[GH-ISSUE #3054] Crowdsec false ban #17284

New Issue

Closed

opened 2026-05-18 17:46:35 -05:00 by GiteaMirror · 11 comments

GiteaMirror commented 2026-05-18 17:46:35 -05:00

Owner

Copy Link

Originally created by @DKT69 on GitHub (May 11, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/3054

Describe the Bug

after upgrade from 1.17.1 to 1.18.3 crowdsec false ban with http-crawl-non-statics.

root@pangolin:/opt/pangolin# docker exec -it crowdsec cscli explain --file /var/log/traefik/test.log --type traefik-logs -v
line: {"ClientAddr":":60806","ClientHost":"","DownstreamContentSize":205,"DownstreamStatus":200,"Duration":66416113,"OriginStatus":200,"RequestAddr":"","RequestHost":"","RequestMethod":"GET","RequestPath":"/homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"next-router@file","ServiceAddr":"pangolin:3002","ServiceName":"next-service@file","ServiceURL":"http://pangolin:3002","StartLocal":"2026-05-10T01:30:37.039936871+08:00","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","downstream_Content-Encoding":"gzip","downstream_Content-Security-Policy":"upgrade-insecure-requests","downstream_Content-Type":"text/x-component","downstream_Date":"Sat, 09 May 2026 17:30:37 GMT","downstream_Permissions-Policy":"camera=(), microphone=(), geolocation=()","downstream_Referrer-Policy":"same-origin","downstream_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","downstream_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","downstream_X-Content-Type-Options":"nosniff","downstream_X-Frame-Options":"SAMEORIGIN","downstream_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","downstream_X-Xss-Protection":"0","level":"info","msg":"","origin_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","origin_Content-Encoding":"gzip","origin_Content-Security-Policy":"upgrade-insecure-requests","origin_Content-Type":"text/x-component","origin_Date":"Sat, 09 May 2026 17:30:37 GMT","origin_Permissions-Policy":"camera=(), microphone=(), geolocation=()","origin_Referrer-Policy":"same-origin","origin_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","origin_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","origin_X-Content-Type-Options":"nosniff","origin_X-Frame-Options":"SAMEORIGIN","origin_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","origin_X-Xss-Protection":"0","request_Accept":"*/*","request_Accept-Encoding":"gzip, deflate, br, zstd","request_Accept-Language":"en-US,en;q=0.9","request_Cookie":"","request_Next-Url":"/homelabs/settings/resources/proxy","request_Priority":"i","request_Referer":"https:///homelabs/settings/resources/proxy","request_Rsc":"1","request_Sec-Ch-Ua":"\"Google Chrome\";v=\"147\", \"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"147\"","request_Sec-Ch-Ua-Mobile":"?0","request_Sec-Ch-Ua-Platform":"\"Windows\"","request_Sec-Fetch-Dest":"empty","request_Sec-Fetch-Mode":"cors","request_Sec-Fetch-Site":"same-origin","request_Sec-Gpc":"1","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36","request_X-Forwarded-Host":"","request_X-Forwarded-Port":"443","request_X-Forwarded-Proto":"https","request_X-Forwarded-Server":"713f8dd68d53","request_X-Geoblock-Decision":"pass:allowed_country","request_X-Geoblock-Status":"pass","request_X-Ipcountry":"MY","request_X-Real-Ip":"","time":"2026-05-10T01:30:37+08:00"}
        ├ s00-raw
        |       ├ 🔴 crowdsecurity/cri-logs
        |       ├ 🔴 crowdsecurity/docker-logs
        |       ├ 🔴 crowdsecurity/syslog-logs
        |       └ 🟢 crowdsecurity/non-syslog (+5 ~8)
        |               └ update evt.ExpectMode : %!s(int=0) -> 1
        |               └ update evt.Stage :  -> s01-parse
        |               └ update evt.Line.Raw :  -> {"ClientAddr":":60806","ClientHost":"","DownstreamContentSize":205,"DownstreamStatus":200,"Duration":66416113,"OriginStatus":200,"RequestAddr":"","RequestHost":"","RequestMethod":"GET","RequestPath":"/homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"next-router@file","ServiceAddr":"pangolin:3002","ServiceName":"next-service@file","ServiceURL":"http://pangolin:3002","StartLocal":"2026-05-10T01:30:37.039936871+08:00","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","downstream_Content-Encoding":"gzip","downstream_Content-Security-Policy":"upgrade-insecure-requests","downstream_Content-Type":"text/x-component","downstream_Date":"Sat, 09 May 2026 17:30:37 GMT","downstream_Permissions-Policy":"camera=(), microphone=(), geolocation=()","downstream_Referrer-Policy":"same-origin","downstream_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","downstream_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","downstream_X-Content-Type-Options":"nosniff","downstream_X-Frame-Options":"SAMEORIGIN","downstream_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","downstream_X-Xss-Protection":"0","level":"info","msg":"","origin_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","origin_Content-Encoding":"gzip","origin_Content-Security-Policy":"upgrade-insecure-requests","origin_Content-Type":"text/x-component","origin_Date":"Sat, 09 May 2026 17:30:37 GMT","origin_Permissions-Policy":"camera=(), microphone=(), geolocation=()","origin_Referrer-Policy":"same-origin","origin_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","origin_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","origin_X-Content-Type-Options":"nosniff","origin_X-Frame-Options":"SAMEORIGIN","origin_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","origin_X-Xss-Protection":"0","request_Accept":"*/*","request_Accept-Encoding":"gzip, deflate, br, zstd","request_Accept-Language":"en-US,en;q=0.9","request_Cookie":"pangolin-last-org=homelabs;","request_Next-Url":"/homelabs/settings/resources/proxy","request_Priority":"i","request_Referer":"https:///homelabs/settings/resources/proxy","request_Rsc":"1","request_Sec-Ch-Ua":"\"Google Chrome\";v=\"147\", \"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"147\"","request_Sec-Ch-Ua-Mobile":"?0","request_Sec-Ch-Ua-Platform":"\"Windows\"","request_Sec-Fetch-Dest":"empty","request_Sec-Fetch-Mode":"cors","request_Sec-Fetch-Site":"same-origin","request_Sec-Gpc":"1","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36","request_X-Forwarded-Host":"","request_X-Forwarded-Port":"443","request_X-Forwarded-Proto":"https","request_X-Forwarded-Server":"713f8dd68d53","request_X-Geoblock-Decision":"pass:allowed_country","request_X-Geoblock-Status":"pass","request_X-Ipcountry":"MY","request_X-Real-Ip":"","time":"2026-05-10T01:30:37+08:00"}
        |               └ update evt.Line.Src :  -> /var/log/traefik/test.log
        |               └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2026-05-09 17:58:54.484770772 +0000 UTC
        |               └ create evt.Line.Labels.type : traefik-logs
        |               └ update evt.Line.Process : %!s(bool=false) -> true
        |               └ update evt.Line.Module :  -> file
        |               └ create evt.Parsed.message : {"ClientAddr":":60806","ClientHost":"","DownstreamContentSize":205,"DownstreamStatus":200,"Duration":66416113,"OriginStatus":200,"RequestAddr":"","RequestHost":"","RequestMethod":"GET","RequestPath":"/homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"next-router@file","ServiceAddr":"pangolin:3002","ServiceName":"next-service@file","ServiceURL":"http://pangolin:3002","StartLocal":"2026-05-10T01:30:37.039936871+08:00","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","downstream_Content-Encoding":"gzip","downstream_Content-Security-Policy":"upgrade-insecure-requests","downstream_Content-Type":"text/x-component","downstream_Date":"Sat, 09 May 2026 17:30:37 GMT","downstream_Permissions-Policy":"camera=(), microphone=(), geolocation=()","downstream_Referrer-Policy":"same-origin","downstream_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","downstream_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","downstream_X-Content-Type-Options":"nosniff","downstream_X-Frame-Options":"SAMEORIGIN","downstream_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","downstream_X-Xss-Protection":"0","level":"info","msg":"","origin_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","origin_Content-Encoding":"gzip","origin_Content-Security-Policy":"upgrade-insecure-requests","origin_Content-Type":"text/x-component","origin_Date":"Sat, 09 May 2026 17:30:37 GMT","origin_Permissions-Policy":"camera=(), microphone=(), geolocation=()","origin_Referrer-Policy":"same-origin","origin_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","origin_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","origin_X-Content-Type-Options":"nosniff","origin_X-Frame-Options":"SAMEORIGIN","origin_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","origin_X-Xss-Protection":"0","request_Accept":"*/*","request_Accept-Encoding":"gzip, deflate, br, zstd","request_Accept-Language":"en-US,en;q=0.9","request_Cookie"","request_Next-Url":"/homelabs/settings/resources/proxy","request_Priority":"i","request_Referer":"https:///homelabs/settings/resources/proxy","request_Rsc":"1","request_Sec-Ch-Ua":"\"Google Chrome\";v=\"147\", \"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"147\"","request_Sec-Ch-Ua-Mobile":"?0","request_Sec-Ch-Ua-Platform":"\"Windows\"","request_Sec-Fetch-Dest":"empty","request_Sec-Fetch-Mode":"cors","request_Sec-Fetch-Site":"same-origin","request_Sec-Gpc":"1","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36","request_X-Forwarded-Host":"","request_X-Forwarded-Port":"443","request_X-Forwarded-Proto":"https","request_X-Forwarded-Server":"713f8dd68d53","request_X-Geoblock-Decision":"pass:allowed_country","request_X-Geoblock-Status":"pass","request_X-Ipcountry":"MY","request_X-Real-Ip":"","time":"2026-05-10T01:30:37+08:00"}
