Immich parsing / ban not working?

I have a CrowdSec agent deployed in Docker parsing Immich logs using the gauth-fr/immich collection. I expose Immich via a Caddy reverse proxy and a subdomain, and I’m also using crowdsecurity/caddy.

I’ve just tried logging into Immich via the subdomain and a VPN to force a ban and can see the following in Immich logs (repeated 5-6 times):

WARN [Api:AuthService~mh0wh988] Failed login attempt for user test@google.com from ip address 2a00:23c8:1bc7:<redacted>

But in Crowdsec I get the following and no ban:

(I can’t see anything in Caddy log other than scheduled cert management)

level=warning msg="failed to run RunTimeValue : cannot fetch client_ip from <nil> (1:31)\n | evt.Unmarshaled.caddy.request.client_ip\n | ..............................^" id=spring-hill name=crowdsecurity/caddy-logs stage=s01-parse
level=warning msg="failed to run RunTimeValue : cannot fetch proto from <nil> (1:31)\n | evt.Unmarshaled.caddy.request.proto != nil ? Split(evt.Unmarshaled.caddy.request.proto, '/')[1] : nil\n | ..............................^" id=spring-hill name=crowdsecurity/caddy-logs stage=s01-parse
level=warning msg="failed to run RunTimeValue : cannot fetch remote_addr from <nil> (1:31)\n | evt.Unmarshaled.caddy.request.remote_addr != nil ? Split(evt.Unmarshaled.caddy.request.remote_addr, ':')[0] : nil\n | ..............................^" id=spring-hill name=crowdsecurity/caddy-logs stage=s01-parse
level=warning msg="failed to run RunTimeValue : invalid operation: int(<nil>) (1:1)\n | int(evt.Unmarshaled.caddy.status)\n | ^" id=spring-hill name=crowdsecurity/caddy-logs stage=s01-parse
level=warning msg="failed to run RunTimeValue : cannot fetch uri from <nil> (1:31)\n | evt.Unmarshaled.caddy.request.uri\n | ..............................^" id=spring-hill name=crowdsecurity/caddy-logs stage=s01-parse
level=warning msg="failed to run RunTimeValue : cannot fetch method from <nil> (1:31)\n | evt.Unmarshaled.caddy.request.method\n | ..............................^" id=spring-hill name=crowdsecurity/caddy-logs stage=s01-parse
level=warning msg="failed to run RunTimeValue : cannot fetch headers from <nil> (1:35)\n | get(evt.Unmarshaled.caddy.request.headers, 'User-Agent') != nil ? evt.Unmarshaled.caddy.request.headers['User-Agent'][0] : nil\n | ..................................^" id=spring-hill name=crowdsecurity/caddy-logs stage=s01-parse
level=warning msg="failed to run RunTimeValue : cannot fetch host from <nil> (1:31)\n | evt.Unmarshaled.caddy.request.host\n | ..............................^" id=spring-hill name=crowdsecurity/caddy-logs stage=s01-parse
level=info msg="Ip 2a00:23c8:1bc7:e100:<redacted> performed 'gauth-fr/immich-bf' (6 events over 12.165237746s) at 2024-06-18 12:22:28.818085527 +0000 UTC"
level=info msg="Bucket overflow" bucket_id=wild-smoke cfg=cool-feather name=crowdsecurity/CVE-2017-9841 partition=fd971bdc790ac13bf2ac45f7b256d6b8425e3d86
level=info msg="Ip 83.97.73.245 performed 'crowdsecurity/CVE-2017-9841' (1 events over 61ns) at 2024-06-18 12:32:14.789901866 +0000 UTC"
level=info msg="capi metrics: sending"

Any ideas what’s going wrong?

Just tried again via a public IP on my phone and still doesn’t work:

In Crowdsec logs I can see:

level=info msg="Ip 92.40.168.206 performed 'gauth-fr/immich-bf' (7 events over 1m6.373608385s) at 2024-06-18 12:45:57.863370537 +0000 UTC"

In Immich logs:

[Nest] 17 - 06/18/2024, 1:45:58 PM WARN [Api:AuthService~t3i200dm] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:44:41 PM WARN [Api:AuthService~6l00gs9u] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:44:43 PM WARN [Api:AuthService~8m4glo5h] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:44:44 PM WARN [Api:AuthService~1byv5so8] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:44:48 PM WARN [Api:AuthService~wpx35dc9] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:45:57 PM WARN [Api:AuthService~l94oclzh] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:45:56 PM WARN [Api:AuthService~kgzfq8bq] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:45:54 PM WARN [Api:AuthService~fmmdy54c] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:44:46 PM WARN [Api:AuthService~r20cznln] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:44:50 PM WARN [Api:AuthService~r9r2sc72] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:44:51 PM WARN [Api:AuthService~wvoqcrel] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:45:51 PM WARN [Api:AuthService~3g7vwwza] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:45:52 PM WARN [Api:AuthService~yv4qte8f] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

[Nest] 17 - 06/18/2024, 1:45:55 PM WARN [Api:AuthService~itcehwjv] Failed login attempt for user test2@gmail.com from ip address 92.40.168.206

Nothing I can see for that 92.x.x.x IP address in Caddy log and no ban was implemented.

Although Opnsense where my LAPI sits does register the bans:

So maybe it’s a firewall rule issue…

OK, got this worked out: I missed the final step to get an API code to allow the blacklists to update in OPNsense, and now it’s working.
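
Added example, not part of the original post: a small Python triage over CrowdSec log lines like those quoted above, separating parse-stage warnings from scenario alerts so you can see whether detection fired before looking at the bouncer side. The sample lines are taken from the post with the warning bodies shortened; the function names are illustrative.

```python
import re
from collections import Counter

# Lines taken from the post above; warning bodies shortened, IPv6 redacted as posted.
SAMPLE = r'''level=warning msg="failed to run RunTimeValue : cannot fetch client_ip from <nil> (1:31)" id=spring-hill name=crowdsecurity/caddy-logs stage=s01-parse
level=warning msg="failed to run RunTimeValue : cannot fetch uri from <nil> (1:31)" id=spring-hill name=crowdsecurity/caddy-logs stage=s01-parse
level=info msg="Ip 2a00:23c8:1bc7:e100:<redacted> performed 'gauth-fr/immich-bf' (6 events over 12.165237746s) at 2024-06-18 12:22:28.818085527 +0000 UTC"
level=info msg="Bucket overflow" bucket_id=wild-smoke cfg=cool-feather name=crowdsecurity/CVE-2017-9841 partition=fd971bdc790ac13bf2ac45f7b256d6b8425e3d86
level=info msg="Ip 83.97.73.245 performed 'crowdsecurity/CVE-2017-9841' (1 events over 61ns) at 2024-06-18 12:32:14.789901866 +0000 UTC"
level=info msg="Ip 92.40.168.206 performed 'gauth-fr/immich-bf' (7 events over 1m6.373608385s) at 2024-06-18 12:45:57.863370537 +0000 UTC"
level=info msg="capi metrics: sending"
'''

# key=value pairs where the value is either a quoted string or a bare token
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the alert message CrowdSec logs when a scenario bucket overflows
ALERT = re.compile(r"Ip (\S+) performed '([^']+)' \((\d+) events? over [^)]+\)")


def parse_logfmt(line):
    """Split one logfmt line into a dict, dropping the surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def triage(lines):
    """Count parser warnings per (parser, stage) and collect scenario alerts."""
    warnings, alerts = Counter(), []
    for line in lines:
        fields = parse_logfmt(line)
        match = ALERT.search(fields.get("msg", ""))
        if match:
            alerts.append((match.group(1), match.group(2), int(match.group(3))))
        elif fields.get("level") == "warning" and "name" in fields:
            warnings[(fields["name"], fields.get("stage", "?"))] += 1
    return {"parser_warnings": dict(warnings), "alerts": alerts}


def ips_for(report, scenario):
    """Source IPs that triggered the given scenario, in log order."""
    return [ip for ip, name, _ in report["alerts"] if name == scenario]


if __name__ == "__main__":
    report = triage(SAMPLE.splitlines())
    print("parser warnings:", report["parser_warnings"])
    print("immich-bf fired for:", ips_for(report, "gauth-fr/immich-bf"))
```

When the scenario appears in the alerts, detection is working, and the next things to compare are `cscli decisions list` and `cscli bouncers list` on the LAPI host.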