Integrating CrowdSec with Traefik: interview with Fabien, developer of CrowdSec Traefik bouncer
We were so lucky to get an interview with early CrowdSec supporter and contributor of the CrowdSec Traefik bouncer Fabien Bonalair.
The Traefik bouncer empowers existing Traefik Proxy users to mitigate security threats from attackers directly in Traefik. Obviously, this is terrific – especially in a K8s environment where blocking traffic using a host firewall can be quite cumbersome.
Fabien is a really great guy and a valuable member of both the Traefik and the Crowdsec communities. So we hope you’ll enjoy hearing more about his background and incentives for creating the bouncer and engaging in both FOSS projects.
Can you tell us a bit about you and your background?
My name is Fabien Bonalair, I am 29 years old and born in the Caribbean, on a small island called Guadeloupe. My family crossed the ocean to Paris to study, where I obtained a Master of Plant Biology. Finding a job in a plant laboratory while being based in Paris is quite difficult, so I converted myself to a software developer. Fast forward a couple of transition headaches and years later, I am working at SFEIR, a technology consultancy in France. There I had a project with Romain Viau, our security wizard with whom I had a couple of eye-openers in security. To illustrate my knowledge of security back then in an anecdotal way, I was utterly surprised when he told me that when you filled out an account creation form, the “only” thing protecting your clear-text password, on the public internet, was HTTPS encryption.
Were you already a Traefik user? What do you use it for?
Also on the topic of security, Romain made me discover and appreciate Kubernetes (K8s), so I decided to switch my sandbox from OpenBSD to K8s, half knowing the rabbit hole I jumped into. I did not want to become a K8s expert, so I looked for an “easy” way in with K3s. Kudos to the K3s project because they are doing an excellent job and removing a lot of K8s complexity! Also, they’ve chosen to preload Traefik as an ingress which kickstarted this adventure.
What makes Traefik different from other ways to do a reverse proxy?
Based on my understanding, the K3s project chose Traefik because it is container-native and lightweight. Quite an important criteria for me, since I’ve put together a couple of leftover, old computers and am calling it a sandbox cluster.
During one of my cluster reinstallations, I decided to upgrade everything and went to version 2 of Traefik and look for what it has to offer. I was not ready for the plethora of features! What I really like is the dynamic config combined with Custom Resource Definition (CRD). A simple config file, a command line and a couple of seconds later you have a container, exposed to the internet without restarting anything or experiencing any downtime of services!
That ease kinda launched me into a “what more can I host on this cluster?” mindset, looking for another container to add to this Frankenstein cluster.
What was it about CrowdSec that made you want to engage in the project?
You hear news of hacks, security breaches, and leaks every week but at the same time, security is kinda left over as an afterthought – like something you should care about when you get the time at some undefined time in the future. On top of that, my Frankenstein cluster died again, so I decided to focus on security for this iteration.
Diving back into my flashbacks of OpenBSD, an ocean of guides and foggy memories, I stumbled into Fail2Ban. Nice software, the concept is interesting, though a bit too outdated and didn’t meet my container criteria. After searching for related software I found CrowdSec, that was the lighthouse I was looking for!
First of all, the web page was not a wiki, but a full-fledged website, with schemas for general understanding. I personally don’t like doing Front-End development but their work, together with UI and UX designers are mandatory. Kudos to you guys, that makes the advertised “Ease of use” much more plausible.
Secondly, CrowdSec met my criteria of being containerized, GDPR compliant, and did not need it to act as a reverse proxy. Since I already had Traefik and loved it, I did not need further protection.
Lastly, it was free and the cherry on top was the collaborative aspect: What better way to fight the tsunamis of internet trolls … than to use the entirety of the internet !?
Why did you choose to do a Traefik bouncer?
After checking both Traefik and Crowdsec documentation and doing some thought experiments, I could connect them thanks to Traefik’s middleware, ForwardAuth, and CrowdSec’s bouncer system. Plus, I discovered Golang recently and needed a web project without a front end to try the language: that was the perfect alignment of stars!
But first, I had to make CrowdSec work in the cluster and thanks to he2ss on the CrowdSec Discourse (CrowdSec developer Hamza Essahely), I managed to do it. Now I had a CrowdSec agent working and saw that the CrowdSec team was responsive and worked on a Traefik parser. My boat was now ready to sail.
Could you tell us about the development process of the bouncer?
Definitely not to my work standard, mainly because I happily hopped into another rabbit hole without seeing the bottom and forgot that it was on my personal time … But still, I wanted to implement some best practices like Cloud Native, Hexagonal Architecture, Service Statelessness, Containerization, Continuous Delivery to name a few. Doing that for work with a team is already a challenge but as a hobby? There are huge waves ahead! Mad respects for Free and Open Source software maintainers.
By the way, if some Golang expert could peer review my project, that would be awesome! Would anyone in the Traefik community, for instance, be up for that?
How did you find out how to do it?
Quite simple on digital paper: try something, crash into a reef, search for a solution, spend time on documentation, discover something new, repeat. In reality? That is a bit masochistic, but I guess that is how I learn in software development.
To give some examples of the questions :
- How does Traefik ForwardAuth middleware work? HTTP request.
- How do I get a HTTP request in Golang? Gin framework.
- How do I communicate with CrowdSec Agent? CrowdSec Swagger.
- How do I do Continuous Delivery? Github Actions.
- And of course, how on earth do I glue everything and code in Golang ?! Golang Doc
Maybe it is time for me to say that I like both Traefik and CrowdSec documentation? Could not have made a thing without them.
Both CrowdSec and Traefik have gained a lot of attention because of your bouncer. What do you think of that and how does it make you feel?
You may have guessed it but that bouncer was a project for fun and learning. I felt like a pirate – of the Caribbean (okay, I went too far with the sea theme) with this “hack” around Traefik ForwardAuth middleware because, I am pretty sure this was not the intent when they made it. Was it? If someone at Traefik could confirm, it would be interesting to know.
Anyway, although I am glad people have a use for my piece of code, I must say, success was not expected at all. It definitely feels nice being cited for my work and it’s fun to hear people trying to say my name.
What piece of advice would you give to someone who would start contributing to the Crowdsec project?
It is dangerous to go alone! Take this CrowdSec. Don’t think too much and go for it. One thing I discovered with this project is that any contribution is nice. CrowdSec is interesting, it makes security look simple and we definitely need more of that instead of it being reserved for some bold, long-bearded digital wizard. Plus my interaction with people at CrowdSec Team was always nice, and they are quite reactive if you have questions.
Last but not least, by design and it is even in the name, the project is collaborative so we need you.