Refactor CrowdSec configuration: remove deprecated config.yaml, add local_api_server.yaml, and update docker-compose for new user database

2025-08-11 02:10:34 +03:00
parent 9a39b12b11
commit 395a970304
4 changed files with 34 additions and 10 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,3 @@
-# docker-compose.yml
-version: "3.9"
-
 ########################
 # Networks & Volumes
 ########################
@@ -51,6 +48,8 @@ services:
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
+      - --entrypoints.web.forwardedheaders.insecure=true
+      - --entrypoints.websecure.forwardedheaders.insecure=true

      # Dashboard/API (internal)
      - --api.dashboard=true
@@ -101,6 +100,9 @@ services:
      - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdseclapiurl=http://crowdsec:8080/
      - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdseclapikey=${CROWDSEC_BOUNCER_KEY}
      - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdsecmode=stream
+      - traefik.http.middlewares.crowdsec.forwardauth.address=http://traefik-bouncer:8080/api/v1/forwardAuth
+      - traefik.http.middlewares.crowdsec.forwardauth.trustForwardHeader=true
+      - traefik.http.middlewares.crowdsec.forwardauth.authRequestHeaders=X-Real-Ip,X-Forwarded-For

      # Traefik dashboard (protected)
      - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
@@ -182,8 +184,9 @@ services:
      - traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
      - traefik.http.routers.authelia.entrypoints=websecure
      - traefik.http.routers.authelia.tls.certresolver=le
-      - traefik.http.routers.authelia.middlewares=crowdsec,security-headers
-      - traefik.http.services.authelia.loadbalancer.server.port=9091
+      - traefik.http.routers.authelia.middlewares=security-headers
+      - traefik.http.routers.authelia.service=authelia-svc
+      - traefik.http.services.authelia-svc.loadbalancer.server.port=9091

  redis:
    image: redis:7-alpine
@@ -204,7 +207,7 @@ services:
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/linux"
    volumes:
      - crowdsec_data:/var/lib/crowdsec/data
-      - ./crowdsec/config.yaml:/etc/crowdsec/config.yaml:ro
+      - ./crowdsec/local_api_server.yaml:/etc/crowdsec/local_api_server.yaml:ro
      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
      - traefik_logs:/var/log/traefik:ro
    networks: [traefik_proxy]