CrowdSec

CrowdSec: IDS/IPS/WAF Community

Question about Caddy & Caddy Bouncer

I'm trying to use https://github.com/hslatman/caddy-crowdsec-bouncer with my Caddyfile in order to block malicious IPs, however when I attempted to block my own IP (for testing purposes) I was still able to access the site. Am I doing something wrong? I also have the caddy logs parser as well https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/caddy-logs and I also added Cloudflare's IPs under trusted_proxies and it does show my IP correctly in the caddy log under X-Forwarded-For so I'm not sure as to why IPs aren't being blocked. I also ran `tail /var/log/caddy/caddy.log | head -n 20 | cscli explain -f- --type caddy -v` and it did indicate it was able to parse the log, I can provide a log file of it in DMs if need be...

NGINX Bouncer doesn't resolve domain names with DNSSEC enabled

After enabling DNSSEC in Unbound the NGINX Bouncer stopped resolving my LAPI's domain name. DNS is working perfectly fine.
2025/10/03 20:30:48 [error] 148448#148448: *21469 [lua] stream.lua:157: stream_query_api(): request to crowdsec lapi https://lapi.example.com/v1/decisions/stream?startup=true failed: lapi.example.com could not be resolved (110: Operation timed out), context: ngx.timer
2025/10/03 20:30:48 [error] 148448#148448: *21469 [lua] stream.lua:157: stream_query_api(): request to crowdsec lapi https://lapi.example.com/v1/decisions/stream?startup=true failed: lapi.example.com could not be resolved (110: Operation timed out), context: ngx.timer
...

Traffic being blocked inappropriately

I got the same IP that is being banned repeatedly. By reading the context, I can tell that is watching videos through my self-hosted instance of piped. I have configured OpenVPN on an OpenWRT router I did include tun0 on the FW of the WAN interface. When I visit IP detection websites, it shows the correct IP which is the OpenVPN's server WAN IP. ...

nginx bouncer: attempt to concatenate local 'ip_type' (a nil value)

I just noticed that my NGINX Bouncer has stopped contacting my LAPI for decisions and has stopped bouncing, I re-created the API token for the bouncer just in case it was a weird bug but that didn't fix it. I haven't changed my config in a while so that shouldn't be the issue. I can see in NGINX's logs the Bouncer quits on startup and then never runs again. ``` 2025/10/02 20:47:47 [info] 68873#68873: 1 [lua] crowdsec_nginx.conf:28):5: Initializing stream mode for worker 0, context: init_worker_by_lua...

State of cs-cloud-firewall-bouncer

Hi ! My company is in need of a cloud firewall bouncer that can sync decisions to clouders firewalls. After digging a bit, I found the crowdsecurity/cs-cloud-firewall-bouncer repo which seems to do exactly that. We're willing to add an implementation for Scaleway LB ACLs but wanted to know if we should fork it or if the project is definitively abandoned. Cheers...

Huge RAM consumption after upgrade

Hiya! Our CrowdSec LAPI had been running on 1.6.10 for a while, but our agents got upgraded to 1.7.0. We've just noticed that there have been errors in the communication between the agents and the LAPI, as mentioned here in a few tickets already. We upgraded our LAPI to the newest version and immediately the VM ran out of RAM. ...

Not receiving notifications from (not LAPI) machine

As the title says... I have not been receiving notifications as of recently when an alert originated from my host 'tower'... Distributed setup, mix of containers and native installs, LAPI is a container. Instance not sending notifications is also a container... I don't see any relevant errors in the docker logs. However I have a feeling some parsing is failing and thus not sending anything? I have 2 notification formats, discord & pushover:...

Failed to bind to json

Hi all, I noticed this message being spammed in my docker logs.... ```...

New to crowdsec - conntrack full after installing crowdsec

Uh, hi. I'm pretty new to crowdsec in general, so please pardon me if this is a stupid question. I recently just installed crowdsec replacing fail2ban on my 2 servers, after installing it, I seem to be starting to get some alert from netdata that the conntrack limit is at 100%, which I presume is a bad thing. I'm wondering if there's any config from crowdsec that I can use to help with this? Thanks

nixos

Hey Folks, Sorry to bother you, but do you know which is the "official" NixOS CrowdSec package and which wiring is suggested? (currently using: crowdsec = nixpkgs-unstable.legacyPackages.${system}.crowdsec;) Thanks!...

