
CrowdSec CloudFlare Worker Bouncer.

Having CrowdSec installed on your local reverse proxy is vital for security. But if you are seeing attempt after attempt arriving through a tunnel such as CloudFlare Tunnel, all of that traffic still reaches your reverse proxy and you still see every 403 Forbidden in your logs, because the ban is only enforced once the request has already come through the tunnel. We can fix that with a CloudFlare Worker Bouncer, which enforces your CrowdSec decisions at the CloudFlare edge before the request ever enters the tunnel.

Docker Compose

We're going to start with a compose file for the CrowdSec bouncer. Note that this container needs network access to the CrowdSec Local API (LAPI) served by your CrowdSec Agent (port 8080 by default), so either put it on the same Docker network as the crowdsec container or make the LAPI port reachable from it.

docker-compose.yml
services:
  crowdsec-cloudflare-bouncer:
    image: crowdsecurity/cloudflare-worker-bouncer
    restart: unless-stopped
    volumes:
      # the filled-in config from the CrowdSec docs, mounted where the image expects it
      - ./crowdsec-cloudflare-worker-bouncer.yaml:/etc/crowdsec/bouncers/crowdsec-cloudflare-worker-bouncer.yaml
    ports:
      - 2113:2113
    logging:
      options:
        max-size: "10m"
        max-file: "3"

We're going to get our yaml file from the CrowdSec docs: https://docs.crowdsec.net/u/bouncers/cloudflare-workers/#configuration

Here are the fields you need to fill out in that file:

  • ${API_KEY}: Generate this on the agent with docker exec -it crowdsec cscli bouncers add cloudflare. The key is printed once, so copy it into the yaml straight away.
  • ${CROWDSEC_LAPI_URL}: The URL the CrowdSec LAPI listens on, as reachable from the bouncer container (for example http://crowdsec:8080/ when both containers share a Docker network and the agent's container is named crowdsec).
  • only_include_decisions_from: []: Change this to only_include_decisions_from: ["cscli", "crowdsec"] for the CloudFlare free tier. That keeps only your agent's own decisions and your manual cscli bans, and leaves out the much larger community blocklist (origin CAPI), which would otherwise be pushed into Workers KV as well.
  • <ACCOUNT_ID> and <ZONE_ID>: These are the 32-character hex identifiers shown in the API section on the bottom right side of the page when you navigate to your zone's Overview.
  • routes_to_protect: []: You must actually specify the routes you want to protect, and you can use wildcards, i.e. for all subdomains, use *.thomaswildetech.com/*. Note that a route starting with *. matches subdomains only; to cover the apex domain too, add thomaswildetech.com/* as a second route.
  • <CLOUDFLARE_ACCOUNT_TOKEN>: This is a scoped API token that you will generate by following the same documentation.
  • account_name: Switch it to your email address

To generate the CLOUDFLARE_ACCOUNT_TOKEN token, follow the instructions here: https://docs.crowdsec.net/u/bouncers/cloudflare-workers/#cloudflare-configuration

Follow the instructions to set the failover mode to Fail Open mode: https://docs.crowdsec.net/u/bouncers/cloudflare-workers/#setting-up-the-worker-route-fail-mode. Fail Open means that if the worker errors or exceeds its limits, requests are passed through to your origin unblocked rather than being dropped, so you trade a short window without edge bans for not taking your sites down; CrowdSec on the reverse proxy is still there to catch what gets through.
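Before starting the container it is worth confirming, from the same network the bouncer will run on, that the LAPI URL and API key work and that the free-tier origin filter does what you expect. The script below is an added example and is not part of this post or of CrowdSec's own code. It pulls the decision stream exactly as a bouncer does (GET /v1/decisions/stream?startup=true with the X-Api-Key header) and applies the same origin filter that only_include_decisions_from expresses. It assumes the LAPI URL and key are supplied in the CROWDSEC_LAPI_URL and CROWDSEC_API_KEY environment variables; when they are absent it runs against a constructed sample stream so you can see the filter's effect offline.

```python
"""Pull CrowdSec decisions as a bouncer would and apply the origin filter.

Added example, not from the original post or from CrowdSec. Assumes:
  - CROWDSEC_LAPI_URL  e.g. http://crowdsec:8080/  (hypothetical value)
  - CROWDSEC_API_KEY   the key printed by `cscli bouncers add cloudflare`
"""
import json
import os
import urllib.request

# Constructed sample in the shape the LAPI returns from /v1/decisions/stream.
# Not captured from a real agent; the IPs are documentation ranges.
SAMPLE_STREAM = {
    "new": [
        {"id": 1, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.10",
         "type": "ban", "duration": "3h59m", "scenario": "crowdsecurity/http-probing"},
        {"id": 2, "origin": "cscli", "scope": "Ip", "value": "198.51.100.7",
         "type": "ban", "duration": "23h", "scenario": "manual 'ban' from 'localhost'"},
        {"id": 3, "origin": "CAPI", "scope": "Ip", "value": "192.0.2.44",
         "type": "ban", "duration": "167h", "scenario": "crowdsecurity/ssh-bf"},
        {"id": 4, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.11",
         "type": "captcha", "duration": "1h", "scenario": "crowdsecurity/http-crawl-non_statics"},
    ],
    "deleted": [
        {"id": 0, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.9",
         "type": "ban", "duration": "-5m", "scenario": "crowdsecurity/http-probing"},
    ],
}


def filter_by_origin(decisions, only_include_decisions_from):
    """Mirror of only_include_decisions_from: an empty list keeps every
    decision, otherwise only those whose origin is listed (compared as
    written, so CAPI is dropped by ["cscli", "crowdsec"])."""
    if not only_include_decisions_from:
        return list(decisions)
    allowed = set(only_include_decisions_from)
    return [d for d in decisions if d.get("origin") in allowed]


def summarize(stream, only_include_decisions_from=()):
    """Count what the bouncer would add and remove after filtering.
    The LAPI sends null instead of [] when a list is empty, hence `or []`."""
    new = filter_by_origin(stream.get("new") or [], only_include_decisions_from)
    deleted = filter_by_origin(stream.get("deleted") or [], only_include_decisions_from)
    by_type = {}
    for d in new:
        by_type[d["type"]] = by_type.get(d["type"], 0) + 1
    return {
        "new": len(new),
        "deleted": len(deleted),
        "by_type": by_type,
        "values": sorted(d["value"] for d in new),
    }


def fetch_stream(lapi_url, api_key, startup=True, timeout=10):
    """GET /v1/decisions/stream like a bouncer. startup=true asks for the
    full current decision set rather than only changes since the last pull."""
    url = lapi_url.rstrip("/") + "/v1/decisions/stream?startup=" + ("true" if startup else "false")
    req = urllib.request.Request(
        url, headers={"X-Api-Key": api_key, "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
    return json.loads(body) if body else {"new": [], "deleted": []}


if __name__ == "__main__":
    lapi = os.environ.get("CROWDSEC_LAPI_URL")
    key = os.environ.get("CROWDSEC_API_KEY")
    stream = fetch_stream(lapi, key) if lapi and key else SAMPLE_STREAM
    for label, filt in (("unfiltered", []), ("free-tier filter", ["cscli", "crowdsec"])):
        print(label, summarize(stream, filt))
```

On a real agent, a large difference between the unfiltered and filtered "new" counts is the community blocklist; the filtered count is what will end up as KV pairs at CloudFlare. A 403 from the LAPI means the API key is wrong or the bouncer was not registered; a connection error means the container network cannot reach the LAPI.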

Congratulations! You are now banning IPs at the CloudFlare proxy layer. To see information about the worker, click on the Worker from the Workers Routes page. To see the KV bans, go to your Account, then Storage & Databases -> KV, then click on KV Pairs and you will see any active decisions pushed from your CrowdSec agent.
