Hi,
First of all, I am a newbie to CrowdSec, so please forgive me if I ask some obvious questions.
My setup is 1 Docker image running the CrowdSec LAPI (I will set up the Cloudflare bouncer later).
I am planning to install the ‘agent’ on several Windows Servers with IIS which are exposed to the internet behind a Cloudflare proxy.
Currently I have installed the agent on 1 server to test the setup.
I have configured IIS to log the original client IP from Cloudflare (CF-Connecting-IP), and I see that those IP addresses show up in the IIS logs.
Now I have done some ‘attacks’ to get some alerts/decisions.
I see that there are alerts created (on both the agent and the LAPI), but they have the IP addresses of Cloudflare’s proxies, not the original IP address.
As far as I understand the documentation, it is the agent that creates the alert and sends it to the LAPI, and the LAPI will decide what to do with it.
So that means I think I have to ‘tell’ the agent to look at the CF-Connecting-IP instead of the c-ip.
Question is how do I do that?
Kind regards,
André Drent
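
An added illustration, not part of the original post and not CrowdSec's own parser: how the `#Fields` directive of an IIS W3C log determines which column holds `c-ip` and which holds the custom `CF-Connecting-IP` value, and why the header should only replace `c-ip` when the connection really came from the proxy. The log lines, the custom column name and the trusted range (a documentation network standing in for the proxy's published ranges) are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the proxy's published ranges (TEST-NET-2, not real Cloudflare ranges).
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed IIS W3C log; the custom column name "CF-Connecting-IP" is an assumption.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status CF-Connecting-IP
2024-01-01 10:00:00 10.0.0.5 GET /wp-login.php 198.51.100.7 404 203.0.113.50
2024-01-01 10:00:01 10.0.0.5 GET /admin 192.0.2.99 404 203.0.113.51
2024-01-01 10:00:02 10.0.0.5 GET / 198.51.100.8 200 -
"""

def parse_w3c(text):
    """Yield one dict per log line, using the most recent #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def source_ip(entry, header_field="CF-Connecting-IP"):
    """Return the address a request should be attributed to."""
    peer = entry["c-ip"]
    forwarded = entry.get(header_field, "-")
    from_proxy = any(ipaddress.ip_address(peer) in net for net in TRUSTED_PROXIES)
    if not from_proxy or forwarded == "-":
        return peer  # direct connection or header absent: do not trust the header
    try:
        return str(ipaddress.ip_address(forwarded))
    except ValueError:
        return peer  # malformed header value: fall back to the TCP peer

def attributed_sources(text):
    """Attribution for every request in the log, in order."""
    return [source_ip(e) for e in parse_w3c(text)]

if __name__ == "__main__":
    for ip in attributed_sources(SAMPLE_LOG):
        print(ip)
```

The second sample line connects from outside the trusted range, so its header value is ignored and the request is attributed to the TCP peer; without that check, anyone reaching the server directly could choose which address gets banned.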