Crowdsec in docker with traefik v3 problem
Hello, I've got crowdsec in docker set up with traefik using the bouncer, but I don't think it's working. Everything in the logs seems ok, but to test it I added my local IP to the decisions list and tried to access my nginx-test container I have running; it still lets me get through to the nginx test page and doesn't block my local IP. I would like someone to help me, it would be greatly appreciated, thanks
157 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
can someone help me with this
@jhmc93 feel free to post your configs here so it doesn't get lost, redact any PII you don't want to share.
traefik-crowdsec docker compose file
traefik config and yaml files
so you have
traefik-secure (from labels) and secured in yaml in middlewares but I don't see how these overlap each other? so it doesn't seem you are applying the middlewares to your https entrypoint
probably best to spin up the traefik dashboard to see if they are applied
edit: also you only want to use WAF, I don't know if the plugin allows you to do WAF-only mode unless you change the mode configuration
I do have it spun up, I can take a screenshot of the middlewares section if that helps?
you need to set mode to appsec for WAF to work standalone
How do I set the mode to waf
You provide crowdsecMode in the yaml configuration
but this means no IP based blocking will be enabled just the WAF
https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/50beb4294fbd72ef6b6c3720fcc571e1e86ab38e/pkg/configuration/configuration.go#L48
also I don't see where you're applying the middleware
I see where you defined it, but not where it's applied
In what yaml?
Here's the screenshot of my middlewares
Here

yeah that registered, but if you click on http router do you see it applied?
it will tell you which middlewares are applied to the http routers
Also I see the http middleware definition, but not the plugin integration in the traefik.yaml ?
or am I misreading this?
example

this nginx I spun up should have the crowdsec middleware but it doesn't

yeah that's because you registered the plugin but didn't apply it
since you're using a mixture of labels and yaml file it's going to get complex
you can define it at each router level or directly on the entrypoint
this is about coolify but read the labels section
https://www.crowdsec.net/blog/securing-automated-app-deployment-crowdsec-and-coolify

this is the labels ive setup for nginx
yeah you created the plugin config
but you didn't apply the middleware
but you're naming that middleware to be the same name as the global one
traefik.http.routers.nginx.middlewares=crowdsec
applying the labels just creates the plugins
it doesn't apply by default
the simplest is following the guide I linked and applying to your entrypoint
so if I place this "traefik.http.routers.nginx.middlewares=crowdsec" in my labels it should work?
it might yes, or at least we should see it appear in the middlewares section
and see what the error looks like

as u said an error
how do I solve this then? Also, is there a way to simplify it so I don't have to keep using the labels for the bouncer constantly
@Wobak
@Loz
so let me recap : you have 4 elements :
1/ crowdsec installation and listening on 7422 (seems OK in your case)
2/ you need the traefik.yml config to include the definition of the bouncer plugin : (https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin, see "Install plugin button" there are 2 parts to this)
3/ Then you define the middleware (in a yml file or as labels)
4/ then you apply the middleware (either on labels in a router like you're doing, or directly to your entrypoint if you want it setup everywhere)
I think your issue is in point 2
in the link I'm giving to setup the plugin, you'll see they name it "crowdsec-bouncer-traefik-plugin", and then you define the middleware with a name that refers to this to send it configuration values
in my case to use "bouncer" I did this in my traefik.yaml :
so i do the same in my traefik.yaml?
you can try, that might fix your error
you'll need to restart traefik
sorry i'm still newbie when it comes to traefik
it fixed the error

is that working now? or do I, like you said, need to make more changes to my configuration? @Wobak
so you can try to access your nginx and add a .env to the URL
see if you get a 403 and if cscli metrics reports it
if so it means it works for the bouncing, and if you don't have another website you need to protect you can leave it as is. If you want things to be a bit more clean, moving the middleware config & definition to yaml is probably better
I have two more websites i wanna publish
can you help me simplify it? just so I don't have to keep using the labels constantly. Also, what do you mean by add a .env? Sorry, like I said I'm still very new to this and need the step by step guides to help with this; if you can guide me a bit more that would be appreciated, thanks @Wobak
no worries. your website url that you're hosting with nginx. Try to access https://mynginxwebsiteURL/.env
see if you get blocked
what am I looking for in the metrics?
as i did get blocked

this is part of the output of cscli metrics
also note that you need to set mode to appsec; if not, I think it bypasses all checks
here you go @Wobak don't know if that's showing anything similar
@Loz how do I go about doing that, can you walk me through it?


