When we added support for appsec, we thought about a "scheme" to connect to the LAPI and Appsec.
Because we already have a lot of variables, we decided not to add support by default for different supported schemes.
We wanted to see if it was really needed before implementing it.
I believe it needs at least 2 variables, scheme + insecure, and 2 objects in the bouncer httpClient containing a tlsconfig.
It is added to the todo list; we will update you soon.
Yeah, I understand the desire not to add a bunch more configuration options, but unfortunately, the way Crowdsec have implemented their appsec component, it's perfectly legitimate to have your bouncer talking to a central LAPI endpoint for normal decisions but a local crowdsec instance for appsec - and in a docker setup that means that configuring https for that appsec instance is a lot of work for little gain, because you can push it all over a private docker network.
In the meantime I'm sending all my appsec traffic back to the central LAPI to keep everything secure, and the latency isn't a huge issue in my setup, but it would be nice to be able to split them up.
Is your feature request related to a problem? Please describe. 🐛
Currently (or rather in the RC) the appsec and LAPI endpoints both use crowdsecLapiScheme https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/pull/123/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R79 but there are scenarios where this doesn't work - such as pointing at a central LAPI service served over https and a local appsec service over an internal docker network served over http.
Describe the solution you'd like ✨
Allow separate schemes for LAPI and Appsec endpoints
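A sketch of the split discussed in this thread (a scheme plus an insecure flag per endpoint, and one HTTP client with its own TLS config for each). This is an added example, not the plugin's code: the `Endpoint` type, `NewClient`, the host names and the choice to reject the insecure flag on a plaintext endpoint are all assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Endpoint is a hypothetical per-service setting (not the plugin's real
// option names): LAPI and AppSec each get their own scheme and TLS flag.
type Endpoint struct {
	Scheme, Host       string
	InsecureSkipVerify bool
}

// NewClient validates one endpoint and returns its base URL plus a dedicated
// http.Client, so relaxing TLS for one service never affects the other.
func NewClient(e Endpoint) (*url.URL, *http.Client, error) {
	if e.Scheme != "http" && e.Scheme != "https" {
		return nil, nil, fmt.Errorf("unsupported scheme %q", e.Scheme)
	}
	if e.Host == "" {
		return nil, nil, fmt.Errorf("empty host")
	}
	if e.Scheme == "http" && e.InsecureSkipVerify {
		return nil, nil, fmt.Errorf("insecure flag set on a plaintext endpoint")
	}
	tr := &http.Transport{}
	if e.Scheme == "https" {
		tr.TLSClientConfig = &tls.Config{
			MinVersion:         tls.VersionTLS12,
			InsecureSkipVerify: e.InsecureSkipVerify,
		}
	}
	base := &url.URL{Scheme: e.Scheme, Host: e.Host}
	return base, &http.Client{Transport: tr, Timeout: 5 * time.Second}, nil
}

func main() {
	// Constructed hosts: central LAPI over HTTPS, local AppSec over HTTP.
	for _, e := range []Endpoint{
		{Scheme: "https", Host: "lapi.example.internal:8080"},
		{Scheme: "http", Host: "crowdsec:7422"},
	} {
		base, _, err := NewClient(e)
		fmt.Println(base, err)
	}
}
```

Keeping the plaintext AppSec endpoint on a private network, as described in the thread, is what makes the `http` case acceptable; the LAPI client keeps certificate verification on unless its own flag is set.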