LAB-linuxserver/docker-mods
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-mods.git synced 2026-03-23 00:05:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #861 from linuxserver/swag-crowdsec-http2

Browse Source 
Update readme with lua/http2 issue notes
This commit is contained in:
aptalca 2024-03-08 10:14:28 -05:00 committed by GitHub
commit d06a2bba55
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
README.md
View File

@ -4,8 +4,10 @@
Make sure that the line below, under virtual hosts, is in your nginx.conf, otherwise crowdsec-bouncer will not work. More information here https://info.linuxserver.io/issues/2022-08-20-nginx-base/
# Includes virtual hosts configs.
include /etc/nginx/http.d/*.conf;
```nginx
# Includes virtual hosts configs.
include /etc/nginx/http.d/*.conf;
```
This mod adds the [CrowdSec](https://crowdsec.net) [nginx bouncer](https://github.com/crowdsecurity/cs-nginx-bouncer/) to SWAG, to be installed/updated during container start.
@ -39,6 +41,28 @@ Set the following environment variables on your SWAG container.
The variables need to remain in place while you are using the mod. If you remove **required** variables the bouncer will be disabled the next time you recreate the container, if you remove **optional** variables the associated features will be disabled the next time you recreate the container.
### Captcha & AppSec Limitations
Due to limitations in the nginx Lua module, if you enable Captcha or AppSec support in the bouncer you cannot safely use http/2 for any of your services. By default Swag ships with http/2 enabled, and so this will need to be changed in any and all active proxy confs as well as the default.conf. For example, in the [subdomain template conf](https://github.com/linuxserver/reverse-proxy-confs/blob/master/_template.subdomain.conf.sample#L9-L10) you would replace
```nginx
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
```
with
```nginx
server {
listen 443 ssl;
listen [::]:443 ssl;
```
You can automate this using something like `find /path/to/swag/config/nginx -name "*.conf" -type f -exec sed -i -E 's/^(\s+listen.*)http2(.*)/\1\2/g' {} \;`
If you are not using Captcha or AppSec components make sure to omit or leave blank the related environment variables to avoid causing unnecessary issues.
### reCAPTCHA Support Notes
If you're using the reCAPTCHA capability and you're running in an IPv4-only environment then you need to edit your `/config/nginx/resolver.conf` and add `ipv6=off` to the end of the `resolver` statement otherwise the bouncer will attempt to contact the reCAPTCHA endpoint over IPv6 and fail.