From fe90ceed2eb64a7e9b68b2d6ca52f51b27880353 Mon Sep 17 00:00:00 2001
From: Mohmmed Elfateh Sabry <59346303+elfateh4@users.noreply.github.com>
Date: Mon, 11 Aug 2025 00:52:32 +0300
Subject: [PATCH] Enhance Traefik configuration to include CrowdSec plugin and update comments for clarity
---
 docker-compose.yml | 35 +++++++++++++++--------------------
 1 file changed, 15 insertions(+), 20 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index f1deba2..c424b84 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -29,7 +29,7 @@ volumes:
 services:
 ## ─────────────────────────────────────────────
- ## Traefik — edge router + ACME (HTTP-01)
+ ## Traefik — edge router + ACME (HTTP-01) + CrowdSec plugin
 ## ─────────────────────────────────────────────
 traefik:
 image: traefik:v3.1
@@ -55,12 +55,13 @@ services:
 # Dashboard/API (internal)
 - --api.dashboard=true
- # ACME via HTTP-01
+ # ACME via HTTP-01 (no registrar API needed)
 - --certificatesresolvers.le.acme.email=${ACME_EMAIL}
 - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
 - --certificatesresolvers.le.acme.httpchallenge=true
 - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
-
+ # (Alt) Use TLS-ALPN-01 if port 80 is blocked:
+ # - --certificatesresolvers.le.acme.tlschallenge=true
 # Metrics (Prometheus)
 - --metrics.prometheus=true
@@ -70,6 +71,10 @@ services:
 - --accesslog.filepath=/var/log/traefik/access.log
 - --accesslog.bufferingsize=100
 - --log.level=INFO
+
+ # CrowdSec Traefik plugin (recommended vs sidecar)
+ - --experimental.plugins.crowdsecbouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+ - --experimental.plugins.crowdsecbouncer.version=v1.4.4
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock:ro
 - traefik_letsencrypt:/letsencrypt
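Review bot: The new `(Alt) Use TLS-ALPN-01 if port 80 is blocked:` comment in the ACME block is incomplete as a switching instruction, because as far as I recall Traefik rejects a resolver that has more than one challenge type set, so uncommenting `tlschallenge=true` while the two `httpchallenge` lines stay active breaks the resolver rather than switching it. Extend the comment to `# (Alt) TLS-ALPN-01 if port 80 is blocked: remove the two httpchallenge lines above, then set:` and mention that TLS-ALPN-01 needs 443 reachable on the TLS entrypoint instead. The traefik command list this sits in starts and ends outside the hunk.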
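Review bot: Pinning `version=v1.4.4` is right, but `--experimental.plugins` makes Traefik download the module named on the `moduleName` line from the plugin registry at startup, so the edge router now has a startup-time dependency on an external fetch and on the integrity of that fetched code, and it will not come up if the download fails. A comment on the `moduleName` line such as `# fetched by Traefik at startup from the plugin registry; bump the version deliberately` would make that trade-off visible, and Traefik's local-plugins mode (`experimental.localPlugins`, a vendored copy on disk) is the option if offline or reproducible starts matter. Separately, the traefik-bouncer service deleted in hunk `@@ -211,17 +217,6 @@` carried `depends_on: [crowdsec, crowdsec-init]`; now that the bouncer runs inside traefik, the traefik service's own `depends_on` (outside this hunk) should carry that ordering so the stream-mode plugin finds a LAPI with a registered key on first start, if it does not already.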
@@ -91,9 +96,11 @@ services:
 - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
 - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
- # CrowdSec forward-auth (reusable)
- - traefik.http.middlewares.crowdsec.forwardauth.address=http://traefik-bouncer:8080/api/v1/forwardAuth
- - traefik.http.middlewares.crowdsec.forwardauth.trustForwardHeader=true
+ # CrowdSec plugin middleware (reusable)
+ - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.enabled=true
+ - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdseclapiurl=http://crowdsec:8080/
+ - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdseclapikey=${CROWDSEC_BOUNCER_KEY}
+ - traefik.http.middlewares.crowdsec.plugin.crowdsecbouncer.crowdsecmode=stream
 # Traefik dashboard (protected)
 - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
@@ -167,7 +174,6 @@ services:
 environment:
 TZ: "${TZ}"
 volumes:
- # Provide your config at ./authelia/configuration.yml
 - ./authelia/configuration.yml:/config/configuration.yml:ro
 - authelia_data:/config
 networks: [traefik_proxy, internal]
@@ -186,7 +192,7 @@ services:
 networks: [internal]
 ## ─────────────────────────────────────────────
- ## CrowdSec (LAPI) + Traefik bouncer (forwardAuth)
+ ## CrowdSec (LAPI) — with Traefik plugin
 ## ─────────────────────────────────────────────
 crowdsec:
 image: crowdsecurity/crowdsec:latest
@@ -202,7 +208,7 @@ services:
 - traefik_logs:/var/log/traefik:ro
 networks: [traefik_proxy]
- # Auto-register the bouncer once (uses CROWDSEC_BOUNCER_KEY from .env)
+ # Auto-register the API key used by the Traefik plugin
 crowdsec-init:
 image: crowdsecurity/crowdsec:latest
 container_name: crowdsec-init
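Review bot: The added `crowdseclapikey=${CROWDSEC_BOUNCER_KEY}` label moves the bouncer API key out of a container environment variable (the removed `CROWDSEC_BOUNCER_API_KEY` in the deleted traefik-bouncer service) and into a Docker label on the traefik container, where it is readable by anything that can `docker inspect` the container or query the Docker socket, appears in `docker compose config` output, and is exposed through the Traefik API/dashboard that `--api.dashboard=true` enables. Prefer the plugin's file-based key option (`crowdsecLapiKeyFile`, if v1.4.4 supports it) pointing at a mounted secret, or at minimum add `# NOTE: label values are visible via docker inspect and the Traefik API` above the line so the exposure is deliberate. The old forwardAuth middleware set `trustForwardHeader=true`; the plugin has no equivalent here, so if traefik itself sits behind another proxy or CDN its trusted-forwarded-IPs option (`forwardedHeadersTrustedIPs`, as I understand the plugin) is needed for decisions to apply to the real client rather than the upstream hop. The traefik labels list this hunk edits starts outside the hunk.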
@@ -211,17 +217,6 @@ services:
 networks: [traefik_proxy]
 restart: "no"
- traefik-bouncer:
- image: crowdsecurity/traefik-bouncer:latest
- container_name: traefik-bouncer
- restart: unless-stopped
- depends_on: [crowdsec, crowdsec-init]
- environment:
- CROWDSEC_BOUNCER_API_KEY: "${CROWDSEC_BOUNCER_KEY}"
- CROWDSEC_AGENT_HOST: crowdsec:8080
- GIN_MODE: release
- networks: [traefik_proxy]
-
 ## ─────────────────────────────────────────────
 ## Uptime Kuma — status page / checks
 ## ─────────────────────────────────────────────