C
CrowdSec5mo ago
j0nny54l1v3

Have a working Traefik, trying to enable CrowdSec Appsec feature, need help

The CrowdSec Appsec feature is running in the same bouncer that is reading the Traefik logs, it might be neat to have Appsec running in the main LAPI, but it seems this is not how you are best to configure it. There are two Traefik environments: 1 - Natural Port Forwarded from OPNSense Router to DMZ "ep" Traefik container w/its own Redis/Crowdsec 2 - CloudFlare Tunneled to DMZ "cf" Traefik container w/its own Redis/Crowdsec There is a CrowdSec LAPI environment in its own container w/its own Postgres I'm doing MACVLAN and each device has a RFC1918 address on the network When I enable the CrowdSec feature for site XYZ, the XYZ page no longer responds (this one being browseable by way of a CloudFlare Tunnel) but the ABC page on the same tunnel works. XYZ page does load locally for the "ep" Traefik environment, but not externally. Looking for ways to trouble shoot the paths and to make sure I'm 'activating' the Appsec feature in the correctly place, the CrowdSec docker container that is parsing the Traefik logs. My installation is Multi-Server, with a main CrowdSec running LAPI w/Postgres DB, several CrowdSec log parsers, and a few Bouncers. This is my first time exploring the Appsec feature, and while I've read a bit, have a few things yet to fully understand. Thank you for reading, please help!!
23 Replies
CrowdSec
CrowdSec5mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
j0nny54l1v3
j0nny54l1v3OP5mo ago
Here's the example of my Middleware.yml

