CrowdSec

CrowdSec: IDS/IPS/WAF Community

Parser failure

Hello! I am currently trying to use crowdsec on my Apache Guacamole server. I used the corvese/apache-guacamole-logs collection, and edited the pattern of the parser. Sadly, I always get a parser failure, but my pattern is supposed to work according to https://grokdebugger.com/ ...

Postoverflow Whitelist Ignored

Hi there! We have a custom postoverflow whitelist solution, but lately a customer has been complaining that their API bot is being banned despite being on our whitelist. I've been debugging the issue for hours, but can't find why this happens. We have the same whitelist system running on multiple servers, and it works flawlessly on our SMTP servers for example. ...

nginx: [error] [lua] crowdsec.lua:130: init(): APPSEC is enabled on 'crowdsec:7422'

Is this an error saying it can't connect to my appsec instance? Logs show that it is running and listening on that port. I am using the nginx bouncer mod for SWAG.

Mikrotik, 2x Caddy (internal only/ internal + public)

Hi all. I have a small homelab where I have Proxmox and a few services: NetBird, Keycloak, RustDesk, Pihole, 2x Caddy (one as internal proxy for services that I do not want to be on the public internet and a second for publicly available services), ... As the main router I have a Mikrotik cloud switch CRS125. What is the optimal CrowdSec setup in this env? Only router, or router + Caddy (external), or router + 2x Caddy, or only proxy servers? Where to parse logs and where to block?...

CrowdSec Runtime Error: High CPU Load and Memory Errors Causing Restarts

Hi team, I'm encountering severe performance and stability issues when running CrowdSec with the AppSec component under high traffic conditions. Here are the details: ...

Correctly block Cloudflare proxies IPs

Hey, so my problem currently is that Crowdsec only blocks IPs that are set to DNS only, since Cloudflare Orange Cloud will change the visitor's IP of course. I followed this guide to restore the original visitor IP addresses: https://github.com/ergin/nginx-cloudflare-real-ip ...

Which haproxy frontend does the crowdsec use to query decisions?

Hello. I have been running crowdsec's haproxy bouncer on OPNSense for a while using the two backends it requires. Which front end OR one of these backends does the bouncer query every 10 seconds please? What do I want to do?: The haproxy logs have these queries every 10 seconds and make it difficult to work with haproxy, in the sense that it is over-polluted with these log entries. I am trying and failing so far to mute these log entries. I am setting the "http-request set-log-level silent" on the http front end but I'm not having success. I am doing it wrong because I am going blind. The muting of logs can only be done on a front end in haproxy, not on a backend. So I'm hoping you tell me that the queries, i.e. "2025-07-01T22:27:11 Informational haproxy -:- [01/Jul/2025:22:27:11.238] <HTTPCLIENT> -/- 2/0/0/65/65 200 153 - - ---- 0/0/0/0/0 0/0 {} "GET http://192.168.5.1:8081/v1/decisions/stream?startup=false HTTP/1.1"", are going to the front end, so I can keep trying there. If you said: no, the queries are going to the crowdsec backend, then I am snookered....

Whitelist

So I've been trying to whitelist the IPs of my provider without any success. I tried via Parsers, Postoverflow, and Allowlist; nothing worked for me. And I've got no clue what the problem is. Sometimes I got a config error fixed, the spacing worked, no problems yet, then got banned again. I got so angry that I removed everything that I tried, so I will gladly appreciate any help towards the right direction....

How much does it cost to implement CrowdSec in Coolify?

I read this guide https://www.crowdsec.net/blog/securing-automated-app-deployment-crowdsec-and-coolify and I want to implement CrowdSec. How does it guarantee security? For example, if my server receives a DDoS attack, does CrowdSec understand this and protect the server? How much does CrowdSec cost?

Cloudflare, Traefik and Crowdsec

As the title implies, I am running services like nginx (webservers) behind Crowdsec behind Traefik behind Cloudflare. I have almost correctly set up the "CTS" stack (crowdsec makes decisions, parses logs, etc.), but one key thing is not working: the fact that I am behind the Cloudflare proxy means that traefik receives requests from Cloudflare IPs, but that isn't the issue (?), because I have set up a CF-Real-IP plugin with traefik, but Crowdsec is still banning CF IPs, which is really devastating. Each time some malicious actor starts http-probing etc. a CF IP gets banned; the longer this goes on, the more CF IPs get banned and the more I am locked out of my network....

