Does whitelisting still lead to ban requests?

I have whitelisted the tailscale IP network range (in /config/parsers/s02-enrich/tailscale.yaml):
whitelist:
  cidr:
    - "100.64.0.0/10"
But still I get many entries in the crowdsec log such as:

time="2025-07-08T08:11:09Z" level=info msg="192.168.127.26 - [Tue, 08 Jul 2025 08:11:09 UTC] \"GET /v1/decisions?type=ban&ip=100.75.178.31 HTTP/1.1 200 79.007669ms \"Go-http-client/1.1\" \""

So crowdsec is actively checking whether the IP 100.75.178.31 needs to be banned, or am I misreading the logs? How do I stop crowdsec parsing these IPs completely? I mean, they are supposed to be whitelisted locally. Or is s02-enrich the wrong location?
14 Replies
iiamloz, 2mo ago
So that log line is traefik checking if the IP is banned, rather than asking to be banned, as outlined in the introduction: "remediation component do not make decisions" https://docs.crowdsec.net/u/getting_started/intro#what-is-a-remediation-component So it is typical that the IP is checked even if whitelisted, as the whitelist only stops decisions / bans being made.
iiamloz, 2mo ago
However, it's odd that you got go-http-client as the user agent. Are you using the old traefik remediation and not the newer plugin? https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin
moontear (OP), 2mo ago
Good question, didn't check in a while. Just using the fbonalair/traefik-crowdsec-bouncer docker image. Very interesting that even if whitelisted, stuff is still being checked. I should have read up on whitelisting. Is there any way to NOT send IPs, so to not only influence bans/decisions, but just stop processing altogether? I would love to create less traffic and all those requests are flooding the logs.
iiamloz, 2mo ago
The new plugin has trusted IPs / ranges that bypass checks AFAIK, but it's probably best to read the readme to see if it fits your case. But yes, traefik doesn't know about whitelisted stuff, so it has to ask crowdsec at least.
moontear (OP), 2mo ago
Don't see anything about whitelisting in the other plugin, and whitelisting I don't want in the bouncers but at an earlier stage, since I have multiple bouncers and they all shouldn't care about my private internal IPs. "traefik doesn't know about whitelisted stuff" < are you saying the request I posted is simply traefik asking crowdsec "is this IP banned?"
iiamloz, 2mo ago
Yes, the request is traefik just asking if the IP is banned.
moontear (OP), 2mo ago
Well, traefik is very loud in my environments then... maybe I'll just increase log level to warning then.
iiamloz, 2mo ago
or switching the mode to stream instead of live
moontear (OP), 2mo ago
Also, this is more a "debug" level for me. Don't care that traefik is doing the checking.
iiamloz, 2mo ago
as live checks each ip address but stream does a batch sync
moontear (OP), 2mo ago
will do that for sure
iiamloz, 2mo ago
However, I would advise migrating to the plugin over the container one, as it hasn't been updated in 3 years, plus the newer one also has the WAF integration.
moontear (OP), 2mo ago
Of course. You know how it is with never change a running system, but I will migrate.
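
Added example, not part of the thread and not CrowdSec or bouncer code: a small Python script that classifies LAPI access log lines in the format quoted in the question, separating live-mode lookups (`GET /v1/decisions?ip=...`) from stream-mode batch syncs (`GET /v1/decisions/stream`) and counting how many lookups concern the whitelisted range. The function names are hypothetical, and every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: the same range as the whitelist file in the question.
WHITELIST = [ipaddress.ip_network("100.64.0.0/10")]

# Client address and request part of an access log line (format as quoted in the thread).
LINE_RE = re.compile(
    r'msg="(?P<client>\S+) - \[[^\]]*\] \\?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def classify(line):
    """Return (kind, client, queried_ip, whitelisted), or None for non-access lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    ip = parse_qs(url.query).get("ip", [None])[0]
    if m["method"] == "GET" and url.path == "/v1/decisions":
        kind = "lookup"        # live mode: bouncer asks "is this IP banned?"
    elif m["method"] == "GET" and url.path == "/v1/decisions/stream":
        kind = "stream_sync"   # stream mode: bouncer pulls decisions in one batch
    else:
        kind = "other"
    listed = False
    if ip:
        try:
            addr = ipaddress.ip_address(ip)
            listed = any(addr in net for net in WHITELIST)
        except ValueError:
            ip = None          # malformed ip= parameter
    return kind, m["client"], ip, listed

def summarize(lines):
    """Count request kinds, plus lookups whose queried IP is in the whitelist."""
    counts = Counter()
    for result in filter(None, map(classify, lines)):
        kind, _client, _ip, listed = result
        counts[kind] += 1
        if kind == "lookup" and listed:
            counts["lookup_for_whitelisted_ip"] += 1
    return counts

SAMPLE = [  # first line is from the question; the other three are constructed
    r'''time="2025-07-08T08:11:09Z" level=info msg="192.168.127.26 - [Tue, 08 Jul 2025 08:11:09 UTC] \"GET /v1/decisions?type=ban&ip=100.75.178.31 HTTP/1.1 200 79.007669ms \"Go-http-client/1.1\" \""''',
    r'''time="2025-07-08T08:11:10Z" level=info msg="192.168.127.26 - [Tue, 08 Jul 2025 08:11:10 UTC] \"GET /v1/decisions?type=ban&ip=203.0.113.7 HTTP/1.1 200 1ms \"Go-http-client/1.1\" \""''',
    r'''time="2025-07-08T08:11:11Z" level=info msg="192.168.127.26 - [Tue, 08 Jul 2025 08:11:11 UTC] \"GET /v1/decisions/stream?startup=true HTTP/1.1 200 1ms \"constructed-agent\" \""''',
    r'''time="2025-07-08T08:11:12Z" level=info msg="constructed non-access line"''',
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```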
