Merge branch 'main' into console_enterprise_support

crowdsecurity · Nov 4, 2024 · e8fec00 · e8fec00
2 parents b8616dc + a7db8dd
commit e8fec00
Show file tree

Hide file tree

Showing 28 changed files with 16,543 additions and 25,518 deletions.
diff --git a/README.md b/README.md
@@ -2,4 +2,29 @@
 
 This repository holds the documentation for the [crowdsec project](https://github.com/crowdsecurity/crowdsec).
 
-Online version of this documentation is available here: https://doc.crowdsec.net/
+Online version of this documentation is available here: https://doc.crowdsec.net/
+
+The documentation is built using [Docusaurus](https://docusaurus.io/), a modern static website generator.
+
+## Installation
+
+```console
+npm install
+```
+
+## Local Development
+
+```console
+npm run start
+```
+
+This command starts a local development server and opens up a browser window. Most changes are reflected live without having to restart the server.
+
+## Build
+
+```console
+npm run build
+```
+
+This command generates static content into the `build` directory and can be served using any static contents hosting service.
+you can also use the `npm run serve` command to test the build locally.
diff --git a/crowdsec-docs/README.md b/crowdsec-docs/README.md
diff --git a/crowdsec-docs/blog/2020-08-04-crowdsec_firewall_freebsd.md b/crowdsec-docs/blog/2020-08-04-crowdsec_firewall_freebsd.md
@@ -1,8 +1,7 @@
 ---
 slug: crowdsec_firewall_freebsd
 title: How to install CrowdSec Firewall Bouncer on FreeBSD
-author: Sofian Brabez
-author_url: https://github.com/sbz
+authors: [sbz]
 tags: [bouncer, firewall, crowdsec]
 ---
 

diff --git a/crowdsec-docs/blog/2021-08-30-metabase_without_docker.md b/crowdsec-docs/blog/2021-08-30-metabase_without_docker.md
@@ -1,8 +1,7 @@
 ---
 slug: metabase_without_docker
 title: How to configure metabase dasbhoard without docker
-author: Crowdsec Team
-author_url: https://github.com/crowdsecurity
+authors: crowdsec
 tags: [dashboard, metabase]
 ---
 

diff --git a/crowdsec-docs/blog/2024-06-11-cscli_dashboard_deprecation.md b/crowdsec-docs/blog/2024-06-11-cscli_dashboard_deprecation.md
@@ -1,8 +1,7 @@
 ---
 slug: cscli_dashboard_deprecation
 title: Cscli dashboard deprecation
-author: Crowdsec Team
-author_url: https://github.com/crowdsecurity
+authors: crowdsec
 tags: [dashboard, Metabase]
 ---
 

diff --git a/crowdsec-docs/blog/authors.yml b/crowdsec-docs/blog/authors.yml
@@ -0,0 +1,8 @@
+sbz:
+    name: Sofian Brabez
+    url: https://github.com/sbz
+
+crowdsec:
+    name: Crowdsec Team
+    url: https://github.com/crowdsecurity
+    image_url: /img/crowdsec_logo.png
diff --git a/crowdsec-docs/docs/appsec/intro.md b/crowdsec-docs/docs/appsec/intro.md
@@ -12,55 +12,65 @@ Meet the Crowdsec **Application Security Component** (AKA : **AppSec Component**
 
 The **AppSec Component** offers:
 
-- Low-effort **virtual patching** capabilities.
-- Support for your legacy **ModSecurity** rules.
-- Combining classic WAF benefits with advanced CrowdSec features for otherwise difficult **advanced behavior detection**.
-- **Full integration** with the Crowdsec software stack, including the console and remediation components.
+-   Low-effort **virtual patching** capabilities.
+-   Support for your legacy **ModSecurity** rules.
+-   Combining classic WAF benefits with advanced CrowdSec features for otherwise difficult **advanced behavior detection**.
+-   **Full integration** with the Crowdsec software stack, including the console and remediation components.
 
 <!-- xx :  links -->
 
 This component capitalizes on existing remediation functions in web servers (such as Nginx, Traefik, Haproxy, etc.) to provide web application firewall capabilities.
 
