Source: https://traefik.io/
https://github.com/traefik/traefik
Prerequisites:
To use this docker compose yaml file you will need:
- Cloudflare DNS API token
- Running container of docker-socket-proxy
- Running container of crowdsec
Guide:
- Start the docker-socket-proxy container
- Get your Cloudflare DNS Zone Edit API TOKEN
- Start your traefik compose.yaml (see .env and fill in the DNS API Token, skip the bouncer API for now)
- Start your CrowdSec container
- Generate the Bouncer API Key with:
docker exec crowdsec cscli bouncers add traefik-bouncer
NOTE: Make sure there are no special characters. If it contains anything other than [a-z A-Z 0-9], delete and regenerate:
docker exec crowdsec cscli bouncers delete traefik-bouncer
docker exec crowdsec cscli bouncers add traefik-bouncer
- Put the output in your .env under CROWDSEC_BOUNCER_API_KEY
- Restart traefik container
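The key check and .env step from the guide above, as an added shell example that is not part of the original guide. The function names, the `--apply` switch and the default `./.env` path are assumptions; `-o raw` is the cscli output option that prints only the key.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names, the --apply
# switch and the default ./.env path are assumptions made for illustration.
LC_ALL=C; export LC_ALL
ENV_VAR="CROWDSEC_BOUNCER_API_KEY"

# Succeed only if the key is non-empty and purely [a-zA-Z0-9].
key_is_clean() {
  case "$1" in
    "" | *[!a-zA-Z0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Replace (or append) the bouncer key line in an env file, keeping other lines.
write_env_key() {
  env_file=$1; key=$2
  key_is_clean "$key" || return 1
  tmp=$(mktemp "${env_file}.XXXXXX") || return 1
  chmod 600 "$tmp"                      # the file holds API secrets
  if [ -f "$env_file" ]; then
    grep -v "^${ENV_VAR}=" "$env_file" > "$tmp" || true
  fi
  printf '%s=%s\n' "$ENV_VAR" "$key" >> "$tmp"
  mv "$tmp" "$env_file"
}

# The guide's "delete and regenerate" loop, using its container and bouncer
# names; "-o raw" asks cscli to print only the key.
new_bouncer_key() {
  tries=0
  while [ "$tries" -lt 5 ]; do
    docker exec crowdsec cscli bouncers delete traefik-bouncer >/dev/null 2>&1 || true
    key=$(docker exec crowdsec cscli bouncers add traefik-bouncer -o raw) || return 1
    if key_is_clean "$key"; then printf '%s\n' "$key"; return 0; fi
    tries=$((tries + 1))
  done
  return 1
}

# Only touches Docker and .env when called as: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
  k=$(new_bouncer_key) && write_env_key "${2:-./.env}" "$k" \
    && echo "stored $ENV_VAR; restart the traefik container"
fi
```

The temporary file is created with mode 600 before the key is written, so the secret is never readable by other local users, and a rejected key leaves the existing .env untouched.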
Verifying:
- Confirm CrowdSec Is Parsing Traefik Logs:
docker exec crowdsec cscli metrics
Testing:
- Test CrowdSec Is Actually Blocking:
Ban your own IP:
docker exec crowdsec cscli decisions add --ip <YOUR_IP>
Unban yourself:
docker exec crowdsec cscli decisions delete --ip <YOUR_IP>
docker logs traefik 2>&1 | grep -iE "crowdsec|plugin|error" | tail -20
docker exec crowdsec cscli bouncers list
docker logs traefik 2>&1 | tail -30
docker exec crowdsec cscli bouncers delete traefik-bouncer
docker exec crowdsec cscli metrics | grep -A8 "Local API Metrics"
You should see /v1/decisions/stream hits incrementing. If that's clean, the stack is fully operational.
One Thing to Note:
Since you're using crowdsecMode: stream, decisions sync every 60 seconds, so the ban may take up to a minute to take effect after step 2. If you want instant testing, temporarily switch to crowdsecMode: live in config.yaml, test, then switch back to stream.