New config param to allow ban checking on internal requests. (#69)

2024-08-23 11:31:45 +01:00 · 2024-08-23 11:31:45 +01:00 · 5249a8c4e8
commit 5249a8c4e8
parent ec3885e6f9
3 changed files with 14 additions and 5 deletions
--- a/config_example.conf
+++ b/config_example.conf
@ -7,6 +7,9 @@ BOUNCING_ON_TYPE=all
 FALLBACK_REMEDIATION=ban
 REQUEST_TIMEOUT=3000
 UPDATE_FREQUENCY=10
+# By default internal requests are ignored, such as any path affected by rewrite rule.
+# set ENABLE_INTERNAL=true to allow checking on these internal requests.
+ENABLE_INTERNAL=false
 # live or stream
 MODE=live
 # exclude the bouncing on those location
--- a/lib/crowdsec.lua
+++ b/lib/crowdsec.lua
@ -608,7 +608,7 @@ function csmod.Allow(ip)
    ngx.exit(ngx.DECLINED)
  end

-  if ngx.req.is_internal() then
+  if runtime.conf["ENABLE_INTERNAL"] == "false" and ngx.req.is_internal() then
    ngx.exit(ngx.DECLINED)
  end

--- a/lib/plugins/crowdsec/config.lua
+++ b/lib/plugins/crowdsec/config.lua
@ -39,12 +39,13 @@ function config.loadConfig(file)
        return nil, "File ".. file .." doesn't exist"
    end
    local conf = {}
-    local valid_params = {'ENABLED','API_URL', 'API_KEY', 'BOUNCING_ON_TYPE', 'MODE', 'SECRET_KEY', 'SITE_KEY', 'BAN_TEMPLATE_PATH' ,'CAPTCHA_TEMPLATE_PATH', 'REDIRECT_LOCATION', 'RET_CODE', 'EXCLUDE_LOCATION', 'FALLBACK_REMEDIATION', 'CAPTCHA_PROVIDER', 'APPSEC_URL', 'APPSEC_FAILURE_ACTION', 'ALWAYS_SEND_TO_APPSEC', 'SSL_VERIFY'}
+    local valid_params = {'ENABLED', 'ENABLE_INTERNAL', 'API_URL', 'API_KEY', 'BOUNCING_ON_TYPE', 'MODE', 'SECRET_KEY', 'SITE_KEY', 'BAN_TEMPLATE_PATH' ,'CAPTCHA_TEMPLATE_PATH', 'REDIRECT_LOCATION', 'RET_CODE', 'EXCLUDE_LOCATION', 'FALLBACK_REMEDIATION', 'CAPTCHA_PROVIDER', 'APPSEC_URL', 'APPSEC_FAILURE_ACTION', 'ALWAYS_SEND_TO_APPSEC', 'SSL_VERIFY'}
    local valid_int_params = {'CACHE_EXPIRATION', 'CACHE_SIZE', 'REQUEST_TIMEOUT', 'UPDATE_FREQUENCY', 'CAPTCHA_EXPIRATION', 'APPSEC_CONNECT_TIMEOUT', 'APPSEC_SEND_TIMEOUT', 'APPSEC_PROCESS_TIMEOUT', 'STREAM_REQUEST_TIMEOUT'}
    local valid_bouncing_on_type_values = {'ban', 'captcha', 'all'}
    local valid_truefalse_values = {'false', 'true'}
    local default_values = {
        ['ENABLED'] = "true",
+        ['ENABLE_INTERNAL'] = "false",
        ['API_URL'] = "",
        ['REQUEST_TIMEOUT'] = 500,
        ['STREAM_REQUEST_TIMEOUT'] = 15000,
@ -87,6 +88,11 @@ function config.loadConfig(file)
                    ngx.log(ngx.ERR, "unsupported value '" .. value .. "' for variable '" .. key .. "'. Using default value 'true' instead")
                    value = "true"
                end
+              elseif key == "ENABLE_INTERNAL" then
+                if not has_value(valid_truefalse_values, value) then
+                    ngx.log(ngx.ERR, "unsupported value '" .. value .. "' for variable '" .. key .. "'. Using default value 'false' instead")
+                    value = "false"
+                end
            elseif key == "BOUNCING_ON_TYPE" then
                if not has_value(valid_bouncing_on_type_values, value) then
                    ngx.log(ngx.ERR, "unsupported value '" .. value .. "' for variable '" .. key .. "'. Using default value 'ban' instead")