I have the api setup. I am trying to connect to the docker external host LAPI on port :8080. I’ve tried using the docker bridge ip 172.17. 0.1 but I am getting connection refused. I know the host is listening to port 127.0.0.1:8080
I’ve also added the docker ip to the list of trusted_ips in the config file, but still can’t connect to the API server, connection refused.
Any ideas? Is it a possibility?
Thanks
Gord
If CrowdSec is listening on the loopback interface (127.0.0.1) then the docker bridge doesn't know about crowdsec listening on that port since it's a different interface.
You can change the configuration of crowdsec to listen on 0.0.0.0:8080, which means all interfaces, so it will be accessible to the docker network. However, be careful using 0.0.0.0, as if your system does not have a firewall it will expose CrowdSec to the internet (which is not too bad; however, you should always follow the principle of minimizing your exposed surface).
Yes, I thought of that too. What I decided to do is take crowdsec out of bridge mode and into host mode. That works. This is a proxmox build. I was interested in trying to filter all the VMs through caddy and crowdsec.
One other thing: with “http.auto_https” enabled, crowdsec complains about “localhost” and enables certs for it.
Can that be disabled?
Thanks.
G.
Hey, I have a similar problem, I have CrowdSec installed locally and run Caddy in a container. But now caddy can’t access the lapi. It works if I expose port 8080 to the internet as suggested by u/iiAmLoz and then access the lapi from the container via public ip and port. However, I don’t want to do this under certain circumstances because I want to minimise the attack surface.
I can’t put caddy in host mode, otherwise the functionality that caddy can expose / reach other containers via DNS will be lost.
I have set the listener to listen_uri: 0.0.0.0:8080 in the Crowdsec config, and the allowed IPs to:
trusted_ips: # IP ranges, or IPs which can have admin API access
- 127.0.0.1
- ::1
- 172.18.0.0/16
- 172.17.0.0/16
with
extra_hosts:
- 'host.docker.internal:host-gateway'
I can ping my local host, but I get a timeout on port 8080.
Now I’m at a bit of a loss as to what the best solution is here, as I don’t want to make the connection to the internet via an open port 8080.
Would the only solution here be to add a crowdsec container, so having two security engines on one server?
I would be grateful for any suggestions and advice.
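The two symptoms in this thread are different failures: "connection refused" means the LAPI socket is bound to 127.0.0.1 and simply does not exist on the docker bridge, while "timeout" with a 0.0.0.0 bind means something (normally the host firewall) is dropping the SYN from the bridge subnet. The checker below is an added example, not CrowdSec's or Caddy's code; it takes the listen_uri and trusted_ips values from the post above and models the host firewall as a predicate (the constructed `BRIDGE_ONLY` policy is the narrow alternative to opening 8080 to the internet).

```python
import ipaddress

# Constructed values mirroring the thread; not read from a real host.
TRUSTED_IPS = ["127.0.0.1", "::1", "172.18.0.0/16", "172.17.0.0/16"]


def parse_listen_uri(uri):
    """Split 'addr:port' (IPv4 only here) into an ip_address and an int port."""
    host, _, port = uri.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def is_trusted(client_ip, trusted):
    """True if client_ip falls inside any entry of trusted_ips."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(t, strict=False) for t in trusted)


def make_policy(allowed_nets, port=8080):
    """Hypothetical host firewall: accept port only from loopback or allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return lambda ip, p: p != port or ip.is_loopback or any(ip in n for n in nets)


OPEN = lambda ip, p: True                      # no firewall: 0.0.0.0 is internet-facing
CLOSED = lambda ip, p: ip.is_loopback          # default-deny INPUT, nothing for docker0
BRIDGE_ONLY = make_policy(["172.17.0.0/16", "172.18.0.0/16"])


def diagnose(listen_uri, trusted, client_ip, firewall_allows):
    """Predict what a client at client_ip sees when dialing the host LAPI."""
    bind, port = parse_listen_uri(listen_uri)
    client = ipaddress.ip_address(client_ip)
    # A socket bound to 127.0.0.1 exists only on lo; a SYN arriving on docker0
    # finds no listener and the kernel answers with RST -> "connection refused".
    if bind.is_loopback and not client.is_loopback:
        return "connection refused: LAPI bound to loopback, not visible on the bridge"
    # With 0.0.0.0 the listener exists on every interface; a silent drop by the
    # host firewall is what produces a timeout rather than a refusal.
    if not firewall_allows(client, port):
        return "timeout: host firewall drops the SYN from this client"
    if not is_trusted(client_ip, trusted):
        return "tcp ok: client outside trusted_ips, no admin-level access from this address"
    return "ok"
```

On a real host, `ss -ltn` shows whether the LAPI is bound to 127.0.0.1 or 0.0.0.0, which is the first thing to confirm before touching the firewall.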