#Crowdsec traefik decisions not getting through.

Hi everyone,

I used to get messages of decisions about every half an hour. Currently not getting any. I've moved from nginx to traefik, and I don't know if it is even functioning correctly at this point.

Part of my acquis.yaml:

filenames:
  - /var/log/nginx/*.log
  - ./tests/nginx/nginx.log
  - /var/log/swag/*.log
  - /var/log/traefik/*
#this is not a syslog log, indicate which kind of logs it is
labels:
#  type: nginx
  type: traefik

I still have parts of the old logs in here, but only traefik is getting updated.

My dynamic file is as follows:

http:
  middlewares:
    crowdsec-bouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          enabled: true
          crowdsecMode: live
          crowdseclapikey: "api key generated by doing"

docker exec crowdsec cscli bouncers add TraefikBouncer, please see: https://share.golfwithus.nl/u/zBLusE.png

I don't know why my decisions are not getting through, am I missing something?
I am running both traefik and crowdsec in docker.

My profiles.yaml is as follows:

name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 24h
duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 24)"
notifications:
  - discord  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break

There are no errors in the logs, everything seems to operate just fine. It's just that no decisions are seen, which I think is odd!

Fyi, within the crowdsec logs I can see decisions popping up!

time="2025-12-30T22:35:29+01:00" level=info msg="172.18.0.11 - [Tue, 30 Dec 2025 22:35:29 CET] \"GET /v1/decisions?ip=IP_HERE_OF_SOMEONE HTTP/1.1 200 106.976866ms \"Crowdsec-Bouncer-Traefik-Plugin/1.X.X\" \"" module=lapi

Within traefik I have added:

      # Crowdsec settings
      - "--experimental.plugins.crowdsec-bouncer-traefik-plugin.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      - "--experimental.plugins.crowdsec-bouncer-traefik-plugin.version=v1.5.0-beta1"

Did you make sure to install the traefik collection? Also check cscli metrics as it will inform which files it sees and the parsed status

BTW bouncers / remediation don't make decisions they simply enforce them. (The logs you showed is traefik checking the IP)

Decisions are only made through log files or WAF rules.

Uhm... now that you say it..

I feel so stupid, I didn't...

https://share.golfwithus.nl/u/0vxlAc.png

I am not quite sure if it works yet.

root@Hypnos:~# docker exec -it crowdsec cscli metrics
╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                                        │
├──────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                           │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├──────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ docker:authentik-server          │ 151        │ -            │ 151            │ -                      │ -                 │
│ file:/var/log/traefik/access.log │ 3.66k      │ 3.66k        │ -              │ 62                     │ 876               │
╰──────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯

It def did something

I just tested it by banning a friend, and that did register.

I don’t understand, I still don’t have any decisions as of yesterday whilst they all parse… with nginx it blocked many different requests all the time.. it does say as you can see above that it parses the logs. It isn’t a problem that the app sec things are only nginx? Confused and I want to know if my stuff is working alright 😅

These are the collections I have installed: crowdsecurity/traefik crowdsecurity/nginx crowdsecurity/base-http-scenarios firix/authentik crowdsecurity/discord-crawler-whitelist

Access to docker sock at read only

I don’t know where to search anymore, all seems logical 😅

@muted mason I did put the traefik logging on json, I know it should be supported but does that work out of the box? It has a ton and I mean a ton more info to work with

The only warning I was able to find after startup is:

{"time":"2025-12-31T16:59:50+01:00","level":"warning","msg":"grok 'NGCUSTOMUSER' already registred","id":"shy-wave","module":"parser","name":"crowdsecurity/traefik-logs","stage":"s01-parse"}

I think it is my appsec component in my container that is not functioning, when I disable that in the traefik plugin it works!

I am trying to follow it:https://docs.crowdsec.net/docs/next/appsec/quickstart/traefik, but on unRAID.

But when enabled I keep getting:

DEBUG: CrowdsecBouncerTraefikPlugin: 2025/12/31 19:18:09 handleNextServeHTTP ip:IP_HERE isWaf:true appsecQuery:unreachable Get "http://crowdsec:7422/": dial tcp 172.18.0.98:7422: connect: connection refused

I tried to make an appsec.yaml in my /mnt/user/appdata/crowdsec dir:
appsec_config: crowdsecurity/appsec-default labels: type: appsec listen_addr: 0.0.0.0:7422 source: appsec

I'm pretty sure appsec on 7442 just isn't working, but I have absolutely no idea how to enable it... :/

I'll just keep appsec disabled for the time being.

