From c998c99bfcbfe071a765cad6f53f18d8f15c6673 Mon Sep 17 00:00:00 2001
From: jasmine
Date: Sat, 31 Jan 2026 14:13:08 +0800
Subject: [PATCH] refactor(traefik): remove geoblock middleware in favor of crowdsec

Geoblocking is easily bypassed via VPNs and provides false security. CrowdSec handles this better with behavioral detection.
---
 README.md | 2 +-
 nixos/viridian/services/traefik/default.nix | 9 +--
 .../viridian/services/traefik/middlewares.nix | 56 -------------------
 3 files changed, 2 insertions(+), 65 deletions(-)

diff --git a/README.md b/README.md
index b72b6c6..fe0cc4b 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ Based upon [Misterio77's starter configs](https://github.com/Misterio77/nix-star
 * __Opt-in persistence with ephemeral btrfs root and 14-day snapshot retention.__
 * __Snapper automated snapshots with tiered retention (24h/7d/4w/12m).__
 * __Automated borgbackup of mutable service and container data.__
-* __Traefik reverse proxy with geoblock and crowdsec security middleware.__
+* __Traefik reverse proxy with crowdsec security middleware.__
 * __Secrets managed with agenix and rekeyed with yubikey.__
 * __Standalone nixvim configuration for neovim.__
 * __Custom haskell packages for xmonad & xmobar.__
diff --git a/nixos/viridian/services/traefik/default.nix b/nixos/viridian/services/traefik/default.nix
index 0e59b4b..8d736cc 100644
--- a/nixos/viridian/services/traefik/default.nix
+++ b/nixos/viridian/services/traefik/default.nix
@@ -70,13 +70,7 @@
 # Install plugins
 experimental.plugins = {
- # Block or allow requests based on their country of origin.
- geoblock = {
- moduleName = "github.com/PascalMinder/geoblock";
- version = "v0.2.7";
- };
-
- # Authorize or block requests from IPs based on there reputation and behaviour.
+ # Authorize or block requests from IPs based on their reputation and behaviour.
 bouncer = {
 moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
 version = "v1.3.5";
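Review bot: The reason the geoblock plugin was dropped is recorded only in the commit message, so after this hunk the `experimental.plugins` block gives no hint that country filtering was removed on purpose, and a later maintainer could re-add it without seeing the trade-off. A short comment above the surviving `bouncer` entry would preserve that decision in the file, e.g. `# Sole request-filtering plugin; the geoblock plugin was removed because country filters are easily bypassed (see git history).`. The `experimental.plugins` attribute set continues past the end of the hunk.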
@@ -101,7 +95,6 @@
 # Enable some middlewares on all routers that use this entrypoint
 http.middlewares = [
- "geoblock@file"
 "crowdsec@file"
 ];
diff --git a/nixos/viridian/services/traefik/middlewares.nix b/nixos/viridian/services/traefik/middlewares.nix
index 0f2f474..13aa305 100644
--- a/nixos/viridian/services/traefik/middlewares.nix
+++ b/nixos/viridian/services/traefik/middlewares.nix 
@@ -1,62 +1,6 @@
 {...}: {
 # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
 services.traefik.dynamicConfigOptions.http.middlewares = {
- # Restrict access based on geo-location
- geoblock.plugin.geoblock = {
- silentStartUp = "false";
- allowLocalRequests = "true";
- # If set to true will show a log message
- logLocalRequests = "false";
- logAllowedRequests = "false";
- logApiRequests = "false";
- # Application programming interface
- api = "https://get.geojs.io/v1/ip/country/{ip}";
- apiTimeoutMs = "750";
- # Max size of least recently used cache
- cacheSize = "25";
- # OFAC (US) sanctions list
- countries = [
- "AF" # Afghanistan
- "AL" # Albania
- "BA" # Bosnia and Herzegovina
- "BY" # Belarus
- "CF" # Central African Republic (the)
- "CN" # China
- "CD" # Congo (the Democratic Republic of the)
- "CU" # Cuba
- "ET" # Ethiopia
- "HK" # Hong Kong
- "IR" # Iran (Islamic Republic of)
- "IQ" # Iraq
- "KP" # Korea (the Democratic People's Republic of)
- "LB" # Lebanon
- "LY" # Libya
- "ML" # Mali
- "ME" # Montenegro
- "MM" # Myanmar
- "MK" # Republic of North Macedonia
- "NI" # Nicaragua
- "RU" # Russian Federation (the)
- "RS" # Serbia
- "SO" # Somalia
- "SS" # South Sudan
- "SD" # Sudan (the)
- "SY" # Syrian Arab Republic
- "UA" # Ukraine
- "VE" # Venezuela (Bolivarian Republic of)
- "YE" # Yemen
- ];
- # Inverts filter logic
- blackListMode = "true";
- # Unknown Countries (IPs with no country association)
- allowUnknownCountries = "false";
- unknownCountryApiResponse = "nil";
- # Adds the X-IPCountry header to the HTTP request header.
- addCountryHeader = "false";
- # Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
- forceMonthlyUpdate = "true";
- };
-
 # Intrusion Prevention System
 crowdsec.plugin.bouncer = {
 enabled = "true";