Skip to content

Commit

Permalink
Update documentation for LAPI self registration (#623)
Browse files Browse the repository at this point in the history
  • Loading branch information
blotus authored Sep 20, 2024
1 parent 6d7dd0d commit 1dc7633
Show file tree
Hide file tree
Showing 2 changed files with 88 additions and 1 deletion.
50 changes: 49 additions & 1 deletion crowdsec-docs/docs/configuration/crowdsec_configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,11 @@ api:
#- 127.0.0.1
#- ::1
#- 10.0.0.0/24
auto_registration:
enabled: <true|false>
token: <string>
allowed_ranges:
- 10.0.0.0/24
prometheus:
enabled: "(true|false)"
level: "(full|aggregated)"
Expand Down Expand Up @@ -706,7 +711,11 @@ api:
- bouncers_ou
crl_path: "<path_to_crl_file>"
cache_expiration: "<cache_duration_for_revocation_check>"
auto_registration:
enabled: <true|false>
token: <string>
allowed_ranges:
- 10.0.0.0/24
```

#### `cti`
Expand Down Expand Up @@ -808,6 +817,11 @@ server:
- bouncers_ou
crl_path: "<path_to_crl_file>"
cache_expiration: "<cache_duration_for_revocation_check>"
auto_registration:
enabled: <true|false>
token: <string>
allowed_ranges:
- 10.0.0.0/24
```

##### `enable`
Expand Down Expand Up @@ -953,6 +967,40 @@ The format must be compatible with golang [time.Duration](https://pkg.go.dev/tim
IPs or IP ranges which have admin access to API. The APIs would still need to have API keys.
127.0.0.1 and ::1 are always given admin access whether specified or not.

#### `auto_registration`

This section configures LAPI to automatically accept new machine registrations

```yaml
auto_registration:
enabled: <true|false>
token: <string>
allowed_ranges:
- 10.0.0.0/24
```

##### `enabled`
> bool

Whether automatic registration should be enabled.

Defaults to `false`.

##### `token`
> string

Token that should be passed in the registration request if LAPI needs to automatically validate the machine.

It must be at least 32 chars, and is mandatory if the feature is enabled.

##### `allowed_ranges`
> []string

IP ranges that are allowed to use the auto registration features.

It must have at least one entry if the feature is enabled


### `prometheus`

This section is used by local API and crowdsec.
Expand Down
39 changes: 39 additions & 0 deletions crowdsec-docs/unversioned/user_guides/machines_management.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -101,3 +101,42 @@ import CodeBlock from '@theme/CodeBlock';
</TabItem>

</Tabs>

### Machine auto validation

:::warning

If you enabled this feature, make sure to restrict the IP ranges as much as possible.

Any rogue machine registered in your LAPI will be able to push arbitrary alerts, and potentially lock you out.

:::

In some situation, it's not practical to manually create or validate new machines in LAPI (eg, when running in an environment that uses auto-scaling).

It is possible to configure LAPI to automatically accept new machines upon creation with the `api.server.auto_registration` section:

```yaml
api:
server:
auto_registration:
enabled: true
token: "long_token_that_is_at_least_32_characters_long"
allowed_ranges:
- 10.2.0.42/32
- 10.0.0.0/24
```
You have to specify both the `token` and `allowed_ranges`.

Once the configuration is done, you can pass the token to your registration request with the `--token` parameter:

```bash
cscli lapi register --machine my_machine --token long_token_that_is_at_least_32_characters_long
```

If the token is valid and the request is coming from an authorized IP range, LAPI will automatically validate the machine and it will be able to login without any further configuration.

If no token is sent, LAPI will treat the request as a normal registration, regardless of the configuration.

If a token is set but invalid, the request will be refused.

0 comments on commit 1dc7633

Please sign in to comment.