Crowdsec on LB #7

Open
opened 2025-07-25 16:20:08 +00:00 by payneio · 3 comments
payneio (Owner):

Need to lock down LB with crowdsec (can start with a guide, but need to provide cli or gui in the future)
payneio added this to the Ready for Early Adopters milestone 2025-07-25 16:20:08 +00:00
payneio added the security label 2025-07-25 16:20:08 +00:00
payneio (Author, Owner):

Might need to get logs streaming w/ Prometheus from the other pods.
payneio (Author, Owner):

Added to payne.io as a test. If it works, we can deploy cluster-wide.

To add the same protection to other ingresses, just add this annotation:

```yaml
annotations:
  traefik.ingress.kubernetes.io/router.middlewares: traefik-global-rate-limit@kubernetescrd,traefik-global-security-headers@kubernetescrd
```
payneio (Author, Owner):

Current Status:

  • CrowdSec service: ✅ Running and healthy
  • Traefik plugin: ✅ Loaded (latest version v1.4.4)
  • LAPI connectivity: ✅ Accessible (returns expected 403 auth error)
  • Middleware: ❓ Still causing 404s when applied to ingress
  • Site without middleware: ✅ Works perfectly

🔧 Next Steps to Resolve:

The CrowdSec plugin is properly configured per 2025 best practices, but there's still an issue with the middleware implementation. We can either:

  1. Option A: Use only rate limiting + security headers (which work fine):

     ```yaml
     traefik.ingress.kubernetes.io/router.middlewares: traefik-global-rate-limit@kubernetescrd,traefik-global-security-headers@kubernetescrd
     ```

  2. Option B: Debug the plugin middleware further (may need to check plugin logs or use a test endpoint)
  3. Option C: Switch to the Helm-based CrowdSec installation as shown in their official examples

For now, your cluster has working rate limiting and security headers protection. The CrowdSec community IP blocking would be the cherry on top, but you're already much more secure than when we started!

Would you like me to proceed with Option A (working protection) or investigate Option B (debug the plugin further)?
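The middleware chain referenced by the annotation in the two comments above, written out as an added example. This is not code from the wild-cloud repository or from CrowdSec; it assumes Traefik is running with the `kubernetescrd` provider, that the two Middleware objects live in the `traefik` namespace (the provider exposes a Middleware as `<namespace>-<name>@kubernetescrd`, which is why the annotation says `traefik-global-rate-limit`), and the limit values, header values, hostname `example.internal` and Service name `example-site` are illustrative placeholders.

```yaml
# Added example (not from the wild-cloud repo). Assumptions: kubernetescrd
# provider enabled, Middleware objects in namespace "traefik", illustrative
# limits, and a hypothetical Ingress/Service "example-site".
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: global-rate-limit
  namespace: traefik
spec:
  rateLimit:
    average: 50     # sustained requests per period; keyed on client IP by default
    burst: 100      # short spikes tolerated above the average
    period: 1s
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: global-security-headers
  namespace: traefik
spec:
  headers:
    stsSeconds: 31536000          # HSTS for one year
    stsIncludeSubdomains: true
    frameDeny: true               # X-Frame-Options: DENY
    contentTypeNosniff: true      # X-Content-Type-Options: nosniff
    referrerPolicy: strict-origin-when-cross-origin
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-site              # hypothetical
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # <namespace>-<name>@kubernetescrd for each Middleware above, in order
    traefik.ingress.kubernetes.io/router.middlewares: traefik-global-rate-limit@kubernetescrd,traefik-global-security-headers@kubernetescrd
spec:
  rules:
  - host: example.internal        # hypothetical hostname
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-site    # hypothetical Service
            port:
              number: 80
```

Two practical notes for Option B, stated as general Traefik behaviour rather than a diagnosis of this cluster. First, when a router references a middleware Traefik cannot resolve (a name with the wrong namespace prefix, or a plugin-backed Middleware whose plugin failed to initialise), Traefik logs an error and does not build that router, so the host falls through to the default 404 handler; `kubectl get middleware -A` and the Traefik log are therefore the first things to compare against the annotation before debugging the plugin itself. Second, both `rateLimit` and any IP-based CrowdSec decision key on the client address Traefik sees; behind a load balancer that does not hand over the original address (PROXY protocol, or `X-Forwarded-For` with the LB listed in `forwardedHeaders.trustedIPs`), every client shares the LB's IP, so the rate limit trips for everyone at once and an IP ban would block all traffic.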
Reference: CSTF/wild-cloud#7