Source: https://traefik.io/
https://github.com/traefik/traefik
Prerequisites:
To use this docker compose yaml file you will need:
- Cloudflare DNS API TOKEN
- Running container of docker-socket-proxy
- Running container of crowdsec
Guide:
- Start the docker-socket-proxy container
- Get your Cloudflare DNS Zone Edit API TOKEN
- Start your traefik compose.yaml (see .env and fill in the DNS API Token; skip the bouncer API key for now)
- Start your CrowdSec container
- Generate the Bouncer API Key with:
    docker exec crowdsec cscli bouncers add traefik-bouncer
  NOTE: Make sure there are no special characters. If it contains anything other than [a-z A-Z 0-9], delete and regenerate:
    docker exec crowdsec cscli bouncers delete traefik-bouncer
    docker exec crowdsec cscli bouncers add traefik-bouncer
- Put the output in your .env under CROWDSEC_BOUNCER_API_KEY
- Restart traefik container
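
The key check from the NOTE above can be scripted so that an unsafe key never reaches .env. This is an added example, not part of the original guide: the function names are hypothetical, and it assumes the container and bouncer names used in the guide plus cscli's "-o raw" output option, which prints only the key.

```shell
#!/bin/sh
# Added example: validate a CrowdSec bouncer key before writing it to .env.
# Container, bouncer and variable names follow the guide; function names are hypothetical.
LC_ALL=C; export LC_ALL   # keep the [A-Za-z0-9] ranges ASCII-only

# Return 0 only if the key is non-empty and purely [A-Za-z0-9].
is_clean_key() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Replace (or append) CROWDSEC_BOUNCER_API_KEY in an env file; result is mode 600.
set_env_key() {
    env_file=$1 key=$2
    is_clean_key "$key" || { echo "refusing to write unsafe key" >&2; return 1; }
    tmp=$(mktemp "${env_file}.XXXXXX") || return 1
    chmod 600 "$tmp"
    if [ -f "$env_file" ]; then
        grep -v '^CROWDSEC_BOUNCER_API_KEY=' "$env_file" > "$tmp" || true
    fi
    printf 'CROWDSEC_BOUNCER_API_KEY=%s\n' "$key" >> "$tmp"
    mv "$tmp" "$env_file"
}

# Delete and regenerate the bouncer until the key is clean (at most 5 tries).
# "-o raw" makes cscli print only the key instead of the human-readable banner.
rotate_bouncer_key() {
    env_file=${1:-.env} tries=0
    while [ "$tries" -lt 5 ]; do
        docker exec crowdsec cscli bouncers delete traefik-bouncer >/dev/null 2>&1 || true
        key=$(docker exec crowdsec cscli bouncers add traefik-bouncer -o raw | tr -d '\r\n')
        if is_clean_key "$key"; then
            set_env_key "$env_file" "$key"
            return
        fi
        tries=$((tries + 1))
    done
    echo "no clean key after 5 attempts" >&2
    return 1
}
```

Source the file and call rotate_bouncer_key from the directory that holds .env, then restart the traefik container as in the last step of the guide.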
Verifying:
- Confirm CrowdSec is parsing Traefik logs:
    docker exec crowdsec cscli metrics
- docker logs traefik 2>&1 | grep -iE "crowdsec|plugin|error" | tail -20
- docker exec crowdsec cscli bouncers list
- docker logs traefik 2>&1 | tail -30
- docker exec crowdsec cscli metrics | grep -A8 "Local API Metrics"
  You should see /v1/decisions/stream hits incrementing. If that's clean, the stack is fully operational.
Testing:
Test that CrowdSec is actually blocking
Ban your own IP:
    docker exec crowdsec cscli decisions add --ip <your-ip>
Go to one of your URLs
Note: using crowdsecMode: stream, decisions sync every 60 seconds — so the ban may take up to a minute to take effect
Unban yourself:
    docker exec crowdsec cscli decisions delete --ip <your-ip>