was-cf/README.md
kappa d5440630f5 Update documentation with current infrastructure state
- Update all resource IDs to match current deployment
- CloudFront Distribution: EATJ1HDQU8V51
- WAF Web ACL: d61073b6-27b1-473e-aa9f-d2aa4a4c75a6
- WAF IP Set: a9e47946-c186-4b28-83a8-fe3aeb9c296b
- ACM Certificate: b011e60a-1ea1-4dd3-844f-e0851ece4784
- Route53 Zone: Z01934581JQAF2GS71GG
- Reflect enabled ACM certificate and Route53 DNS management
- Update all AWS CLI commands with correct resource IDs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-09 15:32:35 +09:00


# AWS CloudFront + CrowdSec WAF Integration
🛡️ AWS CloudFront CDN with real-time CrowdSec threat protection via Lambda integration.
## 🏗️ Architecture
```
CrowdSec Container → API Gateway → Lambda → AWS WAF → CloudFront Distribution
```
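As an added example (not the project's own `lambda-crowdsec-waf.py`), this is the decision-merging step the Lambda in the chain above has to get right before it writes to WAF: every CrowdSec value is validated and normalised to the CIDR form WAF accepts, only `ban` decisions with scope `Ip` or `Range` are applied, entries of the wrong address family are dropped, and the write carries the `LockToken` that `wafv2` requires. The `{"new": [...], "deleted": [...]}` body shape, the sample data and the function names are assumptions.

```python
import ipaddress
import json

# Constructed sample body in the assumed CrowdSec LAPI stream shape (not real data).
SAMPLE_BODY = {
    "new": [{"scope": "Ip", "type": "ban", "value": "203.0.113.7"},
            {"scope": "Range", "type": "ban", "value": "198.51.100.0/24"},
            {"scope": "Ip", "type": "captcha", "value": "192.0.2.9"},
            {"scope": "Ip", "type": "ban", "value": "2001:db8::1"},
            {"scope": "Ip", "type": "ban", "value": "not-an-ip"}],
    "deleted": [{"scope": "Ip", "type": "ban", "value": "192.0.2.1"}],
}

def to_cidr(value, version):
    """WAF-style CIDR for a value, or None if it is not a valid address of the set's version."""
    try:
        net = ipaddress.ip_network(value, strict=False)  # bare IP -> /32 or /128
    except ValueError:
        return None  # malformed input must never reach update_ip_set
    return str(net) if net.version == version else None  # no mixed v4/v6 sets

def merge_decisions(current, body, version=4, max_entries=10000):
    """Apply stream decisions: only 'ban' with scope Ip/Range is honoured, deletes
    run first so a re-ban in the same batch wins, output is sorted for diffing."""
    if isinstance(body, str):
        body = json.loads(body)
    addresses = set(current)
    for d in body.get("deleted") or []:
        addresses.discard(to_cidr(d.get("value", ""), version))
    for d in body.get("new") or []:
        if d.get("type") == "ban" and d.get("scope") in ("Ip", "Range"):
            cidr = to_cidr(d.get("value", ""), version)
            if cidr:
                addresses.add(cidr)
    result = sorted(addresses, key=ipaddress.ip_network)
    if len(result) > max_entries:  # WAF's per-IP-set ceiling: fail loudly
        raise ValueError(f"IP set would exceed {max_entries} entries")
    return result

def push_to_waf(ip_set_id, name, addresses, region="us-east-1"):
    """Write with the LockToken WAF requires (optimistic concurrency: a stale
    token means another writer won, so the caller should re-read and retry)."""
    import boto3  # imported here so the logic above stays testable offline
    waf = boto3.client("wafv2", region_name=region)
    cur = waf.get_ip_set(Scope="CLOUDFRONT", Id=ip_set_id, Name=name)
    if sorted(cur["IPSet"]["Addresses"], key=ipaddress.ip_network) == addresses:
        return False  # no change: skip the write
    waf.update_ip_set(Scope="CLOUDFRONT", Id=ip_set_id, Name=name,
                      Addresses=addresses, LockToken=cur["LockToken"])
    return True
```

`push_to_waf` needs AWS credentials and `boto3`; `merge_decisions` runs offline and is what to unit-test before deploying a change to the updater.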
## 📋 Project Overview
- **CloudFront Distribution**: `EATJ1HDQU8V51`
- **Origin Server**: `origin.servidor.it.com` (HTTP-only)
- **WAF Protection**: Real-time IP blocking via CrowdSec
- **Custom Domains**: `servidor.it.com`, `www.servidor.it.com`
- **ACM Certificate**: `b011e60a-1ea1-4dd3-844f-e0851ece4784`
## 🚀 Quick Start
```bash
# 1. Deploy infrastructure
tofu init
tofu apply
# 2. Configure CrowdSec
incus exec crowdsec -- cscli collections install crowdsecurity/nginx-proxy-manager
# 3. Verify WAF configuration
aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
--id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
--name aws-cf-dev-blocked-ips
```
## 📊 Key Resources
- **CloudFront URL**: https://d2mhxhntq3ezzr.cloudfront.net
- **WAF Web ACL ID**: `d61073b6-27b1-473e-aa9f-d2aa4a4c75a6`
- **WAF IP Set ID**: `a9e47946-c186-4b28-83a8-fe3aeb9c296b`
- **Route53 Zone ID**: `Z01934581JQAF2GS71GG`
## 🛡️ Security Features
1. **Priority 1**: CrowdSec real-time IP blocking
2. **Priority 2**: Rate limiting (10K requests per 5 min)
3. **Priority 3**: AWS Managed Common Rules
4. **Priority 4**: AWS Managed Bad Input Rules
## 📁 Project Structure
```
├── README.md # This file
├── CLAUDE.md # Development guide for Claude Code
├── DEPLOYMENT_GUIDE.md # Detailed deployment instructions
├── CROWDSEC-WAF-INTEGRATION.md # CrowdSec integration documentation
├── main.tf # CloudFront and core infrastructure
├── security.tf # WAF and security configurations
├── lambda.tf # CrowdSec Lambda integration
├── lambda-crowdsec-waf.py # Lambda function code
└── terraform.tfvars # Configuration variables
```
## 📚 Documentation
- **🚀 [Deployment Guide](DEPLOYMENT_GUIDE.md)** - Complete deployment instructions
- **🛡️ [CrowdSec Integration](CROWDSEC-WAF-INTEGRATION.md)** - Real-time security setup
- **🔧 [Development Guide](CLAUDE.md)** - Claude Code specific instructions
## ⚡ Common Commands
```bash
# Check WAF blocked IPs
aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
--id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
--name aws-cf-dev-blocked-ips \
--query 'IPSet.Addresses'
# Monitor CrowdSec decisions
incus exec crowdsec -- cscli decisions list
# View Lambda logs
aws logs tail /aws/lambda/aws-cf-dev-crowdsec-waf-updater --follow
```
---
**Status**: ✅ Production Ready | **Last Updated**: 2025-09-09