From ce2da582e6fbf2e99e67b40e9208e0c9204c361e Mon Sep 17 00:00:00 2001
From: rohow
Date: Thu, 31 Oct 2024 19:00:59 +0800
Subject: [PATCH] =?UTF-8?q?fix(crowdsec):=20=E4=BC=98=E5=8C=96=E9=99=90?= =?UTF-8?q?=E9=80=9F=E7=9B=B8=E5=85=B3=E9=85=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/infra/monitor/crowdsec/helmchart.yaml | 5 ++++-
 apps/infra/net/nginx/helmchart.yaml | 12 ++++++++----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/apps/infra/monitor/crowdsec/helmchart.yaml b/apps/infra/monitor/crowdsec/helmchart.yaml
index c566113..fb85b30 100644
--- a/apps/infra/monitor/crowdsec/helmchart.yaml
+++ b/apps/infra/monitor/crowdsec/helmchart.yaml
@@ -76,7 +76,10 @@ spec:
 profiles.yaml: |
 name: captcha_remediation
 filters:
- - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http" && GetDecisionsSinceCount(Alert.GetValue(), "24h") <= 3
+ # 规则过滤条件 1.范围为Ip 2.触发场景为http或nginx 3.24小时内决策次数小于等于3
+ - Alert.Remediation == true && Alert.GetScope() == "Ip" &&
+ (Alert.GetScenario() contains "http" || Alert.GetScenario() contains "nginx") &&
+ GetDecisionsSinceCount(Alert.GetValue(), "24h") <= 3
 decisions:
 - type: captcha
 duration: 4h
diff --git a/apps/infra/net/nginx/helmchart.yaml b/apps/infra/net/nginx/helmchart.yaml
index 09def10..c9d95ff 100644
--- a/apps/infra/net/nginx/helmchart.yaml
+++ b/apps/infra/net/nginx/helmchart.yaml
@@ -35,6 +35,8 @@ spec:
 # 自定义错误页面
 custom-http-errors: "403,404,502,503"
 http-snippet: |
+ # lua插件配置
+ lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
 # 缓存配置
 proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=cache:2m max_size=100m inactive=7d use_temp_path=off;
 proxy_cache_key $uri$is_args$args;
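Review bot: The captcha filter is now split over three lines inside a YAML sequence item (the three `+` lines starting at `- Alert.Remediation == true`), so the two continuation lines must be indented deeper than the `- ` indicator for the profile loader to read them as one plain scalar; the collapsed diff does not let that indentation be checked here, so confirm the profile still parses (for example with `cscli`) and consider writing a multi-line expression as a `>-` folded scalar so the intent is explicit. Widening the match to scenarios containing "nginx" also means more alerts reach this captcha profile before any later ban profile, which only matters if `on_success: break` is set on it; that key is outside the hunk. The enclosing `profiles.yaml: |` block scalar starts before this hunk.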
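Review bot: `lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` sets the trust store but leaves `lua_ssl_verify_depth` at its default of 1, which can reject chains carrying more than one intermediate; if the purpose is to let the Lua bouncer verify TLS to the CrowdSec LAPI or the captcha provider, pin the depth next to it, e.g. `lua_ssl_verify_depth 3;`. Whether verification is actually requested depends on the bouncer's own TLS-verify setting and on that bundle existing in the controller image, neither of which is visible here, so the comment `# lua插件配置` would be more useful as `# lua插件配置: 供 bouncer 校验 LAPI/验证码服务的 TLS 证书`. The `http-snippet` block continues past this hunk.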
@@ -42,12 +44,12 @@ spec:
 proxy_cache_use_stale updating;
 # 限速配置
 limit_req_zone $binary_remote_addr zone=global_limit:10m rate=10r/s;
- server-snippet : |
- # dns配置
+ server-snippet: |
+ # dns配置 配置在http块下会出现重复配置 所以配置在server块下
 resolver 169.254.20.10 10.43.0.10 ipv6=off;
 location-snippet: |
 # 限速配置
- limit_req zone=global_limit burst=30 nodelay;
+ limit_req zone=global_limit burst=20 nodelay;
 # 启用geoip2模块
 use-geoip: "false"
 use-geoip2: "true"
@@ -102,7 +104,7 @@ spec:
 plugins: "crowdsec"
 lua-shared-dicts: "crowdsec_cache: 50m"
 # 启用geoip2模块
- maxmindLicenseKey: "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"
+ maxmindLicenseKey: "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"
 extraArgs:
 default-ssl-certificate: "infra-net/dev-cm-crt"
 # crowdsec插件配置
@@ -117,6 +119,8 @@ spec:
 value: "rgILO2mh/t+30LMvzyyMXbfHRmDfBkDDkhEflzHaoQ0"
 - name: BOUNCER_CONFIG
 value: "/crowdsec/crowdsec-bouncer.conf"
+ - name: MODE
+ value: "stream"
 - name: CAPTCHA_PROVIDER
 value: "turnstile"
 - name: SITE_KEY
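Review bot: `limit_req zone=global_limit burst=20 nodelay;` is only a per-client limit if `$binary_remote_addr` (the zone key in the context line above) holds the real client address; behind a load balancer without proxy-protocol or forwarded-headers handling every request shares one bucket and the whole ingress throttles at 10r/s. That setting is not in this hunk, so it is worth confirming before tightening the burst. Throttled requests currently surface as 503 and fall into the `custom-http-errors` page configured in the first hunk of this file, which makes rate limiting indistinguishable from backend outages in logs and for CrowdSec parsers; adding `limit_req_status 429;` after the limit_req line keeps the two apart.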
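Review bot: The MaxMind license key is still committed in clear text; replacing the literal on the `maxmindLicenseKey:` line leaves the previous key in git history and the new one readable by anyone with repository access. Move the value into a Kubernetes Secret (sealed or externally synced) and reference it from the values rather than inlining it, and treat the replaced key as exposed until it is revoked on the provider side. The opaque token at the top of the last hunk (`value: "rgILO2mh/…"`) looks like an API key and would benefit from the same treatment, though its `- name:` line is outside the hunk.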
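Review bot: Switching the bouncer to stream mode (`- name: MODE` / `value: "stream"`) makes enforcement latency depend on the pull interval, which this change does not set: a fresh LAPI decision is not applied until the next refresh, and the whole decision set is held in the `crowdsec_cache: 50m` shared dict from the previous hunk. If this deployment reads the bouncer's `UPDATE_FREQUENCY` from the environment like the other settings here, set it explicitly beside MODE so the refresh window is deliberate rather than a default, and size the dict against the expected number of decisions, especially if community blocklists feed this LAPI. The surrounding `env` list continues past this hunk.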