unsure
You just update your plugin definition to add
in the traefik yaml
or well, where ever you defined the plugin
oh, it did 403 error though
check the crowdsec logs also
this right?

no
where you defined the plugin configuration
like the api key
is it equivalent to crowdsecAppsecEnabled: true or does it need to be set as well @Loz ?
Ooh
honestly don't know @Wobak, don't use it, so just purely looking at code 😄
😄
but I know the plugin has a fail safe if lapi is down
fair enough
and I believe if the mode is set to a lapi option it will skip appsec if lapi is down
If I remember rightly I put it docker compose
example
Oh ok
So question: if I use the label traefik.http.routers.nginx.middlewares=crowdsec, will it use the middleware from the configuration file?
So I don't have to keep putting the API key in the labels
think you can do crowdsec@file
Ah
exactly how I did it in the article 😄
Also new error

Sorry it on my phone
hmmm maybe they have a bug that doesn't take the mode into effect
as long as I guess you set the mode
I'm not exposing 8080 on crowdsec in the compose file if u check my compose?
well
8080 within the docker network is exposed by default anyways on crowdsec cause it binds to 0.0.0.0
Is it because I have 8080 as one of my traefik ports then?
yes
no, cause you're going to crowdsec:8080
not traefik:8080
yeah but crowdsec cannot bind to 8080
it can from within the docker namespace
ah but there is no attempt to do so
my bad I stand corrected
just because you're not exposing it doesn't mean it cannot bind
crowdsec would hard crash if it cannot bind lapi
well depends on what you mean by bind
bind to its own interface in the docker network, you're right
bind to the host's port, it'll fail
Then I wonder why it's not connecting
docker blip
Connecting
Both crowdsec and traefik are on my proxy network on docker
Still does the error if I recreate the container
Another problem
I can't access nginx anymore

What's going on I can't access nginx anymore just says access denied
it's cause by default if the plugin cannot access lapi it blocks all traffic
so did you set the mode as said?

okay and you removed all crowdsec labels and replaced them simply with crowdsec@file?
It's been set like that since
And yes
can you show the nginx compose labels,

also might be useful to turn on debug mode for the plugin
add logLevel: DEBUG to the crowdsec@file
In the labels?
Ok
did you up -d the nginx after the config change (stupid question but still asking :))
--force-recreate the nginx and traefik-crowdsec compose files
Like this?

capital L, logLevel:
Done. I'm guessing I check the logs with docker logs crowdsec?
no, traefik logs
there should be extra debug statements

try a request?
then logs

ahhh
401
your API key is not correct
or well not working
if you run docker exec crowdsec cscli bouncers list
Don't know why two are there but it should be the bottom one @Loz
but it thinks the key is wrong either a copy mistake or something anyway you can try a curl request?
What should I curl @Loz
within the crowdsec one you need to
Ok I'll do that now thanks for helping me
I got to go as it's end of day and I've got responsibilities, but if that returns 401 then the key is wrong. Regenerate it by doing cscli bouncers add, then try that; if it works, add it to the configuration.
but keep reading the logs of both crowdsec and traefik, you should iron it out till I can aid again
@Loz do I need <> in the command?
Getting the following

And ok, can you give me a hand tomorrow @Loz? If not don't worry
No, it's just what I use to show a placeholder
Remove the <>
@Loz same reply on the CMD line

