I’m currently trying to integrate CrowdSec with Traefik, which is running behind Cloudflare’s proxy. For context:
- I have two Traefik entrypoints:
web(HTTP) andwebsecure(HTTPS). - All HTTP traffic is redirected to HTTPS using
web → websecureredirection. - I have 4 middlewares -
a) cloudflarewarp (so CrowdSec can see the real IP of visitors)
b) crowdsec
c) rate-limit
d) secure-headers (HSTS, frame protection, referrer policy etc) - Traefik config (static, dynamic)
I’m following various tutorials and community guides, but many have conflicting information, which is making things quite confusing. I have a few questions I’m hoping someone can help clarify:
- Middleware Placement & Order
The only thing I’m certain about is thatcloudflarewarpmiddleware should come beforecrowdsecso that it gets the actual IP and not of cloudflare. So, in my Traefikwebsecureentrypoint, I’ve currently defined the middleware in the following order:
cloudflarewarp, crowdsec, rate-limit, security-headers
I haven’t defined any middleware under the web entrypoint at the moment.
However, after going through several YouTube videos and online guides, I’ve noticed that configurations vary a lot — some define middlewares only under websecure (like I did), while others include cloudflarewarp and/or crowdsec under the web entrypoint as well. Every resource seems to have a different combination and ordering, which is honestly quite confusing.
Could anyone clearly explain the recommended middleware placement and order for both web and websecure entrypoints, especially when using Cloudflare, CrowdSec, and other middlewares like rate limiting and security headers?
- Allowing Internal Traffic
To ensure CrowdSec doesn’t ban internal traffic, I’ve added the following private IP ranges to the Traefik bouncer’sclientTrustedIPsoption:
10.0.0.0/8172.16.0.0/12192.168.0.0/16
Is this the correct approach?
Additionally, many guides also add these same IP ranges toforwardedHeaders.trustedIPsin traefik bouncer. I’m not very familiar with the networking implications, should I do this as well, and what’s the purpose of it?
- Cloudflare IPs in
forwardedHeaders.trustedIPs
Some guides have Cloudflare IP ranges in both traefik entrypoint and in traefik bouncer’sforwardedHeaders.trustedIPsoption.
Since I’m already using thecloudflarewarpplugin and attaching it as middleware to the entrypoint, do I need to manually define Cloudflare IPs underforwardedHeaders.trustedIPsof traefik bouncer ?