1. The problem I’m having:
Caddy crashes once I try to run it with new Crowdsec settings.
2. Error messages and/or full log output:
```
Error: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 1: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'crowdsec': provision http.handlers.crowdsec: getting crowdsec app: loading crowdsec app module: crowdsec: invalid configuration: crowdsec API key must not be empty
```
3. Caddy version:
v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=
4. How I installed and ran Caddy:
Made use of a prebuilt Docker image of Caddy with GeoIP blocking and CrowdSec bouncer modules installed.
Source: caddy-custom-builds/caddy-crowdsec-geoip at main · serfriz/caddy-custom-builds · GitHub
a. System environment:
Host is Ubuntu desktop
b. Command:
```
services:
  caddy:
    image: serfriz/caddy-crowdsec-geoip:latest
    container_name: caddy
    cap_add:
      - NET_ADMIN
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
    networks:
      - crowdsec_net
    volumes:
      - /srv/dockerfiles/caddy/data:/data
      - /srv/dockerfiles/caddy/config:/config
      - /srv/dockerfiles/caddy/site:/usr/share/caddy
      - /srv/dockerfiles/caddy/config/Caddyfile:/etc/caddy/Caddyfile
      - /var/log/caddy:/logs
      - /srv/dockerfiles/caddy/geoip:/usr/share/geoip
    restart: unless-stopped
  crowdsec:
    image: docker.io/crowdsecurity/crowdsec:latest
    container_name: crowdsec
    security_opt:
      - no-new-privileges=true
    ports:
      - 127.0.0.1:8081:8080
    networks:
      - crowdsec_net
    environment:
      - TZ=Europe/Amsterdam
      - GID=1000
      - COLLECTIONS=crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/wh>
      - BOUNCER_KEY_CADDY=DbwkKQVqiwZeu6JqtmshCy0fgnDTiygZ
    volumes:
      - /srv/dockerfiles/crowdsec/crowdsec-db:/var/lib/crowdsec/data
      - /srv/dockerfiles/crowdsec/crowdsec-config:/etc/crowdsec
      - /srv/dockerfiles/crowdsec/acquis/acquis.yaml:/etc/crowdsec/acquis.yaml
      - /var/log/caddy:/var/log/caddy:ro
    restart: unless-stopped
networks:
  crowdsec_net:
    driver: bridge
```
c. Service/unit/compose file:
d. My complete Caddy config:
```
{
    email ralph1212@live.nl
    admin localhost:2019
    debug # makes Caddy logs more detailed (optional)
    order crowdsec first # forces the CrowdSec directive to be executed first
    crowdsec {
        api_url http://crowdsec:8080 # it should point to your CrowdSec API (it can be a remote URL)
        api_key DbwkKQVqiwZeu6JqtmshCy0fgnDTiygZ
        ticker_interval 15s
        #disable_streaming
        #enable_hard_fails
    }
}
kastroe.dedyn.io {
    encode gzip zstd
    # Restrictive TLS settings
    tls {
        protocols tls1.2 tls1.3
        ciphers TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384
    }
    # Hide server header
    header Server ""
    # --- GEOIP FILTER ---
    # Matcher: only allow NL IPs
    @nl_only {
        maxmind_geolocation {
            db_path "/usr/share/geoip/GeoLite2-Country.mmdb"
            allow_countries NL
        }
    }
    # Allow only NL IPs to Jellyfin
    handle @nl_only {
        reverse_proxy 100.104.224.57:8096 {
            # streaming optimization for Jellyfin
            flush_interval -1
            transport http {
                read_timeout 30s
                write_timeout 30s
                dial_timeout 10s
            }
        }
    }
    # --- STEALTH DROP FOR NON-NL IPs ---
    handle {
        abort
    }
    # security headers
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "no-referrer"
        Permissions-Policy "geolocation=(), microphone=(), camera=()"
    }
    # log settings
    log {
        output file /logs/caddy_access.log {
            roll_size 50mb
            roll_keep 5
            roll_keep_for 720h
        }
        format json
    }
}
```