Help Connecting Unraid Docker Agent to OPNsense plugin?

I have the Crowdsec plugin installed on OPNSense (primary LAPI host) and I'm trying to set up the Docker container on Unraid as an agent so it can scan the logs of my internet-facing services and coordinate with a SWAG bouncer. I've tried this 2 different ways: (On OPNsense)...

Need Help Whitelisting Specific URL Paths

Hi everyone, I am facing a temporary issue with our application, where the following URLs are getting hit frequently (mostly via POST requests), causing CrowdSec scenarios like http-probing and http-open-proxy to trigger. I've identified these URL patterns that are safe and need to be whitelisted until we fix the app...

Are there currently still problems with pfsense 2.8.0?

Hi everyone, I just did a fresh install of pfSense 2.8 and restored my config backup from version 2.7.2. After that, I installed CrowdSec 1.6.9 using the GitHub script as usual — but unfortunately, the services won’t start. Are there any known issues with this setup, or did I mess something up? ...

Help Request: CrowdSec CAPI Connection Blocked – Proxy Support?

Hi everyone! 👋 I'm currently running CrowdSec on my server, but it's unable to connect to https://api.crowdsec.net/ due to heavy network censorship and governmental blocks (a lot of CDNs and websites are affected in my region). Because of this, the CAPI communication fails, and CrowdSec can't function as intended....

countries are not listed

I attempted to install the dashboard today and succeeded, but I noticed that there are no countries listed for banned IPs or in the decision table. They have been there. I am a bit unsure of what to post since logs don't mention anything. I'm running crowdsec on unraid ...

Whitelisting Google Maps and reCAPTCHA

The installation of CrowdSec and crowdsec-firewall-bouncer-iptables on an Ubuntu 24.04 server running Nginx has successfully enabled the blocking of malicious attacks. However, this security measure is also inadvertently preventing access to Google Maps and Google reCAPTCHA services on the hosted websites. Assistance is required to configure whitelisting rules that will allow these specific Google services to function properly while maintaining the overall security provided by CrowdSec. Please h...

Got 502 from bouncer to LAPI when enabling trusted_ips and use_forwarded_for_headers

Hello, I'm running crowdsec on rootless podman; the LAPI is behind a caddy reverse proxy (also running in a container). All is working fine, but one thing is not very clean: when I enroll a bouncer, I get the IP of caddy and not the IP of the host where the bouncer is installed. So that's why I try to change the config.yaml by enabling the two settings: use_forwarded_for_headers to true and trusted_ips. ...

Parser failures with NPMplus logs

Using the collection here: https://app.crowdsec.net/hub/author/ZoeyVid/collections/npmplus The npmplus-logs parser fails to parse log lines, and I wanted to reach you before I waste too much time learning to fix it if the issue is somewhere else. I force-upgraded the parser to restore the original state before reporting the issue. The explain parameter was used with log and file options. The setup itself consists of the npmplus container installed with proxmox helper scripts. If I'm not mistaken, parser success is achieved only when it's whitelisted or matches a scenario. It could explain the test results in cscli_explain_pt2.txt. Basically, lines with a local IP work well, or at least they are handled because of the whitelist. I cannot make safe or attack attempts work when a public IP is used. There are many scenarios installed, such as http-sensitive-files. ...

Let's Encrypt IPs Blocked by CAPI – Need Whitelisting Guidance

It looks like some Let's Encrypt IPs are being blocked at the CAPI level. I am using the CrowdSec NGINX bouncer. As a result, certificate issuance/renewal is failing. Could you please advise on a proper workaround or whitelist method to allow these? Below are the IPs that were recently banned: `23.178.112.219 ...

Enroll command bug?

Enroll command failed with fatal error: cscli console enroll -e context cljg0p3bt0000mh081lyrcu9d FATA[0000] unknown shorthand flag: 'e' in -e...