Merge branch 'main' into docs-rewrite

Erik 2025-05-06 22:13:27 +01:00 committed by GitHub
commit 155667f8e3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 288 additions and 3 deletions

View file

@ -15,7 +15,7 @@ import WgetQuickInstaller from "@site/src/components/WgetQuickInstaller";
## Using a VPS
If you need a VPS to run Pangolin, [RackNerd](https://my.racknerd.com/aff.php?aff=13788) is a great option, and often has generous promotions. More options can be found in our VPS guide.
If you need a VPS to run Pangolin, [RackNerd](https://my.racknerd.com/aff.php?aff=13788) is a great option, and often has generous promotions. More options can be found in our [VPS guide](./01-choosing-a-vps.md).
A good option is [**1 vCPU, 1GB RAM less than $1 a month**](https://my.racknerd.com/aff.php?aff=13788&pid=903).

View file

@ -0,0 +1,63 @@
# Zitadel
Follow these steps to integrate **Zitadel** with **Pangolin SSO** using OpenID Connect (OIDC).
## 1. Prerequisites
These instructions assume you have a working Zitadel organization and project setup already.
You need to configure an application in Zitadel:
1. Open an existing project and in `Applications` click `New`:
1. Set the name to something memorable (eg. Pangolin)
2. For `Type of application` choose `Web`
3. For `Authentication Method` choose `Code`
4. Leave `Redirect URIs` blank for now
5. When you click create, you'll be shown the `ClientSecret` and `ClientId`. Make sure to save these somewhere secure - you won't be able to see the Client Secret again.
2. Click `Token settings` then change `Auth Token Type` to `JWT` and check the `User Info inside ID Token` box finally hit `Save`
3. Open `URLs` and make note of:
- `Authorization Endpoint`
- `Token Endpoint`
## 2. Configure an Identity Provider in Pangolin
In Pangolin, go to `Identity Providers` and click `Add Identity Provider`:
1. Set the name to something memorable (eg. Zitadel)
2. In the `OAuth2/OIDC Configuration` section, fill the following fields:
1. `Client ID`: You should have the value for this from the Zitadel setup earlier
2. `Client Secret`: You should also have this value
3. `Authorization URL`: Use `Authorization Endpoint` from earlier
4. `Token URL`: Use `Token Endpoint` from earlier
3. In the `Token Configuration` section, set `Identifier Path` to `preferred_username`
When you're done, click `Create Identity Provider`.
Now copy the Redirect URL displayed in the `General Settings` section.
## 3. Complete the setup in your Zitadel application
Lastly, you need to edit your `Redirect Settings` in your Zitadel application. Add the URL you copied to the `Redirect URIs`, then hit the `+` button and finally `Save`.
## 4. Ready to Test!
The configuration is now complete. If you've configured a user (see below), try logging in!
## User Configuration in Pangolin
:::note
Username Configuration:
- Use the `Preferred login name` value from Zitadel as the username
- While Zitadel provides a `sub` claim in the JWT that matches the numeric user ID in Zitadel, we recommend using the preferred username for better user management and readability
:::
To create a user in an Organization, set the following:
- `User Type`: `External User`
- `Identity Provider`: The name you set for the identity provider (we'll assume `Zitadel` here)
- `Role`: Whatever role you want to give the user
The other fields are optional.
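Review bot: step 3 of the Pangolin section sets `Identifier Path` to `preferred_username`, and the closing note recommends it over `sub` for readability, but the guide should spell out the trade-off: OIDC does not guarantee `preferred_username` to be unique or stable (the spec says a relying party must not rely on it being unique), so if a Zitadel username is changed or re-issued to a different person, the Pangolin external user mapped to that name follows it; `sub` is the stable per-user identifier. Suggest adding one sentence saying that, and recommending `sub` where accounts are deprovisioned and names reused. Minor: `eg.` should be `e.g.` in both "memorable" steps, and the names `ClientSecret`/`ClientId` in the Zitadel steps do not match `Client ID`/`Client Secret` used in the Pangolin steps.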

View file

@ -1,5 +1,11 @@
# Overview
:::note
These are community written guides and are not officially supported. If you have any issues, please reach out to the authors or the community on [Discord](https://discord.gg/HCJR8Xhme4) or [Github discussions](https://github.com/orgs/fosrl/discussions).
:::
The modular design of this system enables the extension of its functionality through the integration of existing Traefik plugins, such as Crowdsec and Geoblock.
Additionally, Prometheus can collect metrics from both CrowdSec and Traefik, which can then be visualized in Grafana to monitor security events, request statistics, and traffic patterns in real time.
@ -9,7 +15,7 @@ For a complete list of available plugins, please refer to the [Plugin Catalog](h
### Crowdsec Bouncer
When installing Crowdsec via the Pangolin installer, the Crowdsec Traefik Bouncer will be automatically installed and configured by default. The configuration can be customized to meet your specific requirements. For detailed guidance, refer to the [documentation](https://docs.fossorial.io/Modules/crowdsec).
When installing Crowdsec via the Pangolin installer, the Crowdsec Traefik Bouncer will be automatically installed and configured by default. The configuration can be customized to meet your specific requirements.
The CrowdSec Bouncer plugin for Traefik integrates CrowdSecs security engine to block malicious traffic in real time. It runs as middleware within a Traefik container and enforces decisions based on CrowdSecs threat intelligence. This helps protect services from bots, attackers, and abusive IPs dynamically.
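Review bot: the rewritten Crowdsec Bouncer paragraph drops the link to the detailed documentation (`https://docs.fossorial.io/Modules/crowdsec`) without a replacement, even though this same commit adds a Crowdsec guide; point readers at that page with a relative link rather than leaving no pointer at all. Also `CrowdSecs` (twice in the last paragraph) needs an apostrophe, and the page alternates between `Crowdsec` and `CrowdSec`.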

View file

@ -0,0 +1,204 @@
# Crowdsec
:::note
This is a community guide and is not officially supported. If you have any issues, please reach out to the [author](https://github.com/Lokowitz).
:::
CrowdSec is a modern, open-source, collaborative behavior detection engine, integrated with a global IP reputation network. It functions as a massively multiplayer firewall, analyzing visitor behavior and responding appropriately to various types of attacks.
## Installation
Crowdsec can be installed using the Pangolin Installer.
## Configuration
By default, Crowdsec is installed with a basic configuration, which includes the [Crowdsec Bouncer Traefik plugin](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin).
### Choose the right logs
#### Syslog
For systems utilizing Syslog, the following volumes should be added to the `docker-compose.yml` file:
```yaml
service:
crowdsec:
volumes:
- /var/log/auth.log:/var/log/auth.log:ro
- /var/log/syslog:/var/log/syslog:ro
```
Create a `syslog.yaml` file under `/config/crowdsec/acquis.d` with the following content:
```yaml
filenames:
- /var/log/auth.log
- /var/log/syslog
labels:
type: syslog
```
#### Journalctl
To log iptables to journalctl, execute the following command on your host system:
```bash
iptables -A INPUT -j LOG --log-prefix "iptables: "
```
Update the `docker-compose.yml` file as follows:
```yaml
service:
crowdsec:
image: crowdsecurity/crowdsec:latest-debian
environment:
COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/linux crowdsecurity/iptables
volumes:
- ./config/crowdsec:/etc/crowdsec
- ./config/crowdsec/db:/var/lib/crowdsec/data
- ./config/traefik/logs:/var/log/traefik:ro
- /var/log/journal:/var/log/host:ro
```
Create a `journalctl.yaml` file under `/config/crowdsec/acquis.d` with the following content:
```yaml
source: journalctl
journalctl_filter:
- "--directory=/var/log/host/"
labels:
type: syslog
```
### Securing the Host System (SSH)
By default, only Traefik requests are secured through the Crowdsec bouncer. To extend protection to your host system (e.g., SSH), follow these steps to add a firewall bouncer:
1. Install the Crowdsec repositories. Refer to the [installation documentation](https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec/#install-our-repositories):
```bash
curl -s https://install.crowdsec.net | sudo sh
```
2. Install the firewall bouncer. For Debian/Ubuntu systems using IPTables, refer to the [documentation](https://docs.crowdsec.net/u/bouncers/firewall/):
```bash
sudo apt install crowdsec-firewall-bouncer-iptables
```
3. Create an API key for the firewall bouncer to communicate with your CrowdSec Docker container. ("vps-firewall" is a placeholder name for the key):
```bash
docker exec -it crowdsec cscli bouncers add vps-firewall
```
4. Copy the dispalyed API key and insert it into the bouncer's configuration file:
```bash
nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
```
5. Restart the firewall bouncer:
```bash
systemctl restart crowdsec-firewall-bouncer
```
6. Update the `docker-compose.yml` file to expose communication port `8080` for the CrowdSec container and restart the container:
```yaml
service:
crowdsec:
ports:
- 6060:6060 # Metrics port
- 8080:8080 # Local API port
```
:::warning
Dockers NAT-based port publishing feature automatically exposes all `ports:` defined in the `docker-compose` file on all network interfaces. This behavior can bypass your host firewall settings, potentially exposing services that you did not intend to make public.
Please see [complete warning about exposing ports](/Getting%20Started/dns-networking#ports-to-expose).
:::
7. Verify communication between the firewall bouncer and the CrowdSec container by running:
```bash
docker exec crowdsec cscli metrics
```
The output should look like this:
```bash
+------------------------------------------------------------------+
| Local API Bouncers Metrics |
+---------------------------+----------------------+--------+------+
| Bouncer | Route | Method | Hits |
+---------------------------+----------------------+--------+------+
| traefik-bouncer | /v1/decisions/stream | HEAD | 2 |
| traefik-bouncer@10.0.4.20 | /v1/decisions | GET | 3 |
| vps-firewall | /v1/decisions/stream | GET | 84 | <---------
+---------------------------+----------------------+--------+------+
```
## Custom Ban Page
To display a custom ban page to attackers, follow these steps:
1. Place a `ban.html` page in the `/config/traefik` directory. If you prefer not to create your own, you can download the official example:
```bash
wget https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/ban.html
```
2. Update the `/config/traefik/dynamic_config.yml` file to include the following:
```yaml
http:
middlewares:
crowdsec:
plugin:
crowdsec:
banHTMLFilePath: /etc/traefik/ban.html
```
## Custom Captcha Page
To use a custom captcha page, follow these steps:
1. Place a `captcha.html` page in the `/config/traefik` directory. If you don't want to create your own, you can download the official example:
```bash
wget https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/captcha.html
```
2. Update the `/config/traefik/dynamic_config.yml` file with the following configuration, replacing `<SERVICE>` with your captcha provider (e.g. hCaptcha, reCaptcha, Turnstile), and `<KEY>` with the appropriate site and secret keys:
```yaml
http:
middlewares:
crowdsec:
plugin:
crowdsec:
captchaHTMLFilePath: /etc/traefik/captcha.html
captchaGracePeriodSeconds: 300
captchaProvider: <SERVICE>
captchaSiteKey: <KEY>
captchaSecretKey: <KEY>
```
## Testing
You can test your configuration by adding a temporary ban or captcha for your IP. The ban will last for one minute.
To add a ban:
```bash
docker exec crowdsec cscli decisions add --ip <YOUR IP> -d 1m --type ban
```
To trigger a captcha challenge:
```bash
docker exec crowdsec cscli decisions add --ip <YOUR IP> -d 1m --type captcha
```
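Review bot: the two `wget` commands in the Custom Ban Page and Custom Captcha Page sections fetch `https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/ban.html` (and `captcha.html`), which is the GitHub file-viewer HTML page, not the template itself, so Traefik would serve that viewer page to blocked clients; use the raw URL (`https://raw.githubusercontent.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/main/ban.html`, likewise for `captcha.html`) and add `-O ban.html` so the file lands in `/config/traefik` under the name the middleware expects. Second, all three compose fragments use the top-level key `service:`; Compose expects `services:`, so the fragments fail validation as written. Third, in step 6 `- 8080:8080` publishes the Local API on every interface, which is exactly what the warning under it describes; since the firewall bouncer runs on the same host, `- 127.0.0.1:8080:8080` keeps it reachable for the bouncer without exposing it externally (the same applies to `6060` unless Prometheus scrapes it from another machine). Fourth, step 1 pipes `https://install.crowdsec.net` straight into `sudo sh`; suggest downloading the script and reviewing it before running it as root. Minor: `dispalyed` in step 4.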

View file

@ -1,5 +1,11 @@
# GeoBlock
:::note
This is a community guide and is not officially supported. If you have any issues, please reach out to the [author](https://github.com/Lokowitz).
:::
GeoBlock is a Traefik middleware that uses IP-based geolocation to allow or block traffic from specific countries. It helps enhance security and access control by restricting unwanted or potentially harmful connections based on geographic regions.
## Installation

View file

@ -1,5 +1,11 @@
# Metrics
:::note
This is a community guide and is not officially supported. If you have any issues, please reach out to the [author](https://github.com/Lokowitz).
:::
This is a basic example of collecting metrics from Traefik and CrowdSec using Prometheus and visualizing them with Grafana dashboards.
:::warning

View file

(binary image file changed; preview not rendered, 203 KiB before and after)

View file

@ -295,7 +295,7 @@ const PricingComponent = () => {
discounted by {discount.percentage}%
</>
) : (
<>Base price $125 + ${siteCount} x $5 per site</>
<>Base price $125 + {siteCount} x $5 per site</>
)}
</div>