@sbs2001
Last active November 15, 2021 11:18

Crowdsec X Fastly Integration

This integration would allow Fastly users to detect and remediate malicious IPs using CrowdSec. It works in three parts:

  1. Fastly's ability to forward logs to a syslog server of the user's choice is used to ship the edge logs.
  2. CrowdSec consumes the logs from the syslog server, detects malicious IPs and publishes its decisions to the Fastly bouncer.
  3. The Fastly bouncer changes the Fastly configuration to enforce the decisions made by CrowdSec.

The following proposal covers (3).

Fastly Bouncer

Objectives

  1. The bouncer implements captcha and block remediations.
  2. It can apply these remediations at the level of IP, IP range, AS and Country.
  3. It deploys the infrastructure required for (2).
  4. It allows cleaning up the infrastructure it deployed.

Architecture

(Architecture diagram)

Fastly's serverless functions would be used to present and validate the captcha. The bouncer provisions this itself, so no change to the protected application is required.

The VCL would contain rules that reference ACLs (Access Control Lists) and decide whether to allow, deny or captcha a request. ACLs are used only for IP and IP range scoped remediations.

Country and AS scoped remediations cannot be expressed as ACL entries, since ACLs match only on addresses, so the bouncer would handle them by rewriting the rules in place.

After the initial setup, the bouncer would:

  1. Sync CrowdSec's decisions into the ACLs.
  2. Update the rules whenever AS or country scoped decisions are received.
  3. Maintain the state of the ACLs and the rules.
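The rule generation described above, as an added example that is not part of the gist or of the CrowdSec project: IP and range decisions are matched through ACLs, while Country and AS decisions are spliced into the rule text itself (the "in place" update). `client.geo.country_code` and `client.as.number` are documented Fastly VCL variables; the ACL names, the 601 pseudo-status used to hand off to the captcha, the `/crowdsec-captcha` path and the sample decisions are assumptions made for illustration.

```python
# Added example, not the gist's code: render CrowdSec decisions as Fastly VCL.
# ACL names, the 601 pseudo-status and the captcha path are assumptions.
import re
from collections import defaultdict

# Constructed sample decisions; the fields mirror CrowdSec LAPI decision objects.
SAMPLE_DECISIONS = [
    {"scope": "Ip", "value": "203.0.113.7", "type": "ban"},
    {"scope": "Range", "value": "198.51.100.0/24", "type": "captcha"},
    {"scope": "Country", "value": "zz", "type": "ban"},          # ZZ: ISO user-assigned code, placeholder
    {"scope": "AS", "value": "64496", "type": "captcha"},        # AS64496: documentation ASN
    {"scope": "Ip", "value": "203.0.113.9", "type": "throttle"}, # unsupported remediation, ignored
]

SUPPORTED = ("ban", "captcha")  # evaluated in this order so a ban wins over a captcha


def group_decisions(decisions):
    """Split decisions by remediation into ACL-bound values and rule-only values."""
    acl_values = defaultdict(list)  # remediation -> [ip or cidr]
    countries = defaultdict(set)    # remediation -> {ISO country codes}
    asns = defaultdict(set)         # remediation -> {AS numbers}
    for d in decisions:
        rtype = d["type"]
        if rtype not in SUPPORTED:
            continue
        if d["scope"] in ("Ip", "Range"):
            acl_values[rtype].append(d["value"])
        elif d["scope"] == "Country":
            code = d["value"].upper()
            if not re.fullmatch(r"[A-Z]{2}", code):
                raise ValueError(f"bad country code: {d['value']!r}")  # never splice unchecked text into VCL
            countries[rtype].add(code)
        elif d["scope"] == "AS":
            asns[rtype].add(int(d["value"]))  # int() rejects anything that is not a number
    return acl_values, countries, asns


def render_vcl(acl_names, countries, asns, captcha_path="/crowdsec-captcha"):
    """Build vcl_recv/vcl_error with one condition block per remediation.

    acl_names maps a remediation to the ACL names that hold its IPs/ranges
    (several per remediation once the 1000-entry limit forces sharding).
    """
    actions = {"ban": 'error 403 "Forbidden";', "captcha": 'error 601 "captcha";'}
    out = ["sub vcl_recv {"]
    for rtype in SUPPORTED:
        conds = [f"client.ip ~ {name}" for name in acl_names.get(rtype, [])]
        if countries.get(rtype):
            conds.append('client.geo.country_code ~ "^(%s)$"' % "|".join(sorted(countries[rtype])))
        conds += [f"client.as.number == {n}" for n in sorted(asns.get(rtype, ()))]
        if conds:
            out.append(f"  if ({' || '.join(conds)}) {{ {actions[rtype]} }}")
    out.append("}")
    out += [
        "sub vcl_error {",
        "  if (obj.status == 601) {",  # captcha: send the client to the edge function
        "    set obj.status = 302;",
        f'    set obj.http.Location = "{captcha_path}";',
        "    return(deliver);",
        "  }",
        "}",
    ]
    return "\n".join(out)


if __name__ == "__main__":
    acl_values, countries, asns = group_decisions(SAMPLE_DECISIONS)
    names = {"ban": ["crowdsec_ban_0"], "captcha": ["crowdsec_captcha_0"]}  # assumed ACL names
    print(render_vcl(names, countries, asns))
```

The ban block is emitted before the captcha block so that an address covered by both decisions is denied rather than challenged. In a real deployment the captcha condition would also exempt requests that carry the token the edge function issues after a solved captcha; that check belongs to the function's design and is not shown here.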

Implementation

The bouncer would rely heavily on Fastly's Terraform provider. This approach has the following benefits:

  1. Infrastructure state management comes for free (handled by Terraform).
  2. No code is needed to call the Fastly API directly, so API changes are absorbed by upgrading the provider rather than by maintaining the bouncer.

One tricky thing to handle is ACLs: one ACL can contain at most 1,000 entries. To get around this, multiple ACLs would be created and new entries distributed across them.

So effectively the code would:

  1. Construct the initial Terraform config from the details the user provides.
  2. Update the Terraform file and run terraform apply.

Note: Terraform's JSON syntax would be used.

The code would be written in Python, because JSON is easy to manipulate there and it is fast to write.
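The ACL sharding and the Terraform JSON generation from the two paragraphs above, as an added example that is not the gist's or the project's code. It assumes the `fastly_service_vcl` and `fastly_service_acl_entries` resources with their `acl` and `entry` block shapes as documented for the Fastly provider at the time of writing (verify against the provider version you pin); the service name, domain, `crowdsec_<remediation>_<n>` naming scheme and the sample addresses are made up for illustration.

```python
# Added example, not the gist's code: shard IP/range decisions into ACLs of at
# most 1000 entries and emit the Terraform JSON the bouncer would apply.
# Resource/block names follow the Fastly provider docs (assumption: check your
# pinned version); service name, domain and ACL naming are illustrative.
import ipaddress
import json

ACL_MAX_ENTRIES = 1000  # per-ACL limit cited in the proposal


def shard_values(values, max_entries=ACL_MAX_ENTRIES):
    """Validate and deduplicate IPs/CIDRs, then cut the sorted list into ACL-sized chunks."""
    nets = {}
    for v in values:
        net = ipaddress.ip_network(v, strict=False)  # "203.0.113.7" -> 203.0.113.7/32; garbage raises ValueError
        nets[str(net)] = net
    ordered = sorted(nets.values(), key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [ordered[i:i + max_entries] for i in range(0, len(ordered), max_entries)]


def acl_name(rtype, index):
    return f"crowdsec_{rtype}_{index}"  # naming scheme is an assumption


def terraform_config(service_name, domain, shards_by_type):
    """Return a Terraform JSON document: one ACL per shard plus the resource holding its entries."""
    acl_blocks, entry_resources = [], {}
    for rtype, shards in shards_by_type.items():
        for i, shard in enumerate(shards):
            name = acl_name(rtype, i)
            acl_blocks.append({"name": name})
            entry_resources[name] = {
                "service_id": "${fastly_service_vcl.app.id}",
                # look the ACL id up by name on the service resource once Fastly has created it
                "acl_id": '${one([for a in fastly_service_vcl.app.acl : a.acl_id if a.name == "%s"])}' % name,
                "manage_entries": True,  # Terraform owns the full entry set, so expired decisions are removed
                "entry": [
                    {"ip": str(n.network_address), "subnet": str(n.prefixlen), "comment": "crowdsec"}
                    for n in shard
                ],
            }
    resources = {
        "fastly_service_vcl": {
            "app": {
                "name": service_name,
                "domain": [{"name": domain}],
                "acl": acl_blocks,
                # the custom VCL that references these ACLs would be attached as a "vcl" block
            }
        }
    }
    if entry_resources:
        resources["fastly_service_acl_entries"] = entry_resources
    return {"resource": resources}


if __name__ == "__main__":
    # constructed sample: a duplicate single IP plus a range, all banned
    sample = {"ban": shard_values(["203.0.113.7", "203.0.113.7", "198.51.100.0/24"])}
    print(json.dumps(terraform_config("crowdsec-demo", "www.example.com", sample), indent=2))
```

The bouncer writes the returned document to a `.tf.json` file and runs `terraform apply`. Chunking a sorted list is the simplest way to meet the limit, but inserting an address can shift later entries into the next shard and produce a noisy plan; a placement that keeps existing entries where they are (for example, filling shards in order and only moving entries on removal) would keep applies smaller.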
