1 of 3

Traefik Bouncer

The aim here is to implement a bouncer for the router to block malicious IP to access your services. For this, it leverages and query CrowdSec with client IP. If the client IP is on ban list, it will get a http code 403 response. Otherwise, request will continue as usual.

Flow of information

What is a parser?

Parsers take log formats and breaks it into readable information for the CrowdSec app. We will be using the Traefik parser to take the Traefik access logs and pass that information over to the CrowdSec app to make decisions.

What is a bouncer?

Bouncers react to decision made by CrowdSec. In this case, the Traefik bouncer will take the decision made by CrowdSec and either allow or deny the traffic going through Traefik. CrowdSec on its own will just make the decisions to ban IP's. It will do this by connecting back to the mothership to get the information required to make the decisions locally.

What is a Scenario?

A scenario is a behaviour, i.e. is it a brute force attack that is happening. You can choose which Scenarios you would like to check the traffic against. In this Traefik collection, we will be using the typical http behaviours.

Enable the Bouncer

PLEASE NOTE

This is the only time the api will be shown, make sure to note down this API key somewhere safe.

Adding the API and Collection

Now we need to add the Traefik collection to the CrowdSec compose file and also the bouncer install along with the API key.

Mapping the Log Files

Traefik

Enable Logging

Add the CrowdSec Middleware

Add the Log file Volume Mapping

Restart CrowdSec and Traefik

Authelia Collection

Add the Authelia Collection

Add Authelia to the acquis.yml

Enable Logging to file

Add Log File Bind Mount

Restart Containers

Vaultwarden Collection

Add the Vaultwarden Collection

sudo nano /opt/appdata/crowdsec/docker-compose.yml

version: "3.4"

services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve Dominic-Wagner/vaultwarden"
    volumes:
      - /opt/appdata/crowdsec/data:/var/lib/crowdsec/data
      - /opt/appdata/crowdsec:/etc/crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
    restart: unless-stopped

  crowdsec-traefik-bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: YourSuperSecureAPIKey
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    depends_on:
      - crowdsec
    restart: unless-stopped

networks:
  default:
    external: true
    name: proxy

Add Vaultwarden to the acquis.yml

sudo nano /opt/appdata/crowdsec/acquis.yaml

filenames:
  - /var/log/crowdsec/traefik.log
labels:
  type: traefik
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
filenames:
  - /var/log/crowdsec/vaultwarden.log
labels:
  type: vaultwarden

Enable Logging to file

sudo nano /opt/appdata/vaultwarden/docker-compose.yml

    environment:
      LOG_FILE: "/var/log/vaultwarden/vaultwarden.log"
      LOG_LEVEL: "warn" 
      ROCKET_CLI_COLORS: "off" 
      EXTENDED_LOGGING: "true"
      IP_HEADER: "X-Forwarded-For"

    volumes:
      - /opt/appdata/vaultwarden/database:/database
      - /opt/appdata/vaultwarden/data:/data
      - /var/log/crowdsec:/var/log/crowdsec

PLEASE NOTE

To pass through the correct IP, you will need to enable the real-ip plugin for traefik.

Restart Containers

cd /opt/appdata/vaultwarden; sudo docker-compose up -d
cd /opt/appdata/crowdsec; sudo docker-compose up -d

Vaultwarden Collection

Add the Vaultwarden Collection

sudo nano /opt/appdata/crowdsec/docker-compose.yml

version: "3.4"

services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve Dominic-Wagner/vaultwarden"
    volumes:
      - /opt/appdata/crowdsec/data:/var/lib/crowdsec/data
      - /opt/appdata/crowdsec:/etc/crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
    restart: unless-stopped

  crowdsec-traefik-bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: YourSuperSecureAPIKey
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    depends_on:
      - crowdsec
    restart: unless-stopped

networks:
  default:
    external: true
    name: proxy

Add Vaultwarden to the acquis.yml

sudo nano /opt/appdata/crowdsec/acquis.yaml

filenames:
  - /var/log/crowdsec/traefik.log
labels:
  type: traefik
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
filenames:
  - /var/log/crowdsec/vaultwarden.log
labels:
  type: vaultwarden

