✨ Add env for RemediationStatusCode (#250)

* ✨ Add env for defaultStatusCode

* 📝 doc

* ✨change name of the parameter

* 🔧 Add config check

* fix lint

Author: maxlerebourg

README.md

@@ -439,6 +439,10 @@ _By careful when you upgrade to >1.4.x_
   - int64
   - default: 60
   - Used only in `live` mode, maximum decision duration
+- RemediationStatusCode
+  - int
+  - default: 403
+  - HTTP status code for banned user (not captcha)
 - CrowdsecCapiMachineId
   - string
   - Used only in `alone` mode, login for Crowdsec CAPI
@@ -518,6 +522,7 @@ http:
           updateIntervalSeconds: 60
           updateMaxFailure: 0
           defaultDecisionSeconds: 60
+          remediationStatusCode: 403
           httpTimeoutSeconds: 10
           crowdsecMode: live
           crowdsecAppsecEnabled: false
@@ -527,7 +532,6 @@ http:
           crowdsecAppsecUnreachableBlock: true
           crowdsecAppsecBodyLimit: 10485760
           crowdsecLapiKey: privateKey-foo
-          crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo
           crowdsecLapiScheme: http
           crowdsecLapiHost: crowdsec:8080
           crowdsecLapiPath: "/"
@@ -556,22 +560,19 @@ http:
             ...
             Q0veeNzBQXg1f/JxfeA39IDIX1kiCf71tGlT
             -----END CERTIFICATE-----
-          crowdsecLapiTLSCertificateAuthorityFile: /etc/traefik/crowdsec-certs/ca.pem
           crowdsecLapiTLSCertificateBouncer: |-
             -----BEGIN CERTIFICATE-----
             MIIEHjCCAwagAwIBAgIUOBTs1eqkaAUcPplztUr2xRapvNAwDQYJKoZIhvcNAQEL
             ...
             RaXAnYYUVRblS1jmePemh388hFxbmrpG2pITx8B5FMULqHoj11o2Rl0gSV6tHIHz
             N2U=
             -----END CERTIFICATE-----
-          crowdsecLapiTLSCertificateBouncerFile: /etc/traefik/crowdsec-certs/bouncer.pem
           crowdsecLapiTLSCertificateBouncerKey: |-
             -----BEGIN RSA PRIVATE KEY-----
             MIIEogIBAAKCAQEAtYQnbJqifH+ZymePylDxGGLIuxzcAUU4/ajNj+qRAdI/Ux3d
             ...
             ic5cDRo6/VD3CS3MYzyBcibaGaV34nr0G/pI+KEqkYChzk/PZRA=
             -----END RSA PRIVATE KEY-----
-          crowdsecLapiTLSCertificateBouncerKeyFile: /etc/traefik/crowdsec-certs/bouncer-key.pem
           captchaProvider: hcaptcha
           captchaSiteKey: FIXME
           captchaSecretKey: FIXME
@@ -582,7 +583,7 @@ http:
 
 #### Fill variable with value of file
 
-`CrowdsecLapiTlsCertificateBouncerKey`, `CrowdsecLapiTlsCertificateBouncer`, `CrowdsecLapiTlsCertificateAuthority`, `CrowdsecCapiMachineId`, `CrowdsecCapiPassword`, `CrowdsecLapiKey`, `CaptchaSiteKey` and `CaptchaSecretKey` can be provided with the content as raw or through a file path that Traefik can read.  
+`CrowdsecLapiTlsCertificateBouncerKey`, `CrowdsecLapiTlsCertificateBouncer`, `CrowdsecLapiTlsCertificateAuthority`, `CrowdsecCapiMachineId`, `CrowdsecCapiPassword`, `CrowdsecLapiKey`, `CaptchaSiteKey`, `CaptchaSecretKey` and `RedisCachePassword` can be provided with the content as raw or through a file path that Traefik can read.  
 The file variable will be used as preference if both content and file are provided for the same variable.
 
 Format is:

bouncer.go

@@ -77,6 +77,7 @@ type Bouncer struct {
 	updateInterval          int64
 	updateMaxFailure        int
 	defaultDecisionTimeout  int64
+	remediationStatusCode   int
 	remediationCustomHeader string
 	forwardedCustomHeader   string
 	crowdsecStreamRoute     string
@@ -170,6 +171,7 @@ func New(_ context.Context, next http.Handler, config *configuration.Config, nam
 		remediationCustomHeader: config.RemediationHeadersCustomName,
 		forwardedCustomHeader:   config.ForwardedHeadersCustomName,
 		defaultDecisionTimeout:  config.DefaultDecisionSeconds,
+		remediationStatusCode:   config.RemediationStatusCode,
 		redisUnreachableBlock:   config.RedisCacheUnreachableBlock,
 		banTemplateString:       banTemplateString,
 		crowdsecStreamRoute:     crowdsecStreamRoute,
@@ -355,11 +357,11 @@ func handleBanServeHTTP(bouncer *Bouncer, rw http.ResponseWriter) {
 		rw.Header().Set(bouncer.remediationCustomHeader, "ban")
 	}
 	if bouncer.banTemplateString == "" {
-		rw.WriteHeader(http.StatusForbidden)
+		rw.WriteHeader(bouncer.remediationStatusCode)
 		return
 	}
 	rw.Header().Set("Content-Type", "text/html; charset=utf-8")
-	rw.WriteHeader(http.StatusForbidden)
+	rw.WriteHeader(bouncer.remediationStatusCode)
 	_, err := fmt.Fprint(rw, bouncer.banTemplateString)
 	if err != nil {
 		bouncer.log.Error("handleBanServeHTTP could not write template to ResponseWriter")

pkg/configuration/configuration.go

@@ -68,6 +68,7 @@ type Config struct {
 	UpdateIntervalSeconds                    int64    `json:"updateIntervalSeconds,omitempty"`
 	UpdateMaxFailure                         int      `json:"updateMaxFailure,omitempty"`
 	DefaultDecisionSeconds                   int64    `json:"defaultDecisionSeconds,omitempty"`
+	RemediationStatusCode                    int      `json:"remediationStatusCode,omitempty"`
 	HTTPTimeoutSeconds                       int64    `json:"httpTimeoutSeconds,omitempty"`
 	RemediationHeadersCustomName             string   `json:"remediationHeadersCustomName,omitempty"`
 	ForwardedHeadersCustomName               string   `json:"forwardedHeadersCustomName,omitempty"`
@@ -119,6 +120,7 @@ func New() *Config {
 		UpdateIntervalSeconds:          60,
 		UpdateMaxFailure:               0,
 		DefaultDecisionSeconds:         60,
+		RemediationStatusCode:          http.StatusForbidden,
 		HTTPTimeoutSeconds:             10,
 		CaptchaProvider:                "",
 		CaptchaSiteKey:                 "",
@@ -355,6 +357,9 @@ func validateParamsRequired(config *Config) error {
 	if config.CrowdsecAppsecBodyLimit < 0 {
 		return errors.New("CrowdsecAppsecBodyLimit: cannot be less than 0")
 	}
+	if config.RemediationStatusCode < 100 || config.RemediationStatusCode >= 600 {
+		return errors.New("RemediationStatusCode: cannot be less than 100 and more than 600")
+	}
 
 	if !contains([]string{NoneMode, LiveMode, StreamMode, AloneMode, AppsecMode}, config.CrowdsecMode) {
 		return errors.New("CrowdsecMode: must be one of 'none', 'live', 'stream', 'alone' or 'appsec'")