-![appsec-global](/img/appsec-global.png)
+![appsec-global](/img/appsec-global.svg)
 
-## Request inspection
+1. The Web Server receives the HTTP request
+2. The HTTP Request is intercepted and passed to the CrowdSec Security Engine via [the HTTP API](/appsec/protocol.md)
+3. The Security Engine answers to the Web Server once the Appsec inband rules have been processed.
+4. Based on the [Security Engine answer](/appsec/protocol#response-code), the Web Server either blocks the HTTP Request or processes it as usual
 
-Examining Three Key Layers of the AppSec Component's Request Inspection
+## Inband Rules and Out-Of-Band Rules
 
-### 1 Remediation component: request relaying
+The AppSec component relies on rules to inspect HTTP Requests:
 
-If the AppSec capability is activated on the remediation component, the incoming requests will be channeled to the CrowdSec Security engine.
+-   Inband rules are meant to interrupt request processing
+-   Out-Of-Band rules are non-blocking and are evaluated asynchronously
 
-### 2 Security Engine: inband rule processing
+### Inband rule processing
 
 The security engine first evaluates the inband rules, designed to identify and block specific requests.  
 Once these rules are evaluated, a response is relayed to the remediation component.
 
 This leads to two possible outcomes:
 
-1.  If no inband rule is triggered, the processing of the request will continue on the web-server side as usual
-2.  If an inband rule is triggered, the remediation component will answer with a 403 or a captcha request to the user of the incriminated request, stopping the request processing.
+1. If an inband rule is triggered, the remediation component will answer with a 403 or a captcha request to the user of the incriminated request, stopping the request processing.
+2. Otherwise, the request will be normally processed
 
-### 3 Security Engine: out-of-band rules processing
+### Out-of-band rules processing
 
 In the background, the security engine will then evaluate the out-of-band rules. These rules do not impact performance or response time, as they are evaluated after the AppSec Component instructs the webserver to continue or stop processing the request.
 
+They are usually meant to detect unwanted behaviors that exhibit a repetitive aspect (ie. Applicative Spam, Resource enumeration, Scalping etc.). When those rules trigger, they emit an event is processed by the Security Engine in the same way a log line is.
+
 ## Post processing
 
 When a request triggers one or more rules, either in the inband section (blocking) or out-of-band (non-blocking), several things happen:
 
-- Inband (blocking) rules will appear in your `cscli alerts list` (and thus in your [console dashboard](https://app.crowdsec.net)).
-- Inband and Out-Of-Band rules will trigger an internal crowdsec event that can be treated as any log lines.
+-   Inband (blocking) rules will appear in your `cscli alerts list` (and thus in your [console dashboard](https://app.crowdsec.net)).
+-   Inband and Out-Of-Band rules will trigger an internal crowdsec event that can be treated as any log lines.
 
 This is meant to allow for scenarios to exploit the WAF rules events, such as blocking for a longer time an IP that clearly engages in malevolent activities, triggering several virtual patching rules.
 
 ## Next steps
 
-Let's now start using this AppSec capabilities:
+You can follow our quick start guides depending on your web server:
+
+-   [Nginx/OpenResty](/appsec/quickstart/nginxopenresty.mdx)
+-   [Traefik](/appsec/quickstart/traefik.mdx)
+
+Or consider learning more about the AppSec capabilities:
 
-- **Installation**: [How to configure the Application Security Component with an existing remediation component](/appsec/installation.md)
-- **Rules**: [How to read, write and debug rules](/appsec/rules_syntax.md)
-- **Scenarios**: [How to create scenarios that leverage the AppSec Component events](#TODO)
-- **Hooks**: [For advanced use let's talk about possible Hooks](/appsec/hooks.md)
-- **Troubleshoot**: [How to troubleshoot the behavior of the AppSec Component](/appsec/troubleshooting.md)
-- **AppSec Protocol**: [if you're maintaining or creating a remedation component and want to add the AppSec capabilities](/appsec/protocol.md)
+-   **Rules**: [How to read, write and debug rules](/appsec/rules_syntax.md)
+-   **Scenarios**: [How to create scenarios that leverage the AppSec Component events](#TODO)
+-   **Hooks**: [For advanced use let's talk about possible Hooks](/appsec/hooks.md)
+-   **Troubleshoot**: [How to troubleshoot the behavior of the AppSec Component](/appsec/troubleshooting.md)
+-   **AppSec Protocol**: [if you're maintaining or creating a remedation component and want to add the AppSec capabilities](/appsec/protocol.md)
diff --git a/crowdsec-docs/docs/intro.mdx b/crowdsec-docs/docs/intro.mdx
@@ -3,51 +3,81 @@ title: Introduction
 id: intro
 ---
 
+import useBaseUrl from "@docusaurus/useBaseUrl"
+import AcademyPromo from "@site/src/components/AcademyPromo"
 
-import useBaseUrl from '@docusaurus/useBaseUrl';
-import AcademyPromo from '@site/src/components/AcademyPromo';
+# Security Engine Overview
 
-<div style={{display: 'flex'}}>
-    <div style={{textAlign: 'center', flex: '1'}}>
-    <img width="800" height="auto" src={useBaseUrl('/img/crowdsec_ecosystem.png')} />
-    </div>
-</div>
-&nbsp;
-&nbsp;
+The [CrowdSec Security Engine](https://github.com/crowdsecurity/crowdsec) is an open-source, lightweight software that detects and blocks malicious actors from accessing your systems at various levels, using log and HTTP Requests analysis with threat patterns called scenarios.
 
