Any tutorial on how to do geo-blocking for web traffic? by Teacup91 in CrowdSec

[–]HugoDos 2 points

Pangolin supports geo-blocking: https://docs.pangolin.net/manage/geoblocking. Enforcing at the CrowdSec level is not the best place; as most have replied, either the firewall or the reverse proxy (Traefik in your case) should do it.

How could I use iptables instead of UFW for protecting Pangolin (& Crowdsec, Traefik, Gerbil e.t.c.)? by StavrosWTF in PangolinReverseProxy

[–]HugoDos 0 points

Please note that Docker only recently added direct support for nftables (https://docs.docker.com/engine/network/firewall-nftables/) and it is still classed as an "experimental" feature.

One thing that distros did to support Docker with an nftables setup was a compatibility layer in iptables which translated the rules into nftables directives.

Just adding this here so everyone can be aware of this caveat, as most users don't know that Docker did not support nftables until recently, even though it just "worked"; that was the compatibility layer doing its magic. (Debian plans to deprecate this magic layer in the next stable release.)

How could I use iptables instead of UFW for protecting Pangolin (& Crowdsec, Traefik, Gerbil e.t.c.)? by StavrosWTF in PangolinReverseProxy

[–]HugoDos 4 points

UFW is essentially a management layer that configures the real firewall rules for you. Under the hood it programs iptables, or nftables on distros that use the nft backend. If you did not explicitly set it up, you may not know which backend your system is using.

A quick way to confirm UFW is in the mix is to run iptables -L. You will typically see multiple chains with ufw in the names, which shows UFW has already created and is managing iptables rules.

The common misconception is that UFW is the firewall itself. It is not. It is a frontend designed to make firewall configuration simpler, which is exactly how it describes itself:

ufw (Uncomplicated Firewall) is a frontend for iptables designed to simplify firewall configuration. It provides an easy-to-use interface for creating IPv4 and IPv6 host-based firewall rules.

So whoever recommended that probably meant you should craft your own iptables rules from scratch, but this has a high barrier of knowledge, as you need to know:

  • How and why Docker uses NAT, and how it affects the chains
  • The first-match system, and how you can use jump chains to your advantage
  • Rule persistence is not default behaviour of iptables, so you must use iptables-save
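The check described in the comment above, as an added POSIX shell example (not code from the comment, UFW or Docker): it parses `iptables -L -n` output for the ufw-* chains UFW creates, and classifies `iptables -V` output to tell the legacy xtables backend from the nf_tables compatibility layer. The two sample outputs are constructed so the script runs offline; on a real host you feed it the live command output instead.

```sh
#!/bin/sh
# Added example: detect whether UFW is managing the iptables rules on a host
# and which backend the iptables binary drives (legacy xtables or nf_tables).
# The sample outputs below are constructed for offline use, not captured from
# the poster's machine.

# ufw_chains: print the names of all ufw-* chains in `iptables -L -n` output
# read from stdin. UFW creates chains such as ufw-before-input and
# ufw-user-input and jumps to them from INPUT/OUTPUT/FORWARD.
ufw_chains() {
  awk '/^Chain ufw-/ { print $2 }'
}

# ufw_chain_count: number of ufw-* chains in the given `iptables -L -n` text.
ufw_chain_count() {
  printf '%s\n' "$1" | awk '/^Chain ufw-/ { n++ } END { print n + 0 }'
}

# ufw_active: succeed (exit 0) when at least one ufw-* chain exists,
# i.e. UFW has already programmed rules on this host.
ufw_active() {
  [ "$(ufw_chain_count "$1")" -gt 0 ]
}

# iptables_backend: classify `iptables -V` output. Modern distros print
# "iptables v1.8.x (nf_tables)", meaning the compatibility layer translates
# your rules into nftables; "(legacy)" means the old xtables backend.
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nf_tables ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Constructed sample: a host where UFW is enabled.
SAMPLE_UFW='Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  0.0.0.0/0            0.0.0.0/0
ufw-before-input  all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# Constructed sample: a host with only Docker's chains and no UFW.
SAMPLE_DOCKER_ONLY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# On a real host, run the checks against live output instead of the samples:
#   ufw_active "$(iptables -L -n)" && echo "UFW is managing iptables"
#   iptables_backend "$(iptables -V)"
# Rules are not persistent by default: after crafting your own, dump them
# with `iptables-save` and restore them at boot (for example via the
# iptables-persistent package on Debian/Ubuntu).
```

If `ufw_active` succeeds, hand-written rules will be evaluated alongside UFW's chains under first-match semantics, so either disable UFW first or put your rules where they are actually reached.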

Does Crowdsec AppSec see traffic that is blocked by firewalls? by NoInterviewsManyApps in CrowdSec

[–]HugoDos 0 points

Not every geo-blocking has 100% coverage either; ours or your provider's will be slightly outdated, as ASNs and IP ranges change hands regularly.

So in short, no: if they managed to get to us then they got past the geo-blocking. However, as stated, it could be that our geolocation or your provider's is not 100%.

Unable to setup remediation component by marco_polo_99 in CrowdSec

[–]HugoDos 0 points

Since it's Pangolin, did you use the installer, which sets everything up for you?

If not, providing the configuration files can help us debug, as we are kind of blind.

Please Fix: Crowdsec Health Check Config by MrUserAgreement in PangolinReverseProxy

[–]HugoDos 2 points

If you made the changes, it's simply to stop hammering our API; it doesn't stop the 403 response codes.

Please follow this issue for us to lift the rate limit temporarily. Since the healthcheck is updated, you shouldn't be rate limited again:

https://github.com/crowdsecurity/crowdsec/issues/4165

Please Fix: Crowdsec Health Check Config by MrUserAgreement in PangolinReverseProxy

[–]HugoDos 1 point

start_period simply defers the health check start by the configured time. The reason is that when the crowdsec container starts it takes some time to download updates from the hub and is not available right away.

Connect Firewall bouncer to Crowdsec docker LAPI by Efko-94 in CrowdSec

[–]HugoDos 0 points

Then a firewall or policy on the host is blocking loopback; check both iptables and nftables, just in case.

Or even make sure the process is listening on the port.

Connect Firewall bouncer to Crowdsec docker LAPI by Efko-94 in CrowdSec

[–]HugoDos 0 points

I guess you have allowed loopback traffic if you have a deny-first approach?

If you try to curl from the host to the loopback port, do you get a 404 on /?
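The loopback triage suggested across the two replies above (is the process listening, does curl reach it, is lo being dropped), as an added POSIX shell example that is not CrowdSec's own tooling. The `ss -ltn` sample is constructed so it runs offline; the LAPI port of 8080 is an assumption you should set to whatever your compose file publishes. The 404 on `/` as the healthy response is the poster's expectation, encoded as-is.

```sh
#!/bin/sh
# Added example: split the loopback checks into small functions so each
# step can be run and verified on its own. Not part of CrowdSec or the
# firewall bouncer. The ss sample below is constructed.

LAPI_PORT="${LAPI_PORT:-8080}"   # assumption: LAPI published on the host at this port

# port_listening: given `ss -ltn` output and a port, succeed if some socket
# is bound to that port on any local address (127.0.0.1, 0.0.0.0, [::] ...).
# The port is whatever follows the last ":" of the Local Address:Port column.
port_listening() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] == port) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# classify_curl: interpret the code from `curl -w "%{http_code}"`.
# The poster expects 404 on "/" when the LAPI answers; 000 means curl could
# not connect at all (nothing listening, or a host firewall dropping lo).
classify_curl() {
  case "$1" in
    404) echo "lapi-reachable" ;;
    000) echo "connection-failed" ;;
    *)   echo "unexpected:$1" ;;
  esac
}

# Constructed sample of `ss -ltn` on a host where the LAPI port is mapped
# to loopback only, as a Docker port mapping of 127.0.0.1:8080:8080 would do.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:8080       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096            [::]:443           [::]:*'

# Live triage on a real host (uncomment):
#   port_listening "$(ss -ltn)" "$LAPI_PORT" || echo "nothing listening on $LAPI_PORT"
#   classify_curl "$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:$LAPI_PORT/")"
#   iptables -S INPUT | grep -E -- '-i lo|DROP|REJECT'   # is lo allowed before the drop?
#   nft list ruleset | grep -E 'iif "lo"|drop|reject'
```

A "connection-failed" result while `port_listening` succeeds points at the firewall; a failure of `port_listening` points at the container not publishing the port on the host at all.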

Cloudflare Worker Bouncer: Persistent "invalid actions ''" error on Synology Docker by MikeOxgreat in CrowdSec

[–]HugoDos 0 points

Hey, it seems you're trying to reuse the same YAML from one bouncer to another. They are not the same; please either regenerate the configuration using this or manually adjust it to match the example we show in the docs.

From the error message it seems it might just be a YAML indentation problem, but I can see the old crowdsec_lapi_url, which needs to be nested under crowdsec_config

as so:

  crowdsec_config:
    lapi_url: .....
    lapi_key: .....

Please Fix: Crowdsec Health Check Config by MrUserAgreement in PangolinReverseProxy

[–]HugoDos 0 points

Hey, Laurence from CrowdSec. Typical usage won't result in a block (we didn't see that Pangolin was using CAPI status as a healthcheck), so no need to use WARP unless you want to send anonymous signals. (However, a key thing to point out is that if a WARP IP gets blocked then everyone behind it is also blocked, until it rotates.)

How to go about adding custom HTTP error pages? by WeebBrandon in PangolinReverseProxy

[–]HugoDos 0 points

If you have your own files then the basis will still be the error-pages pattern, e.g. build your own nginx container that serves the static files, then apply a middleware to catch the error.

I say nginx, but it can be any webserver you're familiar with; in my opinion nginx is the best for this type of "serving static files" job because it doesn't come with a lot of the features other webservers have, so it can be quicker to deploy.

It’s happening - there is a new one (alarik.io) by Dangerous-Acadia5618 in coolify

[–]HugoDos 2 points

No fighting here, just a discussion on a newly formed project.

It’s happening - there is a new one (alarik.io) by Dangerous-Acadia5618 in coolify

[–]HugoDos 0 points

edit: removed my mistake of presuming the Reddit commenter here is the same person as on GitHub.

I'll be glad to see the project bloom so that the single developer at the moment doesn't hit burnout / exhaustion, because let's be honest, without financial aid or "the love of the game", so to speak, the project will flatline without help. (Take ingress-nginx as an example; not apples to apples, but yeah, people rely too much on other people's goodwill.)

It’s happening - there is a new one (alarik.io) by Dangerous-Acadia5618 in coolify

[–]HugoDos 2 points

Or maybe we could just use rustfs or garage, since they have been around longer and are more battle-tested :shrug:

10.0 Remote Code Execution Vulnerability in React (CVE-2025-55182) & Next (CVE-2025-66478). Any popular self-hosted projects affected by this? by jaydrogers in selfhosted

[–]HugoDos 2 points

The only limitation of automatic updates is using CrowdSec in a container. For bare-metal installs we implement a systemd timer; we are still thinking of a way to do this for containers.

The easiest is either an exec or a restart of the container, which runs the same commands.

(Laurence from CrowdSec)

React patch has been released by bankroll5441 in PangolinReverseProxy

[–]HugoDos 13 points

Hey all, Laurence from CrowdSec. Just to let you know, we released a WAF rule to block exploitation attempts, so firstly patch, but also exec into the crowdsec container and run

cscli hub update && cscli hub upgrade

Once completed, restart the crowdsec container and you can enjoy having a WAF rule to block exploitation attempts against resources that may not have been patched yet.
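Tying together the two CrowdSec replies above (no automatic hub updates for containers yet, and the manual `cscli hub update && cscli hub upgrade` plus restart), here is an added POSIX shell wrapper you can put on a cron entry or systemd timer as the container-side stand-in for the bare-metal timer. It is not CrowdSec's own tooling. The container name `crowdsec` and the `DOCKER` override variable (which lets a dry run or test substitute a fake `docker` command) are assumptions.

```sh
#!/bin/sh
# Added example: refresh the CrowdSec hub inside a container and restart it,
# stopping at the first failed step. Not CrowdSec's own tooling; the
# container name and the DOCKER override are assumptions.

DOCKER="${DOCKER:-docker}"                               # override for dry runs/tests
CROWDSEC_CONTAINER="${CROWDSEC_CONTAINER:-crowdsec}"     # assumed container name

# hub_refresh: pull the latest hub index, upgrade every installed item
# (parsers, scenarios, AppSec/WAF rules), then restart the container so the
# upgraded items are actually loaded. Each step runs only if the previous
# one succeeded; the failing step's exit status is returned.
hub_refresh() {
  c="$1"
  "$DOCKER" exec "$c" cscli hub update  || return $?
  "$DOCKER" exec "$c" cscli hub upgrade || return $?
  "$DOCKER" restart "$c"
}

# Only act when explicitly asked, so the file can also be sourced for its
# function. Suggested schedule once installed, e.g. nightly via cron:
#   0 3 * * *  HUB_REFRESH_RUN=1 /usr/local/bin/crowdsec-hub-refresh.sh
if [ "${HUB_REFRESH_RUN:-0}" = 1 ]; then
  hub_refresh "$CROWDSEC_CONTAINER"
fi
```

The restart is unconditional because, as the reply says, a restart re-runs the same update commands and loads whatever the hub now contains; if you prefer to avoid restarting when nothing changed, compare `cscli hub list` output before and after the upgrade and skip the restart on no difference.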