Can you exec it from within the crowdsec container
So this is the command: docker exec crowdsec curl -XHEAD -h "X-Api-Key: hBR7Q9sUaeF/ljkKVVewexmJvjzIGqg3eUTMYrwsI" http://127.0.0.1:8080/v1/decisions/stream, is that right?
Or is it wrong @Loz
Anyway can u help tmrw if not don't worry
From the output of that command above after exec I've obviously put the wrong command @Loz
Add -it after exec
Ok will run it later on, bit busy at the moment but thanks @Wobak also thanks to you as well @Loz. Will let you know how I get on
Hi @Wobak or @Loz , me again got a slight problem, here's the screenshot:
just need to prefix with
apk add curl && curl...<rest of curl command here>
I think I messed up, it should be -H not small
it just hangs with that warning

change -XHEAD to -I then
I'm guessing the key doesn't work
yep, so just do
cscli bouncers add traefik-prod or whatever name
then copy and try that key
if that works put that in your configuration
@Loz how do I delete the other 2 on my list
cscli bouncers delete <name> minus <> for placeholder
all good?

yep key is good
so put that in your configuration and it should come alive
compose
traefik config
anything in the crowdsec config files where the key needs to be changed
before i recreate the container
got any idea?
because I don't wanna start the container and find out that I'm missing the API key somewhere @Loz
You need to update it where you defined the config for the remediation
https://discord.com/channels/921520481163673640/1444412137761013962/1445086613943222446
the "crowdsecLapiKey"
done that
then thats it
what does this mean that's appeared in my traefik logs
"DEBUG: CrowdsecBouncerTraefikPlugin: 2025/12/03 15:10:57 getTLSConfigCrowdsec:CrowdsecLapiScheme https:no"
also tried testing it with docker exec crowdsec cscli decisions add --ip <my laptop ip> but it didn't block it, is that meant to happen because it's https? @Loz
that's because you didn't define the LAPI configuration, you only defined WAF configuration
hence mode: appsec
ah
so is there another way i can test it also what does my traefik logs above mean
yes send a request to .env
curl http://yourdomain.tld/.env
it has blocked it
sweet
so my traefik logs are normal then?
that's because we defined log level DEBUG
just remove that from configuration as we debugged the issue
does it mean anything though?
it's just a debug log to say that TLS is not going to be used between traefik and crowdsec
this is fine for internal / docker network
as it's not being sent "over the wire" for MITM attacks
so if someone attacks my traffic publicly it will block it using crowdsec
if they send a request that trigger a WAF rule, yes
but only for this application
as you didnt apply the middleware at the entrypoint level
oh? I'm wanting to use crowdsec to be my security agent because right now I'm exposing my domain via cloudflare tunnel. Yes, I know cloudflare is secure itself but I wanna add that added layer of protection, hence the main reason I'm trying to use crowdsec
yeah so just move the middleware to your entrypoint; if you want IP blocking there are a handful more modifications you need to make (since your traffic is coming from CF tunnels you need to get the real IP)
can you walk me through it? as I haven't got a clue on where to start... Sorry I sound thick, but still very new to this
Sorry I can't just give up lots of time to hand walk you through it, there are plenty of guides online to achieve this and also gpt can help.
unless somebody else stumbles across this thread that can spare the time.
ok no problem, just wouldn't know where to start, I've tried to find guides but all I got was the appsec stuff
chat gpt just did what you helped me through when I asked; do I need to ask it about traefik or cloudflare tunnels? as I asked about traefik and it returned with what I've just set up
also will I need to use the cloudflare bouncer?? @Loz
Are you around @Loz
Hey @Loz or @Wobak, for cloudflare tunnels and IP blocking do I need the cloudflare bouncer
Or do I need something else??
Well up to you, you can do cloudflare or use traefik but you have to configure traefik to trust the cf tunnel IP as it needs to get the real IP.
There is configuration for this within the remediation component but as stated, I don't use traefik or this component so have very little I can input for this.
Oh ok, I just wanna block bad IPs on my traefik server but I thought I had set that up with what we got working the other day
Don't worry though, chat gpt just mentions using cloudflare bouncer and traefik bouncer