#crowdsec-firewall-bouncer-iptables causing 502 Bad Gateway

1 messages · Page 1 of 1 (latest)

feral loom
#

I have some wordpress servers where some of the sites break with a 503 bad gateway error when crowdsec-firewall-bouncer is running even without any blocks in place. attached are the IPtables rules that break when I start crowdsec-firewall-bouncer.

The server is running CentOS Linux 7, DirectAdmin, iptables v1.4.21, and nginx+Apache 1.27.1/2.4.62

📎 message.txt
young timberBOT
#
Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

© Created By WhyAydan for CrowdSec ❤️ ·
small pike
#

that's really weird
Are you sure you have no local decisions ?
The only thing I can think of would be the server somehow banned itself (but then it would impact all the sites on it, not only some of them).

Also, I don't see anything related to crowdsec in your iptables command ?

feral loom
#

I adjusted the central LAPI using profiles to have a sort of whitelist and that seems to have fixed the problem. So it must have been banning itself.

I have noticed it is quite easy for this too happen. Strange it is not built in to not ban itself.

small pike
#

so we thought about trying to automatically detect the IP of the server and automatically allow it
but there are a lot of corner cases, and it would only reliably work only in the simplest case: the public IP is attached directly to the server itself and crowdsec is running on the same server.
As soon as you add a LB, NAT, log centralization or anything like this, we wouldn't have any way to get the public IP easily (we could expose an endpoint on our API to get it, but we still cannot be sure it's the actual IP of the server and not just an IP the server uses to access the internet).