CrowdSec • 3mo ago
DJKatastrof

Caddy Crowdsec no metrics

Hey, I have set up Caddy with my LAPI server, but I get no metrics on my local Caddy server. Is there any way I can trigger some data on my Caddy server? 🙂
```
root@caddy:/etc/caddy# cscli lapi status
Loaded credentials from /etc/crowdsec/local_api_credentials.yaml
Trying to authenticate with username 05df2289423749b2b886804c4896e19emHuqX7QUukYJH4S2 on http://192.168.1.19:8080/
You can successfully interact with Local API (LAPI)
```
```
root@crowdsec-lapi:/usr/local/mesh_services/meshagent# cscli bouncer inspect caddy
─────────────────────────────────────────────────────
Bouncer: caddy
─────────────────────────────────────────────────────
Created At    2025-06-03 12:21:01.470137 +0200 CEST
Last Update   2025-06-04 13:09:51.030755 +0200 CEST
Revoked?      false
IP Address    192.168.1.53
Type          caddy-cs-bouncer
Version       v0.8.1
Last Pull     2025-06-04 13:09:51.030753 +0200 CEST
Auth type     api-key
OS            ?
Auto Created  false
```
15 Replies
CrowdSec • 3mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
DJKatastrof (OP) • 3mo ago
machine info from the lapi server
```
╭───────────────────────────────────────────────────────────╮
│ Machine: 05df2289423749b2b886804c4896e19emHuqX7QUukYJH4S2 │
├──────────────────┬────────────────────────────────────────┤
│ IP Address       │ 192.168.1.53                           │
│ Created At       │ 2025-06-03 12:23:30.086882 +0200 CEST  │
│ Last Update      │ 2025-06-04 13:10:14.508281 +0200 CEST  │
│ Last Heartbeat   │ 2025-06-04 13:10:14.50828 +0200 CEST   │
│ Validated?       │ true                                   │
│ CrowdSec version │ v1.6.8-debian-pragmatic-amd64-f209766e │
│ OS               │ Debian GNU/Linux/12                    │
│ Auth type        │ password                               │
│ Datasources      │ journalctl: 1                          │
│ Collections      │ crowdsecurity/base-http-scenarios      │
│                  │ crowdsecurity/caddy                    │
│                  │ crowdsecurity/http-cve                 │
│                  │ crowdsecurity/linux                    │
│                  │ crowdsecurity/sshd                     │
╰──────────────────┴────────────────────────────────────────╯
```
iiamloz • 3mo ago
At the moment I don't believe Caddy supports metrics to LAPI.
DJKatastrof (OP) • 3mo ago
Oh, that explains it 😅 Is there any way I can trigger a http-cve or something?
iiamloz • 3mo ago
You can run a tool called nikto, which scans for CVEs on the webserver; however, just be careful as it will ban your IP.
DJKatastrof (OP) • 3mo ago
But based on the connection and all, it seems like I set up everything correctly? Thanks!
iiamloz • 3mo ago
Yeah, if you connected to LAPI and your cscli metrics are going up when handling connections (as in log lines, unless you're using appsec) then yeah, lgtm.
DJKatastrof (OP) • 3mo ago
Ah cool, this goes up on my LAPI server when I access a service externally on
```
╭─────────────────────────────────────────────╮
│ Local API Bouncers Decisions                │
├─────────┬───────────────┬───────────────────┤
│ Bouncer │ Empty answers │ Non-empty answers │
├─────────┼───────────────┼───────────────────┤
│ caddy   │ 14296         │ 31                │
```
iiamloz • 3mo ago
Yeah, so Caddy is going to your LAPI server, but the connected CrowdSec will push alerts once it notices something on Caddy itself. You can run cscli metrics on the connected one as well to see the parsed lines.
DJKatastrof (OP) • 3mo ago
connected one? my caddy server? What's the recommended config for the caddy crowdsec plugin? right now mine is,
```
crowdsec {
    api_url http://192.168.1.19:8080
    api_key redacted
    ticker_interval 60s
    disable_streaming
}
```
iiamloz • 3mo ago
That is fine, but what I meant was you configured your caddy to log to a file then the local crowdsec is monitoring those logs?
DJKatastrof (OP) • 3mo ago
Hmm, no. I have not configured anything like that, maybe I missed that? I installed the plugin on Caddy, created the bouncer on LAPI, took the API key, inserted it into my Caddy config, and then validated my machine on LAPI. Are there any more steps?
iiamloz • 3mo ago
Yes, you would need to configure logging on Caddy, then set up an acquisition.

```
mkdir -p /var/log/caddy/
```

Then, add the following global options to your Caddyfile:

```
{
    crowdsec {
        api_url http://127.0.0.1:8080
        api_key <api_key>
        ticker_interval 15s
    }
    log {
        output file /var/log/caddy/access.log {
            roll_size 30MiB
            roll_keep 5
        }
    }
}
```

Add the log keyword to the directive of the domain or server:

```
:80 {
    # Set this path to your site's directory.
    log
    root * /usr/share/caddy
    route {
        crowdsec
        file_server
        # reverse_proxy localhost:8080
        # php_fastcgi localhost:9000
    }
}
```

Now, when a request hits the website, it will be logged to the file—along with Caddy’s startup logs—based on the configuration we set.

Next, we need to configure CrowdSec to monitor the log file and parse Caddy’s default JSON logs. Create a `caddy.yaml` file inside `/etc/crowdsec/acquis.d/` with the following content:

```
filename: /var/log/caddy/access.log
labels:
  type: caddy
```

Here is a snippet from my upcoming blog post.
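
An added example, not part of the thread or of the blog snippet above: a preflight check for the setup just described, catching the three ways it usually goes wrong (acquisition pointing at a different file, `type: caddy` not indented under `labels:`, and a log that holds only startup messages because the site block lacks `log`). The function names `check_caddy_acquis` and `demo`, the return codes and the sample log lines are constructed for illustration, and the check assumes the acquisition file names the log by literal path as in the snippet.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check that CrowdSec is set up
# to acquire the file Caddy writes its access log to.
# check_caddy_acquis ACQUIS_YAML ACCESS_LOG   (hypothetical helper name)
# Returns: 0 ok, 1 acquisition file unreadable, 2 log path not referenced,
#          3 "type: caddy" is not an indented label, 4 log unreadable,
#          5 log holds no access entries yet.
check_caddy_acquis() {
    acquis=$1
    log=$2
    [ -r "$acquis" ] || { echo "cannot read $acquis"; return 1; }
    # The acquisition must name the same file as Caddy's "output file" line.
    grep -Fq -- "$log" "$acquis" || { echo "$acquis does not reference $log"; return 2; }
    # "type: caddy" must be indented under "labels:"; at column 0 it is a
    # separate top-level key and no longer a label.
    grep -Eq '^[[:space:]]+type:[[:space:]]*caddy[[:space:]]*$' "$acquis" ||
        { echo "no indented 'type: caddy' label in $acquis"; return 3; }
    [ -r "$log" ] || { echo "cannot read $log"; return 4; }
    # Caddy's startup messages share the file; requests come from the
    # http.log.access logger and only appear once the site block has "log".
    n=$(grep -c '"logger":"http\.log\.access' "$log" || true)
    [ "$n" -gt 0 ] || { echo "no access entries in $log; is 'log' in the site block?"; return 5; }
    echo "ok: $n access entries in $log"
}

# Dry run on constructed sample data, without touching /etc or /var/log.
demo() {
    d=$(mktemp -d)
    printf 'filename: %s/access.log\nlabels:\n  type: caddy\n' "$d" > "$d/caddy.yaml"
    printf '%s\n' \
        '{"level":"info","ts":1749035391.03,"logger":"http","msg":"server running"}' \
        '{"level":"info","ts":1749035392.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","method":"GET","host":"example.test","uri":"/"},"status":200}' \
        > "$d/access.log"
    rc=0
    check_caddy_acquis "$d/caddy.yaml" "$d/access.log" || rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -eq 2 ]; then check_caddy_acquis "$1" "$2"; fi
```

A return code of 0 only says the file is wired up; `cscli metrics` on the Caddy host remains the confirmation that lines are actually being parsed.
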
DJKatastrof (OP) • 3mo ago
Damn, I knew I missed something. That seems to have done it, I knew I had forgotten something. This is my log in my global configuration:
```
# Production logging - INFO level
log {
    output file /var/log/caddy/access.log {
        roll_size 10mb
        roll_keep 5
        roll_keep_for 168h # 1 week
    }
    format json {
        time_format "2006-01-02T15:04:05Z07:00"
        message_key "msg"
        level_key "level"
        time_key "timestamp"
    }
    level INFO
}

# Separate error log for important issues
log errors {
    output file /var/log/caddy/error.log {
        roll_size 5mb
        roll_keep 3
        roll_keep_for 72h # 3 days
    }
    format json
    level WARN # Only warnings and errors
    exclude http.log.access # Don't duplicate access logs
}
```
I just put "log" in my wildcard configuration so all my subdomains get logged and crowdsec. Like this:
```
*.domain.com {
    # Apply Log to all subdomains
    log
    # Apply CrowdSec protection to all subdomains
    import crowdsec
}
```
Another thing, I'm just trying this from my work computer: `curl -I https://authelia.domain.com/admin`. It shows whitelisted on cscli metrics. But it seems to be working now, thank you 🙂
hslatman • 3mo ago
Hey, I have some very early support for metrics in the Caddy bouncer, but I disabled the updates from being sent, as there was some issue hitting the metrics endpoint on the CrowdSec instance. It might've been an issue just for this specific user, as I had it working fine in my environment, but since it was early I decided to just skip updating the metrics for now. It's still on my mind to get that working again, though 🙂 Also some goodies on the way to test the interaction between Caddy and CrowdSec