        |               └ create evt.Parsed.program : traefik-logs
        |               └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2026-05-09 17:58:54.484888014 +0000 UTC
        |               └ create evt.Meta.datasource_path : /var/log/traefik/test.log
        |               └ create evt.Meta.datasource_type : file
        ├ s01-parse
        |       ├ 🔴 crowdsecurity/appsec-logs
        |       ├ 🔴 crowdsecurity/iptables-logs
        |       ├ 🔴 crowdsecurity/sshd-logs
        |       ├ 🔴 crowdsecurity/sshd-success-logs
        |       └ 🟢 crowdsecurity/traefik-logs (+27 ~2)
        |               └ update evt.Stage : s01-parse -> s02-enrich
        |               └ create evt.Parsed.service_addr : pangolin
        |               └ create evt.Parsed.status : 200
        |               └ create evt.Parsed.traefik_router_intermediate : 
        |               └ create evt.Parsed.traefik_router_name : next-router@file
        |               └ create evt.Parsed.http_version : 2.0
        |               └ create evt.Parsed.request : /homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm
        |               └ create evt.Parsed.request_addr : 
        |               └ create evt.Parsed.verb : GET
        |               └ create evt.Parsed.body_bytes_sent : 205
        |               └ create evt.Parsed.time_local : 2026-05-10T01:30:37+08:00
        |               └ create evt.Parsed.dest_addr : 
        |               └ create evt.Parsed.port : 
        |               └ create evt.Parsed.remote_addr : 
        |               └ create evt.Parsed.request_duration_in_ms : 66416113
        |               └ create evt.Parsed.traefik_router_leaf : 
        |               └ create evt.Parsed.traefik_router_name_root : next-router@file
        |               └ create evt.Parsed.http_user_agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
        |               └ create evt.Unmarshaled.traefik : map[ClientAddr::60806 ClientHost: DownstreamContentSize:205 DownstreamStatus:200 Duration:6.6416113e+07 OriginStatus:200 RequestAddr: RequestHost: RequestMethod:GET RequestPath:/homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm RequestPort:- RequestProtocol:HTTP/2.0 RequestScheme:https RetryAttempts:0 RouterName:next-router@file ServiceAddr:pangolin:3002 ServiceName:next-service@file ServiceURL:http://pangolin:3002 StartLocal:2026-05-10T01:30:37.039936871+08:00 TLSCipher:TLS_AES_128_GCM_SHA256 TLSVersion:1.3 downstream_Cache-Control:private, no-cache, no-store, max-age=0, must-revalidate downstream_Content-Encoding:gzip downstream_Content-Security-Policy:upgrade-insecure-requests downstream_Content-Type:text/x-component downstream_Date:Sat, 09 May 2026 17:30:37 GMT downstream_Permissions-Policy:camera=(), microphone=(), geolocation=() downstream_Referrer-Policy:same-origin downstream_Strict-Transport-Security:max-age=63072000; includeSubDomains; preload downstream_Vary:rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding downstream_X-Content-Type-Options:nosniff downstream_X-Frame-Options:SAMEORIGIN downstream_X-Robots-Tag:none, noarchive, nosnippet, notranslate, noimageindex downstream_X-Xss-Protection:0 level:info msg: origin_Cache-Control:private, no-cache, no-store, max-age=0, must-revalidate origin_Content-Encoding:gzip origin_Content-Security-Policy:upgrade-insecure-requests origin_Content-Type:text/x-component origin_Date:Sat, 09 May 2026 17:30:37 GMT origin_Permissions-Policy:camera=(), microphone=(), geolocation=() origin_Referrer-Policy:same-origin origin_Strict-Transport-Security:max-age=63072000; includeSubDomains; preload origin_Vary:rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding origin_X-Content-Type-Options:nosniff origin_X-Frame-Options:SAMEORIGIN origin_X-Robots-Tag:none, noarchive, nosnippet, notranslate, noimageindex origin_X-Xss-Protection:0 request_Accept:*/* request_Accept-Encoding:gzip, deflate, br, zstd request_Accept-Language:en-US,en;q=0.9 request_Cookie: request_Next-Url:/homelabs/settings/resources/proxy request_Priority:i request_Referer:https:///homelabs/settings/resources/proxy request_Rsc:1 request_Sec-Ch-Ua:"Google Chrome";v="147", "Not.A/Brand";v="8", "Chromium";v="147" request_Sec-Ch-Ua-Mobile:?0 request_Sec-Ch-Ua-Platform:"Windows" request_Sec-Fetch-Dest:empty request_Sec-Fetch-Mode:cors request_Sec-Fetch-Site:same-origin request_Sec-Gpc:1 request_User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 request_X-Forwarded-Host: request_X-Forwarded-Port:443 request_X-Forwarded-Proto:https request_X-Forwarded-Server:713f8dd68d53 request_X-Geoblock-Decision:pass:allowed_country request_X-Geoblock-Status:pass request_X-Ipcountry:MY request_X-Real-Ip: time:2026-05-10T01:30:37+08:00]
        |               └ update evt.StrTime :  -> 2026-05-10T01:30:37+08:00
        |               └ create evt.Meta.target_fqdn : 
        |               └ create evt.Meta.http_status : 200
        |               └ create evt.Meta.service : http
        |               └ create evt.Meta.traefik_router_name : next-router@file
        |               └ create evt.Meta.http_path : /homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm
        |               └ create evt.Meta.http_user_agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36
        |               └ create evt.Meta.http_verb : GET
        |               └ create evt.Meta.log_type : http_access-log
        |               └ create evt.Meta.source_ip : 
        ├ s02-enrich
        |       ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2)
        |               ├ create evt.Enriched.MarshaledTime : 2026-05-10T01:30:37+08:00
        |               ├ update evt.Time : 2026-05-09 17:58:54.484888014 +0000 UTC -> 2026-05-10 01:30:37 +0800 +0800
        |               ├ update evt.MarshaledTime :  -> 2026-05-10T01:30:37+08:00
        |               ├ create evt.Meta.timestamp : 2026-05-10T01:30:37+08:00
        |       ├ 🟢 crowdsecurity/geoip-enrich (+13)
        |               ├ create evt.Enriched.ASNumber : 
        |               ├ create evt.Enriched.IsoCode : 
        |               ├ create evt.Enriched.Longitude : 
        |               ├ create evt.Enriched.SourceRange : 
        |               ├ create evt.Enriched.IsInEU : false
        |               ├ create evt.Enriched.Latitude : 
        |               ├ create evt.Enriched.ASNNumber : 
        |               ├ create evt.Enriched.ASNOrg : 
        |               ├ create evt.Meta.SourceRange : 
        |               ├ create evt.Meta.ASNNumber : 
        |               ├ create evt.Meta.ASNOrg : 
        |               ├ create evt.Meta.IsInEU : false
        |               ├ create evt.Meta.IsoCode : 
        |       ├ 🟢 crowdsecurity/http-logs (+8 ~1)
        |               ├ update evt.Parsed.request : /homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm -> /homelabs/settings/resources/proxy/bad-aztec-mouse
        |               ├ create evt.Parsed.impact_completion : true
        |               ├ create evt.Parsed.file_frag : bad-aztec-mouse
        |               ├ create evt.Parsed.file_dir : /homelabs/settings/resources/proxy/
        |               ├ create evt.Parsed.file_ext : 
        |               ├ create evt.Parsed.file_name : bad-aztec-mouse
        |               ├ create evt.Parsed.static_ressource : false
        |               ├ create evt.Parsed.http_args : _rsc=1j2gm
        |               ├ create evt.Meta.http_args_len : 10
        |       ├ 🟢 crowdsecurity/public-dns-allowlist (unchanged)
        |       └ 🟢 crowdsecurity/whitelists (unchanged)
        ├-------- parser success 🟢
        ├ Scenarios
                ├ 🟢 crowdsecurity/http-crawl-non_statics
                └ 🟢 crowdsecurity/http-dos-swithcing-ua

