Hello,
I am running Wordpress 6.7.2 on an nginx container with php fpm running in a separate container. This is behind a reverse proxy (also using nginx) on my own arch linux server.
I have crowdsec 1.6.5 running with 2 bouncers (the host firewall bouncer and wordpress-bouncer) and followed the instructions on the wordpress bouncer docs but the bouncer doesn’t seem to be doing anything.
I have enabled the prepend auto setting enabled and added my reverse proxy ip to the list of trusted IPs. The curl bouncing request passes the test as well.
I can see in the debug log that the IPs are being “bounced” but the cache result is always “miss”. Here’s sample:
2025-03-26T21:01:21.897960+00:00|100|Instantiate client|{"type":"CLIENT_INIT","configs":{"api_key":"***","auth_type":"api_key","tls_cert_path":"/","tls_key_path":"/","tls_verify_peer":false,"tls_ca_cert_path":"/","api_url":"<crowdsec-contianer>:8080","api_timeout":10,"user_agent_suffix":"WordPress","appsec_url":"http://localhost:7422","appsec_timeout_ms":400,"user_agent_version":"v2.9.0","api_connect_timeout":300,"appsec_connect_timeout_ms":150}}
2025-03-26T21:01:21.898325+00:00|100|Instantiate cache|{"type":"CACHE_INIT","configs":{"fs_cache_path":"/var/www/html/wp-content/plugins/crowdsec/inc/../../../../wp-content/uploads/crowdsec/cache/","use_cache_tags":false},"adapter":"Symfony\\Component\\Cache\\Adapter\\PhpFilesAdapter"}
2025-03-26T21:01:21.898668+00:00|100|Instantiate remediation engine|{"type":"REM_INIT","configs":{"appsec_fallback_remediation":"captcha","appsec_max_body_size_kb":1024,"appsec_body_size_exceeded_action":"headers_only","bouncing_level":"normal_bouncing","fallback_remediation":"captcha","stream_mode":true,"clean_ip_cache_duration":60,"bad_ip_cache_duration":120,"geolocation":{"enabled":false,"type":"maxmind","cache_duration":86400,"maxmind":{"database_type":"country","database_path":"/"}},"ordered_remediations":["ban","captcha","bypass"]},"cache":"CrowdSec\\RemediationEngine\\CacheStorage\\PhpFiles"}
2025-03-26T21:01:21.899118+00:00|100|Instantiate bouncer|{"type":"BOUNCER_INIT","logger":"CrowdSec\\Common\\Logger\\FileLog","remediation":"CrowdSec\\RemediationEngine\\LapiRemediation","configs":{"use_curl":true,"use_appsec":false,"debug_mode":true,"disable_prod_log":false,"log_directory_path":"/var/www/html/wp-content/plugins/crowdsec/inc/../../../../wp-content/uploads/crowdsec/logs/","forced_test_ip":"","forced_test_forwarded_ip":"","display_errors":false,"trust_ip_forward_array":[["<proxy ip>"]],"cache_system":"phpfs","captcha_cache_duration":86400,"hide_mentions":false,"custom_css":"","excluded_uris":[]}}
2025-03-26T21:01:21.899179+00:00|100|Running in auto_prepend_file mode|{"type":"AUTO_PREPEND_FILE_MODE","message":"Server is configured to auto_prepend this file /var/www/html/wp-content/plugins/crowdsec/inc/standalone-bounce.php"}
2025-03-26T21:01:21.899308+00:00|100|Detected IP is allowed for X-Forwarded-for usage|{"type":"AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"<proxy ip>","x_forwarded_for_ip":"<user ip>"}
2025-03-26T21:01:21.899348+00:00|200|Bouncing current IP|{"ip":"<user ip>"}
2025-03-26T21:01:21.899763+00:00|100|Cache result|{"type":"LAPI_REM_CACHED_DECISIONS","ip":"<user ip>","result":"miss"}
From looking at my nginx access logs, the URIs seem like they should trigger at least one scenario in the wordpress collection and I do have that installed.
The wordpress bouncer also seems like it’s not collecting metrics. The log mentions occasionally that there are no metrics to push, and doing cscli metrics show shows that the wordpress bouncer looks weird.
Bouncer Metrics (HostFirewallBouncer) since 2025-03-19 21:14:02 +0000 UTC │
├────────────────────────────┬──────────────────┬───────────────────┬───────────────────────┤
│ Origin │ active_decisions │ dropped │ processed │
│ │ IPs │ bytes │ packets │ bytes │ packets │
├────────────────────────────┼──────────────────┼─────────┼─────────┼───────────┼───────────┤
│ CAPI (community blocklist) │ 15.14k │ 1.45M │ 24.44k │ - │ - │
│ crowdsec (security engine) │ 1 │ 154.48k │ 2.18k │ - │ - │
├────────────────────────────┼──────────────────┼─────────┼─────────┼───────────┼───────────┤
│ Total │ 15.14k │ 1.60M │ 26.62k │ 1.40G │ 2.92M │
╰────────────────────────────┴──────────────────┴─────────┴─────────┴───────────┴───────────╯
╭────────────────────╮
│ Bouncer Metrics (w │
│ ordpress-bouncer) │
│ since 2025-03-19 2 │
│ 3:11:34 +0000 UTC │
├────────┬───────────┤
│ Origin │ processed │
│ │ request │
├────────┼───────────┤
│ Total │ 819 │
╰────────┴───────────╯
╭────────────────────────────────────────────────────────────╮
│ Local API Bouncers Metrics │
├─────────────────────┬──────────────────────┬────────┬──────┤
│ Bouncer │ Route │ Method │ Hits │
├─────────────────────┼──────────────────────┼────────┼──────┤
│ HostFirewallBouncer │ /v1/decisions/stream │ GET │ 4615 │
╰─────────────────────┴──────────────────────┴────────┴──────╯
One thing to note is that my cron job doesn’t seem to be working (ISP disabled NAT loopback), so that could be affecting the telemetry, but I am not entirely sure if that is the issue because I’m not seeing any decisions being created locally as well.
I’ve been combing through the wordpress plugin docs, but I feel like I must be missing something in my setup.
Any ideas? Thanks!
