@@ -98,6 +98,22 @@ $remediation = $bouncer->getRemediationForIp($requestedIp);
9898echo "\nResult: $remediation\n\n"; // "ban", "captcha" or "bypass"
9999```
100100
101+ #### Test your bouncer
102+
103+ To test your bouncer, you could add decision to ban your own IP for 5 minutes for example:
104+
105+ ``` bash
106+ cscli decisions add --ip < YOUR_IP> --duration 5m --type ban
107+ ```
108+
109+ You can also test a captcha:
110+
111+ ``` bash
112+ cscli decisions delete --all # be careful with this command!
113+ cscli decisions add --ip < YOUR_IP> --duration 15m --type captcha
114+ ```
115+
116+
101117#### Configurations
102118
103119You can pass an array of configurations in the ` $bouncer->configure($configs) ` method.
@@ -226,8 +242,6 @@ $configs = [...] // Retrieve configs from somewhere (database, static file, etc)
226242$bounce->safelyBounce($configs);
227243```
228244
229-
230-
231245To go further and learn how to include this library in your
232246project, you should follow the [ ` DEVELOPER GUIDE ` ] ( DEVELOPER.md ) .
233247
@@ -239,226 +253,3 @@ WordPress :
239253- [ CrowdSec Bouncer plugin for WordPress ] ( https://github.com/crowdsecurity/cs-wordpress-bouncer )
240254
241255
242- ### Auto Prepend File mode (standalone mode)
243-
244- This library can also be used on its own if you are running a server with PHP.
245-
246- In this mode, every browser access to a php script will be bounced.
247-
248- To enable the ` auto prepend file ` mode, you have to:
249-
250-
251- - copy the ` scripts/auto-prepend/settings.example.php ` to a ` scripts/auto-prepend/settings.php ` and fill the
252- necessary settings in it (see below for the settings details).
253-
254-
255-
256- - configure your server by adding an ` auto_prepend_file ` directive for your php setup.
257-
258-
259- Adding an ` auto_prepend_file ` directive can be done in different ways:
260-
261- #### PHP
262-
263- You should add this line to a ` .ini ` file :
264-
265- auto_prepend_file = /absolute/path/to/scripts/auto-prepend/bounce.php
266-
267-
268- #### Nginx
269-
270-
271- If you are using Nginx, you should modify your nginx configuration file by adding a ` fastcgi_param `
272- directive. The php block should look like below:
273-
274- ```
275- location ~ \.php$ {
276- ...
277- ...
278- ...
279- fastcgi_param PHP_VALUE "/absolute/path/to/scripts/auto-prepend/bounce.php";
280- }
281- ```
282-
283- #### Apache
284-
285- If you are using Apache, you should add this line to your ` .htaccess ` file:
286-
287- php_value auto_prepend_file "/absolute/path/to/scripts/auto-prepend/bounce.php"
288-
289-
290- #### Standalone settings
291-
292- Once you have created the ` scripts/auto-prepend/settings.php ` file, you have to fill the necessary fields:
293-
294- ``` php
295- use CrowdSecBouncer\Constants;
296- $crowdSecStandaloneBouncerConfig = [
297- /** The bouncer api key to access LAPI.
298- *
299- * Key generated by the cscli (CrowdSec cli) command like "cscli bouncers add bouncer-php-library"
300- */
301- 'api_key'=> 'YOUR_BOUNCER_API_KEY',
302-
303- /** Define the URL to your LAPI server, default to http://localhost:8080.
304- *
305- * If you have installed the CrowdSec agent on your server, it should be "http://localhost:8080"
306- */
307- 'api_url'=> Constants::DEFAULT_LAPI_URL,
308-
309- // In seconds. The timeout when calling LAPI. Must be greater or equal than 1. Defaults to 1 sec.
310- 'api_timeout'=> 1,
311-
312- // HTTP user agent used to call LAPI. Default to this library name/current version.
313- 'api_user_agent'=> 'CrowdSec PHP Library/x.x.x',
314-
315- // true to enable verbose debug log.
316- 'debug_mode' => false,
317-
318- /** Absolute path to store log files.
319- *
320- * Important note: be sur this path won't be publicly accessible
321- */
322- 'log_directory_path' => __DIR__.'/.logs',
323-
324- // true to stop the process and display errors if any.
325- 'display_errors' => false,
326-
327- /** Only for test or debug purpose. Default to empty.
328- *
329- * If not empty, it will be used for all remediation and geolocation processes.
330- */
331- 'forced_test_ip' => '1.2.3.4',
332-
333- /** Select from 'bouncing_disabled', 'normal_bouncing' or 'flex_bouncing'.
334- *
335- * Choose if you want to apply CrowdSec directives (Normal bouncing) or be more permissive (Flex bouncing).
336- * With the `Flex mode`, it is impossible to accidentally block access to your site to people who don’t
337- * deserve it. This mode makes it possible to never ban an IP but only to offer a Captcha, in the worst-case
338- * scenario.
339- */
340- 'bouncing_level' => Constants::BOUNCING_LEVEL_NORMAL,
341-
342- /** Select from 'bypass' (minimum remediation), 'captcha' or 'ban' (maximum remediation).
343- * Default to 'captcha'.
344- *
345- * Handle unknown remediations as.
346- */
347- 'fallback_remediation'=> Constants::REMEDIATION_CAPTCHA,
348-
349- /** Select from 'bypass' (minimum remediation),'captcha' or 'ban' (maximum remediation).
