUDE_LOCATION'] = {},
-        ['RET_CODE'] = 0,
-        ['CAPTCHA_PROVIDER'] = "recaptcha",
-        ['APPSEC_URL'] = "",
-        ['APPSEC_CONNECT_TIMEOUT'] = 100,
-        ['APPSEC_SEND_TIMEOUT'] = 100,
-        ['APPSEC_PROCESS_TIMEOUT'] = 500,
-        ['APPSEC_FAILURE_ACTION'] = "passthrough",
-        ['SSL_VERIFY'] = "true",
-        ['ALWAYS_SEND_TO_APPSEC'] = "false",
-        ['CAPTCHA_RET_CODE'] = 0,
-    }
     for line in io.lines(file) do
         local isOk = false
         if starts_with(line, "#") then
@@ -80,15 +79,15 @@ function config.loadConfig(file)
            ngx.log(ngx.ERR, "invalid configuration line: " .. line)
            break
         end
-            local key = trim(line:sub(1, sep_pos - 1))
+        local key = trim(line:sub(1, sep_pos - 1))
         local value = trim(line:sub(sep_pos + 1))
         if has_value(valid_params, key) then
             if key == "ENABLED" then
                 if not has_value(valid_truefalse_values, value) then
                     ngx.log(ngx.ERR, "unsupported value '" .. value .. "' for variable '" .. key .. "'. Using default value 'true' instead")
                     value = "true"
                 end
-              elseif key == "ENABLE_INTERNAL" then
+            elseif key == "ENABLE_INTERNAL" then
                 if not has_value(valid_truefalse_values, value) then
                     ngx.log(ngx.ERR, "unsupported value '" .. value .. "' for variable '" .. key .. "'. Using default value 'false' instead")
                     value = "false"
@@ -108,35 +107,41 @@ function config.loadConfig(file)
                 ngx.log(ngx.ERR, "unsupported value '" .. value .. "' for variable '" .. key .. "'. Using default value 'stream' instead")
                 value = "stream"
                 end
-            elseif key == "EXCLUDE_LOCATION" then
-                exclude_location = {}
-                if value ~= "" then
-                for match in (value..","):gmatch("(.-)"..",") do
-                    table.insert(exclude_location, match)
-                end
-                end
-                value = exclude_location
             elseif key == "FALLBACK_REMEDIATION" then
                 if not has_value({'captcha', 'ban'}, value) then
                 ngx.log(ngx.ERR, "unsupported value '" .. value .. "' for variable '" .. key .. "'. Using default value 'ban' instead")
                 value = "ban"
                 end
             end
-
             conf[key] = value
 
+            if key == "EXCLUDE_LOCATION" then
+                local exclude_location = {}
+                if value ~= "" then
+                for match in (value..","):gmatch("(.-)"..",") do
+                    table.insert(exclude_location, match)
+                end
+                end
+                conf[key] = exclude_location
+            end
+
+
         elseif has_value(valid_int_params, key) then
             conf[key] = tonumber(value)
         else
             ngx.log(ngx.ERR, "unsupported configuration '" .. key .. "'")
         end
+        end
     end
-    end
-    for k, v in pairs(default_values) do
-        if conf[k] == nil then
-            conf[k] = v
+    if default then
+        for k, v in pairs(default_values) do
+            if conf[k] == nil then
+                conf[k] = v
+            end
         end
     end
     return conf, nil
 end
+
+
 return config
diff --git a/t/16_lua_local_config.t b/t/16_lua_local_config.t
@@ -0,0 +1,62 @@
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: Load lua configuration
+
+--- main_config
+load_module /usr/share/nginx/modules/ndk_http_module.so;
+load_module /usr/share/nginx/modules/ngx_http_lua_module.so;
+
+--- http_config
+lua_package_path "./lib/?.lua;;";
+lua_shared_dict crowdsec_cache 50m;
+
+#  luacov -r lcov
+#  genhtml luacov.report.out -o destination_directory/
+init_by_lua_block {
+        cs = require "crowdsec"
+        local ok, err = cs.init("t/conf_t/16_conf_crowdsec_nginx_bouncer.conf", "crowdsec-nginx-bouncer/v1.0.8")
+        if ok == nil then
+                ngx.log(ngx.ERR, "[Crowdsec] " .. err)
+                error()
+        end
+        ngx.log(ngx.ALERT, "[Crowdsec] Initialisation done")
+}
+
+access_by_lua_block {
+        local cs = require "crowdsec"
+        if ngx.var.unix == "1" then
+                ngx.log(ngx.DEBUG, "[Crowdsec] Unix socket request ignoring...")
+        else
+                cs.Allow(ngx.var.remote_addr)
+        end
+}
+
+init_worker_by_lua_block {
+        cs = require "crowdsec"
+        local mode = cs.get_mode()
+        if string.lower(mode) == "stream" then
+           ngx.log(ngx.INFO, "Initilizing stream mode for worker " .. tostring(ngx.worker.id()))
+           cs.SetupStream()
+        end
+
+        if ngx.worker.id() == 0 then
+           ngx.log(ngx.INFO, "Initilizing metrics for worker " .. tostring(ngx.worker.id()))
+           cs.SetupMetrics()
+        end
+}
+
+--- config
+location = /t {
+    content_by_lua_block {
+        ngx.say("hello, world")
+    }
+}
+--- request
+GET /t
+--- response_body
+hello, world
+--- error_code: 200
diff --git a/t/conf_t/16_conf_crowdsec_nginx_bouncer.conf b/t/conf_t/16_conf_crowdsec_nginx_bouncer.conf
@@ -0,0 +1,29 @@
+APPSEC_URL=test
+ENABLED=true
+API_URL=http://127.0.0.1:8081
+API_KEY=LFrdL+aiecMTSxpGE9vLkx5sGMwdIpgVovpVMfXp3J0
+CACHE_EXPIRATION=1
+# bounce for all type of remediation that the bouncer can receive from the local API
+BOUNCING_ON_TYPE=all
+FALLBACK_REMEDIATION=ban
+REQUEST_TIMEOUT=3000
+UPDATE_FREQUENCY=10
+# live or stream
+MODE=live
+# exclude the bouncing on those location
+EXCLUDE_LOCATION=
+#those apply for "ban" action
+# /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE
+BAN_TEMPLATE_PATH=./ban
+REDIRECT_LOCATION=
+RET_CODE=
+#those apply for "captcha" action
+#valid providers are recaptcha, hcaptcha, turnstile
+CAPTCHA_PROVIDER=
+# Captcha Secret Key
+SECRET_KEY=
+# Captcha Site key
+SITE_KEY=
+CAPTCHA_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/captcha.html
+CAPTCHA_EXPIRATION=3600
+#METRICS_PERIOD=60
diff --git a/t/conf_t/16_conf_crowdsec_nginx_bouncer.conf.local b/t/conf_t/16_conf_crowdsec_nginx_bouncer.conf.local
@@ -0,0 +1,5 @@
+APPSEC_URL=http://127.0.0.1:7422
+ENABLED=true
+EXCLUDE_LOCATION=/v1/decisions
+#those apply for "ban" action
+# /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE