add standalone mode

Author: mobula9

.gitignore

@@ -16,4 +16,5 @@ crowdsec-wp*
 .cache/
 *.log
 .vagrant
-.env
+.env
+inc/standalone-settings.php

crowdsec.php

@@ -30,6 +30,8 @@ class WordpressCrowdSecBouncerException extends \RuntimeException
 }
 
 require_once __DIR__.'/inc/constants.php';
+$crowdsecRandomLogFolder = get_option('crowdsec_random_log_folder') ?: '';
+crowdsecDefineConstants($crowdsecRandomLogFolder);
 require_once __DIR__.'/inc/scheduling.php';
 require_once __DIR__.'/inc/plugin-setup.php';
 register_activation_hook(__FILE__, 'activate_crowdsec_plugin');
@@ -38,7 +40,4 @@ class WordpressCrowdSecBouncerException extends \RuntimeException
 require_once __DIR__.'/inc/admin/init.php';
 require_once __DIR__.'/inc/bounce-current-ip.php';
 
-// Apply bouncing via Wordpress instanciation, only if standalone mode is disabled.
-if ((bool) get_option('crowdsec_standalone_mode')) {
-    add_action('plugins_loaded', 'safelyBounceCurrentIp');
-}
+add_action('plugins_loaded', 'safelyBounceCurrentIp');

docker-compose.yml

@@ -28,7 +28,7 @@ services:
         build:
             context: .
             dockerfile: ./docker/php-${CS_WORDPRESS_BOUNCER_PHP_VERSION}.Dockerfile
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         depends_on:
@@ -46,12 +46,13 @@ services:
             - "80:80"
         volumes:
             - .:/var/www/html/wp-content/plugins/cs-wordpress-bouncer:rw
+            - ./docker/tests.htaccess:/var/www/html/.htaccess:rw
 
     wordpress5-5:
         build:
             context: .
             dockerfile: ./docker/wp5.5/php-${CS_WORDPRESS_BOUNCER_PHP_VERSION}.Dockerfile
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         depends_on:
@@ -69,12 +70,13 @@ services:
             - "80:80"
         volumes:
             - .:/var/www/html/wp-content/plugins/cs-wordpress-bouncer:rw
-    
+            - ./docker/tests.htaccess:/var/www/html/.htaccess:rw
+
     wordpress5-4:
         build:
             context: .
             dockerfile: ./docker/wp5.4/php-${CS_WORDPRESS_BOUNCER_PHP_VERSION}.Dockerfile
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         depends_on:
@@ -92,12 +94,13 @@ services:
             - "80:80"
         volumes:
             - .:/var/www/html/wp-content/plugins/cs-wordpress-bouncer:rw
-    
+            - ./docker/tests.htaccess:/var/www/html/.htaccess:rw
+
     wordpress5-3:
         build:
             context: .
             dockerfile: ./docker/wp5.3/php-${CS_WORDPRESS_BOUNCER_PHP_VERSION}.Dockerfile
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         depends_on:
@@ -115,12 +118,13 @@ services:
             - "80:80"
         volumes:
             - .:/var/www/html/wp-content/plugins/cs-wordpress-bouncer:rw
+            - ./docker/tests.htaccess:/var/www/html/.htaccess:rw
 
     wordpress5-2:
         build:
             context: .
             dockerfile: ./docker/wp5.2/php-${CS_WORDPRESS_BOUNCER_PHP_VERSION}.Dockerfile
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         depends_on:
@@ -138,12 +142,13 @@ services:
             - "80:80"
         volumes:
             - .:/var/www/html/wp-content/plugins/cs-wordpress-bouncer:rw
+            - ./docker/tests.htaccess:/var/www/html/.htaccess:rw
 
