I am using traefik with crowdsec bouncer plugin which has the ability to send request to AppSec. By default this plugin is set to block traffic on AppSec unreachable and failure. And there lies the problem because about every 3 week AppSec will stop responding and essentially block all traffic. I can restart crowdsec docker container and everything is back to normal. This problem correlates with following log entries:
time="2025-05-31T18:56:13Z" level=error msg="Error performing request: Head \"http://0.0.0.0:8080/v1/decisions/stream\": dial tcp 0.0.0.0:8080: connect: cannot assign requested address" type=appsec
time="2025-05-31T18:56:13Z" level=error msg="Unauthorized request from '172.18.0.28:33508' (real IP = 10.0.0.30)" type=appsec
I had to restart to get my things back, so there is not much I can do to test right now until it happens again.
Can you confirm the value of CrowdsecMode in the bouncer config ?
If set to appsec, then the bouncer will never contact the decision endpoint of LAPI, which will make Crowdsec think the bouncer is dead (for technical reasons, forwarded requests to the appsec are not taken into account when deciding if a bouncer is still alive or not).
If you have also bouncer auto-delete configured (db_config.flush.bouncers_autodelete in the crowdsec config), then the bouncer will be automatically deleted after some time (based on what you said, I’d guess you have a 3 weeks configuration).
In your case, the restart fixes it thanks to a side effect: you probably have set the bouncer API key in the env of the container, so it will be automatically recreated when the container starts.
For now, the “proper” workaround is to update the configuration of the bouncer:
Set CrowdsecMode to stream
Set CrowdsecAppsecEnabled to true
With this configuration, the bouncer will contact crowdsec to get the list of IPs to block, which will properly update its last query timestamp in the database, keeping it alive.