Protect your Coolify websites with CrowdSec Firewall

  • Writer: Mustafa Ramadan
  • Apr 6
  • 3 min read

Updated: Jun 14


Are you self-hosting your apps with Coolify and Traefik v3? Want to protect your apps from bad bots, abuse, and attacks? In this guide, I’ll show you how to install and configure CrowdSec on Coolify with Traefik v3 using the CrowdSec bouncer plugin, the easy way.

Perfect for people hosting many websites with Docker and Traefik on a Coolify server.

Note: This setup protects your websites only. It does not protect your full server (SSH, other ports, system-level attacks). 👉 If you want to protect your entire Coolify server, check this guide: Secure Your Coolify Server & Websites with CrowdSec and Traefik


What is CrowdSec?

CrowdSec is a free, open-source security engine that protects your servers from malicious traffic. It works like Fail2Ban but smarter — it analyzes logs, blocks bad IPs, and shares threat intelligence with the community.



What You’ll Need

  • Coolify self-hosted on a Linux server

  • Traefik v3 running as your reverse proxy (Already installed by Coolify)

  • Docker + Docker Compose (Already installed by Coolify)

  • Root access (or sudo)



Step 1: Deploy CrowdSec via Docker Compose:

Create a container for CrowdSec and make sure it's connected to the Coolify network:


version: '3.8'
services:
  crowdsec:
    image: 'crowdsecurity/crowdsec:latest'
    container_name: crowdsec
    expose:
      - "8080"
    environment:
      GID: '${GID-1000}'
      COLLECTIONS: 'crowdsecurity/linux crowdsecurity/traefik'
    volumes:
      - 'crowdsec-db:/var/lib/crowdsec/data'
      - './crowdsec/config:/etc/crowdsec/'
      - './crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml'
      - '/data/coolify/proxy:/traefik'
    networks:
      - coolify
    security_opt:
      - 'no-new-privileges:true'
    restart: unless-stopped

volumes:
  crowdsec-db: null
networks:
  coolify:
    external: true

The /etc/crowdsec/acquis.yaml file should contain:

filenames:
  - /traefik/access.log
labels:
  type: traefik


Step 2: Configure Traefik:

In your docker-compose.yml file for Traefik, add these under command:


  • Add the CrowdSec Traefik plugin:

    - '--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin'
    - '--experimental.plugins.crowdsec-bouncer.version=v1.2.1'

  • Enable the Traefik access log as a file:

    - '--accesslog=true'
    - '--accesslog.filepath=/traefik/access.log'

  • To watch the Traefik live logs you might need to add this too:

    - '--accesslog=true'

  • Also, apply the CrowdSec middleware globally:

    - '--entrypoints.http.http.middlewares=crowdsec@file'
    - '--entrypoints.https.http.middlewares=crowdsec@file'

This applies protection to all your websites without needing labels per app.



Step 3: Create CrowdSec Middleware

Create a file /data/coolify/proxy/dynamic/crowdsec-plugin.yaml:

http:
  middlewares:
    crowdsec:
      plugin:
        crowdsec-bouncer:
          crowdsecMode: live
          crowdsecLapiHost: 'crowdsec:8080'
          # Replace with the key generated by the cscli command below
          crowdsecLapiKey: your_lapi_key_here
          enabled: true

You can generate the LAPI key inside the container using:

docker exec -it crowdsec cscli bouncers add traefik-bouncer
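
The files from Steps 1 to 3 have to agree with each other on the log path, the plugin name, the middleware name and the key. The script below is an added example, not part of the original guide, that cross-checks them; the script name check.sh, the function names and the constructed sample files are assumptions made for illustration, and the real file paths are passed as arguments.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the wiring from Steps 1-3.
# Usage: ./check.sh <traefik-compose.yml> <acquis.yaml> <crowdsec-plugin.yaml>
check_wiring() {
  local compose="$1" acquis="$2" plugin="$3" problems=0 logpath ep
  fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

  # 1. The bouncer plugin must be declared in Traefik's static config.
  grep -q -- '--experimental\.plugins\.crowdsec-bouncer\.modulename=' "$compose" \
    || fail "crowdsec-bouncer plugin not declared"

  # 2. Traefik must write its access log to the file CrowdSec reads.
  logpath=$(sed -n "s/.*--accesslog\.filepath=\([^'\"[:space:]]*\).*/\1/p" "$compose" | head -n1)
  if [ -z "$logpath" ]; then
    fail "no --accesslog.filepath, CrowdSec has nothing to read"
  elif ! grep -qF -- "- $logpath" "$acquis"; then
    fail "acquis.yaml does not list $logpath"
  fi

  # 3. Both entrypoints need the middleware, or one of them bypasses it.
  for ep in http https; do
    grep -q -- "--entrypoints\.$ep\.http\.middlewares=crowdsec@file" "$compose" \
      || fail "entrypoint '$ep' has no crowdsec@file middleware"
  done

  # 4. Dynamic config: no tab indentation (invalid YAML), real key, enabled.
  grep -q "$(printf '\t')" "$plugin" && fail "tab characters in $plugin"
  grep -Eq 'crowdsecLapiKey:[[:space:]]*(your_lapi_key_here)?[[:space:]]*$' "$plugin" \
    && fail "crowdsecLapiKey is empty or still the placeholder"
  grep -Eq 'enabled:[[:space:]]*true' "$plugin" || fail "bouncer not enabled"

  [ "$problems" -eq 0 ] && echo "OK: wiring is consistent"
  return "$problems"
}

# Constructed sample files mirroring the page's settings (key left as placeholder).
make_sample() {
  printf '%s\n' "command:" \
    "  - '--experimental.plugins.crowdsec-bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin'" \
    "  - '--accesslog.filepath=/traefik/access.log'" \
    "  - '--entrypoints.http.http.middlewares=crowdsec@file'" \
    "  - '--entrypoints.https.http.middlewares=crowdsec@file'" > "$1/traefik.yml"
  printf '%s\n' "filenames:" "  - /traefik/access.log" "labels:" "  type: traefik" > "$1/acquis.yaml"
  printf '%s\n' "crowdsecLapiKey: your_lapi_key_here" "enabled: true" > "$1/plugin.yaml"
}

if [ "$#" -eq 3 ]; then check_wiring "$@"; else
  d=$(mktemp -d); make_sample "$d"
  check_wiring "$d/traefik.yml" "$d/acquis.yaml" "$d/plugin.yaml" || echo "$? problem(s) found"
  rm -rf "$d"
fi
```

Run without arguments, it checks the constructed sample and reports the one problem left in it on purpose: the placeholder LAPI key.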

Step 4: Protect All Sites Automatically



Now, CrowdSec is applied globally via middleware. You don’t need to add labels to every website anymore.


Optional: You can still use a HostRegexp('.+') router if you want extra filtering or want to block specific paths.


Now block yourself to test (replace 1.2.3.4 with your own IP address):

docker exec -it crowdsec cscli decisions add -i 1.2.3.4 -d 30m

Unblock yourself:

docker exec -it crowdsec cscli decisions delete -i YOUR.IP.ADDRESS

And that's it, all good now ^_^ You are ready to leave your server alone ;)


What about Fail2Ban? Do I still need it with CrowdSec on Coolify?

Fail2Ban is a classic tool to block brute-force SSH and similar attacks. If you’re running CrowdSec with Traefik (like we show here), CrowdSec is already handling web-related attacks. For SSH protection, you can still use Fail2Ban or let CrowdSec handle it with an SSH scenario. We’ll publish a full Coolify + Fail2Ban guide soon, so stay tuned.

Final Thoughts

With this setup, your Coolify-hosted websites now have an extra layer of protection powered by CrowdSec.


You are automatically protected from common web attacks such as:


  • Admin probes against WordPress or any other website

  • Scanning for sensitive files

  • CVE-based attacks

  • XSS, SQLi and more


And the beauty is: the protection is applied globally — no need to configure each site manually.


What’s Next?


If you want to protect your entire Coolify server (including SSH and non-HTTP services), check my full guide on securing Coolify + Traefik with CrowdSec here → Secure Your Coolify Server & Websites with CrowdSec and Traefik



Need Help?

If you need help setting up CrowdSec, installing or securing your Coolify server, or optimizing your infrastructure:


I offer personal consulting and setup services:


  • CrowdSec & Fail2Ban setup

  • Traefik hardening

  • Coolify hosting setup and security

  • Performance tuning & monitoring


Bonus: I can also help review your current setup and suggest improvements — even if you already have CrowdSec installed.


Contact me down below 👇 happy to help you secure your server

 
 
 
