# Traefik Access Log Parsing Issues


cursive sonnet
#

I have gotten my server to the point that crowdsec is successfully blocking IPs that I ban manually. However, I am having an issue with banning via my access logs. I can see that my real IP and cf connecting ip headers are both being kept in logs, but it doesn't seem like Crowdsec is actually using those IPs to block access. I'm not sure if there is a setting that I'm missing and am looking for help.

I am using CF and CF Tunnel for accessing subdomains. I am using cloudflarewarp Traefik plugin to keep the required headers.

rough jayBOT
#
Important Information

This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve

cursive sonnet
pale mica
#

```
%{IPORHOST:remote_addr} - %{NGCUSTOMUSER:remote_user}
```

cursive sonnet
pale mica
#

then in the ips you set the cloudflare ranges (however, it might just be your local cf tunnel if you're using them)

cursive sonnet
# pale mica typically most people configure this setting: https://doc.traefik.io/traefik/rou...

I'm already getting the forwarded headers in my logs correctly though.

```json
{"ClientAddr":"192.168.200.3:48028","ClientHost":"192.168.200.3","ClientPort":"48028","ClientUsername":"-","DownstreamContentSize":17,"DownstreamStatus":429,"Duration":24210,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":24210,"RequestAddr":"","RequestContentSize":0,"RequestCount":267,"RequestHost":"","RequestMethod":"GET","RequestPath":"/buttons/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"RouterName":"whoami-rtr@docker","SpanId":"0000000000000000","StartLocal":"2025-02-24T19:36:56.642127547Z","StartUTC":"2025-02-24T19:36:56.642127547Z","TLSCipher":"TLS_CHACHA20_POLY1305_SHA256","TLSVersion":"1.3","TraceId":"00000000000000000000000000000000","entryPointName":"https","level":"info","msg":"","request_Cf-Connecting-Ip":"","request_User-Agent":"gobuster/3.6","request_X-Real-Ip":"192.168.200.3","time":"2025-02-24T19:36:56Z"}
```

Here is an example log with some values removed like my domain and public IP just to give you an idea.

#

192.168.200.3 is my CF tunnel

pale mica
#

So you need to set up forwarded headers and set trusted ips as 192.168.200.3

#

we don't get ips from any other value than "clientaddr" because if you misconfigure or we mess up then it can open you to spoofing attacks

cursive sonnet
#

This is my forwardHeaders config

```yaml
- --entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.0/22
```

I'm still getting back the CF tunnel IP in my logs. Is this supposed to rewrite the ClientAddr field?

pale mica
#

my bad

#

it is ClientHost

#

`evt.Unmarshaled.traefik.ClientHost` we get, so clientaddr will always be CF tunnel

cursive sonnet
# pale mica might help https://blog.lrvt.de/configuring-crowdsec-with-traefik/

This is actually what I followed, I'm thinking my cloudflarewarp setup might not be working the way it's supposed to since the ClientHost and ClientAddr are not being changed. This is all I have though

```yaml
http:
  middlewares:
    cloudflare-real-ip:
      plugin:
        cloudflarewarp:
          disableDefault: false
          trustip: # Trust IPS not required if disableDefault is false - we will allocate Cloud Flare IPs automatically
            - 192.168.0.0/16
```

cursive sonnet
#

Hi @pale mica just wanted to let you know I got this working and I didn't need the real ip middleware! Issue was due to the forwarded headers IPs I had set. Since the CF tunnel was on a different IP it wasn't updating the Client Host field in the access logs.
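The thread's conclusion can be checked offline: CrowdSec takes the source IP only from `ClientHost`, and Traefik only rewrites `ClientHost` when the peer address (here the CF tunnel) is inside `forwardedHeaders.trustedIPs`. The script below is an added example, not code from the thread, CrowdSec or Traefik; the log line is constructed after the one quoted above and the function names are my own.

```python
import ipaddress
import json

# Constructed sample, modelled on the redacted access log quoted in the thread.
SAMPLE_LOG = json.dumps({
    "ClientAddr": "192.168.200.3:48028",
    "ClientHost": "192.168.200.3",
    "request_X-Real-Ip": "192.168.200.3",
    "request_Cf-Connecting-Ip": "",
    "DownstreamStatus": 429,
    "RequestPath": "/buttons/",
})
# Same request after the tunnel IP was added to trustedIPs: ClientHost now
# carries the forwarded client address (TEST-NET-3 documentation range).
REWRITTEN_LOG = json.dumps({"ClientAddr": "192.168.200.3:48028",
                            "ClientHost": "203.0.113.5"})

def parse_traefik_line(line: str) -> dict:
    """Parse one JSON-format Traefik access log entry."""
    return json.loads(line)

def source_ip(event: dict) -> str:
    """Mirror CrowdSec: only ClientHost counts as the source IP. Header-derived
    fields such as request_X-Real-Ip are ignored on purpose, because they are
    attacker-controlled unless Traefik itself validated the upstream proxy."""
    return event["ClientHost"]

def trusted(ip: str, trusted_cidrs: str) -> bool:
    """Is the peer inside entryPoints.*.forwardedHeaders.trustedIPs?
    Only then does Traefik honour X-Forwarded-For and rewrite ClientHost."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in trusted_cidrs.split(","))

def diagnose(line: str, trusted_cidrs: str, tunnel_ip: str) -> str:
    """Explain why a log line still shows the tunnel address (or does not)."""
    ip = source_ip(parse_traefik_line(line))
    if ip == tunnel_ip and not trusted(tunnel_ip, trusted_cidrs):
        return "tunnel-ip-not-trusted"   # the misconfiguration from the thread
    if ip == tunnel_ip:
        return "no-forwarded-header"     # trusted, but no X-Forwarded-For arrived
    return "real-client-ip"              # CrowdSec will ban the right address

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "127.0.0.1/32,192.168.1.0/22", "192.168.200.3"))
    print(diagnose(SAMPLE_LOG, "127.0.0.1/32,192.168.200.3/32", "192.168.200.3"))
    print(diagnose(REWRITTEN_LOG, "127.0.0.1/32,192.168.200.3/32", "192.168.200.3"))
```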
