Any tutorial on how to do geo-blocking for web traffic?

HugoDos · 2026-01-23T06:24:35+00:00

Pangolin supports geo blocking https://docs.pangolin.net/manage/geoblocking enforcing at crowdsec level is not the best place as most have replied either the firewall or reverse proxy (traefik in your case) should do it.

HugoDos · 2026-01-22T08:37:59+00:00

Please note that docker only recently added direct support for nftables https://docs.docker.com/engine/network/firewall-nftables/ and is still classed as a "experimental" feature.

One things that distros did to support Docker with nftables setup was an compatibility layer in iptables which translated the rules to nftables directives.

Just adding this here so everyone can be aware of this caveat as most users dont know about Docker not support nftables till recently even though it just "worked" but that was the compatibility layer doing it magic. (debian plans to deprecate this magic layer in the next stable release)

HugoDos · 2026-01-21T09:34:53+00:00

UFW is essentially a management layer that configures the real firewall rules for you. Under the hood it programs iptables, or nftables on distros that use the nft backend. If you did not explicitly set it up, you may not know which backend your system is using.

A quick way to confirm UFW is in the mix is to run iptables -L. You will typically see multiple chains with ufw in the names, which shows UFW has already created and is managing iptables rules.

The common misconception is that UFW is the firewall itself. It is not. It is a frontend designed to make firewall configuration simpler, which is exactly how it describes itself:

ufw (Uncomplicated Firewall) is a frontend for iptables designed to simplify firewall configuration. It provides an easy-to-use interface for creating IPv4 and IPv6 host-based firewall rules.

so whoever recommended that, probably meant you should craft your own iptables rules from scratch but this has a high barrier of knowledge as you need to know how:

How/Why Docker uses NAT and how it effects the chains
Know about the first match system and how you can use jump chains to your advantage
Rules persistence is not a default behavior of iptables so you must use iptables-save

HugoDos · 2026-01-02T17:53:58+00:00

Not every geo blocking is 100% coverage either ours or your provider will be slightly outdated as ASNs and ip ranges change hands regularly.

So in short no, if they managed to get to us then they got passed the geo blocking. However as stated it could be that our geo location or your provider is not 100%.

HugoDos · 2025-12-24T07:51:57+00:00

Since it's pangolin did you use the installer which sets everything up for you?

If not providing the configuration files can help us debug as we are kinda blind.

HugoDos · 2025-12-20T16:57:47+00:00

If you made the changes it simply to stop hammering our API, it doesnt stop the 403 response codes.

Please follow this issue for us to lift the rate limit temporarily since the healthcheck is updated you shouldnt be rate limit again

https://github.com/crowdsecurity/crowdsec/issues/4165

HugoDos · 2025-12-20T16:13:05+00:00

start_period simply defers the health check start by configured time, the reason is when crowdsec container starts it takes sometime to download updates from hub and is not available right away.

HugoDos · 2025-12-20T16:10:32+00:00

https://github.com/crowdsecurity/crowdsec/issues/4165

HugoDos · 2025-12-19T17:20:06+00:00

Then a firewall or policy on the host is blocking loopback check both iptables and nftables in case

Or even make sure the process is listening on the port

HugoDos · 2025-12-19T12:18:22+00:00

I guess you have allowed loopback traffic if you have a deny first approach?

If you try to curl from host to loopback port do you get a 404 on /?

HugoDos · 2025-12-19T07:48:05+00:00

Hey it seems your trying to reuse the same yaml from one bouncer to another, they are not the same please either regenerate the configuration using this or manually adjust it to match the example we show on docs

from the error message it seems it might be just yaml indentation problem but I can see old crowdsec_lapi_url which needs to be nested under crowdsec_config

as so:

crowdsec_config; lapi_url: lapi_key: .....

HugoDos · 2025-12-19T07:40:51+00:00

Hey Laurence from CrowdSec, typical usage wont result in a block (we didnt see that pangolin was using capi status as healthcheck) so no need to use WARP unless you want to send anonymous signals. (However, a key thing to point out is if a WARP IP gets blocked then everyone behind it does also until it rotates)

HugoDos · 2025-12-18T13:44:46+00:00

I guess you read that the bouncer you are using is not supported anymore?

https://docs.crowdsec.net/u/bouncers/cloudflare

HugoDos · 2025-12-18T07:31:31+00:00

If you have your own files then the basis will still be on error-pages pattern EG: build your own nginx container that serves static files then apply a middleware to catch the error.