Oh I think I made it work out! I understood it incorrectly, I needed to put it in the acquis.yaml file.

appsec_config: crowdsecurity/appsec-default
labels:
type: appsec
listen_addr: 0.0.0.0:7422
source: appsec

Which works!

Haven’t seen any decisions yet, but I set the logging to debug in traefik and I can see appsec works now. Just need to wait I think

What? Still no decisions being made, everything seems to work… I must be missing something. Got an idea @muted mason ?

I just tested an authentic BF which seems to have triggered!! That is good, however I am very surprised these are not showing up anymore. https://share.golfwithus.nl/u/iO09rF.png

Interesting, I am very much confused lol

I have a feeling traefik is doing more then swag was or something

Or am I missing access logging for traefik or something?

I'm still not nearly getting enough decisions. Do you guys have any idea? I am completely lost here. Maybe I have configured it all correctly, but I'm just worried and I cannot find anything on this.

╭─────────────────────────────────────╮
│ Appsec Metrics                      │
├───────────────┬───────────┬─────────┤
│ Appsec Engine │ Processed │ Blocked │
├───────────────┼───────────┼─────────┤
│ 0.0.0.0:7422/ │ 406       │ -       │
╰───────────────┴───────────┴─────────╯

╭────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                                        │
├──────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                           │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├──────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ docker:authentik-server          │ 42         │ -            │ 42             │ -                      │ -                 │
│ file:/var/log/traefik/access.log │ 649        │ 649          │ -              │ 98                     │ 295               │
╰──────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
╭────────────────────────────────────────────────────╮
│ Local API Alerts                                   │
├────────────────────────────────────────────┬───────┤
│ Reason                                     │ Count │
├────────────────────────────────────────────┼───────┤
│ crowdsecurity/http-admin-interface-probing │ 5     │
│ crowdsecurity/http-bad-user-agent          │ 3     │
│ crowdsecurity/http-open-proxy              │ 14    │
│ crowdsecurity/http-probing                 │ 7     │
│ manual 'ban' from 'localhost'              │ 1     │
│ crowdsecurity/http-crawl-non_statics       │ 4     │
│ crowdsecurity/http-cve-2021-41773          │ 2     │
│ crowdsecurity/http-sensitive-files         │ 7     │
│ crowdsecurity/jira_cve-2021-26086          │ 1     │
│ firix/authentik-bf                         │ 1     │
╰────────────────────────────────────────────┴───────╯

╭────────────────────────────────────────────────────────────────╮
│ Parser Metrics                                                 │
├────────────────────────────────────┬───────┬────────┬──────────┤
│ Parsers                            │ Hits  │ Parsed │ Unparsed │
├────────────────────────────────────┼───────┼────────┼──────────┤
│ child-crowdsecurity/http-logs      │ 2.14k │ 2.00k  │ 140      │
│ child-crowdsecurity/traefik-logs   │ 1.43k │ 713    │ 713      │
│ crowdsecurity/dateparse-enrich     │ 713   │ 713    │ -        │
│ crowdsecurity/geoip-enrich         │ 447   │ 447    │ -        │
│ crowdsecurity/http-logs            │ 713   │ 713    │ -        │
│ crowdsecurity/non-syslog           │ 784   │ 784    │ -        │
│ crowdsecurity/public-dns-allowlist │ 713   │ 713    │ -        │
│ crowdsecurity/traefik-logs         │ 713   │ 713    │ -        │
│ crowdsecurity/whitelists           │ 713   │ 713    │ -        │
│ firix/authentik-logs               │ 71    │ -      │ 71       │
│ quafley/Immich_whitelist           │ 713   │ 713    │ -        │
│ quafley/Overseerr_whitelist        │ 713   │ 713    │ -        │
╰────────────────────────────────────┴───────┴────────┴──────────╯

I am noticing this, is this indicatin git doesn't work correctly?

@muted mason I also made sure to do the crowsec-generic-test for appsec:

root@Hypnos:~# docker exec -it crowdsec cscli alerts list | grep crowdsecurity/appsec-generic-test
│ 44001 │ Ip:    │ crowdsecurity/appsec-generic-test          │ NL      │ 206238 Freedom Internet BV            │           │ 2026-01-01T21:36:48Z │
│ 43999 │ Ip:   │ crowdsecurity/appsec-generic-test          │ NL      │ 199218 Proton AG                      │           │ 2026-01-01T21:35:58Z │
│ 43997 │ Ip:    │ crowdsecurity/appsec-generic-test          │ US      │ 396982 GOOGLE-CLOUD-PLATFORM          │           │ 2026-01-01T21:35:55Z │
``` All indicating it works fine. Can you confirm if it is working as it should? I just am really confused by the fact that the decisions have gone down like A LOT since switching to traefik. 

I am seeing the tests in the hub as well, not geting a message on it though on discord:
```yaml `profiles.yaml`
name: default_ip_remediation
#debug: true
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 24h
duration_expr: "Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 24)"
notifications:
  - discord  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
on_success: break

