infra 문서 업데이트: SafeLine 실시간 파이프라인, APISIX HA, 2.5G 수정

- crowdsec-safeline: SafeLine→CrowdSec 실시간 파이프라인 (PG LISTEN/NOTIFY, safeline-listener, :8088 acquisition), log-collector, ddos-detect 문서화 - apisix: K3s APISIX replica 2, etcd replica 3 HA 업그레이드 반영 - infra-hosts: APISIX HA, 2.5G USB autosuspend 장애 및 해결 기록, SafeLine 실시간 트래픽 흐름 추가 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 14:47:14 +09:00
parent dd43daaa0e
commit 8383326b03
3 changed files with 91 additions and 11 deletions
--- a/infra/crowdsec-safeline.md
+++ b/infra/crowdsec-safeline.md
@@ -1,6 +1,6 @@
 ---
 title: CrowdSec 및 SafeLine WAF
-updated: 2026-04-03
+updated: 2026-04-04
 ---

 ## CrowdSec LAPI
@@ -48,6 +48,75 @@ APISIX (global_rules http-logger 플러그인)
 | 인증 | `Authorization: apisix-crowdsec-log-2024` |
 | 파서 | `custom/apisix-json-logs` (로컬) |

+### APISIX → log-collector → CrowdSec (sandbox-tokyo)
+
+```
+sandbox-tokyo APISIX http-logger
+  → log-collector (jp1 crowdsec 컨테이너, :8087)
+  → SQLite (/var/lib/log-collector/requests.db)
+  → CrowdSec HTTP acquisition (:8085/apisix-logs) 포워딩
+```
+
+| 항목 | 값 |
+|------|-----|
+| log-collector | Go HTTP 서버, `/usr/local/bin/log-collector` (jp1 crowdsec 컨테이너) |
+| 소스 | jp1 `~/log-collector/main.go` |
+| 수신 포트 | 8087 |
+| 인증 | `Authorization: apisix-crowdsec-log-2024` |
+| SQLite | `/var/lib/log-collector/requests.db` |
+| 기능 | APISIX 로그 수신 → SQLite 저장 → CrowdSec 포워딩, 타임스탬프 밀리초 보정 |
+
+### SafeLine → CrowdSec (실시간, PG LISTEN/NOTIFY)
+
+```
+SafeLine WAF 차단 → mgt_detect_log_basic INSERT
+  → PG 트리거 (notify_detect_log) → pg_notify('safeline_detect', JSON)
+  → safeline-listener (kr2, Go) → detail 테이블 enrichment (x-real-ip, user-agent)
+  → CrowdSec HTTP acquisition (:8088/safeline-logs)
+  → custom/safeline-http-logs 파서
+  → custom/safeline-waf-blocked 시나리오 (trigger, 즉시 밴)
+```
+
+| 항목 | 값 |
+|------|-----|
+| safeline-listener | Go, `/usr/local/bin/safeline-listener` (kr2) |
+| 소스 | kr2 `~/safeline-listener/main.go` |
+| systemd | `safeline-listener.service` (kr2) |
+| PG DSN | SafeLine CE DB (10.43.8.243:5432, safeline-ce) |
+| CrowdSec 포트 | 8088 |
+| 인증 | `Authorization: safeline-crowdsec-2026` |
+| acquis 설정 | `/etc/crowdsec/acquis.d/safeline-http.yaml` |
+| 파서 | `custom/safeline-http-logs` (`/etc/crowdsec/parsers/s01-parse/safeline-http-logs.yaml`) |
+| 시나리오 | `custom/safeline-waf-blocked` (trigger 타입, 즉시 밴) |
+| enrichment | req_header에서 `x-real-ip`, `user-agent` 추출, detail 테이블에서 method/payload 조회 |
+
+PG 트리거 (SafeLine CE DB에 설치):
+```sql
+CREATE OR REPLACE FUNCTION notify_detect_log() RETURNS trigger AS $$
+BEGIN
+  PERFORM pg_notify('safeline_detect', json_build_object(
+    'id', NEW.id, 'ts', NEW.created_at,
+    'src_ip', NEW.src_ip, 'host', NEW.host,
+    'url_path', NEW.url_path, 'attack_type', NEW.attack_type
+  )::text);
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER trg_detect_log
+  AFTER INSERT ON mgt_detect_log_basic
+  FOR EACH ROW EXECUTE FUNCTION notify_detect_log();
+```
+
+### ddos-detect (AI 행위 분석)
+
+| 항목 | 값 |
+|------|-----|
+| 위치 | jp1 crowdsec 컨테이너 `/var/lib/log-collector/ddos-detect/` |
+| Gitea | `gitea.inouter.com/kaffa/ddos-detect` |
+| 기능 | SQLite 폴링 → IP별 행위 패턴 추출 → Claude AI 분석 → cscli 자동 밴 |
+| 설정 | `config.yaml` (poll 60s, Claude sonnet, ban 4h, max_workers 3) |
+
 ### 리얼 IP 처리

 | 경로 | 설정 | source IP 추출 |