
CrowdSec

This guide on CrowdSec shows how the application is set up and how to use it together with a reverse proxy. The examples cover both a local home server and a gateway server, typically a VPS.

You will need a custom Docker network; if you have followed any of the other tutorials, it should already exist. In this example, we will call it "proxy".

```bash
docker network create proxy
```

Once this is done, we need to create the appdata folder for the set-up as well as the shared log folder that CrowdSec will read Traefik's logs from (the Compose file below mounts it as ./files/shared).

```bash
mkdir -p /opt/appdata/crowdsec/files/shared
```

Docker Compose

Ensure that all containers created in the following steps are on the proxy network; otherwise, they will not be able to talk to one another. This is always defined at the bottom of the Compose file within the networks: section.

Gateway Server

Docker Compose

```yaml
version: "3.4"

services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    expose:
      - 8080                      # Local API, reachable only on the proxy network
    environment:
      # Parsers/scenarios for Traefik access logs, generic HTTP CVE probes and Authelia
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve LePresidente/authelia"
    volumes:
      - ./files/data:/var/lib/crowdsec/data
      - ./files:/etc/crowdsec
      # Shared folder where Traefik writes its access log (mounted read-only here;
      # acquis.yaml below tails /var/log/crowdsec/traefik.log)
      - ./files/shared:/var/log/crowdsec:ro
    restart: unless-stopped

  crowdsec-traefik-bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: crowdsec-traefik-bouncer
    environment:
      # Generated with "cscli bouncers add" in the next step
      CROWDSEC_BOUNCER_API_KEY: <REPLACEME>
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    depends_on:
      - crowdsec
    restart: unless-stopped

networks:
  default:
    external: true
    name: proxy
```

Once you have saved this as docker-compose.yml within the CrowdSec appdata folder, start the containers with docker compose up -d; we now need the running CrowdSec container to generate the bouncer API key that goes into the Compose file.

Run the following command to obtain the bouncer API key, which we will then need to add within the docker-compose.yml.

This is the only time this API key will be shown; you MUST note it down somewhere or risk having to repeat the whole set‑up from scratch.

```bash
docker exec crowdsec cscli bouncers add traefik-bouncer
```

Now add it into the file where <REPLACEME> is, and then restart the stack with docker compose up -d.

The last step for CrowdSec is to add the Traefik log source to the acquis.yaml file. Open the file with the command below, then append the following text to the end of it, keeping the YAML indentation.

```bash
sudo nano /opt/appdata/crowdsec/files/acquis.yaml
```

```yaml
---
filenames:
  - /var/log/crowdsec/traefik.log
labels:
  type: traefik
```

Configuring Traefik

Now we move on to editing Traefik so that it consults CrowdSec. These are the final steps.

```bash
sudo nano /opt/appdata/traefik/traefik.yml
```

Look for the existing middleware securityHeaders@file and add the new line below it.

```yaml
      middlewares:
        - securityHeaders@file
        - crowdsec-bouncer@file
```

```bash
sudo nano /opt/appdata/traefik/config.yml
```

Add this block of code underneath the middlewares section in this file, retaining indentation.

```yaml
    crowdsec-bouncer:
      forwardAuth:
        # Every request is checked against the bouncer before reaching the service
        address: http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth
        # Pass the client's X-Forwarded-For on so the bouncer sees the real IP
        trustForwardHeader: true
```

```bash
sudo nano /opt/appdata/traefik/docker-compose.yml
```

Add the CrowdSec logs location to Traefik by adding the last line to your volumes.

```yaml
    volumes:
      - ./:/etc/traefik/
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ../crowdsec/files/shared:/var/log/crowdsec
```

Final Steps

You can now rebuild and restart both CrowdSec and Traefik, and you should have full connectivity. You can test this by looking at the logs of the crowdsec-traefik-bouncer container to confirm that requests are logged with the visitor's real IP address.
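As an added end-to-end check that is not part of the original guide, the script below bans a documentation-range address in CrowdSec, asks the bouncer for its verdict the way Traefik's forwardAuth middleware would, and checks that a banned IP gets 403 while a clean one gets 200. It assumes the container names, network name and bouncer URL used in this guide; the curlimages/curl image and the 203.0.113.0/24 test addresses are my choices.

```shell
#!/bin/sh
# Added smoke test (not from the original guide): verify the bouncer actually
# enforces CrowdSec decisions before trusting it in front of Traefik.
# Assumptions: the stack above is running, containers are named "crowdsec" and
# "crowdsec-traefik-bouncer", the network is "proxy", and 203.0.113.0/24
# (RFC 5737 documentation range) is unused on your network.
set -eu

BANNED_IP="203.0.113.10"   # constructed test address, banned for 5 minutes
CLEAN_IP="203.0.113.20"    # constructed test address, never banned
BOUNCER_URL="http://crowdsec-traefik-bouncer:8080/api/v1/forwardAuth"

# Ask the bouncer for its verdict on an IP. With trustForwardHeader: true the
# client address arrives in X-Forwarded-For, so we set it explicitly. curl runs
# in a throwaway container on the proxy network because the bouncer port is
# only "expose"d, not published on the host.
bouncer_code() {
  docker run --rm --network proxy curlimages/curl -s -o /dev/null \
    -w '%{http_code}' -H "X-Forwarded-For: $1" "$BOUNCER_URL"
}

# Compare an observed HTTP status with the expected one; returns 0 on match.
expect_code() {
  actual="$1"; expected="$2"; label="$3"
  if [ "$actual" = "$expected" ]; then
    echo "PASS  $label -> $actual"
  else
    echo "FAIL  $label -> got $actual, expected $expected" >&2
    return 1
  fi
}

run_smoke_test() {
  # Always lift the test ban, even if a check fails midway.
  trap 'docker exec crowdsec cscli decisions delete --ip "$BANNED_IP" >/dev/null' EXIT
  docker exec crowdsec cscli decisions add --ip "$BANNED_IP" --duration 5m \
    --reason "bouncer smoke test"
  # The bouncer answers 403 for an IP with an active decision and 200 otherwise.
  expect_code "$(bouncer_code "$BANNED_IP")" 403 "banned IP is blocked"
  expect_code "$(bouncer_code "$CLEAN_IP")"  200 "clean IP is allowed"
}

# Only touch the live stack when invoked as: sh crowdsec-smoke.sh run
case "${1:-}" in run) run_smoke_test ;; esac
```

If the banned check fails with 200, the bouncer is not reading X-Forwarded-For or cannot reach the Local API; the bouncer container's logs show which.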