New to CrowdSec, 5 servers, 3 not sending data to console

I am new to crowdsec, and have 5 servers that I have set up for crowdsec and enrolled in the console. 2 of them are working well, but the other three aren’t sending data. They appear to be working locally just not sending data to console. For example, see the attached screen shot. What I’ve noticed, in comparing the working ones with the non-working ones, is that the working ones show “crowdsec (security engine)” below the CAPI line, and the ones that don’t, don’t. Which totally makes sense. But how to fix?...

Authentik (docker) with remote crowdsec component on network

Trying to determine how to configure the Crowdsec components for Authentik log ingestion and point it to my existing Crowdsec server that already has logs feeding into it. Also curious on how to validate nginx logs are being ingested by the Crowdsec server I already have established....

Allowlisted IP still triggers LePresidente/http-generic-403-bf scenario

Environment: • CrowdSec v1.7.0-c3036e21-docker • Docker deployment with Traefik • Ubuntu Linux ...

Nextcloud client for Linux causes a ban by 'securityEngineIconhttp-crawl-non_statics'

I use the Nextcloud client to sync my local files with my Nextcloud server. This worked very well as long as I was in the same local network as the Nextcloud server. I recently moved to a new location and noticed that crowdsec bans my IP as soon as I boot up my computer. I tracked it down to the Nextcloud Client. I reset the client and set everything up again. A few minutes after the client began to sync all the files to this PC, the internet IP was banned again. I am looking forward to your...

Failed sending alert to LAPI, Invalid character.

Hi, I do get this error when looking at the docker logs: time="2025-09-21T15:00:00+02:00" level=error msg="while pushing to api : failed sending alert to LAPI: API error: invalid character '\x1f' looking for beginning of value" My setup has an OPNsense which acts as the LAPI and a Debian Server with Crowdsec and Nginx Proxy Manager Container. The setup was functional before and when I check the OPNsense I can see alerts from a day before. I'm not really sure if I did something that broke it or if only some alerts get pushed to the OPNsense... I added a new service to my nginx proxy manager today and that's why I looked into crowdsec to check if everything is working. ...

nftables IP ban based on appsec?

I've tried to search for support threads here on discord, but can't really find anything. I've also tried to read the docs and asked chatgpt (incredibly useless, but was worth a try) but I feel like I'm missing something fundamental here. What I want: - AppSec triggered from traefik to add an IP block on nftables. ...

Notification for already banned ip from cscli-import blocklist

I use a script for import ip in abuseipdb with confidence minimum score to 75. Ban duration is 24H. The script uses cscli-import for that. It's the first day I use this script, the script imported +100k ip. Since then, I haven't seen any alerts in CrowdSec....

firewall-bouncer fails to add rules

I just installed the official firewall bouncer in nftables mode but get this error: unable to commit add decisions nftables: failed to flush conn: conn.Receive: netlink receive: no such file or directory. I am using the docker image ghcr.io/shgew/cs-firewall-bouncer-docker...

Postoverflow is not retrieving my link.

Hello, I tried to set up a list of IPs and use it via a Postoverflow scenario, but it didn't work. Do you know why ? ```yaml name: aukfood/aukfood-whitelist description: "Whitelist Aukfood monitoring IPs"...

cscli machines inspect not showing all machine detail in distributed setup

Hey, I am currently trialling a distributed setup. I have a centralised security engine running on a dedicated VM (let's call it server1), then 3 apache webservers with the engine installed doing log parsing and reporting back to the LAPI on Server1. The first webserver we set up is working perfectly, we're seeing tons of alerts and decisions, if I run cscli machines inspect against this machine (server5) I see a ton of acquisition and parser metrics as you would expect for a busy server. However we then set log parsing up on servers 2 and 6 and are not having the same results. If I run machines inspect against server2 I see the machine overview box with the datasource and collection information (this all looks good), but I have no parser or acquisition boxes. If I check logs and metrics on server2 itself it seems to be working as expected, I can see lots of acquisition and parser detail. It's as if it's not making it back to server1 for some reason. ...