Environment

• OS Type & Version: Ubuntu 24.04.4 LTS
• Pangolin Version: ee-1.18.3
• Gerbil Version: latest
• Traefik Version: 3.6.16
• Newt Version: -
• Olm Version: -

To Reproduce

Expected Behavior

Originally created by @DKT69 on GitHub (May 11, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/3054 ### Describe the Bug after upgrade from 1.17.1 to 1.18.3 crowdsec false ban with http-crawl-non-statics. <img width="435" height="565" alt="Image" src="https://github.com/user-attachments/assets/f2656d89-caa7-4f48-b4b8-b13c84e89e2a" /> ``` root@pangolin:/opt/pangolin# docker exec -it crowdsec cscli explain --file /var/log/traefik/test.log --type traefik-logs -v line: {"ClientAddr":":60806","ClientHost":"","DownstreamContentSize":205,"DownstreamStatus":200,"Duration":66416113,"OriginStatus":200,"RequestAddr":"","RequestHost":"","RequestMethod":"GET","RequestPath":"/homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"next-router@file","ServiceAddr":"pangolin:3002","ServiceName":"next-service@file","ServiceURL":"http://pangolin:3002","StartLocal":"2026-05-10T01:30:37.039936871+08:00","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","downstream_Content-Encoding":"gzip","downstream_Content-Security-Policy":"upgrade-insecure-requests","downstream_Content-Type":"text/x-component","downstream_Date":"Sat, 09 May 2026 17:30:37 GMT","downstream_Permissions-Policy":"camera=(), microphone=(), geolocation=()","downstream_Referrer-Policy":"same-origin","downstream_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","downstream_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","downstream_X-Content-Type-Options":"nosniff","downstream_X-Frame-Options":"SAMEORIGIN","downstream_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","downstream_X-Xss-Protection":"0","level":"info","msg":"","origin_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","origin_Content-Encoding":"gzip","origin_Content-Security-Policy":"upgrade-insecure-requests","origin_Content-Type":"text/x-component","origin_Date":"Sat, 09 May 2026 17:30:37 GMT","origin_Permissions-Policy":"camera=(), microphone=(), geolocation=()","origin_Referrer-Policy":"same-origin","origin_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","origin_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","origin_X-Content-Type-Options":"nosniff","origin_X-Frame-Options":"SAMEORIGIN","origin_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","origin_X-Xss-Protection":"0","request_Accept":"*/*","request_Accept-Encoding":"gzip, deflate, br, zstd","request_Accept-Language":"en-US,en;q=0.9","request_Cookie":"","request_Next-Url":"/homelabs/settings/resources/proxy","request_Priority":"i","request_Referer":"https:///homelabs/settings/resources/proxy","request_Rsc":"1","request_Sec-Ch-Ua":"\"Google Chrome\";v=\"147\", \"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"147\"","request_Sec-Ch-Ua-Mobile":"?0","request_Sec-Ch-Ua-Platform":"\"Windows\"","request_Sec-Fetch-Dest":"empty","request_Sec-Fetch-Mode":"cors","request_Sec-Fetch-Site":"same-origin","request_Sec-Gpc":"1","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36","request_X-Forwarded-Host":"","request_X-Forwarded-Port":"443","request_X-Forwarded-Proto":"https","request_X-Forwarded-Server":"713f8dd68d53","request_X-Geoblock-Decision":"pass:allowed_country","request_X-Geoblock-Status":"pass","request_X-Ipcountry":"MY","request_X-Real-Ip":"","time":"2026-05-10T01:30:37+08:00"} ├ s00-raw | ├ 🔴 crowdsecurity/cri-logs | ├ 🔴 crowdsecurity/docker-logs | ├ 🔴 crowdsecurity/syslog-logs | └ 🟢 crowdsecurity/non-syslog (+5 ~8) | └ update evt.ExpectMode : %!s(int=0) -> 1 | └ update evt.Stage : -> s01-parse | └ update evt.Line.Raw : -> {"ClientAddr":":60806","ClientHost":"","DownstreamContentSize":205,"DownstreamStatus":200,"Duration":66416113,"OriginStatus":200,"RequestAddr":"","RequestHost":"","RequestMethod":"GET","RequestPath":"/homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"next-router@file","ServiceAddr":"pangolin:3002","ServiceName":"next-service@file","ServiceURL":"http://pangolin:3002","StartLocal":"2026-05-10T01:30:37.039936871+08:00","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","downstream_Content-Encoding":"gzip","downstream_Content-Security-Policy":"upgrade-insecure-requests","downstream_Content-Type":"text/x-component","downstream_Date":"Sat, 09 May 2026 17:30:37 GMT","downstream_Permissions-Policy":"camera=(), microphone=(), geolocation=()","downstream_Referrer-Policy":"same-origin","downstream_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","downstream_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","downstream_X-Content-Type-Options":"nosniff","downstream_X-Frame-Options":"SAMEORIGIN","downstream_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","downstream_X-Xss-Protection":"0","level":"info","msg":"","origin_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","origin_Content-Encoding":"gzip","origin_Content-Security-Policy":"upgrade-insecure-requests","origin_Content-Type":"text/x-component","origin_Date":"Sat, 09 May 2026 17:30:37 