     wordpress5-1:
         build:
             context: .
             dockerfile: ./docker/wp5.1/php-${CS_WORDPRESS_BOUNCER_PHP_VERSION}.Dockerfile
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         depends_on:
@@ -166,7 +171,7 @@ services:
         build:
             context: .
             dockerfile: ./docker/wp5.0/php-${CS_WORDPRESS_BOUNCER_PHP_VERSION}.Dockerfile
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         depends_on:
@@ -184,12 +189,13 @@ services:
             - "80:80"
         volumes:
             - .:/var/www/html/wp-content/plugins/cs-wordpress-bouncer:rw
+            - ./docker/tests.htaccess:/var/www/html/.htaccess:rw
 
     wordpress4-9:
         build:
             context: .
             dockerfile: ./docker/wp4.9/php-${CS_WORDPRESS_BOUNCER_PHP_VERSION}.Dockerfile
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         depends_on:
@@ -207,10 +213,11 @@ services:
             - "80:80"
         volumes:
             - .:/var/www/html/wp-content/plugins/cs-wordpress-bouncer:rw
+            - ./docker/tests.htaccess:/var/www/html/.htaccess:rw
 
     crowdsec:
         image: crowdsecurity/crowdsec:latest
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         environment:
@@ -219,30 +226,30 @@ services:
             - "8051:8080"
     mysql:
         image: mysql:5.7
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         environment:
             - MYSQL_ROOT_PASSWORD=super_secret_password
             - MYSQL_DATABASE=wordpress
     redis:
         image: redis:6-alpine
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
     memcached:
         image: memcached:1-alpine
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
     wpscan:
         image: wpscanteam/wpscan
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
     e2e:
         image: mcr.microsoft.com/playwright:focal
-        networks: 
+        networks:
             - wordpress_bouncer_network_ipv4
             - wordpress_bouncer_network_ipv6
         environment:
@@ -269,11 +276,11 @@ networks:
         enable_ipv6: false
         ipam:
             config:
-                -   subnet: ${NETWORK_SUBNET}
+                - subnet: ${NETWORK_SUBNET}
     wordpress_bouncer_network_ipv6:
         name: wordpress_bouncer_network
         enable_ipv6: true
         ipam:
             config:
-                -   subnet: 2001:3200:3200::/64
-                    gateway: 2001:3200:3200::1
+                - subnet: 2001:3200:3200::/64
+                  gateway: 2001:3200:3200::1

docker/tests.htaccess

@@ -0,0 +1,16 @@
+
+# BEGIN WordPress
+# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
+# dynamically generated, and should only be modified via WordPress filters.
+# Any changes to the directives between these markers will be overwritten.
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+RewriteBase /
+RewriteRule ^index\.php$ - [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /index.php [L]
+</IfModule>
+
+# END WordPress

inc/Bounce.php

@@ -1,5 +1,7 @@
 <?php
 
+require_once __DIR__.'/constants.php';
+
 use CrowdSecBouncer\AbstractBounce;
 use CrowdSecBouncer\Bouncer;
 use CrowdSecBouncer\Constants;
@@ -20,28 +22,26 @@ class Bounce extends AbstractBounce implements IBounce
     public function init(array $crowdSecConfig): bool
     {
         $this->settings = $crowdSecConfig;
+        $crowdsecRandomLogFolder = $this->settings['crowdsec_random_log_folder'];
+        crowdsecDefineConstants($crowdsecRandomLogFolder);
         $this->initLogger();
 
         return true;
     }
 
     protected function getSettings(string $name)
     {
-        if (!array_key_exists($name, $this->settings)) {
-            $this->settings[$name] = get_option($name);
-        }
-
         return $this->settings[$name];
     }
 
     protected function escape(string $value)
     {
-        return esc_attr($value);
+        return htmlspecialchars($value, \ENT_QUOTES, 'UTF-8');
     }
 
     protected function specialcharsDecodeEntQuotes(string $value)
     {
-        return wp_specialchars_decode($value, \ENT_QUOTES);
+        return htmlspecialchars_decode($value, \ENT_QUOTES);
     }
 
     /**
@@ -59,10 +59,15 @@ public function getBouncerInstance(): Bouncer
         $crowdSecBouncerUserAgent = CROWDSEC_BOUNCER_USER_AGENT;
         $crowdSecLogPath = CROWDSEC_LOG_PATH;
         $crowdSecDebugLogPath = CROWDSEC_DEBUG_LOG_PATH;
-        $debugMode = (bool) WP_DEBUG;
 
