Question about Caddy & Caddy Bouncer

I'm trying to use https://github.com/hslatman/caddy-crowdsec-bouncer with my Caddyfile in order to block malicious IPs; however, when I attempted to block my own IP (for testing purposes) I was still able to access the site. Am I doing something wrong? I also have the caddy logs parser as well https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/caddy-logs and I also added Cloudflare's IPs under trusted_proxies and it does show my IP correctly in the caddy log under X-Forwarded-For, so I'm not sure as to why IPs aren't being blocked. I also ran tail /var/log/caddy/caddy.log | head -n 20 | cscli explain -f- --type caddy -v and it did indicate it was able to parse the log. I can provide a log file of it in DMs if need be.
(logging) {
    log {
        output file /var/log/caddy/caddy.log {
            roll_size 50mb
            roll_keep 5
            roll_keep_for 720h
        }
        format json
    }
}

{
    debug
    crowdsec {
        api_url http://localhost:8080
        api_key KEY
        ticker_interval 15s
        appsec_url URL
    }
}

cdn.domain.com {
    import logging
    route {
        crowdsec
        appsec
        root * /srv/directory/images
        file_server browse
    }
}

ava.domain.com {
    import logging
    route {
        crowdsec
        appsec
        reverse_proxy 127.0.0.1:3002 {
            trusted_proxies 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 \
                141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 \
                197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 \
                104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
        }
    }
}

pg.domain.com {
    import logging
    route {
        crowdsec
        appsec
        reverse_proxy 127.0.0.1:8085 {
            trusted_proxies 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 \
                141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 \
                197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 \
                104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
        }
    }
}
Muffin. (OP), 3mo ago
bump bump as this is still not resolved
Loz, 3mo ago
Since you set the trusted proxies within the reverse proxy struct, I guess it's not happening at the right time? So crowdsec and appsec trigger before, and therefore the IP will be Cloudflare's. There's a global configuration option afaik https://caddyserver.com/docs/caddyfile/options#trusted-proxies but I don't use Caddy at all, so it's guesswork from my side.
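
The ordering problem Loz describes, as an added example that is not part of the thread and is not Caddy or bouncer code: a simplified Python model of why a ban on the visitor's address never matches when proxies are trusted only inside `reverse_proxy`. It assumes the bouncer matches decisions against the client IP resolved at server level; the function names, the right-to-left header walk and the sample addresses are constructed for illustration.

```python
import ipaddress

# Two of the Cloudflare ranges listed in the question's Caddyfile.
CLOUDFLARE = ["173.245.48.0/20", "162.158.0.0/15"]

def _ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def resolve_client_ip(remote_addr, xff, trusted_proxies):
    """Hypothetical model of server-level client IP resolution.

    X-Forwarded-For is honoured only when the TCP peer is in a trusted range.
    The header is walked right to left and the first untrusted hop wins, so
    entries a client prepends itself cannot change the result.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    def trusted(addr):
        return addr is not None and any(addr in n for n in nets)
    if not xff or not trusted(_ip(remote_addr)):
        return remote_addr
    for hop in reversed(xff.split(",")):
        addr = _ip(hop)
        if addr is None:          # malformed header: fall back to the peer
            return remote_addr
        if not trusted(addr):
            return str(addr)
    return remote_addr

def bouncer_status(remote_addr, xff, server_trusted, banned):
    """Status a bouncer would return if it matches bans on the client IP."""
    client_ip = resolve_client_ip(remote_addr, xff, server_trusted)
    return client_ip, (403 if client_ip in banned else 200)

# Constructed sample: a banned visitor reaching Caddy through a Cloudflare edge.
VISITOR, EDGE = "203.0.113.7", "162.158.10.20"
BANNED = {VISITOR}

if __name__ == "__main__":
    # Proxies trusted only inside reverse_proxy: the bouncer sees the edge IP.
    print(bouncer_status(EDGE, VISITOR, [], BANNED))
    # Proxies trusted at server level: the ban on the visitor matches.
    print(bouncer_status(EDGE, VISITOR, CLOUDFLARE, BANNED))
```

In the first call the address checked against the ban list is the Cloudflare edge, so the request passes even though X-Forwarded-For in the access log shows the visitor's IP.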