Crowdsec with Caddy - setup

Has anyone set up Crowdsec with Caddy and can share a step-by-step guide?

Hi - I am head of community at CrowdSec.
I haven’t tried Caddy with CrowdSec myself but the guy who did the Caddy browser hangs out in our friendly Discord community. So I would advise you to join. In general it’s pretty active and by far the fastest way to get help. Here’s the invite.


I don’t/won’t use Discord, but I am a new Caddy user as well as a new CrowdSec user (on about 20 servers), so I would appreciate knowing how to integrate the two.


I would also like to know.
I built caddy with the crowdsec caddy bouncer but as I run caddy in docker I have the feeling that the incoming client IPs are not the correct real ones. At least that’s what upstream services show in their logs.
In any case, if it’s working correctly I don’t even know how to know for sure.

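An added example, not part of any post in this thread: one way to check which source addresses Caddy's JSON access log records, since CrowdSec can only act on the addresses that appear there. The sample log lines, the `INTERNAL_NETS` list and the function names are constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample in the shape of Caddy's JSON access log; not from the thread.
SAMPLE_LOG = """\
{"level":"info","ts":1700000000.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","remote_port":"51234","method":"GET","host":"example.test","uri":"/"},"status":200}
{"level":"info","ts":1700000001.2,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.18.0.1","remote_port":"40112","method":"GET","host":"example.test","uri":"/admin"},"status":404}
{"level":"info","ts":1700000002.3,"logger":"http.log.access","msg":"handled request","request":{"remote_addr":"198.51.100.23:44310","method":"GET","host":"example.test","uri":"/.env"},"status":404}
{"level":"info","ts":1700000003.0,"logger":"tls","msg":"not an access entry"}
not json at all
"""

# Ranges that indicate a proxy, Docker bridge or LAN hop rather than an internet client.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]

def source_ip(entry):
    """Return the logged client address from one access-log entry."""
    req = entry.get("request", {})
    if "remote_ip" in req:                  # newer Caddy releases: separate ip/port fields
        return req["remote_ip"]
    addr = req.get("remote_addr", "")       # older releases: "ip:port" or "[v6]:port"
    return addr.rsplit(":", 1)[0].strip("[]")

def audit(log_text):
    """Count access-log source IPs, split into public and internal addresses."""
    result = {"public": Counter(), "internal": Counter(), "skipped": 0}
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
            if not entry.get("logger", "").startswith("http.log.access"):
                raise ValueError("not an access-log entry")
            ip = ipaddress.ip_address(source_ip(entry))
        except (ValueError, TypeError, AttributeError):
            result["skipped"] += 1          # non-JSON, non-access or unparsable line
            continue
        kind = "internal" if any(ip in net for net in INTERNAL_NETS) else "public"
        result[kind][str(ip)] += 1
    return result

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print("public sources:  ", dict(report["public"]))
    print("internal sources:", dict(report["internal"]))
    print("skipped lines:   ", report["skipped"])
```

An internal address is expected when the test client sits on the same LAN; when requests from the internet show up under a Docker bridge or proxy address, a ban would land on that hop instead of the client.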

Hi there

Sorry to hear you’re not on Discord @jpbaril. As I said that’s where we have the strongest community.

That being said I can only advise you to check out the guide on the author of the caddy bouncer’s github: GitHub - hslatman/caddy-crowdsec-bouncer: A Caddy module that blocks malicious traffic based on decisions made by CrowdSec. and the instructions on a post in our subreddit: https://www.reddit.com/r/CrowdSec/comments/rmu1wf/bouncer_for_caddy_crowdsec/

I hope any of these are of any help. If not, please write again and I’ll be happy to try to help.

/klaus

Hi @KlausAgnoletti and thank you for your reply.

Yes I had installed that bouncer and read that thread. Though someone recently added a comment on how to manually block an IP. So I tried to block for 2 minutes my own phone LAN IP and it worked. So at least I now know my setup works. Thanks for that!
EDIT: Thinking twice about it I realize that it only means the Caddy Crowdsec bouncer works, but not necessarily that Crowdsec correctly reads Caddy access logs.

And thus it seems that Caddy really recognizes my real IP, it’s just that the reverse proxied upstream service I tested Caddy with showed my caddy container IP instead of the client IP. I’ll need to figure that out.

One question: do I need to call crowdsec in every route of a domain/host or can I simply call it one time at the top of that host/domain?

P.S. Honestly, that Discord thing is a bit overwhelming. I joined but there are so many things all over the place, that’s a bit much for my taste.


I found the answer to the last part of my questions on Crowdsec installation with Caddy. When trying to determine if Crowdsec could read Caddy’s logs I used Nikto as shown in Crowdsec’s blog to simulate an attack/aggressive scanning. But logs remained empty and obviously Crowdsec was not banning anything. It’s because Caddy by default redirects normal browser requests from http to https but it was not for Nikto requests. So I had to manually point Nikto directly to Caddy server https port. From there logs were created and Nikto banned the source IP.


@KlausAgnoletti
Simple Caddy integration setup with Crowdsec is desirable.

Thanks for your comment. Could you elaborate what you mean to someone with no experience with Caddy? 🙂

I mean Crowdsec should have some default integration with Caddy, Nginx etc., so setup with them is simpler than today. I think it could increase user base of Crowdsec.

Thanks but can you maybe be a bit more specific about what you mean and tell me if I misunderstood something here:

When talking about integration with a reverse proxy in reality we talk about two different things:

  1. Reading proxy log, identifying attacks using CrowdSec agent
  2. Mitigating attacks using bouncer

Both things should be possible for everything to make sense, but the mitigating part can be one or more of: blocking at firewall level, or blocking a user in the proxy (Caddy or NGINX, and even Traefik has this). How advanced they are varies; for instance the new release of the nginx bouncer can also ‘flex bounce’, meaning the user is forced through a captcha. The latter is more advanced and in the case of Caddy is pretty cumbersome. Actually I would say that setting up CrowdSec to detect attacks and block traffic on firewall level is pretty easy now (given that you know what to do). It’s literally a matter of installing a log parser (easy with cscli), pointing to the log file in a CrowdSec config file and restarting the agent.
So that leaves us with the Caddy or NGINX bouncer part. Those are cumbersome and to be honest I really don’t know what we can do to make it easier.