-The [CrowdSec Security Engine](https://github.com/crowdsecurity/crowdsec) is an open-source, lightweight software that detects and blocks malicious actors from accessing your systems at various levels, using log analysis and threat patterns called scenarios. 
+CrowdSec is a modular security tool offering [behavior-based detection](https://app.crowdsec.net/hub/collections), including [AppSec rules](https://app.crowdsec.net/hub/appsec-rules), and optional components to block threats called [Remediation Components](https://app.crowdsec.net/hub/bouncers)
 
-CrowdSec is a modular framework, offering a variety of [popular scenarios](https://app.crowdsec.net/hub/collections). Users can choose their protection scenarios and deploy [Remediation Components](https://app.crowdsec.net/hub/bouncers) to block malicious access.
+<div style={{ display: "flex" }}>
+    <div style={{ textAlign: "center", flex: "1" }}>
+        <img
+            width="auto"
+            height="auto"
+            src={useBaseUrl("/img/simplified_SE_overview.svg")}
+        />
+    </div>
+</div>
+&nbsp; &nbsp;
 
-The crowd-sourced aspect allows sharing attack information among users, enhancing real-time attack detection and preemptive blocking of known bad actors from your system.
+The crowd-sourced aspect allows the sharing of attacks they detected and blocked. Participants of this crowd-sourced threat intel receive, automatically via the security engine, a curated list of validated attackers (community blocklist) enhancing their real-time protection capabilities by taking preemptive actions against known threats.
 
 ## Main Features
 
 In addition to the core "detect and react" mechanism, CrowdSec is committed to several other key aspects:
 
-- **Easy Installation**: Effortless out-of-the-box installation on all [supported platforms](/getting_started/versions_matrix.md).
-- **Simplified Daily Operations**: Use [cscli](/cscli/cscli.md) and the [hub](http://hub.crowdsec.net) for effortless maintenance and keeping your detection mechanisms up-to-date.
-- **Reproducibility**: The Security Engine can analyze not only live logs but also [cold logs](/u/user_guides/replay_mode), making it easier to detect potential false triggers, conduct forensic analysis, or generate reports.
-- **Observability**: Providing valuable insights into the system's activity:
-    - Users can view/manage alerts from the ([Console](https://app.crowdsec.net/signup)).
-    - Operations personnel have access to detailed Prometheus metrics ([Prometheus](/observability/prometheus.md)).
-    - Administrators can utilize a user-friendly command-line interface tool ([cscli](/observability/cscli.md)).
-- **API-Centric**: All components communicate via an [HTTP API](/local_api/intro.md), facilitating multi-machine setups.
-
+-   **Easy Installation**: Effortless out-of-the-box installation on all [supported platforms](/getting_started/versions_matrix.md).
+-   **Simplified Daily Operations**: You have access to our Web UI administration via [CrowdSec's console](http://app.crowdsec.net) or the powerful [Command line tool cscli](/cscli/cscli.md) for effortless maintenance and keeping your detection mechanisms up-to-date.
+-   **Reproducibility**: The Security Engine can analyze not only live logs but also [cold logs](/u/user_guides/replay_mode), making it easier to detect potential false triggers, conduct forensic analysis, or generate reports.
+-   **Versatile**: The Security Engine can analyze [system logs](/docs/data_sources/intro) and [HTTP Requests](/docs/next/appsec/intro) to exhaustively protect your perimeter.
+-   **Observability**: Providing valuable insights into the system's activity:
+    -   Users can view/manage alerts from the ([Console](https://app.crowdsec.net/signup)).
+    -   Operations personnel have access to detailed Prometheus metrics ([Prometheus](/observability/prometheus.md)).
+    -   Administrators can utilize a user-friendly command-line interface tool ([cscli](/observability/cscli.md)).
+-   **API-Centric**: All components communicate via an [HTTP API](/local_api/intro.md), facilitating multi-machine setups.
 