GMT","origin_Permissions-Policy":"camera=(), microphone=(), geolocation=()","origin_Referrer-Policy":"same-origin","origin_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","origin_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","origin_X-Content-Type-Options":"nosniff","origin_X-Frame-Options":"SAMEORIGIN","origin_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","origin_X-Xss-Protection":"0","request_Accept":"*/*","request_Accept-Encoding":"gzip, deflate, br, zstd","request_Accept-Language":"en-US,en;q=0.9","request_Cookie":"pangolin-last-org=homelabs;","request_Next-Url":"/homelabs/settings/resources/proxy","request_Priority":"i","request_Referer":"https:///homelabs/settings/resources/proxy","request_Rsc":"1","request_Sec-Ch-Ua":"\"Google Chrome\";v=\"147\", \"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"147\"","request_Sec-Ch-Ua-Mobile":"?0","request_Sec-Ch-Ua-Platform":"\"Windows\"","request_Sec-Fetch-Dest":"empty","request_Sec-Fetch-Mode":"cors","request_Sec-Fetch-Site":"same-origin","request_Sec-Gpc":"1","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36","request_X-Forwarded-Host":"","request_X-Forwarded-Port":"443","request_X-Forwarded-Proto":"https","request_X-Forwarded-Server":"713f8dd68d53","request_X-Geoblock-Decision":"pass:allowed_country","request_X-Geoblock-Status":"pass","request_X-Ipcountry":"MY","request_X-Real-Ip":"","time":"2026-05-10T01:30:37+08:00"} | └ update evt.Line.Src : -> /var/log/traefik/test.log | └ update evt.Line.Time : 0001-01-01 00:00:00 +0000 UTC -> 2026-05-09 17:58:54.484770772 +0000 UTC | └ create evt.Line.Labels.type : traefik-logs | └ update evt.Line.Process : %!s(bool=false) -> true | └ update evt.Line.Module : -> file | └ create evt.Parsed.message : {"ClientAddr":":60806","ClientHost":"","DownstreamContentSize":205,"DownstreamStatus":200,"Duration":66416113,"OriginStatus":200,"RequestAddr":"","RequestHost":"","RequestMethod":"GET","RequestPath":"/homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"next-router@file","ServiceAddr":"pangolin:3002","ServiceName":"next-service@file","ServiceURL":"http://pangolin:3002","StartLocal":"2026-05-10T01:30:37.039936871+08:00","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","downstream_Content-Encoding":"gzip","downstream_Content-Security-Policy":"upgrade-insecure-requests","downstream_Content-Type":"text/x-component","downstream_Date":"Sat, 09 May 2026 17:30:37 GMT","downstream_Permissions-Policy":"camera=(), microphone=(), geolocation=()","downstream_Referrer-Policy":"same-origin","downstream_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","downstream_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","downstream_X-Content-Type-Options":"nosniff","downstream_X-Frame-Options":"SAMEORIGIN","downstream_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","downstream_X-Xss-Protection":"0","level":"info","msg":"","origin_Cache-Control":"private, no-cache, no-store, max-age=0, must-revalidate","origin_Content-Encoding":"gzip","origin_Content-Security-Policy":"upgrade-insecure-requests","origin_Content-Type":"text/x-component","origin_Date":"Sat, 09 May 2026 17:30:37 GMT","origin_Permissions-Policy":"camera=(), microphone=(), geolocation=()","origin_Referrer-Policy":"same-origin","origin_Strict-Transport-Security":"max-age=63072000; includeSubDomains; preload","origin_Vary":"rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding","origin_X-Content-Type-Options":"nosniff","origin_X-Frame-Options":"SAMEORIGIN","origin_X-Robots-Tag":"none, noarchive, nosnippet, notranslate, noimageindex","origin_X-Xss-Protection":"0","request_Accept":"*/*","request_Accept-Encoding":"gzip, deflate, br, zstd","request_Accept-Language":"en-US,en;q=0.9","request_Cookie"","request_Next-Url":"/homelabs/settings/resources/proxy","request_Priority":"i","request_Referer":"https:///homelabs/settings/resources/proxy","request_Rsc":"1","request_Sec-Ch-Ua":"\"Google Chrome\";v=\"147\", \"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"147\"","request_Sec-Ch-Ua-Mobile":"?0","request_Sec-Ch-Ua-Platform":"\"Windows\"","request_Sec-Fetch-Dest":"empty","request_Sec-Fetch-Mode":"cors","request_Sec-Fetch-Site":"same-origin","request_Sec-Gpc":"1","request_User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36","request_X-Forwarded-Host":"","request_X-Forwarded-Port":"443","request_X-Forwarded-Proto":"https","request_X-Forwarded-Server":"713f8dd68d53","request_X-Geoblock-Decision":"pass:allowed_country","request_X-Geoblock-Status":"pass","request_X-Ipcountry":"MY","request_X-Real-Ip":"","time":"2026-05-10T01:30:37+08:00"} | └ create evt.Parsed.program : traefik-logs | └ update evt.Time : 0001-01-01 00:00:00 +0000 UTC -> 2026-05-09 17:58:54.484888014 +0000 UTC | └ create evt.Meta.datasource_path : /var/log/traefik/test.log | └ create evt.Meta.datasource_type : file ├ s01-parse | ├ 🔴 crowdsecurity/appsec-logs | ├ 🔴 crowdsecurity/iptables-logs | ├ 🔴 crowdsecurity/sshd-logs | ├ 🔴 crowdsecurity/sshd-success-logs | └ 🟢 crowdsecurity/traefik-logs (+27 ~2) | └ update evt.Stage : s01-parse -> s02-enrich | └ create evt.Parsed.service_addr : pangolin | └ create evt.Parsed.status : 200 | └ create evt.Parsed.traefik_router_intermediate : | └ create evt.Parsed.traefik_router_name : next-router@file | └ create evt.Parsed.http_version : 2.0 | └ create evt.Parsed.request : /homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm | └ create evt.Parsed.request_addr : | └ create evt.Parsed.verb : GET | └ create evt.Parsed.body_bytes_sent : 205 | └ create evt.Parsed.time_local : 2026-05-10T01:30:37+08:00 | └ create evt.Parsed.dest_addr : | └ create evt.Parsed.port : | └ create evt.Parsed.remote_addr : | └ create evt.Parsed.request_duration_in_ms : 66416113 | └ create evt.Parsed.traefik_router_leaf : | └ create evt.Parsed.traefik_router_name_root : next-router@file | └ create evt.Parsed.http_user_agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 | └ create evt.Unmarshaled.traefik : map[ClientAddr::60806 ClientHost: DownstreamContentSize:205 DownstreamStatus:200 Duration:6.6416113e+07 OriginStatus:200 RequestAddr: RequestHost: RequestMethod:GET RequestPath:/homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm RequestPort:- RequestProtocol:HTTP/2.0 RequestScheme:https RetryAttempts:0 RouterName:next-router@file ServiceAddr:pangolin:3002 ServiceName:next-service@file ServiceURL:http://pangolin:3002 StartLocal:2026-05-10T01:30:37.039936871+08:00 TLSCipher:TLS_AES_128_GCM_SHA256 TLSVersion:1.3 downstream_Cache-Control:private, no-cache, no-store, max-age=0, must-revalidate downstream_Content-Encoding:gzip downstream_Content-Security-Policy:upgrade-insecure-requests downstream_Content-Type:text/x-component downstream_Date:Sat, 09 May 2026 17:30:37 GMT downstream_Permissions-Policy:camera=(), microphone=(), geolocation=() downstream_Referrer-Policy:same-origin downstream_Strict-Transport-Security:max-age=63072000; includeSubDomains; preload downstream_Vary:rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding downstream_X-Content-Type-Options:nosniff downstream_X-Frame-Options:SAMEORIGIN downstream_X-Robots-Tag:none, noarchive, nosnippet, notranslate, noimageindex downstream_X-Xss-Protection:0 level:info msg: origin_Cache-Control:private, no-cache, no-store, max-age=0, must-revalidate origin_Content-Encoding:gzip origin_Content-Security-Policy:upgrade-insecure-requests origin_Content-Type:text/x-component origin_Date:Sat, 09 May 2026 17:30:37 GMT origin_Permissions-Policy:camera=(), microphone=(), geolocation=() origin_Referrer-Policy:same-origin origin_Strict-Transport-Security:max-age=63072000; includeSubDomains; preload origin_Vary:rsc, next-router-state-tree, next-router-prefetch, next-router-segment-prefetch, Accept-Encoding origin_X-Content-Type-Options:nosniff origin_X-Frame-Options:SAMEORIGIN origin_X-Robots-Tag:none, noarchive, nosnippet, notranslate, noimageindex origin_X-Xss-Protection:0 request_Accept:*/* request_Accept-Encoding:gzip, deflate, br, zstd request_Accept-Language:en-US,en;q=0.9 request_Cookie: request_Next-Url:/homelabs/settings/resources/proxy request_Priority:i request_Referer:https:///homelabs/settings/resources/proxy request_Rsc:1 request_Sec-Ch-Ua:"Google Chrome";v="147", "Not.A/Brand";v="8", "Chromium";v="147" request_Sec-Ch-Ua-Mobile:?0 request_Sec-Ch-Ua-Platform:"Windows" request_Sec-Fetch-Dest:empty request_Sec-Fetch-Mode:cors request_Sec-Fetch-Site:same-origin request_Sec-Gpc:1 request_User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 request_X-Forwarded-Host: request_X-Forwarded-Port:443 request_X-Forwarded-Proto:https request_X-Forwarded-Server:713f8dd68d53 request_X-Geoblock-Decision:pass:allowed_country request_X-Geoblock-Status:pass request_X-Ipcountry:MY request_X-Real-Ip: time:2026-05-10T01:30:37+08:00] | └ update evt.StrTime : -> 2026-05-10T01:30:37+08:00 | └ create evt.Meta.target_fqdn : | └ create evt.Meta.http_status : 200 | └ create evt.Meta.service : http | └ create evt.Meta.traefik_router_name : next-router@file | └ create evt.Meta.http_path : /homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm | └ create evt.Meta.http_user_agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 | └ create evt.Meta.http_verb : GET | └ create evt.Meta.log_type : http_access-log | └ create evt.Meta.source_ip : ├ s02-enrich | ├ 🟢 crowdsecurity/dateparse-enrich (+2 ~2) | ├ create evt.Enriched.MarshaledTime : 2026-05-10T01:30:37+08:00 | ├ update evt.Time : 2026-05-09 17:58:54.484888014 +0000 UTC -> 2026-05-10 01:30:37 +0800 +0800 | ├ update evt.MarshaledTime : -> 2026-05-10T01:30:37+08:00 | ├ create evt.Meta.timestamp : 2026-05-10T01:30:37+08:00 | ├ 🟢 crowdsecurity/geoip-enrich (+13) | ├ create evt.Enriched.ASNumber : | ├ create evt.Enriched.IsoCode : | ├ create evt.Enriched.Longitude : | ├ create evt.Enriched.SourceRange : | ├ create evt.Enriched.IsInEU : false | ├ create evt.Enriched.Latitude : | ├ create evt.Enriched.ASNNumber : | ├ create evt.Enriched.ASNOrg : | ├ create evt.Meta.SourceRange : | ├ create evt.Meta.ASNNumber : | ├ create evt.Meta.ASNOrg : | ├ create evt.Meta.IsInEU : false | ├ create evt.Meta.IsoCode : | ├ 🟢 crowdsecurity/http-logs (+8 ~1) | ├ update evt.Parsed.request : /homelabs/settings/resources/proxy/bad-aztec-mouse?_rsc=1j2gm -> /homelabs/settings/resources/proxy/bad-aztec-mouse | ├ create evt.Parsed.impact_completion : true | ├ create evt.Parsed.file_frag : bad-aztec-mouse | ├ create evt.Parsed.file_dir : /homelabs/settings/resources/proxy/ | ├ create evt.Parsed.file_ext : | ├ create evt.Parsed.file_name : bad-aztec-mouse | ├ create evt.Parsed.static_ressource : false | ├ create evt.Parsed.http_args : _rsc=1j2gm | ├ create evt.Meta.http_args_len : 10 | ├ 🟢 crowdsecurity/public-dns-allowlist (unchanged) | └ 🟢 crowdsecurity/whitelists (unchanged) ├-------- parser success 🟢 ├ Scenarios ├ 🟢 crowdsecurity/http-crawl-non_statics └ 🟢 crowdsecurity/http-dos-swithcing-ua ``` ### Environment - OS Type & Version: Ubuntu 24.04.4 LTS - Pangolin Version: ee-1.18.3 - Gerbil Version: latest - Traefik Version: 3.6.16 - Newt Version: - - Olm Version: - ### To Reproduce - ### Expected Behavior -

