CrowdSec, 4mo ago
80085Y

Got 502 from bouncer to LAPI when enabling trusted_ips and use_forwarded_for_headers

Hello, I'm running CrowdSec on rootless Podman; the LAPI is behind a Caddy reverse proxy (also running in a container). Everything is working fine, but one thing is not very clean: when I enroll a bouncer, I get the IP of Caddy and not the IP of the host where the bouncer is installed. That's why I tried to change config.yaml by enabling two settings: use_forwarded_for_headers set to true, and trusted_ips. But with these two new settings I now get a 502 and the bouncer can't contact the LAPI.

config.yaml looks like this:
    server:
      log_level: info
      listen_uri: 127.0.0.1:8080
      profiles_path: /etc/crowdsec/profiles.yaml
      console_path: /etc/crowdsec/console.yaml
      use_forwarded_for_headers: true
      online_client: # Central API credentials (to push signals and receive bad IPs)
        credentials_path: /etc/crowdsec/online_api_credentials.yaml
      trusted_ips: # IP ranges, or IPs which can have admin API access
        - 127.0.0.1
        - ::1
        - 10.89.0.0/24
The Caddyfile looks like this:
    crowdsec-lapi.one4all.icu {
        log
        reverse_proxy crowdsec:8080 {
            header_up X-Real-IP {remote_host}
        }
    }
The error log in Caddy:
{"level":"error","ts":1750970505.034962,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.1.13","remote_port":"54132","client_ip":"192.168.1.13","proto":"HTTP/1.1","method":"GET","host":"crowdsec-lapi.one4all.icu:37492","uri":"/v1/decisions/stream?additional_pull=false&community_pull=false&startup=true","headers":{"X-Api-Key":["****************************"],"Accept-Encoding":["gzip"],"User-Agent":["crowdsec-firewall-bouncer/v0.0.32-910a36b2e302fd832505fef23f6df094272dd2fe"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"crowdsec-lapi.one4all.icu"}},"bytes_read":0,"user_id":"","duration":0.001294736,"size":0,"status":502,"resp_headers":{"Server":["Caddy"]}}
How can I get the real IP of the bouncer without getting the 502?
4 Replies
iiamloz, 4mo ago
So use_forwarded_for_headers: true enables the use of X-Forwarded-For headers, so you need to send that header. Do you have any logs inside CrowdSec itself?
80085Y (OP), 4mo ago
I activated the debug level for logging but I didn't find anything in crowdsec.log or crowdsec_api.log.

I found the error: when mounting the config file, by default the LAPI listens on 127.0.0.1; that's why Caddy couldn't redirect the HTTP request from the bouncer.
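
The two checks this thread turns on, as an added example that is not part of the original posts and not CrowdSec's own code: whether a proxy in another container can reach a listener bound to the posted listen_uri, and how a server that honours X-Forwarded-For only from trusted peers picks the client address. PROXY_NETS is a hypothetical proxy-trust list reusing the ranges from the posted config, and 10.89.0.5 is an assumed address for the Caddy container.

```python
import ipaddress

# Constructed sample values; 10.89.0.0/24 and 192.168.1.13 appear in the thread,
# 10.89.0.5 is an assumed address for the Caddy container.
PROXY_NETS = ["127.0.0.1", "::1", "10.89.0.0/24"]  # hypothetical proxy-trust list
CADDY_IP = "10.89.0.5"

def listener_reachable_from(listen_uri, peer_ip):
    """Return False when the API is bound to loopback but the peer is another container."""
    host = listen_uri.rsplit(":", 1)[0].strip("[]")
    if ipaddress.ip_address(host).is_loopback:
        # Loopback is only reachable from inside the same network namespace.
        return ipaddress.ip_address(peer_ip).is_loopback
    return True  # wildcard or routable bind; firewalling is out of scope here

def _trusted(ip, nets):
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def effective_client_ip(peer_ip, xff, nets=PROXY_NETS):
    """Pick the client address: honour X-Forwarded-For only from a trusted peer."""
    if not xff or not _trusted(peer_ip, nets):
        return peer_ip  # a header sent by an untrusted peer is client-controlled
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        # Walk right to left: the rightmost untrusted entry is the address
        # our own proxy saw connecting to it.
        for hop in reversed(hops):
            if not _trusted(hop, nets):
                return hop
    except ValueError:
        return peer_ip  # malformed entry: fall back to the socket address
    return hops[0] if hops else peer_ip

if __name__ == "__main__":
    print(listener_reachable_from("127.0.0.1:8080", CADDY_IP))
    print(listener_reachable_from("0.0.0.0:8080", CADDY_IP))
    print(effective_client_ip(CADDY_IP, "1.2.3.4, 192.168.1.13"))
    print(effective_client_ip("192.168.1.13", "1.2.3.4"))
```
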