Hi all,
I’m currently integrating Crowdsec with Traefik on Nomad and Consul.
While everything works now, I noticed that all requests are whitelisted due to the traffic in the Traefik log having a 127.0.0.1 IP.
This is an example line in my traefik.log:
{"ClientAddr":"127.0.0.1:53900","ClientHost":"127.0.0.1","ClientPort":"53900","ClientUsername":"-","DownstreamContentSize":13,"DownstreamStatus":200,"Duration":26111788,"OriginContentSize":13,"OriginDuration":24386919,"OriginStatus":200,"Overhead":1724869,"RequestAddr":"bitwarden.domain.tld","RequestContentSize":0,"RequestCount":2,"RequestHost":"bitwarden.domain.tld","RequestMethod":"GET","RequestPath":"/api/accounts/revision-date","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"RouterName":"vaultwarden@consulcatalog","ServiceAddr":"192.168.50.31:29496","ServiceName":"vaultwarden@consulcatalog","ServiceURL":"https://192.168.50.31:29496","SpanId":"0000000000000000","StartLocal":"2024-12-11T16:40:36.897994861+01:00","StartUTC":"2024-12-11T15:40:36.897994861Z","TraceId":"00000000000000000000000000000000","downstream_Cache-Control":"no-cache, no-store, max-age=0","downstream_Content-Length":"13","downstream_Content-Security-Policy":"default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'self' blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src 'self' data: https://haveibeenpwned.com ; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.addy.io/api/ https://api.fastmail.com/ https://api.forwardemail.net ;","downstream_Content-Type":"application/json","downstream_Date":"Wed, 11 Dec 2024 15:40:36 GMT","downstream_Permissions-Policy":"accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()","downstream_Referrer-Policy":"same-origin","downstream_Server":"Rocket","downstream_X-Content-Type-Options":"nosniff","downstream_X-Frame-Options":"SAMEORIGIN","downstream_X-Robots-Tag":"noindex, nofollow","downstream_X-Xss-Protection":"0","entryPointName":"cloudflare","level":"info","msg":"","origin_Cache-Control":"no-cache, no-store, max-age=0","origin_Content-Length":"13","origin_Content-Security-Policy":"default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'self' blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src 'self' data: https://haveibeenpwned.com ; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.addy.io/api/ https://api.fastmail.com/ https://api.forwardemail.net ;","origin_Content-Type":"application/json","origin_Date":"Wed, 11 Dec 2024 15:40:36 GMT","origin_Permissions-Policy":"accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()","origin_Referrer-Policy":"same-origin","origin_Server":"Rocket","origin_X-Content-Type-Options":"nosniff","origin_X-Frame-Options":"SAMEORIGIN","origin_X-Robots-Tag":"noindex, nofollow","origin_X-Xss-Protection":"0","request_Accept":"application/json","request_Accept-Encoding":"gzip, br","request_Accept-Language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,es;q=0.6,nl;q=0.5,zh-CN;q=0.4,zh;q=0.3,zh-TW;q=0.2","request_Bitwarden-Client-Name":"browser","request_Bitwarden-Client-Version":"2024.11.2","request_Cache-Control":"no-store","request_Cdn-Loop":"cloudflare; loops=1","request_Cf-Connecting-Ip":"93.104.169.115","request_Cf-Ipcountry":"DE","request_Cf-Ray":"8f0692fa49f3b398-MUC","request_Cf-Visitor":"{\"scheme\":\"https\"}","request_Cf-Warp-Tag-Id":"59836c4e-0631-49ed-a3e4-1bbcdf88ba98","request_Device-Type":"2","request_Pragma":"no-cache","request_Priority":"u=1, i","request_Sec-Fetch-Dest":"empty","request_Sec-Fetch-Mode":"cors","request_Sec-Fetch-Site":"none","request_User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","request_X-Forwarded-For":"93.104.169.115","request_X-Forwarded-Host":"bitwarden.domain.tld","request_X-Forwarded-Port":"80","request_X-Forwarded-Proto":"https","request_X-Forwarded-Server":"08eb6a74ab79","request_X-Real-Ip":"93.104.169.115","time":"2024-12-11T16:40:36+01:00"}
As you can see, ClientAddr is 127.0.0.1; the real client IP is provided in the headers “request_X-Real-Ip” and “request_X-Forwarded-For”.
It looks to me like Crowdsec is whitelisting all requests, since the ClientAddr is 127.0.0.1, which defeats the purpose of Crowdsec.
Has anyone else encountered a similar issue? What would be the best approach to ignore the ClientAddr and have Crowdsec use another header like “X-Real-Ip”?
Thanks in advance
Matthias
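The trust rule that any fix for this needs, written out as an added example (this is not code from the post, from CrowdSec or from Traefik): take the real client from X-Forwarded-For only when the TCP peer Traefik logged in ClientHost is a proxy you control, and even then walk the header from the right, because everything to the left of the hop your proxy appended can be written by the client. Without that rule a client that reaches Traefik directly can name any address it likes in X-Forwarded-For and get someone else banned, or keep itself from ever being banned. The field names come from the log line above; the trusted range (loopback, the hop seen in the post) and the sample lines are constructed assumptions.

```python
import ipaddress
import json

# Constructed, abbreviated versions of the Traefik JSON access-log line shown in the post.
# Field names are the ones Traefik writes; only the fields this example reads are kept.
SAMPLE_LINES = {
    # The post's situation: loopback peer, real client only in the forwarding headers.
    "via_proxy": json.dumps({
        "ClientAddr": "127.0.0.1:53900", "ClientHost": "127.0.0.1",
        "RequestHost": "bitwarden.domain.tld", "RequestPath": "/api/accounts/revision-date",
        "request_X-Forwarded-For": "93.104.169.115", "request_X-Real-Ip": "93.104.169.115",
    }),
    # A client that reaches Traefik directly and supplies its own forged header.
    "direct_spoof": json.dumps({
        "ClientAddr": "203.0.113.7:40001", "ClientHost": "203.0.113.7",
        "request_X-Forwarded-For": "198.51.100.1", "request_X-Real-Ip": "198.51.100.1",
    }),
    # Proxy chain: the client forged a leading value, the trusted proxy appended the real peer.
    "forged_prefix": json.dumps({
        "ClientAddr": "127.0.0.1:40002", "ClientHost": "127.0.0.1",
        "request_X-Forwarded-For": "198.51.100.1, 203.0.113.9",
    }),
    # Loopback peer but no forwarding headers at all (e.g. a local health check).
    "local_only": json.dumps({"ClientAddr": "127.0.0.1:40003", "ClientHost": "127.0.0.1"}),
}

# Assumption: the only hop allowed to set forwarding headers is the loopback process
# that sits in front of Traefik in the post's setup. Scope this to your real proxies.
TRUSTED_PROXIES = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))


def _parse_ip(text):
    """Return an ip_address for text, or None if it is not a valid IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(text, trusted=TRUSTED_PROXIES):
    """True if text is a valid IP inside one of the trusted proxy ranges."""
    ip = _parse_ip(text)
    return ip is not None and any(ip in net for net in trusted)


def client_ip_from_traefik_line(line, trusted=TRUSTED_PROXIES):
    """Pick the address a ban decision should be keyed on for one JSON log line.

    ClientHost is the TCP peer Traefik saw. If that peer is not a trusted proxy, the
    forwarding headers were written by the client itself and are ignored. Otherwise
    walk X-Forwarded-For from the right, skipping trusted proxies, and take the first
    untrusted hop: values further left may have been forged by the client.
    """
    rec = json.loads(line)
    peer = rec.get("ClientHost", "")
    if not is_trusted_proxy(peer, trusted):
        return peer
    raw = rec.get("request_X-Forwarded-For", "")
    hops = [h for h in (p.strip() for p in raw.split(",")) if h]
    for hop in reversed(hops):
        ip = _parse_ip(hop)  # garbage such as "unknown" is skipped, never trusted
        if ip is not None and not any(ip in net for net in trusted):
            return str(ip)
    # Only trusted proxies (or no header at all) in the chain: fall back to the peer.
    return peer


def resolve_all(lines=SAMPLE_LINES, trusted=TRUSTED_PROXIES):
    """Map each sample name to the address the ban logic would use."""
    return {name: client_ip_from_traefik_line(line, trusted) for name, line in lines.items()}


if __name__ == "__main__":
    for name, ip in resolve_all().items():
        print(f"{name:14} -> {ip}")
```

Whatever ends up feeding the source address to CrowdSec (a log parser, or the proxy in front of Traefik rewriting the peer address) should apply the same rule: the loopback peer is skipped only because it is a known proxy, and the header is believed only as far right as the last untrusted hop. If Traefik is ever reachable without going through that proxy, the "direct_spoof" case above is exactly what an attacker would send.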