Hi, I have crowdsec engine, cs-nginx-bouncer and nginx installed via apt on Debian 12.
I can see the decisions on the online console and with cscli decisions list, but nginx never “bans” the IPs, as in it never returns a 403 and always serves web pages.
AFAIK the bouncer regularly fetches the LAPI installed on the same host, as the output in cscli bouncers list always indicates that it fetched the LAPI in the last few seconds.
This is the bouncer configuration:
ENABLED=true
API_URL=http://127.0.0.1:8080
API_KEY=[redacted]
CACHE_EXPIRATION=1
# bounce for all type of remediation that the bouncer can receive from the local API
BOUNCING_ON_TYPE=all
FALLBACK_REMEDIATION=ban
REQUEST_TIMEOUT=1000
UPDATE_FREQUENCY=10
# live or stream
MODE=stream
# exclude the bouncing on those location
EXCLUDE_LOCATION=
#those apply for "ban" action
# /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE
BAN_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/ban.html
REDIRECT_LOCATION=
RET_CODE=
APPSEC_URL=http://127.0.0.1:7422
#those apply for "captcha" action
#valid providers are recaptcha, hcaptcha, turnstile
CAPTCHA_PROVIDER=
# Captcha Secret Key
SECRET_KEY=
# Captcha Site key
SITE_KEY=
CAPTCHA_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/captcha.html
CAPTCHA_EXPIRATION=3600
Also, I have set up AppSec with appsec-virtual-patching and when accessing /.env, nginx returns a 403 with the ban template but the next requests are served normally.
I have also noticed that in the online console, the appsec rules ban my load balancer IP (which sends X-Forwarded-For) and I can’t find the bans with cscli decisions list. But the “classic” rules ban the real client IP.
Any help?
Thanks.