docs: CrowdSec enforcement = firewall-bouncer + CF WAF (plugin removed) #11

Merged
viktor merged 1 commit from wizard/crowdsec-docs into master 2026-06-21 13:40:42 +00:00
Owner

The dead Traefik Yaegi crowdsec-bouncer-traefik-plugin (handler never invoked on Traefik 3.7.5, enforced nothing) was removed. This rewrites the docs to describe the replacement two-surface, out-of-band enforcement model:

  • Direct hosts -> in-kernel nftables drop via the cs-firewall-bouncer DaemonSet (drops in both the input and forward hooks; pulls all decisions incl. the ~31k CAPI blocklist; bouncer key firewall).
  • Proxied hosts -> Cloudflare edge: one crowdsec_ban Rules List + a zone WAF block rule, fed by the crowdsec-cf-sync CronJob (excludes CAPI; bouncer key kvsync).

Both add zero per-request latency and fail open. Whitelist covers RFC1918 + tailnet + internal CIDRs.

Files updated: docs/architecture/security.md (primary: section rewrite + diagram + components + troubleshooting + supersession note), docs/architecture/networking.md (overview, both mermaid diagrams, middleware chain, decision section, troubleshooting), .claude/CLAUDE.md (Networking & Resilience bullet + CrowdSec service-notes row).

Docs-only; no terragrunt/apply. The preserved Aetherinox api-token-middleware (paperless-mcp) is untouched.

🤖 Generated with Claude Code
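As an added illustration of the proxied-host surface described above (example code, not from this PR and not the repo's own `crowdsec-cf-sync` CronJob): the selection step such a LAPI -> Cloudflare list sync has to perform before it touches the `crowdsec_ban` Rules List. It assumes the shape of a CrowdSec LAPI `/v1/decisions/stream` response (`new` / `deleted` arrays of decisions with `origin`, `scope`, `value`), that community-blocklist decisions carry the origin label `CAPI`, and placeholder tailnet and internal CIDRs for the whitelist; the Cloudflare item shape `{"ip": ...}` is likewise assumed. The sample stream is constructed.

```python
import ipaddress

# Whitelist from the PR description: RFC1918 + tailnet + internal CIDRs.
# The tailnet (CGNAT) and internal-ULA ranges are assumed placeholders, not the repo's values.
WHITELIST = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
    "100.64.0.0/10",                                   # tailnet (assumed)
    "fd00::/8",                                        # internal ULA (assumed)
)]

# The Cloudflare surface skips CAPI on purpose: the ~31k community blocklist
# is enforced in-kernel by cs-firewall-bouncer, so the edge list stays small.
EXCLUDED_ORIGINS = {"CAPI"}

# Only Ip / Range scopes can be expressed as IP-list items; Country etc. are skipped.
LIST_SCOPES = {"ip", "range"}


def to_list_value(decision):
    """Normalised list value for one LAPI decision, or None if it must not be synced."""
    if decision.get("origin") in EXCLUDED_ORIGINS:
        return None
    if decision.get("scope", "").lower() not in LIST_SCOPES:
        return None
    try:
        net = ipaddress.ip_network(decision["value"], strict=False)
    except (KeyError, ValueError):
        return None
    # Never push our own address space into a block list (fail-safe for the whitelist).
    if any(net.version == w.version and net.subnet_of(w) for w in WHITELIST):
        return None
    # Single hosts are written without a prefix, ranges keep their CIDR.
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def reconcile(current, stream):
    """Apply one decision-stream response to the current list contents.

    `stream` looks like {"new": [decision, ...], "deleted": [decision, ...]};
    either array may be None when the LAPI has nothing to report.
    Deletions are applied before additions so a re-issued ban survives.
    """
    desired = set(current)
    for d in stream.get("deleted") or []:
        v = to_list_value(d)
        if v is not None:
            desired.discard(v)
    for d in stream.get("new") or []:
        v = to_list_value(d)
        if v is not None:
            desired.add(v)
    return desired


def list_items(desired):
    """Body for a replace-all-items call on the Cloudflare list (assumed {"ip": ...} shape)."""
    return [{"ip": v} for v in sorted(desired)]


# Constructed sample shaped like a LAPI decision-stream response.
SAMPLE_STREAM = {
    "new": [
        {"origin": "CAPI", "scope": "Ip", "value": "203.0.113.10", "type": "ban"},
        {"origin": "crowdsec", "scope": "Ip", "value": "198.51.100.7", "type": "ban"},
        {"origin": "crowdsec", "scope": "Range", "value": "192.0.2.0/24", "type": "ban"},
        {"origin": "crowdsec", "scope": "Ip", "value": "10.1.2.3", "type": "ban"},
        {"origin": "crowdsec", "scope": "Country", "value": "XX", "type": "ban"},
    ],
    "deleted": [
        {"origin": "crowdsec", "scope": "Ip", "value": "198.51.100.99", "type": "ban"},
    ],
}

if __name__ == "__main__":
    # Pretend the list currently holds one stale ban and one still-valid host.
    current = {"198.51.100.99", "192.0.2.5"}
    print(list_items(reconcile(current, SAMPLE_STREAM)))
```

The CAPI decision, the RFC1918 address and the Country-scoped decision are all dropped; the deleted host leaves the list and the two local decisions enter it. Because the sync only ever replaces the list with the set it computed, a failed run leaves the previous list in place, which matches the fail-open behaviour the PR describes.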

viktor added 1 commit 2026-06-21 13:39:38 +00:00
The Traefik Yaegi CrowdSec bouncer plugin was dead on Traefik 3.7.5 (handler
never invoked) and has been removed. Document the replacement: in-kernel
nftables drop via cs-firewall-bouncer on direct hosts, and a Cloudflare IP-List
+ zone WAF block rule (fed by a LAPI->CF-list sync CronJob) on proxied hosts.
Both add zero per-request latency and fail open.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
viktor merged commit 6c2c56ab3b into master 2026-06-21 13:40:42 +00:00
Reference: viktor/infra#11