Update documentation for LAPI self registration #623

Merged
merged 3 commits into from
Sep 20, 2024
50 changes: 49 additions & 1 deletion crowdsec-docs/docs/configuration/crowdsec_configuration.md
Expand Up @@ -193,6 +193,11 @@ api:
#- 127.0.0.1
#- ::1
#- 10.0.0.0/24
auto_registration:
enabled: <true|false>
token: <string>
allowed_ranges:
- 10.0.0.0/24
prometheus:
enabled: "(true|false)"
level: "(full|aggregated)"
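Review bot: the placeholder style of the added keys is inconsistent with the neighbouring `prometheus` block at the bottom of this hunk, which quotes its alternatives (`enabled: "(true|false)"`) while the new keys use unquoted angle brackets (`enabled: <true|false>`, `token: <string>`); pick one convention for this file so the reference reads uniformly.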
Expand Down Expand Up @@ -706,7 +711,11 @@ api:
- bouncers_ou
crl_path: "<path_to_crl_file>"
cache_expiration: "<cache_duration_for_revocation_check>"

auto_registration:
enabled: <true|false>
token: <string>
allowed_ranges:
- 10.0.0.0/24
```

#### `cti`
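Review bot: this copy of the block is separated from `cache_expiration` by a blank line, unlike the other two insertions of the same block in this file; since `crl_path` and `cache_expiration` belong to `tls`, double-check the indentation so that `auto_registration` lands as a sibling of `tls` under `server` (the user guide refers to it as `api.server.auto_registration`), and drop the blank line for consistency with the other hunks.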
Expand Down Expand Up @@ -808,6 +817,11 @@ server:
- bouncers_ou
crl_path: "<path_to_crl_file>"
cache_expiration: "<cache_duration_for_revocation_check>"
auto_registration:
enabled: <true|false>
token: <string>
allowed_ranges:
- 10.0.0.0/24
```

##### `enable`
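Review bot: `allowed_ranges` shows a concrete network (`- 10.0.0.0/24`) where the rest of this reference template uses descriptive placeholders such as `crl_path: "<path_to_crl_file>"`; a placeholder like `- <cidr>` would make clear this is a list of ranges to fill in rather than a recommended value. The same applies to the two earlier copies of the block in this file.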
Expand Down Expand Up @@ -953,6 +967,40 @@ The format must be compatible with golang [time.Duration](https://pkg.go.dev/tim
IPs or IP ranges which have admin access to API. The APIs would still need to have API keys.
127.0.0.1 and ::1 are always given admin access whether specified or not.

#### `auto_registration`

This section configures LAPI to automatically accept new machine registrations

```yaml
auto_registration:
enabled: <true|false>
token: <string>
allowed_ranges:
- 10.0.0.0/24
```

##### `enabled`
> bool

Whether automatic registration should be enabled.

Defaults to `false`.

##### `token`
> string

Token that should be passed in the registration request if LAPI needs to automatically validate the machine.

It must be at least 32 chars, and is mandatory if the feature is enabled.

##### `allowed_ranges`
> []string

IP ranges that are allowed to use the auto registration features.

It must have at least one entry if the feature is enabled


### `prometheus`

This section is used by local API and crowdsec.
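Review bot: the new `auto_registration` section says `token` and `allowed_ranges` are mandatory when the feature is enabled but doesn't say how a violation surfaces (does LAPI refuse to start, or is the feature silently disabled?); please state it. It also doesn't mention that a request without a token goes through normal registration and that a wrong token is refused, which only the user guide states; a one-line cross-reference to the machines management guide would help. Minor: 'This section configures LAPI to automatically accept new machine registrations' and 'It must have at least one entry if the feature is enabled' are missing their final period.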
39 changes: 39 additions & 0 deletions crowdsec-docs/unversioned/user_guides/machines_management.mdx
Expand Up @@ -101,3 +101,42 @@ import CodeBlock from '@theme/CodeBlock';
</TabItem>

</Tabs>

### Machine auto validation

:::warning

If you enabled this feature, make sure to restrict the IP ranges as much as possible.

Any rogue machine registered in your LAPI will be able to push arbitrary alerts, and potentially lock you out.

:::

In some situation, it's not practical to manually create or validate new machines in LAPI (eg, when running in an environment that uses auto-scaling).

It is possible to configure LAPI to automatically accept new machines upon creation with the `api.server.auto_registration` section:

```yaml
api:
server:
auto_registration:
enabled: true
token: "long_token_that_is_at_least_32_characters_long"
allowed_ranges:
- 10.2.0.42/32
- 10.0.0.0/24
```

You have to specify both the `token` and `allowed_ranges`.

Once the configuration is done, you can pass the token to your registration request with the `--token` parameter:

```bash
cscli lapi register --machine my_machine --token long_token_that_is_at_least_32_characters_long
```

If the token is valid and the request is coming from an authorized IP range, LAPI will automatically validate the machine and it will be able to login without any further configuration.

If no token is sent, LAPI will treat the request as a normal registration, regardless of the configuration.

If a token is set but invalid, the request will be refused.
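Review bot: the guide says LAPI checks that the request comes from an authorized IP range, but doesn't say which address is checked when LAPI sits behind a reverse proxy or load balancer; in that setup the source address LAPI sees may be the proxy's, so either every agent is rejected or every client of the proxy matches the range, which undermines the warning's advice to restrict ranges as much as possible. Please document how the source IP is determined in that case. Also worth a sentence: the token passed via `--token` on the `cscli lapi register` command line ends up in shell history and process listings, so readers should know whether another way to supply it exists. Grammar: 'In some situation' should be 'In some situations', 'eg,' should be 'e.g.,', and 'able to login' should be 'able to log in'.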