Correctly block Cloudflare proxies IPs
Hey so my problem currently is that Crowdsec only blocks Ips that are set to DNS only since Cloudflare Orange Cloud will change the visitors IP of course.
I followed this guide to restore the orignal visitors ip addresses:
https://github.com/ergin/nginx-cloudflare-real-ip
...
Which haproxy frontend does the crowdsec use to query decisions?
Hello. I have been running crowdsec's haproxy bouncer on OPNSense for a while using the two backends it requires. Which front end OR one of these backends does the bouncer query every 10 seconds please?
What do I want to do?: The haproxy logs have these queries every 10 seconds and make it difficult to work with haproxy, in the sense that is overpolluted with these log entries.
I am trying and failing so far to mute these log entries. I am setting the "http-request set-log-level silent" on the http front end but I'm not having success. I am doing it wrong because I am going blind.
The muting of logs can only be done on a front end on haproxy, not on a backend. So I'm hoping you tell me that the queries ie. "2025-07-01T22:27:11 Informational haproxy -:- [01/Jul/2025:22:27:11.238] <HTTPCLIENT> -/- 2/0/0/65/65 200 153 - - ---- 0/0/0/0/0 0/0 {} "GET http://192.168.5.1:8081/v1/decisions/stream?startup=false HTTP/1.1"" are going to the front end, so I can keep trying there.
If you said: no the queries are going to the crowdsec backend, then I am snookered....
Whitelist
So I’ve been trying to whitelist the IPs of my provider without any success.
I tried via Parsers, Postoverflow, and Allowlist; nothing worked for me. And I got no clue what the problem is. Sometimes I got a config error fixed, the spacing worked, no problems yet, got banned again.
I got so angry that I removed everything that I tried, so I will gladly appreciate any help towards the right direction....
How much cost implement CrowdSec in Coolify?
I read this guide https://www.crowdsec.net/blog/securing-automated-app-deployment-crowdsec-and-coolify and I want implement CrowdSec. How it guarantee security? For example if my server receive a ddos attack, CrowdSec understand this and protect the server? How much CrowdSec cost?
Cloudflare, Traefik and Crowdsec
As the title implies I am running services like nginx (webservers) behind Crowdsec behind Traefik behind Cloudflare.
I have almost correctly setup the „CTS“ Stack (crowdsec makes decisions parses logs, etc.), but one key thing is not working:
The fact that I am behind the Cloudflare proxy means that traefik receives Requests from Cloudflare IPs, but that isnt the issue (?),
because I have setup a CF-Real-IP plugin with traefik, but Crowdsec is still banning CF IPs which is really devastating.
Each time some malicious actor starts http-probing etc. a CF IP gets banned, the longer this goes on the more CF IPs get banned and the more I am locked out of my network....
Help Connecting Unraid Docker Agent to OPNsense plugin?
I have the Crowdsec plugin installed on OPNSense (primary LAPI host) and I'm trying to setup the docker on Unraid as an agent so it can scan the logs of my internet-facing services and coordinate with a SWAG bouncer.
I've tried this 2 different ways:
(On OPNsense)...
Need Help Whitelisting Specific URL Paths
Hi everyone,
I am facing a temporary issue with our application, where the following URLs are getting hit frequently (mostly via POST requests), causing CrowdSec scenarios like http-probing and http-open-proxy to trigger.
I’ve identified these URL patterns that are safe and need to be whitelisted until we fix the app...
Are there currently still problems with pfsense 2.8.0?
Hi everyone,
I just did a fresh install of pfSense 2.8 and restored my config backup from version 2.7.2. After that, I installed CrowdSec 1.6.9 using the GitHub script as usual — but unfortunately, the services won’t start.
Are there any known issues with this setup, or did I mess something up?
...
Help Request: CrowdSec CAPI Connection Blocked – Proxy Support?
Hi everyone! 👋
I'm currently running CrowdSec on my server, but it's unable to connect to https://api.crowdsec.net/ due to heavy network censorship and governmental blocks (a lot of CDNs and websites are affected in my region).
Because of this, the CAPI communication fails, and CrowdSec can't function as intended....
countries are not listed
I attempted to install the dashboard today and succeded, but i noticed that there is no countries listed for banned ip or in the decision table.
they have been there.
