Cloudflare, Traefik and Crowdsec
As the title implies I am running services like nginx (webservers) behind Crowdsec behind Traefik behind Cloudflare.
I have almost correctly setup the „CTS“ Stack (crowdsec makes decisions parses logs, etc.), but one key thing is not working:
The fact that I am behind the Cloudflare proxy means that traefik receives Requests from Cloudflare IPs, but that isnt the issue (?),
because I have setup a CF-Real-IP plugin with traefik, but Crowdsec is still banning CF IPs which is really devastating.
Each time some malicious actor starts http-probing etc. a CF IP gets banned, the longer this goes on the more CF IPs get banned and the more I am locked out of my network.
So after sooo many tries I am trying my luck here, does (/did) anyone have (/had) the same issue (, how did you fix it) and have any Ideas on a solution?
Thanks in advance!
7 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Ah also in the docker logs of the crowdsec container I see the correct IPs (not from CF), so it must be a parsing issue?
You just need to configure forwarded headers
https://doc.traefik.io/traefik/routing/entrypoints/#forwarded-headers
This will then allow treafik to inherit the x-forwarded headers
Traefik EntryPoints Documentation - Traefik
For routing and load balancing in Traefik Proxy, EntryPoints define which port will receive packets and whether in UDP or TCP. Read the technical documentation.
Just make sure if it's a tunnel from cloudflare you add the local range as well
In the traefik.yaml file I already added forwardHeaders (see above attachment)
Okay so in your traefik logs, you see
ClientHost as the cloudflare ip? cause if the headers configuration is working this should be the remote IP but I dont know if your plugins are messing with it cause you dont need them anymore since traefik added those options.
or if your using CLF logs, this might be the issueI am seeing the correct IPs in access.log (there are no IPs in the „normal“ logs, atleast not for me)
Thats good to know I‘ll remove the plugin and I‘ll try it out right now.
What are you referring to with „CLF“? I am using standard logs (?)
Finally: It is working.
I am really not sure why it now suddenly works, but maybe it just had to catch up a day or two?
Anyway, thank you for your help!