GiteaMirror closed this issue 2026-05-18 17:46:35 -05:00

GiteaMirror commented 2026-05-18 17:46:36 -05:00

Author

Owner

Copy Link

@AstralDestiny commented on GitHub (May 11, 2026):

I mean in your image that ?_rsc=1j2gm is not part of pangolin so someone's trying to hit that odd path.. if it's part of pangolin I don't think I've ever seen it before..

If it is where are you and what are you doing at the time of being blocked?

<!-- gh-comment-id:4424973533 --> @AstralDestiny commented on GitHub (May 11, 2026): I mean in your image that ``?_rsc=1j2gm`` is not part of pangolin so someone's trying to hit that odd path.. if it's part of pangolin I don't think I've ever seen it before.. If it is where are you and what are you doing at the time of being blocked?

GiteaMirror commented 2026-05-18 17:46:37 -05:00

Author

Owner

Copy Link

@DKT69 commented on GitHub (May 11, 2026):

I mean in your image that ?_rsc=1j2gm is not part of pangolin so someone's trying to hit that odd path.. if it's part of pangolin I don't think I've ever seen it before..

If it is where are you and what are you doing at the time of being blocked?

when i try visit the public/private resource i will get blocked. i have roll back 1.17.1 and without false ban.

<!-- gh-comment-id:4425021690 --> @DKT69 commented on GitHub (May 11, 2026): > I mean in your image that `?_rsc=1j2gm` is not part of pangolin so someone's trying to hit that odd path.. if it's part of pangolin I don't think I've ever seen it before.. > > If it is where are you and what are you doing at the time of being blocked? when i try visit the public/private resource i will get blocked. i have roll back 1.17.1 and without false ban.

GiteaMirror commented 2026-05-18 17:46:38 -05:00

Author

Owner

Copy Link

@AstralDestiny commented on GitHub (May 11, 2026):

Settings or the resource itself?

<!-- gh-comment-id:4425119227 --> @AstralDestiny commented on GitHub (May 11, 2026): Settings or the resource itself?

GiteaMirror commented 2026-05-18 17:46:38 -05:00

Author

Owner

Copy Link

@LaurenceJJones commented on GitHub (May 11, 2026):

The explain isn't enough context as stated in discord if you have the alert ID then run cscli alert inspect <ID> -d then it will inform of all paths

Sorry if I presumed your the same person but I think I saw the same discord notification image

<!-- gh-comment-id:4425244069 --> @LaurenceJJones commented on GitHub (May 11, 2026): The explain isn't enough context as stated in discord if you have the alert ID then run `cscli alert inspect <ID> -d` then it will inform of all paths Sorry if I presumed your the same person but I think I saw the same discord notification image

GiteaMirror commented 2026-05-18 17:46:39 -05:00

Author

Owner

Copy Link

@DKT69 commented on GitHub (May 12, 2026):

The explain isn't enough context as stated in discord if you have the alert ID then run cscli alert inspect <ID> -d then it will inform of all paths

Sorry if I presumed your the same person but I think I saw the same discord notification image

yes correct that was me same person.

root@pangolin:/opt/pangolin# docker exec -it crowdsec cscli alert inspect 558 -d

################################################################################################

 - ID           : 558
 - Date         : 2026-05-12T09:52:44Z
 - Machine      : localhost
 - Simulation   : false
 - Remediation  : true
 - Kind         : crowdsec
 - Reason       : crowdsecurity/http-crawl-non_statics
 - Events Count : 55
 - Scope:Value  : Ip:xxx.xxx.xxx.xxx
 - Country      : xx
 - AS           : xxx.xxx
 - Begin        : 2026-05-12T09:52:36Z
 - End          : 2026-05-12T09:52:43Z
 - UUID         : 96d05146-cdff-4437-8d95-91ae4ea00ed1

╭───────────────────────────────────────────────────────────────────────────╮
│ Active Decisions                                                          │
├─────────┬───────────────────┬─────────┬────────────┬──────────────────────┤
│    ID   │    scope:value    │  action │ expiration │      created_at      │
├─────────┼───────────────────┼─────────┼────────────┼──────────────────────┤
│ 2996929 │ Ip:xxx.xxx.xxx.xxx│ captcha │ 23h54m19s  │ 2026-05-12T09:52:44Z │
╰─────────┴───────────────────┴─────────┴────────────┴──────────────────────╯

