Docker-Compose

Start the docker-socket-proxy container
Get your Cloudflare DNS Zone Edit API TOKEN
Start your traefik compose.yaml (see .env and fill in the DNS API Token, skip the bouncer API for now)
Start your CrowdSec container
Generate the Bouncer API Key with: docker exec crowdsec cscli bouncers add traefik-bouncer
NOTE: Make sure there are no special characters. If it contains anything other than [a-z A-Z 0-9], delete and regenerate:
docker exec crowdsec cscli bouncers delete traefik-bouncer
docker exec crowdsec cscli bouncers add traefik-bouncer
Put the output in your .env under CROWDSEC_BOUNCER_API_KEY
Restart traefik container

Confirm CrowdSec Is Parsing Traefik Logs: docker exec crowdsec cscli metrics
Check the plugins for errors: docker logs traefik 2>&1 | grep -i "crowdsec\|plugin\|error" | tail -20
Shows bouncer list: docker exec crowdsec cscli bouncers list
Review all logs: docker logs traefik 2>&1 | tail -30
You should see /v1/decisions/stream hits incrementing: docker exec crowdsec cscli metrics | grep -A8 "Local API Metrics"

Test CrowdSec Is Actually Blocking \

Ban your own IP: docker exec crowdsec cscli decisions add --ip <your-ip> \
Check your list of banned IPs: docker exec crowdsec cscli decisions list \
Go to one of URLs
Note: using crowdsecMode: stream, decisions sync every 60 seconds — so the ban may take up to a minute to take effect \
Unban yourself: docker exec crowdsec cscli decisions delete --ip <your-ip>

Setup CrowdSec Console (cloud)

Go to app.crowdsec.net and create a free account
Once signed in > Click "Engines" in the left sidebar
Click "Enroll a new engine" or "Enroll command"
Copy the key
Back on your server, run: docker exec crowdsec cscli console enroll <enrollment-key>
Restart crowdsec container
If you ever want to remove: docker exec crowdsec cscli console disable --all