The point is to run crowdsec against the traffic entering your “main entrance”, ie the internet-facing proxy. Which seems to be your traefik . You can eventually also run the agent on the main router/firewall of your infrastructure if it supports it.
But every other webserver coming after your traefik doesn’t need it at all, unless you define a set of completely different rules that would block additional things that the first one would not have blocked… and all this would indeed be totally overkill