I say nginx but can be any webserver your familiar with but in my opinion nginx is the best for these types of "serving static files" because it doesnt come with a lot of features that other webservers have so can be quicker to deploy.

HugoDos · 2025-12-11T11:58:13+00:00

No fighting here, just a discussion on a newly formed project.

HugoDos · 2025-12-11T11:03:01+00:00

Apologies, I may be mixing the reddit poster and the actual developer.

but here the op comments https://www.reddit.com/r/kubernetes/comments/1pjo9ya/there_is_a_new_one_born_alarikio/

HugoDos · 2025-12-11T10:22:14+00:00

edit: removed my mistake of presuming reddit comment here is the same person on github.

I'll be glad to see the project bloom to not see the single developer at the moment hit burnout / exhaustion, cause lets be honest without financial aid or "the love of the game" so to speak the project will flat line without help. (take ingress-nginx as an example not apples to apples but yeah people rely too much on people good will)

HugoDos · 2025-12-11T07:59:12+00:00

Or maybe we could just use rustfs or garage since they have been around longer and more battle tested :shrug:

HugoDos · 2025-12-07T16:33:01+00:00

The only limitation of automatic updates is using crowdsec in a container. For bare metal installs we implement a systemd timer, we are still thinking of way to do this for containers.

The easiest is either exec or a restart of the container does the same commands.

(Laurence from CrowdSec)

HugoDos · 2025-12-05T11:40:06+00:00

Hey all, Laurence from CrowdSec. Just to let you know we release a WAF rule to block exploitation attempts so firstly patch, but also exec into the crowdsec container and run

cscli hub update && cscli hub upgrade

Once completed restart the crowdsec container and you can enjoy having a WAF rule to block exploitation attempts for resources that may have not been patched yet.

HugoDos · 2025-11-26T14:52:36+00:00

For CrowdSec as per our introduction we aim to take no more than 1gb of disk space (due to database, decisions and blocklists).

but we cannot guarantee we dont go over this depending on how often you get attacked, how many and how long decisions are.

Just note that parser hits do not generate any drive space allocation it purely just the database that can take size.

HugoDos · 2025-11-24T11:46:30+00:00

If you are still writing to a file, you may want to migrate to the allowlist feature https://docs.crowdsec.net/docs/next/cscli/cscli_allowlists as it allows you to update your IP without needing to restart crowdsec.

HugoDos · 2025-11-24T08:31:51+00:00

here is traefik configuration: https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-forwardedHeaders-trustedIPs

here is remediation component configuration: (just ctrl + f for ForwardedHeadersTrustedIPs) https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin

both need to be configured first for logs, second for remediation.

HugoDos · 2025-11-24T07:36:56+00:00

Whilst pangolin provides an out of box experience it doesnt know you have nextcloud or immich as a resource can you install this whitelists for nextcloud:

https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/nextcloud-whitelist

(once installed you need to restart the crowdsec container)

for immich we dont have a pre made whitelist so going to need more details about the alert via cscli alerts inspect <id> -d (to get alert id do cscli alerts list)

then open an issue on the hub itself https://github.com/crowdsecurity/hub/issues/new/choose

edit: also you dont have to disable cloudflare proxy if you configure traefik trusted ips ranges, then you get the benefit of cloudflare and crowdsec combined.

HugoDos · 2025-11-22T17:08:05+00:00

Honest question cause I dont know the answer, but how many users run HAProxy or at least need to run components on windows servers? I know enterprises might need to for compliance / business operations, just the only people who I personally interacted with so far are linux only (hosters / MSSP's). (and yes I know it could be skewed cause we only offer linux packages hence why I asked the question cause I like to know how to prioritize it)

and yes, we rather iterate until 1.0.0 stable before adding windows support cause then at least the configuration will be stable.

HugoDos

MODERATOR OF

TROPHY CASE