I am a bit unsure of what to post since logs dont mention anything.
I'm rinning crowdsec on unraid ...
Whitelisting Google Maps and reCAPTCHA
The installation of CrowdSec and crowdsec-firewall-bouncer-iptables on an Ubuntu 24.04 server running Nginx has successfully enabled the blocking of malicious attacks. However, this security measure is also inadvertently preventing access to Google Maps and Google reCAPTCHA services on the hosted websites. Assistance is required to configure whitelisting rules that will allow these specific Google services to function properly while maintaining the overall security provided by CrowdSec. Please h...
Got 502 from bouncer to LAPI when enabling trusted_ips and use_forwarded_for_headers
Hello
i'm running crowdsec on rootless podman, the LAPI is behind a caddy reverse proxy (also running in a container).
All is working fine, but one thing is not very clean, when i enroll a bouncer, i got the IP of caddy and not the ip of the host where is installed the bouncer. So that's why i try to change the config.yaml by enabling the two settings: use_forwarded_for_headers to true and trusted_ips.
...
Parser failures with NPMplus logs
Using the collection here: https://app.crowdsec.net/hub/author/ZoeyVid/collections/npmplus
The npmplus-logs parser fails to parse log lines and I wanted to reach you before I waste too much time by learning to fix it if the issue is somewhere else. I force upgraded the parser to restore the original state before reporting about the issue. Explain parameter was used with log and file options. The setup itself consists of the npmplus container installed with proxmox helper scripts.
If I'm not mistaken, parser success is achieved only when it's whitelisted or matches a scenario. It could explain the test results in cscli_explain_pt2.txt. Basically lines with local IP work well or at least they are handled because of the whitelist. I cannot make safe or attack attempts to work when public IP is used. There are many scenarios installed, such as http-sensitive-files.
...
Let's Encrypt IPs Blocked by CAPI – Need Whitelisting Guidance
It looks like some Let's Encrypt IPs are being blocked at the CAPI level I am using the CrowdSec NGINX bouncer. As a result, certificate issuance/renewal is failing. Could you please advise on a proper workaround or whitelist method to allow these?
Below are the IPs that were recently banned:
`23.178.112.219 ...
Enroll command bug ?
enroll command failed with Fatal error : cscli console enroll -e context cljg0p3bt0000mh081lyrcu9d
FATA[0000] unknown shorthand flag: 'e' in -e...
Decisions not displaying on browser page.
Good day all 🙂
I am new to Crowdsec and need some help, please. For some reason, the decisions page no longer displays anything. It used to work, but suddenly stopped working correctly. I do not recall doing anything weird that might have caused this. I tried re-enrolling the engine and added the nginx bouncer again, but this did not work. The console status shows everything as activated with a checkmark. I am not really sure where to look, so I would really appreciate some guidance. Also, worth mentioning, I am running the latest version of Ubuntu Server.
Thanks in advance 🙂 Edit: I should mention that in my crowdsec.log it appears that bans do work "time="2025-06-25T20:14:54+09:00" level=info msg="(MACHINE_ID/crowdsec) crowdsecurity/http-admin-interface-probing by ip 185.177.72.201 (GB/0) : 87600h ban on Ip 185.177.72.201"...
does installed Crowdsec packages smoothly transition to the PfSense upgrade to 2.8.0 release?
i guess title says it all.
just hoping to know before upgrading to the pfSense 2.8.0 release with my current crowsdec package installed, has anyone experienced any transition issues?
pfSense has mixed recommendations on whether to remove all packages before upgrading....
Error 500 connecting to app.crowdsec.net
Error 500 occurs when trying to connect to https://app.crowdsec.net
I tried it from my home network, my mobile network, and from work (which is using a different ISP to my home/mobile and was never associated with any of crowdsec services) and all are showing error 500.
Earlier yesterday, the page would just hang while loading. Now it's a more civilized error 500....
opnsense bombarded with blocks coming OUT of the LAN
https://discord.com/channels/921520481163673640/922593826986672178/1386765255996342317
how to approach it? i see also an ip from an unknown subnet trying to connect to outside...
docs about running tests are incorrect
https://doc.crowdsec.net/docs/contributing/contributing_test_env/
apparenlty anything after
../cscli -c ../dev.yaml hubtest run --all is not working as expected...