Middleware.yml

j0nny54l1v3
j0nny54l1v3OP5mo ago
Here's the Middleware of CrowdSec showing up in Traefik
No description
GNU Plus Windows User
GNU Plus Windows User5mo ago
If you type .env in your browser then you should see CrowdSec's blocked page
j0nny54l1v3
j0nny54l1v3OP5mo ago
That's one of my block commands... lol, if I see that requested in plain text it is added to the block list Why is it there, and what does that mean?
GNU Plus Windows User
GNU Plus Windows User5mo ago
It's a really common file used to store secrets, and way too many sysadmins have that file in webroot. It's meant to protect against that misconfiguration.
j0nny54l1v3
j0nny54l1v3OP5mo ago
You are saying that if CrowdSec blocks a page, it puts something in .env that you can still browse to? My issue is I get an eternal load, it never processes the request, or responds to the requestor
GNU Plus Windows User
GNU Plus Windows User5mo ago
No, I'm saying if it finds .env within the URL then it blocks the request from reaching the backend since it looks like it's trying to access an environment variable file.
j0nny54l1v3
j0nny54l1v3OP5mo ago
What I do not know yet, is how far the integration has processed it.. it would seem I don't see my Bouncer api-ed in, but I do see my log parser...
GNU Plus Windows User
GNU Plus Windows User5mo ago
j0nny54l1v3
j0nny54l1v3OP5mo ago
I'm testing it from outside on a 5G ip, it shouldn't (and as far as I know, doesn't the other sites without the CrowdSec Middlewares enable work) already be filtering me
GNU Plus Windows User
GNU Plus Windows User5mo ago
if you get a CrowdSec block page when you visit .env then that means AppSec is working
j0nny54l1v3
j0nny54l1v3OP5mo ago
Ahh, now I see, "how to trigger a block" I missed that, thank you, I'd like to be able to trigger a CrowdSec block, as of yet, if I enable it on a Route, that route only routes inside
GNU Plus Windows User
GNU Plus Windows User5mo ago
The Traefik bouncer should be forwarding all requests to the Security Engine for inspection, if you want to whitelist a specific route then you'll have to write an AppSec rule to do that.
j0nny54l1v3
j0nny54l1v3OP5mo ago
I only have Appsec-Default set
GNU Plus Windows User
GNU Plus Windows User5mo ago
You don't have any of the vpatch rules installed, or the base config?
j0nny54l1v3
j0nny54l1v3OP5mo ago
poll_without_inotify: false
filenames:
  - /var/log/traefik/*.log
labels:
  type: traefik
---
appsec_config: crowdsecurity/appsec-default
labels:
    type: appsec
listen_addr: <REDACTED>:7422
source: appsec
poll_without_inotify: false
filenames:
  - /var/log/traefik/*.log
labels:
  type: traefik
---
appsec_config: crowdsecurity/appsec-default
labels:
    type: appsec
listen_addr: <REDACTED>:7422
source: appsec
Is in the CrowdSec container for that Traefik docker-compose.yml has this around that... 
    environment:
      COLLECTIONS: "crowdsecurity/appsec-crs crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/traefik crowdsecurity/whitelist-good-actors crowdsecurity/linux crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/nginx crowdsecurity/wordpress timokoessler/gitlab"
      PARSERS: crowdsecurity/whitelists crowdsecurity/pam-logs crowdsecurity/docker-logs
      SCENARIOS: crowdsecurity/http-cve-probing crowdsecurity/http-generic-bf crowdsecurity/http-dos-invalid-http-versions crowdsecurity/http-admin-interface-probing crowdsecurity/http-wordpress_wpconfig ltsich/http-w00tw00t crowdsecurity/http-probing crowdsecurity/http-bf-wordpress_bf_xmlrpc crowdsecurity/http-backdoors-attempts crowdsecurity/http-bf-wordpress_bf crowdsecurity/http-crawl-non_statics crowdsecurity/http-open-proxy crowdsecurity/http-sensitive-files crowdsecurity/http-sqli-probing crowdsecurity/http-wordpress-scan crowdsecurity/http-wordpress_user-enum crowdsecurity/http-xss-probing crowdsecurity/http-bad-user-agent crowdsecurity/http-cve-2021-41773 crowdsecurity/http-cve-2021-42013 crowdsecurity/http-path-traversal-probing aidalinfo/tcpudp-flood-traefik
    environment:
      COLLECTIONS: "crowdsecurity/appsec-crs crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/traefik crowdsecurity/whitelist-good-actors crowdsecurity/linux crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/nginx crowdsecurity/wordpress timokoessler/gitlab"
      PARSERS: crowdsecurity/whitelists crowdsecurity/pam-logs crowdsecurity/docker-logs
      SCENARIOS: crowdsecurity/http-cve-probing crowdsecurity/http-generic-bf crowdsecurity/http-dos-invalid-http-versions crowdsecurity/http-admin-interface-probing crowdsecurity/http-wordpress_wpconfig ltsich/http-w00tw00t crowdsecurity/http-probing crowdsecurity/http-bf-wordpress_bf_xmlrpc crowdsecurity/http-backdoors-attempts crowdsecurity/http-bf-wordpress_bf crowdsecurity/http-crawl-non_statics crowdsecurity/http-open-proxy crowdsecurity/http-sensitive-files crowdsecurity/http-sqli-probing crowdsecurity/http-wordpress-scan crowdsecurity/http-wordpress_user-enum crowdsecurity/http-xss-probing crowdsecurity/http-bad-user-agent crowdsecurity/http-cve-2021-41773 crowdsecurity/http-cve-2021-42013 crowdsecurity/http-path-traversal-probing aidalinfo/tcpudp-flood-traefik
i also wrote a thing to cause it to hub update and hub upgrade as it seems to otherwise error on some files getting that maxmind db, pretty cool i also disable its server on the Traefik CrowdSec and have it configured to talk to the LAPI CrowdSec which is a different container in a different zone the log parser signs in, but the bouncer never does not sure, this is totally new space for me
GNU Plus Windows User
GNU Plus Windows User5mo ago
I don't see https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/base-config which isn't strictly necessary if you don't want to inspect the request body (If your using AppSec you'll want this anyway). Again, if you just visit your site protected by AppSec and visit /.env then you should see a block page. or you can just run this curl command: curl https://yourdomain.com/.env --head you should see 403 in the first line Output should look something like this: 
HTTP/2 403
date: Tue, 01 Apr 2025 06:28:49 GMT
content-type: text/html
content-length: 146
HTTP/2 403
date: Tue, 01 Apr 2025 06:28:49 GMT
content-type: text/html
content-length: 146
j0nny54l1v3
j0nny54l1v3OP5mo ago
Adding to multiple docker-compose.yml - thank you
GNU Plus Windows User
GNU Plus Windows User5mo ago
You just need to add it to the one docker container that has AppSec
j0nny54l1v3
j0nny54l1v3OP5mo ago
Oh, I just checked out the https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-generic-rules and it includes that already
GNU Plus Windows User
GNU Plus Windows User5mo ago
in that case everything should work fine, just run the curl command I gave earlier and see if you get blocked.
j0nny54l1v3
j0nny54l1v3OP5mo ago
for some reason, i cannot seem to use the redis cache, not sure why, but when i disabled the redis cache it has started working @GNU Plus Windows User also, thank you for the ".env" test, that worked quiet well

Did you find this page helpful?