Hello everyone,
I am encountering the following error with my GitLab server, which is behind NPMplus by Zoey2936:
2026/03/10 15:12:09 [alert] 623#623: *3881 [lua] crowdsec.lua:783: Allow(): [Crowdsec] denied '192.168.x.x' with 'ban' (by appsec), client: 192.168.x.x, server: git.mygitlab.com, request: "POST /api/v4/jobs/2823/artifacts?artifact_format=zip&artifact_type=archive HTTP/1.1", host: "git.mygitlab.com"
I tried to whitelist this address by creating a new allowlist:
docker exec -it crowdsec cscli allowlist create my_allowlist
Then I added the IP 192.168.x.x to the list, but I am still getting the same error. When I disable CrowdSec AppSec from the GUI, everything works correctly.
Could someone please show me how to properly whitelist this IP address?
Thank you.
Hello,
By default, private IP addresses should be excluded from bans (see the default whitelists installed).
If you put the right IP address in the allowlist, there is no reason for it to be banned.
You can use cscli allowlists check to check if an IP is in an allowlist.
Can you provide more details so one can try to reproduce the bug? Thanks,
Hello Thibault,
The problem occurs when we execute a CI/CD job from an internal server (192.168.x.x) to the GitLab server.
We tested a job with a 20 MB artifact without any PDF files, and it worked perfectly. However, when we included a PDF file, the job failed with the following message, which can be found in /opt/npmplus/nginx/logs/error.log.
Here are my metrics:
╭───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics │
├─────────────────────────────────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├─────────────────────────────────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ appsec:appsec │ 76 │ 76 │ - │ 43 │ - │
│ file:/opt/npmplus/nginx/logs/access.log │ 69.71k │ 69.71k │ - │ 4.11k │ 61.40k │
│ file:/opt/npmplus/nginx/logs/error.log │ 979 │ 925 │ 54 │ 540 │ 12 │
│ file:/opt/openappsec/logs/cp-nano-http-transaction-handler.log1 │ 6 │ - │ 6 │ - │ - │
│ file:/opt/openappsec/logs/cp-nano-http-transaction-handler.log2 │ 6 │ - │ 6 │ - │ - │
│ file:/opt/openappsec/logs/cp-nano-http-transaction-handler.log3 │ 6 │ - │ 6 │ - │ - │
│ file:/opt/openappsec/logs/cp-nano-http-transaction-handler.log4 │ 6 │ - │ 6 │ - │ - │
╰─────────────────────────────────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
╭─────────────────────────────────────────────────────────╮
│ Local API Alerts │
├─────────────────────────────────────────────────┬───────┤
│ Reason │ Count │
├─────────────────────────────────────────────────┼───────┤
│ crowdsecurity/http-cve-probing │ 3 │
│ crowdsecurity/vpatch-CVE-2017-9841 │ 17 │
│ crowdsecurity/appsec-vpatch │ 29 │
│ crowdsecurity/generic-wordpress-uploads-listing │ 15 │
│ crowdsecurity/http-cve-2021-42013 │ 1 │
│ crowdsecurity/http-open-proxy │ 9 │
│ crowdsecurity/http-wordpress-scan │ 14 │
│ crowdsecurity/vpatch-CVE-2025-55182 │ 25 │
│ crowdsecurity/vpatch-git-config │ 56 │
│ crowdsecurity/CVE-2017-9841 │ 9 │
│ crowdsecurity/generic-wordpress-uploads-php │ 19 │
│ crowdsecurity/http-bad-user-agent │ 17 │
│ crowdsecurity/http-crawl-non_statics │ 11 │
│ crowdsecurity/http-probing │ 31 │
│ crowdsecurity/http-sensitive-files │ 10 │
│ crowdsecurity/http-wordpress_wpconfig │ 1 │
│ LePresidente/http-generic-403-bf │ 5 │
│ crowdsecurity/http-cve-2021-41773 │ 14 │
│ crowdsecurity/jira_cve-2021-26086 │ 6 │
│ crowdsecurity/vpatch-env-access │ 76 │
│ crowdsecurity/vpatch-symfony-profiler │ 4 │
│ crowdsecurity/http-admin-interface-probing │ 12 │
│ crowdsecurity/http-backdoors-attempts │ 2 │
╰─────────────────────────────────────────────────┴───────╯
╭─────────────────────────────────────╮
│ Appsec Metrics │
├───────────────┬───────────┬─────────┤
│ Appsec Engine │ Processed │ Blocked │
├───────────────┼───────────┼─────────┤
│ appsec │ 31.08k │ 73 │
╰───────────────┴───────────┴─────────╯
╭─────────────────────────────────────────────────────────────╮
│ Appsec 'appsec' Rules Metrics │
├─────────────────────────────────────────────────┬───────────┤
│ Rule ID │ Triggered │
├─────────────────────────────────────────────────┼───────────┤
│ crowdsecurity/experimental-no-user-agent │ 3 │
│ crowdsecurity/generic-wordpress-uploads-listing │ 4 │
│ crowdsecurity/generic-wordpress-uploads-php │ 4 │
│ crowdsecurity/vpatch-CVE-2017-9841 │ 9 │
│ crowdsecurity/vpatch-CVE-2025-55182 │ 15 │
│ crowdsecurity/vpatch-env-access │ 20 │
│ crowdsecurity/vpatch-git-config │ 21 │
╰─────────────────────────────────────────────────┴───────────╯
╭───────────────────────────────────────────────────────────────╮
│ Local API Decisions │
├───────────────────────────────────┬──────────┬────────┬───────┤
│ Reason │ Origin │ Action │ Count │
├───────────────────────────────────┼──────────┼────────┼───────┤
│ http:crawl │ CAPI │ ban │ 74 │
│ http:exploit │ CAPI │ ban │ 17220 │
│ http:scan │ CAPI │ ban │ 6116 │
│ crowdsecurity/appsec-vpatch │ crowdsec │ ban │ 1 │
│ crowdsecurity/http-bad-user-agent │ crowdsec │ ban │ 1 │
│ crowdsecurity/http-cve-probing │ crowdsec │ ban │ 1 │
│ http:bruteforce │ CAPI │ ban │ 1776 │
╰───────────────────────────────────┴──────────┴────────┴───────╯
╭────────────────────────────────────────────────────╮
│ Local API Metrics │
├───────────────────────────────────┬────────┬───────┤
│ Route │ Method │ Hits │
├───────────────────────────────────┼────────┼───────┤
│ /v1/alerts │ GET │ 2 │
│ /v1/alerts │ POST │ 71 │
│ /v1/allowlists │ GET │ 2654 │
│ /v1/allowlists/check/:ip_or_range │ GET │ 2 │
│ /v1/decisions │ GET │ 65169 │
│ /v1/decisions/stream │ HEAD │ 2646 │
│ /v1/heartbeat │ GET │ 2653 │
│ /v1/usage-metrics │ POST │ 257 │
│ /v1/watchers/login │ POST │ 49 │
╰───────────────────────────────────┴────────┴───────╯
╭─────────────────────────────────────────────────╮
│ Local API Bouncers Metrics │
├─────────┬──────────────────────┬────────┬───────┤
│ Bouncer │ Route │ Method │ Hits │
├─────────┼──────────────────────┼────────┼───────┤
│ npmplus │ /v1/decisions │ GET │ 65169 │
│ npmplus │ /v1/decisions/stream │ HEAD │ 2646 │
╰─────────┴──────────────────────┴────────┴───────╯
╭─────────────────────────────────────────────╮
│ Local API Bouncers Decisions │
├─────────┬───────────────┬───────────────────┤
│ Bouncer │ Empty answers │ Non-empty answers │
├─────────┼───────────────┼───────────────────┤
│ npmplus │ 64958 │ 211 │
╰─────────┴───────────────┴───────────────────╯
╭───────────────────────────────────────────────────────────────╮
│ Local API Machines Metrics │
├───────────┬───────────────────────────────────┬────────┬──────┤
│ Machine │ Route │ Method │ Hits │
├───────────┼───────────────────────────────────┼────────┼──────┤
│ localhost │ /v1/alerts │ GET │ 2 │
│ localhost │ /v1/alerts │ POST │ 71 │
│ localhost │ /v1/allowlists │ GET │ 2654 │
│ localhost │ /v1/allowlists/check/:ip_or_range │ GET │ 2 │
│ localhost │ /v1/heartbeat │ GET │ 2653 │
╰───────────┴───────────────────────────────────┴────────┴──────╯
╭───────────────────────────────────────────────────────────────────╮
│ Parser Metrics │
├────────────────────────────────────┬─────────┬─────────┬──────────┤
│ Parsers │ Hits │ Parsed │ Unparsed │
├────────────────────────────────────┼─────────┼─────────┼──────────┤
│ ZoeyVid/npmplus-logs │ 70.69k │ 70.64k │ 54 │
│ child-ZoeyVid/npmplus-logs │ 71.78k │ 70.64k │ 1.15k │
│ child-crowdsecurity/http-logs │ 211.91k │ 143.96k │ 67.95k │
│ crowdsecurity/appsec-logs │ 76 │ 76 │ - │
│ crowdsecurity/cdn-whitelist │ 31 │ 31 │ - │
│ crowdsecurity/dateparse-enrich │ 70.64k │ 70.64k │ - │
│ crowdsecurity/geoip-enrich │ 9.30k │ 9.30k │ - │
│ crowdsecurity/http-logs │ 70.64k │ 70.61k │ 28 │
│ crowdsecurity/non-syslog │ 70.79k │ 70.79k │ - │
│ crowdsecurity/public-dns-allowlist │ 70.71k │ 70.71k │ - │
│ crowdsecurity/rdns │ 31 │ 31 │ - │
│ crowdsecurity/seo-bots-whitelist │ 31 │ 31 │ - │
│ crowdsecurity/whitelists │ 70.71k │ 70.71k │ - │
╰────────────────────────────────────┴─────────┴─────────┴──────────╯
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Scenario Metrics │
├────────────────────────────────────────────┬───────────────┬───────────┬──────────────┬────────┬─────────┤
│ Scenario │ Current Count │ Overflows │ Instantiated │ Poured │ Expired │
├────────────────────────────────────────────┼───────────────┼───────────┼──────────────┼────────┼─────────┤
│ LePresidente/http-generic-401-bf │ - │ - │ 6 │ 18 │ 6 │
│ LePresidente/http-generic-403-bf │ - │ - │ 7 │ 23 │ 7 │
│ crowdsecurity/CVE-2017-9841 │ - │ 141 │ 141 │ - │ - │
│ crowdsecurity/appsec-vpatch │ - │ 7 │ 36 │ 43 │ 29 │
│ crowdsecurity/http-admin-interface-probing │ - │ - │ 11 │ 19 │ 11 │
│ crowdsecurity/http-backdoors-attempts │ - │ - │ 2 │ 2 │ 2 │
│ crowdsecurity/http-bad-user-agent │ - │ 7 │ 12 │ 19 │ 5 │
│ crowdsecurity/http-crawl-non_statics │ 1 │ 5 │ 2.07k │ 3.13k │ 2.07k │
│ crowdsecurity/http-cve-2021-41773 │ - │ 5 │ 5 │ - │ - │
│ crowdsecurity/http-cve-probing │ - │ 1 │ 1 │ - │ - │
│ crowdsecurity/http-probing │ 2 │ 50 │ 727 │ 1.33k │ 675 │
│ crowdsecurity/http-sensitive-files │ - │ 7 │ 46 │ 88 │ 39 │
│ crowdsecurity/http-wordpress-scan │ - │ - │ 7 │ 8 │ 7 │
│ crowdsecurity/http-wordpress_user-enum │ - │ - │ 2 │ 10 │ 2 │
│ crowdsecurity/http-wordpress_wpconfig │ - │ - │ 1 │ 1 │ 1 │
│ crowdsecurity/jira_cve-2021-26086 │ - │ 5 │ 5 │ - │ - │
╰────────────────────────────────────────────┴───────────────┴───────────┴──────────────┴────────┴─────────╯
╭───────────────────────────────────────────────────────────────────────────────────────────────╮
│ Whitelist Metrics │
├────────────────────────────────────┬────────────────────────────────────┬───────┬─────────────┤
│ Whitelist │ Reason │ Hits │ Whitelisted │
├────────────────────────────────────┼────────────────────────────────────┼───────┼─────────────┤
│ crowdsecurity/cdn-whitelist │ CDN provider │ 31 │ - │
│ crowdsecurity/public-dns-allowlist │ public DNS server │ 70712 │ - │
│ crowdsecurity/seo-bots-whitelist │ good bots (search engine crawlers) │ 31 │ - │
│ crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 70712 │ 61415 │
╰────────────────────────────────────┴────────────────────────────────────┴───────┴─────────────╯
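
The deny line quoted in the first post names its origin in parentheses ("by appsec"). As an added example that is not part of the thread, the following Python sketch parses bouncer deny lines in that layout from error.log and counts the ones with origin appsec whose client is an RFC 1918 address, grouped by method and path. The function names, the sample lines and the host git.example.test are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Layout taken from the error.log line quoted in the first post.
DENY_RE = re.compile(
    r"\[Crowdsec\] denied '(?P<ip>[^']+)' with '(?P<action>[^']+)' "
    r'\(by (?P<origin>[^)]+)\).*?request: "(?P<method>\S+) (?P<target>\S+)'
)
# Assumption: "internal" means the RFC 1918 IPv4 ranges only.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_deny(line):
    """Return a dict for a bouncer deny line, or None for any other line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec.pop("target").split("?", 1)[0]  # drop the query string
    try:
        addr = ipaddress.ip_address(rec["ip"])
        rec["private"] = any(addr in net for net in RFC1918)
    except ValueError:  # redacted or malformed address such as 192.168.x.x
        rec["private"] = None
    return rec

def internal_appsec_denies(lines):
    """Count (ip, method, path) for appsec-origin denies from RFC 1918 clients."""
    hits = Counter()
    for line in lines:
        rec = parse_deny(line)
        if rec and rec["origin"] == "appsec" and rec["private"]:
            hits[(rec["ip"], rec["method"], rec["path"])] += 1
    return hits

# Constructed sample lines in the layout of the quoted log entry (not real logs).
PREFIX = "2026/03/10 15:12:09 [alert] 623#623: *1 [lua] crowdsec.lua:783: Allow(): "
REQ = ('server: git.example.test, request: "POST /api/v4/jobs/2823/artifacts'
       '?artifact_format=zip&artifact_type=archive HTTP/1.1", host: "git.example.test"')
SAMPLE = [
    PREFIX + "[Crowdsec] denied '192.168.1.50' with 'ban' (by appsec), client: 192.168.1.50, " + REQ,
    PREFIX + "[Crowdsec] denied '192.168.1.50' with 'ban' (by appsec), client: 192.168.1.50, " + REQ,
    PREFIX + "[Crowdsec] denied '203.0.113.7' with 'ban' (by appsec), client: 203.0.113.7, " + REQ,
    PREFIX + "[Crowdsec] denied '192.168.x.x' with 'ban' (by appsec), client: 192.168.x.x, " + REQ,
    "2026/03/10 15:12:10 [error] 623#623: *2 upstream timed out, client: 192.168.1.50",
]

if __name__ == "__main__":
    for key, count in internal_appsec_denies(SAMPLE).items():
        print(count, *key)
```
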