From fc5ca7fbe3c31f00eb74947061acba6fdcf1f92e Mon Sep 17 00:00:00 2001 From: kappa Date: Sat, 28 Mar 2026 10:34:44 +0900 Subject: [PATCH] =?UTF-8?q?docs:=20cf-worker-bouncer=20=EC=9A=B4=EC=98=81?= =?UTF-8?q?=20=EC=A0=88=EC=B0=A8=20=EB=B0=8F=20sed=20-i=20=EC=A3=BC?= =?UTF-8?q?=EC=9D=98=EC=82=AC=ED=95=AD=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- infra/crowdsec-safeline.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/infra/crowdsec-safeline.md b/infra/crowdsec-safeline.md index 243b659..22ae89d 100644 --- a/infra/crowdsec-safeline.md +++ b/infra/crowdsec-safeline.md @@ -1,6 +1,6 @@ --- title: CrowdSec 및 SafeLine WAF -updated: 2026-03-18 +updated: 2026-03-28 --- ## DB 테이블 
@@ -15,6 +15,27 @@ DB 테이블은 blocklist (ip PK, reason, origin, expires_at), verified_ips, met Bouncer 목록: [[apisix]]-waf-bouncer, bunny-cdn-bouncer, cs-[[cloudflare|cf]]-worker-bouncer +### cs-cf-worker-bouncer 상세 + +- **위치**: jp1 Incus `cs-cf-worker-bouncer` 컨테이너 +- **설정**: `/etc/crowdsec/bouncers/crowdsec-cloudflare-worker-bouncer.yaml` +- **정본**: `gitea.inouter.com/kaffa/k3s-config` → `crowdsec/crowdsec-cloudflare-worker-bouncer.yaml` +- **LAPI**: `http://10.253.100.240:8080` (jp1 `crowdsec` 컨테이너) +- **동기화 주기**: 10초 (decision stream polling) +- **방식**: CrowdSec LAPI → bouncer → Cloudflare Worker KV (bloom filter) → Worker에서 IP 차단/captcha +- **보호 zone**: keepanker.cv, actions.it.com, ironclad.it.com, inouter.com, servidor.it.com +- **Turnstile**: 5개 zone 모두 managed 모드, 168시간마다 secret key 자동 로테이션 + +#### 설정 변경 시 주의 + +**`sed -i` 사용 금지** — Incus 컨테이너 내에서 `sed -i`로 파일 수정 시 이전 내용이 파일 끝에 남아 YAML이 깨짐. 반드시 전체 파일을 덮어쓰는 방식으로 변경: + +```bash +# 올바른 방법: 로컬에서 수정 후 전체 파일 push +cat updated-config.yaml | ssh incus-jp1 "incus file push - cs-cf-worker-bouncer/etc/crowdsec/bouncers/crowdsec-cloudflare-worker-bouncer.yaml" +ssh incus-jp1 "incus exec cs-cf-worker-bouncer -- systemctl restart crowdsec-cloudflare-worker-bouncer" +``` + ### bunny-cdn-bouncer 상세 - **동기화**: jp1 `infra-tool` 컨테이너, `/opt/crowdsec-bouncer/bouncer.py`
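Review bot: the `sed -i` warning under `#### 설정 변경 시 주의` gives the symptom (old content left at the end of the file, YAML broken) but not the cause, and that is not how GNU `sed -i` normally behaves (it writes a temporary file and renames it over the original), so the note should record how the edit was actually run (through `incus exec ... sh -c`, on a host-side mount, or with an editor) or link the incident; otherwise a later reader cannot tell whether the ban covers `sed -i` in general or one invocation path. In the ```bash block the service is restarted immediately after the push with no check in between; suggest adding a validation step between the two commands, for example pulling the file back with `incus file pull` and diffing it against the local copy, or running the bouncer's own config validation if it provides one, and finishing with `systemctl status` or `journalctl -u crowdsec-cloudflare-worker-bouncer` so that a broken config is noticed before decision syncing stops. Minor: `cat updated-config.yaml | ssh ...` can be written as `ssh incus-jp1 "incus file push - ..." < updated-config.yaml`. Since the `**정본**` line points at a git repository copy of the bouncer YAML, the section should also say whether the credentials the bouncer needs are stored there or templated in, so `updated-config.yaml` is not assumed to be committable as-is.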