350- * Default to 'ban'.
351- *
352- * Cap the remediation to the selected one.
353- */
354- 'max_remediation_level'=> Constants::REMEDIATION_BAN,
355-
356- /** If you use a CDN, a reverse proxy or a load balancer, set an array of IPs.
357- *
358- * For other IPs, the bouncer will not trust the X-Forwarded-For header.
359- */
360- 'trust_ip_forward_array' => [],
361-
362- // Select from 'phpfs' (File system cache), 'redis' or 'memcached'.
363- 'cache_system' => Constants::CACHE_SYSTEM_PHPFS,
364-
365- /** Will be used only if you choose File system as cache_system
366- *
367- * Important note: be sur this path won't be publicly accessible
368- */
369- 'fs_cache_path' => __DIR__.'/.cache',
370-
371- // Will be used only if you choose Redis cache as cache_system
372- 'redis_dsn' => 'redis://localhost:6379',
373-
374- // Will be used only if you choose Memcached as cache_system
375- 'memcached_dsn' => 'memcached://localhost:11211',
376-
377- // Set the duration we keep in cache the fact that an IP is clean. In seconds. Defaults to 5.
378- 'cache_expiration_for_clean_ip'=> Constants::CACHE_EXPIRATION_FOR_CLEAN_IP,
379-
380- // Optional. Set the duration we keep in cache the fact that an IP is bad. In seconds. Defaults to 20.
381- 'cache_expiration_for_bad_ip'=> Constants::CACHE_EXPIRATION_FOR_BAD_IP,
382-
383- /** true to enable stream mode, false to enable the live mode. Default to false.
384- *
385- * By default, the `live mode` is enabled. The first time a stranger connects to your website, this mode
386- * means that the IP will be checked directly by the CrowdSec API. The rest of your user’s browsing will be
387- * even more transparent thanks to the fully customizable cache system.
388- *
389- * But you can also activate the `stream mode`. This mode allows you to constantly feed the bouncer with the
390- * malicious IP list via a background task (CRON), making it to be even faster when checking the IP of your
391- * visitors. Besides, if your site has a lot of unique visitors at the same time, this will not influence the
392- * traffic to the API of your CrowdSec instance.
393- */
394- 'stream_mode'=> false,
395-
396- // Settings for geolocation remediation (i.e. country based remediation).
397- 'geolocation' => [
398- // true to enable remediation based on country. Default to false.
399- 'enabled' => false,
400- // Geolocation system. Only 'maxmind' is available for the moment. Default to 'maxmind'
401- 'type' => Constants::GEOLOCATION_TYPE_MAXMIND,
402- /** true to store the geolocalized country in session. Default to true.
403- *
404- * Setting true will avoid multiple call to the geolocalized system (e.g. maxmind database)
405- */
406- 'save_in_session' => true,
407- // MaxMind settings
408- 'maxmind' => [
409- /**Select from 'country' or 'city'. Default to 'country'
410- *
411- * These are the two available MaxMind database types.
412- */
413- 'database_type' => Constants::MAXMIND_COUNTRY,
414- // Absolute path to the MaxMind database (mmdb file).
415- 'database_path' => '/some/path/GeoLite2-Country.mmdb',
416- ]
417- ],
418-
419- //true to hide CrowdSec mentions on ban and captcha walls.
420- 'hide_mentions' => false,
421-
422- // Settings for ban and captcha walls
423- 'theme_color_text_primary' => 'black',
424- 'theme_color_text_secondary' => '#AAA',
425- 'theme_color_text_button' => 'white',
426- 'theme_color_text_error_message' => '#b90000',
427- 'theme_color_background_page' => '#eee',
428- 'theme_color_background_container' => 'white',
429- 'theme_color_background_button' => '#626365',
430- 'theme_color_background_button_hover' => '#333',
431- 'theme_custom_css' => '',
432- // Settings for captcha wall
433- 'theme_text_captcha_wall_tab_title' => 'Oops..',
434- 'theme_text_captcha_wall_title' => 'Hmm, sorry but...',
435- 'theme_text_captcha_wall_subtitle' => 'Please complete the security check.',
436- 'theme_text_captcha_wall_refresh_image_link' => 'refresh image',
437- 'theme_text_captcha_wall_captcha_placeholder' => 'Type here...',
438- 'theme_text_captcha_wall_send_button' => 'CONTINUE',
439- 'theme_text_captcha_wall_error_message' => 'Please try again.',
440- 'theme_text_captcha_wall_footer' => '',
441- // Settings for ban wall
442- 'theme_text_ban_wall_tab_title' => 'Oops..',
443- 'theme_text_ban_wall_title' => '🤭 Oh!',
444- 'theme_text_ban_wall_subtitle' => 'This page is protected against cyber attacks and your IP has been banned by our system.',
445- 'theme_text_ban_wall_footer' => '',
446- ];
447- ```
448-
449- #### Test the standalone bouncer
450-
451- Now you can a decision to ban your own IP for 5 minutes to test the correct behavior:
452-
453- ``` bash
454- cscli decisions add --ip < YOUR_IP> --duration 5m --type ban
455- ```
456-
457- You can also test a captcha:
458-
459- ``` bash
460- cscli decisions delete --all # be careful with this command!
461- cscli decisions add --ip < YOUR_IP> --duration 15m --type captcha
462- ```
463-
464-
0 commit comments