I have configured everything to ban, but I will implement captcha's as well soon.

filenames:
  - /var/log/traefik/*.log
#this is not a syslog log, indicate which kind of logs it is
labels:
  type: traefik

Most up to date config is as follows:
For traefik:

accessLog:
  filePath: /var/log/traefik/access.log
  format: json
  filters:
    statusCodes:
      - "100-199" # log informational http requests
      - "200-299" # log successful http requests
      - "300-399" # log redirects
      - "400-499" # log failed http requests
      - "500-599" # log server errors
    #retryAttempts: true # where at least one retry was attempted
    minDuration: 0ms # log all requests
  # collect logs as in-memory buffer before writing into log file
  bufferingSize: 0
  fields:
    defaultMode: keep # keep all fields per default
    headers:
      defaultMode: keep

For the crowdsec plugin:

crowdsec-bouncer:
      plugin:
        crowdsec-bouncer-traefik-plugin:
          enabled: true
          logLevel: ERROR
          LogFilePath: "/var/log/traefik/crowdsec-bouncer.log"
          updateIntervalSeconds: 60
          updateMaxFailure: 0
          defaultDecisionSeconds: 60
          remediationStatusCode: 403
          httpTimeoutSeconds: 10
          crowdsecMode: live
          crowdsecAppsecEnabled: true
          crowdsecAppsecScheme: "http"
          crowdsecAppsecHost: crowdsec:7422
          crowdsecAppsecFailureBlock: true
          crowdsecAppsecUnreachableBlock: true
          crowdsecLapiKey: 
          crowdsecLapiScheme: http
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiTLSInsecureVerify: false

          forwardedHeadersTrustedIPs: # In front of traefik, i.e., cloudflare.
            - 172.16.0.0/12 # Includes my custom docker networks.
          clientTrustedIPs:
            - 10.0.0.0/8
            - 192.168.0.0/16 # Trust all local subnets.
            - 172.16.0.0/12 
          forwardedHeadersCustomName: X-Forwarded-For
          captchaProvider: hcaptcha
          captchaSiteKey: 
          captchaSecretKey: 
          captchaGracePeriodSeconds: 1800
          captchaHTMLFilePath: /captcha.html
          banHTMLFilePath: /ban.html
          metricsUpdateIntervalSeconds: 600     

Decisions added for ban and captcha, both work when manually triggered.

I'm not ignoring you, I'm on annual leave will be back Monday.

Everything so far looks okay, can you upload the full output of cscli metrics

Thanks Loz, I was not aware, apologies.

Here is the full metrics

What is interesting is that I had 282 dropped and today 374 Perhaps this indicates an issue? https://share.golfwithus.nl/u/AS68OV.png

Interesting, I changed the logging as I explained here, and now I am getting all the bans etc. Loz, what are generally recommended standard mitigations? I’m currently banning everything for 24h, but I’m not really familiar with when to do a captcha, when to ban etc

I think I resolved my first issue loz, I tweaked more things and it seems to process correctly now. Only thing is the increasing dropped traffic requests. And the question regarding the captcha and bans :)

Realistically, considering I asked this in lounge and it turned more into support. What is my best bet at dealing with that banned IP? That IP is used by discord to scrape images of my image server. So I will need to allow it regardless. My guess is that the allowlist is the easiest way forward

Or dont apply the middleware to your entrypoint and apply it to each router you create for your application.

its a PITA but that is the level your asking for.

I already apply crowdsec to every router, but I need to have it enabled as I deal with shareable links. I’ll just allowlist it

I could perhaps make a rule to bypass crowdsec from within traefik, but that will be a lot of testing

Wait I think I misread this, what is the difference?

So if you apply the middleware at entrypoint then it blocks everywhere.

If you apply at the router level then you can apply the remediation blocking at different levels

So router a can not have it but router b can apply.

Ah like that okay. Yeah I’m going to look into if I can exclude certain parts of that app from crowdsec. Or I’m allowlisting the ip

What’s one IP right with that many that are already blocked. I am a bit surprised though, why would a legitimate IP used by crowdsec be marked as malicious? Surely they aren’t actually malicious?

Discord*

Probably not, but also discord probably hasnt setup the rDNS

we whitelist using combination of ranges and rDNS to prevent spoofing

Yeah okay, best bet is to just whitelist that IP, not big deal.