 - Context  :
╭────────────┬──────────────────────────────────────────────────────────────╮
│     Key    │                             Value                            │
├────────────┼──────────────────────────────────────────────────────────────┤
│ method     │ GET                                                          │
│ status     │ 200                                                          │
│ target_uri │ /homelabs/settings/resources/proxy/separate-euprepiophis-con │
│            │ spicillata?_rsc=n6dmk                                        │
│ target_uri │ /homelabs/settings/resources/proxy/fortunate-indian-desert-j │
│            │ ird?_rsc=n6dmk                                               │
│ target_uri │ /homelabs/settings/resources/proxy/constant-numbat?_rsc=n6dm │
│            │ k                                                            │
│ target_uri │ /homelabs/settings/resources/proxy/putrid-bandy-bandy?_rsc=n │
│            │ 6dmk                                                         │
│ target_uri │ /api/v1/org/homelabs/certificate/domain1/xxxx.xxx.xxx.xx.... │
│ target_uri │ /api/v1/org/homelabs/certificate/domain1/xxxxx.xxx.xxx.xxx. │
│            │ g                                                            │
│ user_agent │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │
│            │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36           │
╰─���──────────┴──────────────────────────────────────────────────────────────╯

 - Events  :

- Date: 2026-05-12 09:52:43 +0000 UTC
╭─────────────────────┬──────────────────────────────────────────────────────────────╮
│         Key         │                             Value                            │
├─────────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber           │ xxxx                                                         │
│ ASNOrg              │ xxx.xxx                                                      │
│ IsInEU              │ false                                                        │
│ IsoCode             │ xx                                                           │
│ SourceRange         │ xxx.xxx.xxx.xxx/16                                           │
│ datasource_path     │ /var/log/traefik/access.log                                  │
│ datasource_type     │ file                                                         │
│ http_args_len       │ 10                                                           │
│ http_path           │ /homelabs/settings/resources/proxy/separate-euprepiophis-con │
│                     │ spicillata?_rsc=n6dmk                                        │
│ http_status         │ 200                                                          │
│ http_user_agent     │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │
│                     │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36           │
│ http_verb           │ GET                                                          │
│ log_type            │ http_access-log                                              │
│ service             │ http                                                         │
│ source_ip           │ xxx.xxx.xxx.xxx                                              │
│ target_fqdn         │ pangolin.xxx.xxx.xx                                          │
│ timestamp           │ 2026-05-12T17:52:43+08:00                                    │
│ traefik_router_name │ next-router@file                                             │
╰─────────────────────┴──────────────────────────────────────────────────────────────╯

- Date: 2026-05-12 09:52:43 +0000 UTC
╭─────────────────────┬──────────────────────────────────────────────────────────────╮
│         Key         │                             Value                            │
├─────────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber           │ xxxx                                                         │
│ ASNOrg              │ xxx.xxx                                                      │
│ IsInEU              │ false                                                        │
│ IsoCode             │ xx                                                           │
│ SourceRange         │ xxx.xxx.xxx.xxx/16                                           │
│ datasource_path     │ /var/log/traefik/access.log                                  │
│ datasource_type     │ file                                                         │
│ http_args_len       │ 10                                                           │
│ http_path           │ /homelabs/settings/resources/proxy/fortunate-indian-desert-j │
│                     │ ird?_rsc=n6dmk                                               │
│ http_status         │ 200                                                          │
│ http_user_agent     │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │
│                     │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36           │
│ http_verb           │ GET                                                          │
│ log_type            │ http_access-log                                              │
│ service             │ http                                                         │
│ source_ip           │ xxx.xxx.xxx.xxx                                              │
│ target_fqdn         │ pangolin.xxx.xxx.xx                                          │
│ timestamp           │ 2026-05-12T17:52:43+08:00                                    │
│ traefik_router_name │ next-router@file                                             │
╰─────────────────────┴──────────────────────────────────────────────────────────────╯

- Date: 2026-05-12 09:52:43 +0000 UTC
╭─────────────────────┬──────────────────────────────────────────────────────────────╮
│         Key         │                             Value                            │
├─────────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber           │ xxxx                                                         │
│ ASNOrg              │ xxx.xxx                                                      │
│ IsInEU              │ false                                                        │
│ IsoCode             │ xx                                                           │
│ SourceRange         │ xxx.xxx.xxx.xxx/16                                           │
│ datasource_path     │ /var/log/traefik/access.log                                  │
│ datasource_type     │ file                                                         │
│ http_args_len       │ 10                                                           │
│ http_path           │ /homelabs/settings/resources/proxy/constant-numbat?_rsc=n6dm │
│                     │ k                                                            │
│ http_status         │ 200                                                          │
│ http_user_agent     │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │
│                     │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36           │
│ http_verb           │ GET                                                          │
│ log_type            │ http_access-log                                              │
│ service             │ http                                                         │
│ source_ip           │ xxx.xxx.xxx.xxx                                              │
│ target_fqdn         │ pangolin.xxx.xxx.xx                                          │
│ timestamp           │ 2026-05-12T17:52:43+08:00                                    │
│ traefik_router_name │ next-router@file                                             │
╰─────────────────────┴──────────────────────────────────────────────────────────────╯

- Date: 2026-05-12 09:52:43 +0000 UTC
╭─────────────────────┬──────────────────────────────────────────────────────────────╮
│         Key         │                             Value                            │
├─────────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber           │ xxxx                                                         │
│ ASNOrg              │ xxx.xxx                                                      │
│ IsInEU              │ false                                                        │
│ IsoCode             │ xx                                                           │
│ SourceRange         │ xxx.xxx.xxx.xxx/16                                           │
│ datasource_path     │ /var/log/traefik/access.log                                  │
│ datasource_type     │ file                                                         │
│ http_args_len       │ 10                                                           │
│ http_path           │ /homelabs/settings/resources/proxy/putrid-bandy-bandy?_rsc=n │
│                     │ 6dmk                                                         │
│ http_status         │ 200                                                          │
│ http_user_agent     │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │
│                     │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36           │
│ http_verb           │ GET                                                          │
│ log_type            │ http_access-log                                              │
│ service             │ http                                                         │
│ source_ip           │ xxx.xxx.xxx.xxx                                              │
│ target_fqdn         │ pangolin.xxx.xxx.xx                                          │
│ timestamp           │ 2026-05-12T17:52:43+08:00                                    │
│ traefik_router_name │ next-router@file                                             │
╰─────────────────────┴──────────────────────────────────────────────────────────────╯

