CrowdSec WAF

Web Application Firewall and IP-Reputation Bouncer for Traefik

CrowdSec provides L7 application-layer threat protection via the Traefik Bouncer Plugin. Phase 1 (Detect-Only) went live on 2026-05-11. Phase 2 (Block-Mode + Community Console) followed on 2026-06-01.

Overview

The CrowdSec stack in kup6s consists of:

• CrowdSec Engine (LAPI v1.6.4) — decision backend with CNPG Postgres storage

• AppSec Component — OWASP-CRS-based WAF (Phase 3, currently not attached to routes)

• Traefik Bouncer Plugin (maxlerebourg/crowdsec-bouncer-traefik-plugin v1.6.0) — default middleware on the websecure entrypoint

• ESO cross-namespace bridge — bouncer API key replicated from application-secrets into traefik

Threat intelligence sources:

• CAPI (default, ~2-30k IPs) — free CrowdSec community feed

• Premium Blocklists after Console enrollment — see how-to/enroll-community-console

Sections

Explanation

Plugin flow, defense-in-depth layers, fail-modes

Architecture overview

Reference

Configuration values, plugin keys, secret paths

Configuration reference

How-to: rollout

Block-mode activation and Community Console enrollment

Roll out Phase 2 block-mode

How-to: troubleshooting

Self-rescue on lockout, false-positive handling, outage recovery

Recover from a self-lockout

Quick start

Check bouncer status:

kubectl exec -n crowdsec deploy/crowdsec-lapi -- cscli bouncers list

List active decisions:

kubectl exec -n crowdsec deploy/crowdsec-lapi -- cscli decisions list

Look up decisions for a specific IP:

kubectl exec -n crowdsec deploy/crowdsec-lapi -- cscli decisions list --ip <ip>