Traefik Reverse Proxy: Integrating CrowdSec to Block Attacks Effectively

Table of Contents

  1. Introduction to Traefik Reverse Proxy Security
  2. Why Your Traefik Reverse Proxy Needs CrowdSec
  3. How CrowdSec Protects Your Traefik Reverse Proxy
  4. What You Need Before Starting
  5. Step 1: Install CrowdSec on Your Server
  6. Step 2: Configure CrowdSec for Traefik Reverse Proxy
  7. Step 3: Deploy the Traefik Bouncer
  8. Step 4: Connect CrowdSec to Your Traefik Reverse Proxy
  9. Testing Your Protected Traefik Reverse Proxy
  10. Making Your Traefik Reverse Proxy Even Safer
  11. Monitoring Your Traefik Reverse Proxy Security
  12. Fixing Common Problems
  13. Conclusion

Introduction to Traefik Reverse Proxy Security

Your Traefik reverse proxy handles all incoming traffic to your applications. Without proper security, hackers can attack your services through brute force attempts, DDoS attacks, and vulnerability scanning. This guide shows you how to protect your Traefik reverse proxy using CrowdSec.

CrowdSec adds intelligent attack detection to your Traefik reverse proxy. It watches visitor behavior, spots attack patterns, and blocks malicious traffic automatically. When you integrate CrowdSec with your Traefik reverse proxy, you create a powerful defense system that learns and adapts to new threats.

This tutorial provides a complete hands-on lab. You’ll install CrowdSec, connect it to your Traefik reverse proxy, and test your security setup. By the end, your Traefik reverse proxy will automatically block attacks before they reach your applications.

Why Your Traefik Reverse Proxy Needs CrowdSec

A basic Traefik reverse proxy routes traffic efficiently but doesn’t analyze visitor behavior. It can’t tell the difference between legitimate users and attackers trying to break into your systems. This leaves your applications vulnerable to common attacks.

CrowdSec solves this problem by adding behavior analysis to your Traefik reverse proxy. It reads your access logs in real-time and recognizes attack patterns. When someone tries to brute force your login page or scan for vulnerabilities, CrowdSec detects this behavior immediately.

The real power comes from CrowdSec’s community approach. When your Traefik reverse proxy detects an attacker, that information gets shared with other CrowdSec users. Your security benefits from thousands of other protected servers around the world. This means your Traefik reverse proxy knows about threats before they even reach your infrastructure.

Traditional firewalls use static IP blocklists that quickly become outdated. CrowdSec connected to your Traefik reverse proxy creates dynamic protection that evolves with emerging threats. Attackers constantly change tactics, and your Traefik reverse proxy security needs to keep up.

How CrowdSec Protects Your Traefik Reverse Proxy

Understanding how CrowdSec works with your Traefik reverse proxy helps you configure it effectively. The system has three main components working together to protect your infrastructure.

First, the CrowdSec Security Engine analyzes logs from your Traefik reverse proxy. It looks for suspicious patterns like repeated failed login attempts, vulnerability scanning, or unusual traffic spikes. When it spots something dangerous, it creates a security decision.

Second, the CrowdSec Local API stores all security decisions. This acts as the brain of your protection system. When your Traefik reverse proxy receives a request, the bouncer checks this API to see if the visitor’s IP address has been flagged as malicious.

Third, the Traefik Bouncer enforces security decisions. Your Traefik reverse proxy consults it for every incoming request before routing that request to a backend. If an IP address is on the blocklist, the bouncer rejects the request immediately. Your backend applications never see the attack traffic.

This architecture means your Traefik reverse proxy stays fast and efficient. The security work happens in a separate layer, so your routing performance doesn’t suffer. Your Traefik reverse proxy continues handling legitimate traffic at full speed while malicious requests get blocked automatically.

What You Need Before Starting

Before you begin securing your Traefik reverse proxy with CrowdSec, make sure you have these requirements in place.

You need a Linux server running Ubuntu 20.04 or newer. Other distributions like Debian or CentOS work too. Your server should have at least 2GB of RAM and 20GB of disk space for comfortable operation.

Your Traefik reverse proxy must already be running and handling traffic. If you haven’t set up Traefik yet, deploy a basic configuration first. This tutorial works with Traefik v2.x and v3.x versions.

Install Docker and Docker Compose on your server. Most CrowdSec components run in containers, making deployment easier. Your Traefik reverse proxy might already be running in Docker, which is perfect for this integration.

You need root or sudo access to run installation commands. You’ll also need at least one domain name pointed to your server for testing. Make sure your firewall allows traffic on ports 80 and 443 so your Traefik reverse proxy can receive web traffic.

Finally, ensure your Traefik reverse proxy writes access logs to a file. CrowdSec needs to read these logs to detect attacks. If you’re using Docker, you’ll need to configure log file output during this tutorial.

Step 1: Install CrowdSec on Your Server

Let’s start by installing CrowdSec on your server. This process takes about five minutes and requires just a few commands.

Connect to your server using SSH. First, update your package manager to ensure you have the latest repository information:

sudo apt update
sudo apt upgrade -y

Now add the official CrowdSec repository to your system:

curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash

Install CrowdSec with this simple command:

sudo apt install crowdsec

The installation process sets up the CrowdSec Security Engine and installs default detection scenarios. These scenarios recognize common attack patterns right away.

Check that CrowdSec is running properly:

sudo systemctl status crowdsec

You should see “active (running)” in green. This means CrowdSec is ready to start protecting your Traefik reverse proxy.

CrowdSec comes with a command-line tool called cscli. This tool lets you manage all aspects of your CrowdSec installation. Test it by checking the version:

sudo cscli version

Now install the Traefik collection. This collection includes parsers specifically designed to understand your Traefik reverse proxy logs:

sudo cscli collections install crowdsecurity/traefik

The Traefik collection is essential because it teaches CrowdSec how to read your Traefik reverse proxy log format. Without it, CrowdSec can’t properly analyze traffic patterns.

Your CrowdSec installation is complete. The next step connects it to your Traefik reverse proxy logs.

Step 2: Configure CrowdSec for Traefik Reverse Proxy

Now you need to tell CrowdSec where to find your Traefik reverse proxy logs. This configuration step is crucial for the integration to work properly.

First, ensure your Traefik reverse proxy is writing access logs. If you’re running Traefik in Docker, add this to your docker-compose.yml:

services:
  traefik:
    image: traefik:latest
    command:
      - "--accesslog=true"
      - "--accesslog.filepath=/var/log/traefik/access.log"
    volumes:
      # Same path on the host, so CrowdSec (installed on the host) can read the file
      - /var/log/traefik:/var/log/traefik

This configuration makes your Traefik reverse proxy write logs to a location that CrowdSec can read.

Open the CrowdSec acquisition configuration file:

sudo nano /etc/crowdsec/acquis.yaml

Add this configuration as its own entry to tell CrowdSec about your Traefik reverse proxy logs. Entries in this file are separated by a line containing ---:

---
filenames:
  - /var/log/traefik/access.log
labels:
  type: traefik

The type: traefik label tells CrowdSec to use the Traefik parser you installed earlier. This parser understands the specific format your Traefik reverse proxy uses for logging.

If your Traefik reverse proxy runs in Docker, you might need a different approach. You can configure CrowdSec to read Docker logs directly:

source: docker
# container_name takes a list of container names
container_name:
  - traefik
labels:
  type: traefik

Save the file and restart CrowdSec to apply your changes:

sudo systemctl restart crowdsec

Verify that CrowdSec is reading your Traefik reverse proxy logs:

sudo cscli metrics

Look for the “traefik” parser in the output. You should see lines being parsed. If the count is zero, double-check your log file path and make sure your Traefik reverse proxy is actually writing logs.

Your CrowdSec installation now monitors your Traefik reverse proxy logs for suspicious activity. Any attack patterns will trigger security decisions automatically.

Step 3: Deploy the Traefik Bouncer

The bouncer is what actually blocks attacks on your Traefik reverse proxy. It queries CrowdSec’s decisions and stops malicious traffic before it reaches your applications.

First, create an API key so the bouncer can communicate with CrowdSec:

sudo cscli bouncers add traefik-bouncer

CrowdSec generates a unique API key. Copy this key and save it somewhere safe. You’ll need it in the next step. This key authenticates your Traefik bouncer when it checks for security decisions.

Create a new directory for your bouncer configuration:

mkdir -p ~/crowdsec-traefik-bouncer
cd ~/crowdsec-traefik-bouncer

Create a docker-compose.yml file for the bouncer:

nano docker-compose.yml

Add this configuration:

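version: '3.8'
services:
  bouncer-traefik:
    image: fbonalair/traefik-crowdsec-bouncer:latest
    container_name: bouncer-traefik
    environment:
      # API key printed by "cscli bouncers add traefik-bouncer"
      CROWDSEC_BOUNCER_API_KEY: YOUR_API_KEY_HERE
      # Address of the CrowdSec Local API as seen from inside the container
      CROWDSEC_AGENT_HOST: 172.17.0.1:8080
      GIN_MODE: release
    ports:
      # Only needed to reach the bouncer from the host; Traefik uses the shared network.
      # Pick another host port if 8080 is already in use on the host.
      - "8080:8080"
    networks:
      - web
    restart: unless-stopped
networks:
  web:
    external: true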

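Replace YOUR_API_KEY_HERE with the API key you generated. The CROWDSEC_AGENT_HOST should point to your CrowdSec Local API. If CrowdSec runs on the same host, use 172.17.0.1:8080; 172.17.0.1 is the gateway address of Docker’s default bridge network, which is how containers reach the host. The Local API listens on 127.0.0.1:8080 by default, so set listen_uri in /etc/crowdsec/config.yaml to an address the container can reach and restart CrowdSec.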

Make sure the network name matches your Traefik reverse proxy network. If your Traefik uses a different network name, change web to match.

Start the bouncer container:

docker-compose up -d

Check that the bouncer started successfully:

docker logs bouncer-traefik

You should see messages indicating the bouncer connected to CrowdSec successfully. Verify the connection from CrowdSec’s side:

sudo cscli bouncers list

Your Traefik bouncer should appear in the list with a status of “active”. If it shows as offline, check the API key and network connectivity.

The bouncer is now running and ready to protect your Traefik reverse proxy. The next step connects your Traefik reverse proxy to use this bouncer.

Step 4: Connect CrowdSec to Your Traefik Reverse Proxy

Now comes the critical step: configuring your Traefik reverse proxy to check with CrowdSec before allowing requests through. This happens using Traefik’s middleware system.

Traefik middlewares process requests before they reach your backend services. You’ll create a middleware that forwards authentication checks to your CrowdSec bouncer.

If you use Traefik with file-based configuration, create or edit your dynamic configuration file:

nano ~/traefik/dynamic-config.yml

Add this middleware configuration:

http:
  middlewares:
    crowdsec-bouncer:
      forwardAuth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true

This tells your Traefik reverse proxy to check every request with CrowdSec before proceeding. The bouncer returns either approval or a block decision.

Now apply this middleware to your routers. Here’s an example:

http:
  routers:
    my-app:
      rule: "Host(`example.com`)"
      middlewares:
        - crowdsec-bouncer
      service: my-app-service
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
  services:
    my-app-service:
      loadBalancer:
        servers:
          - url: "http://my-app:80"

The key line is middlewares: - crowdsec-bouncer. This applies CrowdSec protection to this specific route on your Traefik reverse proxy.

If you’re using Docker labels instead of file configuration, add these labels to your services:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.my-app.rule=Host(`example.com`)"
  # The name must match the middleware defined in the file provider, plus @file
  - "traefik.http.routers.my-app.middlewares=crowdsec-bouncer@file"
  - "traefik.http.routers.my-app.entrypoints=websecure"

Restart your Traefik reverse proxy to apply the changes:

docker restart traefik

Check the Traefik logs to confirm the middleware loaded correctly:

docker logs traefik | grep crowdsec

You should see messages about the crowdsec middleware being registered. Your Traefik reverse proxy now checks every request against CrowdSec’s security decisions.

Testing Your Protected Traefik Reverse Proxy

Testing confirms that CrowdSec is actually protecting your Traefik reverse proxy. Let’s simulate an attack and verify blocking works correctly.

We’ll trigger a simple detection scenario by making rapid requests to your Traefik reverse proxy. This simulates a brute force attack:

for i in {1..30}; do
  curl https://your-domain.com
  sleep 0.2
done

Replace your-domain.com with a domain your Traefik reverse proxy handles. This creates 30 requests in quick succession, which looks suspicious to CrowdSec.

Now check if CrowdSec detected this pattern:

sudo cscli decisions list

You should see your IP address listed with a ban decision. This means CrowdSec recognized the suspicious behavior and created a block rule.

Try accessing your site from the same IP:

curl https://your-domain.com

You should receive a 403 Forbidden error. This confirms your Traefik reverse proxy bouncer is blocking the request. The attack never reaches your backend application.

Check the bouncer logs to see the blocking in action:

docker logs bouncer-traefik | tail -20

You’ll see entries showing requests being checked and blocked based on CrowdSec decisions.

To remove your IP from the ban list (since this was just a test):

sudo cscli decisions delete --ip YOUR_IP_ADDRESS

Replace YOUR_IP_ADDRESS with your actual IP. After deletion, you should be able to access your Traefik reverse proxy normally again.

View detailed information about detected attacks:

sudo cscli alerts list

This shows which scenarios triggered, how many events occurred, and what decision was made. It’s valuable for understanding what attacks your Traefik reverse proxy is facing.

Your testing confirms that CrowdSec successfully protects your Traefik reverse proxy from attacks. The system detects suspicious behavior and blocks it automatically.

Making Your Traefik Reverse Proxy Even Safer

Basic CrowdSec integration protects your Traefik reverse proxy effectively, but advanced configurations provide even stronger security. These techniques help you customize protection for your specific needs.

Whitelist Trusted IPs

Prevent legitimate monitoring services or admin IPs from ever being blocked by your Traefik reverse proxy:

sudo nano /etc/crowdsec/parsers/s02-enrich/mywhitelist.yaml

Add this configuration:

name: crowdsecurity/whitelists
description: "Whitelist for my Traefik reverse proxy"
whitelist:
  reason: "Trusted services"
  ip:
    - "10.0.0.5"
    - "192.168.1.100"
  cidr:
    - "10.0.0.0/24"

Restart CrowdSec to apply the whitelist to your Traefik reverse proxy protection.

Use Captcha Instead of Blocking

Sometimes you want to challenge suspicious traffic rather than outright blocking it. Configure your Traefik reverse proxy to show captchas:

sudo cscli decisions add --ip 1.2.3.4 --type captcha --duration 2h

This gives questionable visitors a chance to prove they’re human before accessing your Traefik reverse proxy.

Subscribe to Community Blocklist

Enhance your Traefik reverse proxy security with global threat intelligence:

sudo cscli console enroll YOUR_ENROLLMENT_KEY

Get your enrollment key from the CrowdSec console website. This shares threat data between your Traefik reverse proxy and thousands of other protected servers.

Create Custom Detection Scenarios

If your Traefik reverse proxy handles specific applications, create custom scenarios. For example, protect a WordPress site:

sudo nano /etc/crowdsec/scenarios/wordpress-protection.yaml

Add this configuration:

type: leaky
name: mycompany/wordpress-xmlrpc-protection
description: "Protect WordPress xmlrpc on Traefik reverse proxy"
filter: "evt.Parsed.request contains '/xmlrpc.php'"
leakspeed: "10s"
capacity: 5
groupby: "evt.Meta.source_ip"
blackhole: 1h
labels:
  service: wordpress
  type: bruteforce
  remediation: true

This scenario specifically protects your Traefik reverse proxy from WordPress xmlrpc abuse attempts.

Progressive Penalties

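Configure your Traefik reverse proxy protection to escalate responses based on threat severity. Escalation is defined in CrowdSec’s profiles file, /etc/crowdsec/profiles.yaml, where the first matching profile wins:

# First offence: no earlier decision exists for this IP
name: captcha_first_offence
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && GetDecisionsCount(Alert.GetValue()) == 0
decisions:
  - type: captcha
    duration: 1h
on_success: break
---
# Any later offence from the same IP
name: ban_repeat_offender
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
on_success: break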

First-time offenders get captchas. Repeat offenders get banned from your Traefik reverse proxy entirely.

These advanced configurations make your Traefik reverse proxy security more flexible and powerful. Customize them based on your specific traffic patterns and security requirements.

Monitoring Your Traefik Reverse Proxy Security

Regular monitoring ensures your Traefik reverse proxy protection stays effective. These commands help you track security events and maintain your system.

Check current metrics for your Traefik reverse proxy:

sudo cscli metrics

This shows how many log lines CrowdSec processed, which scenarios triggered, and how many IPs are currently banned. High numbers mean your Traefik reverse proxy is facing active attacks.

View recent security alerts:

sudo cscli alerts list

Each alert shows which scenario detected the threat, the attacking IP, and how many events triggered the alert. This helps you understand what attacks target your Traefik reverse proxy.

See all active decisions protecting your Traefik reverse proxy:

sudo cscli decisions list

This displays currently blocked IPs and the reason for blocking. You can see which threats your Traefik reverse proxy is actively defending against.

Set up a visual dashboard for your Traefik reverse proxy security:

sudo cscli dashboard setup

This creates a Metabase dashboard where you can see charts and graphs of attacks, trends over time, and security statistics for your Traefik reverse proxy.

Keep CrowdSec updated for your Traefik reverse proxy:

sudo apt update
sudo apt upgrade crowdsec

Update detection scenarios regularly:

sudo cscli hub update
sudo cscli hub upgrade

New scenarios help your Traefik reverse proxy recognize emerging attack patterns.

Check bouncer health:

docker logs bouncer-traefik --tail 50
sudo cscli bouncers list

Ensure your Traefik bouncer shows as “active”. If it’s offline, your Traefik reverse proxy isn’t protected.

Set up log rotation to prevent disk space issues:

sudo nano /etc/logrotate.d/crowdsec

Add appropriate rotation for your Traefik reverse proxy logs:

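/var/log/traefik/*.log {
    daily
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 root root
    sharedscripts
    # Traefik reopens its log files on USR1; without this it keeps writing to the rotated file
    postrotate
        docker kill --signal="USR1" traefik
    endscript
}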

Regular monitoring keeps your Traefik reverse proxy security strong and helps you spot problems before they become serious.

Fixing Common Problems

Sometimes issues arise when integrating CrowdSec with your Traefik reverse proxy. Here’s how to solve the most common problems quickly.

Bouncer Shows Offline

If your Traefik bouncer appears offline in CrowdSec, it can’t protect your Traefik reverse proxy. Check the bouncer logs first:

docker logs bouncer-traefik

Look for connection errors. Usually this means the API key is wrong or the bouncer can’t reach CrowdSec. Verify the API key matches:

sudo cscli bouncers list

Test network connectivity from the bouncer to CrowdSec:

docker exec bouncer-traefik ping 172.17.0.1

If ping fails, your Docker network configuration needs adjustment for your Traefik reverse proxy setup.

Legitimate Users Getting Blocked

If real users can’t access your Traefik reverse proxy, scenarios might be too aggressive. Review recent decisions:

sudo cscli decisions list
sudo cscli alerts list

Find which scenario caused the block. You can delete the decision:

sudo cscli decisions delete --ip USER_IP

Add legitimate IPs to your Traefik reverse proxy whitelist to prevent future blocks.

Traefik Not Using the Middleware

If attacks aren’t being blocked, your Traefik reverse proxy might not be applying the middleware. Check Traefik logs:

docker logs traefik | grep crowdsec

Verify the middleware configuration syntax. Common mistakes include:

  • Wrong middleware name in router definition
  • Bouncer address incorrect in middleware config
  • Network connectivity between Traefik and bouncer

Test the bouncer endpoint directly:

curl http://localhost:8080/api/v1/forwardAuth

This should return a response. If it doesn’t, your Traefik reverse proxy can’t communicate with the bouncer.
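The first mistake in the list above, a wrong middleware name in a router, can be caught before any traffic arrives. The following check is an added example, not part of the original tutorial or of Traefik: it takes the file provider configuration from Step 4 as an already-parsed dictionary plus a set of Docker labels, and reports every router that the bouncer does not cover. The router names api, blog, shop and wiki and their labels are constructed for illustration.

```python
BOUNCER = "crowdsec-bouncer"            # middleware name defined in dynamic-config.yml
ROUTER_PREFIX = "traefik.http.routers."


def routers_from_labels(labels):
    """Group Traefik Docker labels into {router_name: {option: value}}."""
    routers = {}
    for label in labels:
        key, _, value = label.partition("=")
        if key.startswith(ROUTER_PREFIX):
            name, _, option = key[len(ROUTER_PREFIX):].partition(".")
            routers.setdefault(name, {})[option] = value
    return routers


def qualify(middleware, provider):
    """A name without @provider is resolved inside the router's own provider."""
    return middleware if "@" in middleware else f"{middleware}@{provider}"


def audit(file_config, labels, bouncer=BOUNCER):
    """Return {router: problem} for every router the bouncer does not cover."""
    http = file_config.get("http", {})
    defined = {f"{name}@file" for name in http.get("middlewares", {})}
    chains = {}
    for name, router in http.get("routers", {}).items():
        chains[f"{name}@file"] = [qualify(m, "file") for m in router.get("middlewares", [])]
    for name, options in routers_from_labels(labels).items():
        names = [m.strip() for m in options.get("middlewares", "").split(",")]
        chains[f"{name}@docker"] = [qualify(m, "docker") for m in names if m]

    problems = {}
    for router, chain in chains.items():
        undefined = [m for m in chain if m.endswith("@file") and m not in defined]
        if undefined:
            problems[router] = f"undefined middleware {undefined[0]}"
        elif f"{bouncer}@file" not in chain:
            problems[router] = "bouncer middleware not attached"
    return problems


# The file provider configuration from Step 4, as the parsed YAML would look.
FILE_CONFIG = {
    "http": {
        "middlewares": {BOUNCER: {"forwardAuth": {
            "address": "http://bouncer-traefik:8080/api/v1/forwardAuth",
            "trustForwardHeader": True}}},
        "routers": {"my-app": {"rule": "Host(`example.com`)",
                               "middlewares": [BOUNCER],
                               "service": "my-app-service"}},
    }
}

# Constructed labels from four hypothetical containers.
LABELS = [
    "traefik.http.routers.api.rule=Host(`api.example.com`)",
    "traefik.http.routers.api.middlewares=crowdsec-bouncer@file",  # correct
    "traefik.http.routers.blog.middlewares=crowdsec@file",         # wrong name
    "traefik.http.routers.shop.middlewares=crowdsec-bouncer",      # missing @file
    "traefik.http.routers.wiki.rule=Host(`wiki.example.com`)",     # no middleware
]

if __name__ == "__main__":
    for router, problem in sorted(audit(FILE_CONFIG, LABELS).items()):
        print(f"{router}: {problem}")
```

A router defined through Docker labels that names the middleware without @file is looked up in the Docker provider, so it ends up unprotected even though the name looks right.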

CrowdSec Not Parsing Logs

If CrowdSec metrics show zero lines parsed, it can’t protect your Traefik reverse proxy. Verify the log file path:

sudo cscli metrics

Check that your Traefik reverse proxy is actually writing logs:

ls -la /var/log/traefik/
tail -f /var/log/traefik/access.log

If the file doesn’t exist or isn’t growing, configure your Traefik reverse proxy to enable access logging.

Verify the acquisition configuration:

sudo cat /etc/crowdsec/acquis.yaml

Make sure the path matches where your Traefik reverse proxy writes logs.

High False Positive Rate

If CrowdSec blocks too much legitimate traffic on your Traefik reverse proxy, adjust scenario sensitivity. Find which scenarios trigger most often:

sudo cscli metrics

Raise the capacity or shorten the leakspeed (so the bucket drains faster) for specific scenarios:

sudo nano /etc/crowdsec/scenarios/crowdsecurity/http-sensitive-paths.yaml

Change capacity: 5 to capacity: 10 to make it less sensitive on your Traefik reverse proxy.

Consider using captcha decisions instead of immediate bans for your Traefik reverse proxy. This reduces disruption while maintaining security.

Most problems have simple solutions. Check logs first, verify configuration matches your Traefik reverse proxy setup, and adjust scenarios based on your actual traffic patterns.

Conclusion

Integrating CrowdSec with your Traefik reverse proxy creates powerful, automated security that protects your applications from evolving threats. Your Traefik reverse proxy now analyzes visitor behavior, detects attack patterns, and blocks malicious traffic before it reaches your backend services.

This hands-on guide walked you through every step: installing CrowdSec, configuring it to read your Traefik reverse proxy logs, deploying the bouncer, connecting everything together, and testing your security. Your Traefik reverse proxy now benefits from community threat intelligence shared by thousands of users worldwide.

Remember that security is ongoing work. Monitor your Traefik reverse proxy metrics regularly, update CrowdSec scenarios when new ones become available, and adjust configurations based on your actual traffic patterns. The advanced configurations discussed help you customize protection for your specific needs.

Your Traefik reverse proxy security will improve over time as CrowdSec learns from attack patterns. The system becomes smarter with every blocked threat, creating an adaptive defense that grows stronger each day.

Start with the basic integration from this tutorial, then gradually implement advanced features as you become comfortable with the system. Your Traefik reverse proxy is now protected by one of the most effective open-source security solutions available.

Helpful Resources

Expand your knowledge about securing your Traefik reverse proxy with these official resources:

Security Resources:

  • OWASP Top 10 – Understand common web vulnerabilities
  • CrowdSec Blog – Latest security insights and Traefik integration tips

These resources help you maintain and improve your Traefik reverse proxy security over time. Bookmark them for quick reference when you need help or want to learn advanced techniques.