 ## Architecture
 
+<div style={{ display: "flex" }}>
+    <div style={{ textAlign: "center", flex: "1" }}>
+        <img src={useBaseUrl("/img/simplified_SE_underthehood.svg")}></img>
+    </div>
+</div>
+
+Under the hood, the Security Engine has various components:
+
+-   The Log Processor is in charge of detection: it analyzes logs from [various data sources](/docs/data_sources/intro) or [HTTP requests](/appsec/intro.md) from web servers.
+-   The [Appsec](/appsec/intro.md) feature is part of the Log Processor and filters HTTP Requests from the compatible web servers.
+-   The [Local API](/local_api/intro.md) acts as a middle man:
+    -   Between the [Log Processors](/docs/data_sources/intro) and the [Remediation Components](/u/bouncers/intro) which are in charge of enforcing decisions.
+    -   And with the [Central API](/central_api/intro.md) to share alerts and receive blocklists.
+-   The [Remediation Components](/u/bouncers/intro) - also known as bouncers - block malicious IPs at your chosen level—whether via IpTables, firewalls, web servers, or reverse proxies. [See the full list on our CrowdSec Hub.](https://app.crowdsec.net/hub/remediation-components)
+
+## Deployment options
+
+This architecture allows for both simple/standalone setups, or more distributed ones including as illustrated below:
+
+-   One or more machines? Run crowdsec on each (alongside with a remediation component)
+-   Already have a log pit (such as rsyslog or loki)? Run crowdsec next to it, not on the production workloads
+-   Running Kubernetes? Have a look at [our helm chart](/u/getting_started/installation/kubernetes)
+-   Running containers? The [docker data source](/docs/data_sources/docker) might be what you need
+-   Just looking for a WAF? Look at [our quickstart](/appsec/intro.md)
+
+Distributed architecture example:
 
-<div style={{display: 'flex'}}>
-    <div style={{textAlign: 'center', flex: '1'}}>
-    <img src={useBaseUrl('/img/crowdsec_architecture.png')}></img>
+<div style={{ display: "flex" }}>
+    <div style={{ textAlign: "center", flex: "1" }}>
+        <img src={useBaseUrl("/img/distributed_SE_setup.svg")}></img>
     </div>
 </div>
 
 <AcademyPromo
-  image="crowdsec_fundamentals.svg"
-  description="Watch a short series of videos on how to install CrowdSec and protect your infrastructure"
-  title="More ways to learn"
-  course="crowdsec-fundamentals"
-  utm="?utm_source=docs&utm_medium=banner&utm_campaign=intro-page&utm_id=academydocs"
-/>
+    image="crowdsec_fundamentals.svg"
+    description="Watch a short series of videos on how to install CrowdSec and protect your infrastructure"
+    title="More ways to learn"
+    course="crowdsec-fundamentals"
+    utm="?utm_source=docs&utm_medium=banner&utm_campaign=intro-page&utm_id=academydocs"
+/>
diff --git a/crowdsec-docs/docusaurus.config.js b/crowdsec-docs/docusaurus.config.js
@@ -5,6 +5,7 @@ const {
     ctiApiSidebar,
     guidesSideBar,
 } = require("./sidebarsUnversioned.js")
+const tailwindConfig = require("./tailwind.config.js")
 
 const generateCurrentAndNextRedirects = (s) => [
     {
@@ -72,7 +73,7 @@ module.exports = {
         announcementBar: {
             id: "banner_docs",
             content:
-                '<a target="_blank" href="https://doc.crowdsec.net/u/user_guides/alert_context">Learn how to improve alert visualisation and threat hunting with alert context</a>',
+                '<a target="_blank" href="https://doc.crowdsec.net/docs/next/appsec/intro">Learn how to guard your webserver in real-time with the CrowdSec WAF</a>',
             backgroundColor: "#F8AB13",
             textColor: "#131132",
             isCloseable: true,
@@ -83,6 +84,14 @@ module.exports = {
             indexName: "crowdsec",
             contextualSearch: true,
         },
+        zooming: {
+	    selector: '.markdown :not(a) > img',
+            delay: 500,
+            background: {
+            	light: 'rgba(101,108,133,0.8)',
+            	dark: 'rgba(9,10,17,0.8)'
+            },
+        },
         navbar: {
             items: [],
         },
@@ -264,6 +273,7 @@ module.exports = {
         ],
     ],
     plugins: [
+        "docusaurus-plugin-zooming",
         [
             "@docusaurus/plugin-content-docs",
             {
@@ -303,16 +313,6 @@ module.exports = {
                 ],
             },
         ],
-        async function myPlugin(context, options) {
-            return {
-                name: "docusaurus-tailwindcss",
-                configurePostCss(postcssOptions) {
-                    // Appends TailwindCSS and AutoPrefixer.
-                    postcssOptions.plugins.push(require("tailwindcss"))
-                    postcssOptions.plugins.push(require("autoprefixer"))
-                    return postcssOptions
-                },
-            }
-        },
+        "./plugins/tailwind-config.js",
     ],
 }