I’ve been using @einschmidt caddy homeassistant addon and its great. I also just learned there is a homeassistant crowdsec addon which can be integrated for enhanced security. “CrowdSec offers a crowd-based cybersecurity suite to protect your online services, visualize & act upon threats, and a TIP (Threat Intel Platform) to block malicious IPs.” I hope people will find this useful as I didn’t find any information on integrating crowdsec with caddy running on homeassistant. The crowdsec homeassistant addon is meant to directly parse homeassistant logs, but it can be integrated with einschmidt’s caddy addon. I just started using this, so not 100% sure everything is working correctly.
-
Update caddy binary in homeassistant to include the crowdsec bouncer
- Go to: Download Caddy
- Select your architecture in the top left selector (linux amd64, etc)
- Type crowdsec in the filterbox
- Click in the white space in the crowdsec box that shows up to select it. It should have a bluebox around it and the “Extra features:” banner at the top of the webpage should read “1”.
- Click the blue download button
- rename the downloaded file to “caddy”, copy the file to your homeassistant /share/caddy/ directory, this will load our custom binary over the default version of caddy included in the addon
-
Get the crowdsec homeassistant addon. It is made by crowdsec, but right now it is a version behind
- Add a custom addon repository:
https://github.com/crowdsecurity/home-assistant-addons
- Install and run the Crowdsec addon (not the Crowdsec Firewall Bouncer). Don’t change anything in the configuration
- Open the webui, which is really just a terminal
- type:
cscli bouncers add MyBouncerName
and copy the API key somewhere safe
- Add a custom addon repository:
-
Add the config to your caddyfile in /share/caddy/Caddyfile
- To the top block make it look like:
{
email [email protected]
debug
order crowdsec first # this ensures that the CrowdSec module is executed before any other HTTP handlers
crowdsec {
api_url http://424ccef4-crowdsec:8080/ # This is the URL of the homeassistant addon, leave it like this
api_key APIKEY # the secret API key for the bouncer to authenticate against LAPI
ticker_interval 15s
}
}
- For any of your reverse proxy blocks:
homeassistant.yourdomain.com {
import header #if you use a headerblock
encode gzip
crowdsec # this will fail and prevent the proxy from running if IP is banned
reverse_proxy 192.168.1.XX:8123
}
-
Restart caddy and hopefully it just works. If it works, you can remove the debug line in the top caddyfile block
- You can get some idea if things are working by going to crowdec addon WebUI terminal
- type:
cscli metrics
-
Optional: Create a crowdsec account to more easily see what is going on
- go to https://www.crowdsec.net/
- Create an account and login
- Click add instance in top right
- Go to the bottom and there will be a command to “Enroll your CrowdSec instance!”
- copy the line without the sudo:
cscli console enroll XXXXXXX
- Go to homeassistant crowdsec addon, open webui terminal, paste above command
- Go back to crowdsec and there should be an alert to accept enrollment
- The webui only updates every 30 minutes
The above only uses the API to check againt crowdsources issues. However, you may want to have crowdsec parse your caddy logs to find a direct attack on you. This requires more work because it seems the caddy crowdsec parser does not work, but we can make caddy output apache2 style logs.
Redownload and replace caddy binary with caddyserver/transform-encoder in addition to the caddy-crowdsec-bouncer.
In your cadyfile, tell each reverse proxy instance to output a log:
homeassistant.yourdomain.com {
log {
format transform "{common_log}"
}
import header #if you use a headerblock
encode gzip
crowdsec # this will fail and prevent the proxy from running if IP is banned
reverse_proxy 192.168.1.XX:8123
}
Also add the log line to your top block, to catch attackers who are pinging you IP but not your hostname
{
email [email protected]
debug
order crowdsec first # this ensures that the CrowdSec module is executed before any other HTTP handlers
crowdsec {
api_url http://424ccef4-crowdsec:8080/ # This is the URL of the homeassistant addon, leave it like this
api_key APIKEY # the secret API key for the bouncer to authenticate against LAPI
ticker_interval 15s
}
log {
format transform "{common_log}"
}
}
restart caddy
login into crowdsec webui and install the apache2 parser:
cscli collections install crowdsecurity/apache2
restart crowdsec
edit “\HOMEASSISTANT\config.storage\crowdsec\config\parsers\s01-parse\apache2-logs.yaml”
make the filter line look like this, so it finds the log written by the caddy addon:
filter: "evt.Parsed.program startsWith 'addon_c80c7555_caddy-2'"
restart crowdsec again.
if you run cscli metrics
you should see it is parsing apache2 logs
Good luck