Enable Logging to file

sudo nano /opt/appdata/vaultwarden/docker-compose.yml

    environment:
      LOG_FILE: "/var/log/vaultwarden/vaultwarden.log"
      LOG_LEVEL: "warn" 
      ROCKET_CLI_COLORS: "off" 
      EXTENDED_LOGGING: "true"
      IP_HEADER: "X-Forwarded-For"

    volumes:
      - /opt/appdata/vaultwarden/database:/database
      - /opt/appdata/vaultwarden/data:/data
      - /var/log/crowdsec:/var/log/crowdsec

PLEASE NOTE

To pass through the correct IP, you will need to enable the real-ip plugin for traefik.

Restart Containers

cd /opt/appdata/vaultwarden; sudo docker-compose up -d
cd /opt/appdata/crowdsec; sudo docker-compose up -d

Traefik Bouncer

Flow of information

What is a parser?

What is a bouncer?

Check out available bouncers on the

What is a Scenario?

Enable the Bouncer

docker exec crowdsec cscli bouncers add traefik-bouncer

PLEASE NOTE

This is the only time the api will be shown, make sure to note down this API key somewhere safe.

Adding the API and Collection

Now we need to add the Traefik collection to the CrowdSec compose file and also the bouncer install along with the API key.

version: "3.4"

services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve"
    volumes:
      - /opt/appdata/crowdsec/data:/var/lib/crowdsec/data
      - /opt/appdata/crowdsec:/etc/crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
    restart: unless-stopped

  crowdsec-traefik-bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: YourSuperSecureAPIKey
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    depends_on:
      - crowdsec
    restart: unless-stopped

networks:
  default:
    external: true
    name: proxy

Mapping the Log Files

sudo nano /opt/appdata/crowdsec/acquis.yaml

filenames:
  - /var/log/crowdsec/traefik.log
labels:
  type: traefik
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog

Traefik

Enable Logging

sudo nano /opt/appdata/traefik/traefik.yml

accessLog:
  filePath: "/var/log/crowdsec/traefik.log"
  bufferingSize: 50

Add the CrowdSec Middleware

sudo nano /opt/appdata/traefik/traefik.yml

      middlewares:
        - securityHeaders@file
        - crowdsec-bouncer@file

sudo nano /opt/appdata/traefik/fileConfig.yml

    crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true

Add the Log file Volume Mapping

sudo nano /opt/appdata/traefik/docker-compose.yml

    volumes:
      - /opt/appdata/traefik/:/etc/traefik/
      - /var/log/crowdsec/:/var/log/crowdsec/

Restart CrowdSec and Traefik

cd /opt/appdata/traefik; sudo docker-compose up -d
cd /opt/appdata/crowdsec; sudo docker-compose up -d

Authelia Collection

Add the Authelia Collection

Add Authelia to the acquis.yml

sudo nano /opt/appdata/crowdsec/acquis.yaml

filenames:
  - /var/log/crowdsec/traefik.log
labels:
  type: traefik
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
filenames:
  - /var/log/crowdsec/authelia.log
labels:
  type: authelia

Enable Logging to file

sudo nano /opt/appdata/authelia/configuration.yml

log:
  level: info
  format: json
  file_path: "/var/log/crowdsec/authelia.log"
  keep_stdout: true

Add Log File Bind Mount

sudo nano /opt/appdata/authelia/docker-compose.yml

    volumes:
      - /opt/appdata/authelia:/config
      - /var/log/crowdsec:/var/log/crowdsec

Restart Containers

cd /opt/appdata/authelia; sudo docker-compose up -d
cd /opt/appdata/crowdsec; sudo docker-compose up -d