Conversation

LePresidente (Contributor)

Fixes #27

This removes lua_ssl_trusted_certificate; through my testing, everything still works as expected on both SSL and normal sites.

@LePresidente (Contributor, Author)

Actually, according to the docs this is only required for the following, which doesn't even look used:

> Specifies a file path with trusted CA certificates in the PEM format used to verify the certificate of the SSL/TLS server in the tcpsock:sslhandshake method.

@he2ss (Member) commented Apr 5, 2022

We added this because when using captcha mode in the bouncer, it needs this to work.
Did you check that the captcha mode is still working?

@LePresidente (Contributor, Author)

I just tested this now using a V2 reCAPTCHA key (v2 tickbox) and it worked as expected.

@he2ss (Member) commented Apr 6, 2022

I just tested locally and I have the same issue as we faced when using captcha:

2022/04/06 10:44:10 [error] 11#11: *1 [lua] crowdsec.lua:444: Allow(): Error while validating captcha: no resolver defined to resolve "www.google.com", client: 172.17.0.1, server: localhost, request: "POST / HTTP/1.1", host: "helloworld.local", referrer: "http://helloworld.local/"

Did you check your error logs?
As the resolver is not found, the request is not banned if the captcha is wrong.

Also, I realized that you need to remove the lua_ssl_trusted_certificate from the ./openresty/crowdsec_openresty.conf file in the docker image. You forgot because you're using the install script instead of the docker image.

How to reproduce

  • Check out this PR
  • Remove line 3 from ./openresty/crowdsec_openresty.conf
  • Change Dockerfile line 20 to COPY ./openresty/crowdsec_openresty.conf /etc/nginx/conf.d/crowdsec_openresty.conf
  • Build the image, add a decision with type captcha and run the image with the secret and site key to have captcha running

@LePresidente (Contributor, Author) commented Apr 6, 2022

OK, I'm going to put this on hold for now. It is required for the captcha; I just don't think the overhead is worth it, so I'm going to try to figure out if this is possible to improve.

There is better performance using the single Google SSL CA certificate than the entire ca-certificates file.

LePresidente changed the title from "Removes lua_ssl_trusted_certificate from crowdsec_openresty.conf in Docker Mode" to "Allow the SSL_CERTS_PATH to be configurable in the install.sh file" on Apr 6, 2022
@LePresidente (Contributor, Author)

OK, changed my approach. I just need to be able to change the SSL_CERTS_PATH.

Using the existing ca-certificates.crt file, my RAM usage was 1.145GiB for my 7 vhosts.
Using the Google CA certificate directly, /etc/ssl/certs/GTS_root_R1.pem, with my 7 vhosts my RAM usage is at 104.6MiB with nothing else changed.

@LePresidente (Contributor, Author)

I'm not exactly sure what's causing the extreme memory usage, but this at least fixes it for my case.

Add resolver line to Docker image crowdsec_openresty.conf for testing
@LePresidente (Contributor, Author)

I did edit the Dockerfile to add the resolver line back into crowdsec_openresty.conf for testing, though.

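The thread above settles on two requirements for the bouncer's OpenResty config: a `lua_ssl_trusted_certificate` path that the installer lets you override (the full ca-certificates bundle or a single root such as GTS_root_R1.pem) and a `resolver` directive, without which the captcha verification request to www.google.com fails with "no resolver defined". The following is an added example, not the project's install.sh or crowdsec_openresty.conf, of how an installer can take `SSL_CERTS_PATH` from the environment, refuse a file that is unreadable or contains no PEM certificate, and emit both directives. The function name `render_crowdsec_conf`, the `RESOLVER` variable and its default of 127.0.0.11 (Docker's embedded DNS) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the project's own install.sh): make the CA bundle used by
# lua_ssl_trusted_certificate configurable via SSL_CERTS_PATH, sanity-check the
# file, and emit the resolver line the captcha check depends on.
# Assumed names: render_crowdsec_conf, pem_cert_count, RESOLVER, default 127.0.0.11.

# Count PEM certificate blocks in a file. Prints 0 (not an error) for a file
# with no certificates; the caller decides whether that is acceptable.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Render the two directives. Arguments: [CA file path] [resolver address];
# both fall back to SSL_CERTS_PATH / RESOLVER from the environment, then to
# the distro bundle and Docker's embedded DNS. Prints the directives on
# success; prints a diagnostic to stderr and returns 1 on a bad CA file.
render_crowdsec_conf() {
    certs_path="${1:-${SSL_CERTS_PATH:-/etc/ssl/certs/ca-certificates.crt}}"
    resolver="${2:-${RESOLVER:-127.0.0.11}}"   # assumption: Docker embedded DNS
    if [ ! -r "$certs_path" ]; then
        echo "error: CA file not readable: $certs_path" >&2
        return 1
    fi
    n=$(pem_cert_count "$certs_path")
    if [ "$n" -eq 0 ]; then
        echo "error: no PEM certificates found in $certs_path" >&2
        return 1
    fi
    # The trust store is used by Lua cosocket TLS (tcpsock:sslhandshake), which
    # is what the captcha verification call to www.google.com goes through.
    printf 'lua_ssl_trusted_certificate %s;\n' "$certs_path"
    # Without a resolver, ngx_lua cannot resolve hostnames from Lua and the
    # captcha check fails open ("no resolver defined to resolve ...").
    printf 'resolver %s ipv6=off;\n' "$resolver"
    printf '# %s certificate(s) in trust store\n' "$n"
}

# Usage: SSL_CERTS_PATH=/etc/ssl/certs/GTS_root_R1.pem sh this.sh
if [ "${0##*/}" != "sh" ] && [ -n "${SSL_CERTS_PATH:-}" ]; then
    render_crowdsec_conf
fi
```

Pinning the trust store to the single root that issues the captcha endpoint's certificate keeps the store small, which is the effect measured in the thread, but it also means the bouncer breaks silently (captcha verification errors, and with them the fail-open path) if that root is ever rotated, so whoever sets `SSL_CERTS_PATH` to a single certificate should monitor the error log for TLS verification failures rather than assume the smaller file is a free win.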
@LePresidente LePresidente requested a review from he2ss April 6, 2022 16:34
@he2ss (Member) left a comment

👍

@he2ss he2ss merged commit 90212ad into crowdsecurity:main Apr 7, 2022
Development
Successfully merging this pull request may close these issues.

[Docker] lua_ssl_trusted_certificate causes a Memory Leak/Crash on certain systems