Appsec + Traefik = 403

Hey, I'm running crowdsec bare metal with TLS authentication and wanted to use appsec with traefik. I configured the traefik bouncer according to the docs, but when I enable Appsec the site only responds with 403 error messages. With appsec disabled all works fine. The bouncer is registered in the remote LAPI. I'm running ubuntu 24.04 and the latest traefik docker version. I tried to disable every single option from the appsec dynamic config without success and also tried with api-key authentication. I don't see any errors in the logs from either crowdsec or traefik. It just doesn't work when I enable appsec. I attached some logs and config files and would appreciate any help or hints on what could be wrong. Thanks and best regards, 79
9 Replies
CrowdSec (9mo ago)
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
se7entynine (OP, 9mo ago)
Version:
version: v1.6.4-debian-pragmatic-amd64-fb733ee4
Codename: alphaga
BuildDate: 2024-11-20_13:32:55
GoVersion: 1.23.3
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.4-debian-pragmatic-amd64-fb733ee4-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_wineventlog
Unknown User (9mo ago)
Message Not Public
iiamloz (9mo ago)
Currently appsec does not support TLS level authentication; it only supports api key at the moment.
se7entynine (OP, 9mo ago)
Unfortunately, even switching to api-key doesn't solve the problem, as it's the same behaviour. Not sure what changed, but after changing to api-key I only get blank sites with error 403 (even when switching back to TLS). That pops up in the crowdsec log on the traefik machine:
time="2025-01-11T02:25:21+01:00" level=error msg="heartbeat error: Get \"https://security.localdomain:8080/v1/heartbeat\": performing jwt auth: read tcp 192.168.10.21:59716->192.168.10.20:8080: read: connection reset by peer"
time="2025-01-11T02:25:21+01:00" level=error msg="heartbeat error: Get \"https://security.localdomain:8080/v1/heartbeat\": performing jwt auth: read tcp 192.168.10.21:59716->192.168.10.20:8080: read: connection reset by peer"
Can't find any anomalies in the crowdsec machine logs. Any idea what I can test to find the cause? Yes, this was intentional, as the bouncer worked without Appsec and with TLS authentication. Tried both options without different behaviour - usually in the entrypoint config. I can ping the crowdsec instance from my traefik container and machine on both port 7422 and 8080, and the host crowdsec instance is running fine. No clue what could be wrong...
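A small parser for the bouncer log lines quoted above, added here as an illustration and not part of the thread or of CrowdSec's code: it unescapes the logfmt `msg` field and groups heartbeat errors by LAPI URL, failure stage and peer, so repeated lines collapse into one count and a transport-level failure during `performing jwt auth` is visible at a glance. The sample input is constructed from the two lines above plus one made-up info line.

```python
import re
from collections import Counter

# Constructed sample input: the two bouncer log lines quoted in the thread,
# plus one made-up info line so the parser sees more than one level.
SAMPLE_LOG = r'''time="2025-01-11T02:25:21+01:00" level=error msg="heartbeat error: Get \"https://security.localdomain:8080/v1/heartbeat\": performing jwt auth: read tcp 192.168.10.21:59716->192.168.10.20:8080: read: connection reset by peer"
time="2025-01-11T02:25:21+01:00" level=error msg="heartbeat error: Get \"https://security.localdomain:8080/v1/heartbeat\": performing jwt auth: read tcp 192.168.10.21:59716->192.168.10.20:8080: read: connection reset by peer"
time="2025-01-11T02:25:31+01:00" level=info msg="bouncer started (constructed line)"
'''

# key=value pairs; a value is either "quoted with \" escapes" or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')
HEARTBEAT_RE = re.compile(r'heartbeat error: Get "(?P<url>[^"]+)": (?P<detail>.*)')
PEER_RE = re.compile(r'read tcp (?P<src>\S+)->(?P<dst>\S+): read: (?P<err>.*)')


def parse_logfmt(line):
    """Return the key/value fields of one logfmt line, escaped quotes unescaped."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted.replace('\\"', '"') if quoted is not None else bare
    return fields


def classify_heartbeat(msg):
    """Split a heartbeat error into (url, stage, peer, error), or None."""
    m = HEARTBEAT_RE.match(msg)
    if not m:
        return None
    detail = m.group('detail')
    # "performing jwt auth" means the bouncer was still authenticating to
    # LAPI when the connection dropped, before any decision could be fetched
    stage = 'jwt auth' if detail.startswith('performing jwt auth') else 'request'
    p = PEER_RE.search(detail)
    return (m.group('url'), stage, p.group('dst') if p else None,
            p.group('err') if p else detail)


def summarize(log_text):
    """Count lines, error lines and distinct heartbeat failures in a log."""
    result = {'lines': 0, 'errors': 0, 'heartbeat': Counter()}
    for line in filter(None, log_text.splitlines()):
        f = parse_logfmt(line)
        result['lines'] += 1
        if f.get('level') == 'error':
            result['errors'] += 1
        key = classify_heartbeat(f.get('msg', ''))
        if key:
            result['heartbeat'][key] += 1
    return result
```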
Unknown User (9mo ago)
Message Not Public
se7entynine (OP, 9mo ago)
Version:
version: v1.6.4-debian-pragmatic-amd64-fb733ee4
Codename: alphaga
BuildDate: 2024-11-20_13:32:55
GoVersion: 1.23.3
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.4-debian-pragmatic-amd64-fb733ee4-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_wineventlog
This is the version of my remote LAPI server. The other machines are on 1.6.4 as well. All bouncers are on 0.0.31 except the traefik-plugin, which is on 1.x.x.