-        $this->logger = getStandAloneCrowdSecLoggerInstance($crowdSecLogPath, $debugMode, $crowdSecDebugLogPath);
-        $this->bouncer = getBouncerInstanceStandAlone($apiUrl, $apiKey, $isStreamMode, $cleanIpCacheDuration, $badIpCacheDuration, $fallbackRemediation, $bouncingLevel, $crowdSecBouncerUserAgent, $this->logger);
+        $this->logger = getStandAloneCrowdSecLoggerInstance($crowdSecLogPath, $this->debug, $crowdSecDebugLogPath);
+
+        $cacheSystem = $this->escape($this->getSettings('crowdsec_cache_system'));
+        $memcachedDsn = $this->escape($this->getSettings('crowdsec_memcached_dsn'));
+        $redisDsn = $this->escape($this->getSettings('crowdsec_redis_dsn'));
+        $fsCachePath = CROWDSEC_CACHE_PATH;
+
+        $this->bouncer = getBouncerInstanceStandAlone($apiUrl, $apiKey, $isStreamMode, $cleanIpCacheDuration, $badIpCacheDuration, $fallbackRemediation, $bouncingLevel, $crowdSecBouncerUserAgent, $this->logger, $cacheSystem, $memcachedDsn, $redisDsn, $fsCachePath);
 
         return $this->bouncer;
     }
@@ -227,16 +232,37 @@ public function shouldBounceCurrentIp(): bool
             return false;
         }
 
+        // Don't bounce if standalone mode is enable and we are not in a auto_prepend_file context.
+        if ((bool) $this->getSettings('crowdsec_standalone_mode') && !defined('CROWDSEC_STANDALONE_RUNNING_CONTEXT')) {
+            return false;
+        }
+
         $shouldNotBounceWpAdmin = !empty($this->getSettings('crowdsec_public_website_only'));
         // when the "crowdsec_public_website_only" is disabled...
         if ($shouldNotBounceWpAdmin) {
-            // ...don't bounce back office pages
-            if (is_admin()) {
-                return false;
-            }
-            // ...don't bounce wp-login and wp-cron pages
-            if (in_array($GLOBALS['pagenow'], ['wp-login.php', 'wp-cron.php'])) {
-                return false;
+            // In standalone context, is_admin() does not work. So we check admin section with another method.
+            if (defined('CROWDSEC_STANDALONE_RUNNING_CONTEXT')) {
+                // TODO improve the way to detect these pages or add a warning near to the wp option "enable standalone mode"
+                // ...don't bounce back office pages
+                if (0 === strpos($_SERVER['PHP_SELF'], '/wp-admin')) {
+                    return false;
+                }
+                // ...don't bounce wp-login and wp-cron pages
+                if (0 === strpos($_SERVER['PHP_SELF'], '/wp-login.php')) {
+                    return false;
+                }
+                if (0 === strpos($_SERVER['PHP_SELF'], '/wp-cron.php')) {
+                    return false;
+                }
+            } else {
+                // ...don't bounce back office pages
+                if (is_admin()) {
+                    return false;
+                }
+                // ...don't bounce wp-login and wp-cron pages
+                if (in_array($GLOBALS['pagenow'], ['wp-login.php', 'wp-cron.php'])) {
+                    return false;
+                }
             }
         }
 
@@ -343,9 +369,8 @@ public function isConfigValid(): bool
 
     public function initLogger(): void
     {
-        $debugMode = (bool) WP_DEBUG;
         $crowdSecLogPath = CROWDSEC_LOG_PATH;
         $crowdSecDebugLogPath = CROWDSEC_DEBUG_LOG_PATH;
-        $this->logger = getStandAloneCrowdSecLoggerInstance($crowdSecLogPath, $debugMode, $crowdSecDebugLogPath);
+        $this->logger = getStandAloneCrowdSecLoggerInstance($crowdSecLogPath, $this->debug, $crowdSecDebugLogPath);
     }
 }