#Setup Cloudflare Workers Bouncer with my infrastructure


weak umbra
#

Hello,
I am having trouble understanding how exactly to set up the Cloudflare Worker Bouncer. I have a NAS and a mini server running several self-hosted services. I have an NGINX reverse proxy set up on both devices and I use Cloudflare for DNS. That's why I want to use the Cloudflare Worker Bouncer so that access decisions are not made on my infrastructure but directly at Cloudflare.
I have set up the CrowdSec Security Engine as a Docker container on the NAS and connected it to the CrowdSec Console. Unfortunately, I can't understand from the documentation where exactly this bouncer should be set up, as a Docker container on my NAS or installed directly on the NAS?

dusk arch
#

> why I want to use the Cloudflare Worker Bouncer so that access decisions are not made on my infrastructure but directly at Cloudflare.
Remediation Components (bouncers) don't make decisions but enforce decisions, so for the Cloudflare worker it blocks at the Cloudflare edge

> where exactly this bouncer should be set up, as a Docker container on my NAS or installed directly on the NAS?
It doesn't matter directly where, as long as it can contact the LAPI to get the current decisions so it can push to Cloudflare KV. The remediation itself sets up the worker and keeps the KV up to date

fossil seal
#

Also, you say "I use Cloudflare for DNS": if Cloudflare only handles the DNS, the bouncer won't do anything, as Cloudflare will never see any actual requests, only the DNS requests for your domain.
Cloudflare needs to be configured in proxy mode if you want to use this bouncer.

dusk arch
#

No, we do have an image, just not documented

weak umbra
#

Is there any documentation on this container?

weak umbra
#

OK, I got the container running, but it seems that the bouncer can't communicate with the LAPI:

time="2025-05-19T18:08:07Z" level=error msg="Get \"http://crowdsec:8081/v1/decisions/stream?additional_pull=false&community_pull=false&scopes=ip%2Crange%2Cas%2Ccountry&startup=true\": dial tcp 172.19.0.2:8081: connect: connection refused"
time="2025-05-19T18:08:29Z" level=error msg="Get \"http://crowdsec:8081/v1/decisions/stream?additional_pull=false&community_pull=false&scopes=ip%2Crange%2Cas%2Ccountry&startup=true\": dial tcp 172.19.0.2:8081: connect: connection refused"

The Docker stack looks like that:

services:
  crowdsec:
    image: crowdsecurity/crowdsec
    restart: always
    ports:
      - 8081:8080
    volumes:
      - /share/Docker/NginxPM/data/logs:/var/log/nginx
      - /share/Docker/crowdsec/data:/var/lib/crowdsec/data/
      - /share/Docker/crowdsec/config:/etc/crowdsec/
  cloudflare-worker-bouncer:
    image: crowdsecurity/cloudflare-worker-bouncer
    restart: always
    ports:
      - 2112:2112
    environment:
      - CROWDSEC_LAPI_URL=http://crowdsec:8081/
      - API_KEY=**********************************
    volumes:
      - /share/Docker/crowdsec/data:/var/lib/crowdsec/data/
      - /share/Docker/crowdsec/config:/etc/crowdsec/

I'm pretty sure the API was copied correctly

cscli bouncers list
───────────────────────────────────────────────────────────────────────────────
 Name               IP Address  Valid  Last API pull  Type  Version  Auth Type 
───────────────────────────────────────────────────────────────────────────────
 CloudflareBouncer              ✔️                                   api-key   
───────────────────────────────────────────────────────────────────────────────
weak umbra
#

Since I changed the port for the crowdsec container to 8081, it should work, or not?

dusk arch
#

You haven't changed it, you just created a port mapping

#

So inside the container network it's still 8080, it's only 8081 on the outside

#

From what I can see from the compose
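
Added example (not part of the thread and not CrowdSec project code): a small check for the mistake diagnosed above, where a URL that addresses another service by its compose name uses the host side of a `HOST:CONTAINER` port mapping. The function names are hypothetical, and the stack is a constructed dict holding only the relevant parts of the compose file posted above, as a YAML parser would return them.

```python
from urllib.parse import urlsplit

# Constructed input: the relevant parts of the stack posted above
# (volumes and the redacted API key are omitted).
STACK = {
    "services": {
        "crowdsec": {"ports": ["8081:8080"]},
        "cloudflare-worker-bouncer": {
            "ports": ["2112:2112"],
            "environment": ["CROWDSEC_LAPI_URL=http://crowdsec:8081/"],
        },
    }
}


def published_ports(service):
    """Map host port -> container port for short-syntax single-port entries,
    e.g. "8081:8080" or "127.0.0.1:8081:8080/tcp" (port ranges not handled)."""
    mapping = {}
    for entry in service.get("ports", []):
        parts = str(entry).split("/")[0].split(":")
        if len(parts) >= 2:
            mapping[int(parts[-2])] = int(parts[-1])
    return mapping


def find_host_port_urls(stack):
    """Return (service, variable, url, suggested_port) for each environment URL
    that names another service but uses that service's host-side port."""
    services = stack["services"]
    findings = []
    for name, svc in services.items():
        for item in svc.get("environment", []):
            var, _, value = item.partition("=")
            url = urlsplit(value)
            target = services.get(url.hostname or "")
            if target is None or url.port is None:
                continue  # not a URL pointing at a service in this stack
            ports = published_ports(target)
            # A host port that is not also a container port is not listening
            # on the stack's internal network: "connection refused".
            if url.port in ports and url.port not in ports.values():
                findings.append((name, var, value, ports[url.port]))
    return findings


if __name__ == "__main__":
    for svc, var, url, port in find_host_port_urls(STACK):
        print(f"{svc}: {var}={url} uses a host port; inside the network use {port}")
```
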