- Date: 2026-05-12 09:52:43 +0000 UTC
╭─────────────────────┬──────────────────────────────────────────────────────────────╮
│         Key         │                             Value                            │
├─────────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber           │ xxxx                                                         │
│ ASNOrg              │ xxx.xxx                                                      │
│ IsInEU              │ false                                                        │
│ IsoCode             │ xx                                                           │
│ SourceRange         │ xxx.xxx.xxx.xxx/16                                           │
│ datasource_path     │ /var/log/traefik/access.log                                  │
│ datasource_type     │ file                                                         │
│ http_args_len       │ 0                                                            │
│ http_path           │ /api/v1/org/homelabs/certificate/domain1/xxxx.xxx.xxx.xx │
│ http_status         │ 200                                                          │
│ http_user_agent     │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │
│                     │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36           │
│ http_verb           │ GET                                                          │
│ log_type            │ http_access-log                                              │
│ service             │ http                                                         │
│ source_ip           │ xxx.xxx.xxx.xxx                                              │
│ target_fqdn         │ pangolin.xxx.xxx.xx                                          │
│ timestamp           │ 2026-05-12T17:52:43+08:00                                    │
│ traefik_router_name │ api-router@file                                              │
╰─────────────────────┴──────────────────────────────────────────────────────────────╯

- Date: 2026-05-12 09:52:43 +0000 UTC
╭─────────────────────┬──────────────────────────────────────────────────────────────╮
│         Key         │                             Value                            │
├─────────────────────┼──────────────────────────────────────────────────────────────┤
│ ASNNumber           │ xxxx                                                         │
│ ASNOrg              │ xxx.xxx                                                      │
│ IsInEU              │ false                                                        │
│ IsoCode             │ xx                                                           │
│ SourceRange         │ xxx.xxx.xxx.xxx/16                                           │
│ datasource_path     │ /var/log/traefik/access.log                                  │
│ datasource_type     │ file                                                         │
│ http_args_len       │ 0                                                            │
│ http_path           │ /api/v1/org/homelabs/certificate/domain1/xxxxxx.xxx.xxx.xx   │
│                     │ g                                                            │
│ http_status         │ 200                                                          │
│ http_user_agent     │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │
│                     │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36           │
│ http_verb           │ GET                                                          │
│ log_type            │ http_access-log                                              │
│ service             │ http                                                         │
│ source_ip           │ xxx.xxx.xxx.xxx                                              │
│ target_fqdn         │ pangolin.xxx.xxx.xx                                          │
│ timestamp           │ 2026-05-12T17:52:43+08:00                                    │
│ traefik_router_name │ api-router@file                                              │
╰─────────────────────┴──────────────────────────────────────────────────────────────╯

<!-- gh-comment-id:4429348537 --> @DKT69 commented on GitHub (May 12, 2026): > The explain isn't enough context as stated in discord if you have the alert ID then run `cscli alert inspect <ID> -d` then it will inform of all paths > > Sorry if I presumed your the same person but I think I saw the same discord notification image yes correct that was me same person. ``` root@pangolin:/opt/pangolin# docker exec -it crowdsec cscli alert inspect 558 -d ################################################################################################ - ID : 558 - Date : 2026-05-12T09:52:44Z - Machine : localhost - Simulation : false - Remediation : true - Kind : crowdsec - Reason : crowdsecurity/http-crawl-non_statics - Events Count : 55 - Scope:Value : Ip:xxx.xxx.xxx.xxx - Country : xx - AS : xxx.xxx - Begin : 2026-05-12T09:52:36Z - End : 2026-05-12T09:52:43Z - UUID : 96d05146-cdff-4437-8d95-91ae4ea00ed1 ╭───────────────────────────────────────────────────────────────────────────╮ │ Active Decisions │ ├─────────┬───────────────────┬─────────┬────────────┬──────────────────────┤ │ ID │ scope:value │ action │ expiration │ created_at │ ├─────────┼───────────────────┼─────────┼────────────┼──────────────────────┤ │ 2996929 │ Ip:xxx.xxx.xxx.xxx│ captcha │ 23h54m19s │ 2026-05-12T09:52:44Z │ ╰─────────┴───────────────────┴─────────┴────────────┴──────────────────────╯ - Context : ╭────────────┬──────────────────────────────────────────────────────────────╮ │ Key │ Value │ ├────────────┼──────────────────────────────────────────────────────────────┤ │ method │ GET │ │ status │ 200 │ │ target_uri │ /homelabs/settings/resources/proxy/separate-euprepiophis-con │ │ │ spicillata?_rsc=n6dmk │ │ target_uri │ /homelabs/settings/resources/proxy/fortunate-indian-desert-j │ │ │ ird?_rsc=n6dmk │ │ target_uri │ /homelabs/settings/resources/proxy/constant-numbat?_rsc=n6dm │ │ │ k │ │ target_uri │ /homelabs/settings/resources/proxy/putrid-bandy-bandy?_rsc=n │ │ │ 6dmk │ │ target_uri │ /api/v1/org/homelabs/certificate/domain1/xxxx.xxx.xxx.xx.... │ │ target_uri │ /api/v1/org/homelabs/certificate/domain1/xxxxx.xxx.xxx.xxx. │ │ │ g │ │ user_agent │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │ │ │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 │ ╰─���──────────┴──────────────────────────────────────────────────────────────╯ - Events : - Date: 2026-05-12 09:52:43 +0000 UTC ╭─────────────────────┬──────────────────────────────────────────────────────────────╮ │ Key │ Value │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ ASNNumber │ xxxx │ │ ASNOrg │ xxx.xxx │ │ IsInEU │ false │ │ IsoCode │ xx │ │ SourceRange │ xxx.xxx.xxx.xxx/16 │ │ datasource_path │ /var/log/traefik/access.log │ │ datasource_type │ file │ │ http_args_len │ 10 │ │ http_path │ /homelabs/settings/resources/proxy/separate-euprepiophis-con │ │ │ spicillata?_rsc=n6dmk │ │ http_status │ 200 │ │ http_user_agent │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │ │ │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 │ │ http_verb │ GET │ │ log_type │ http_access-log │ │ service │ http │ │ source_ip │ xxx.xxx.xxx.xxx │ │ target_fqdn │ pangolin.xxx.xxx.xx │ │ timestamp │ 2026-05-12T17:52:43+08:00 │ │ traefik_router_name │ next-router@file │ ╰─────────────────────┴──────────────────────────────────────────────────────────────╯ - Date: 2026-05-12 09:52:43 +0000 UTC ╭─────────────────────┬──────────────────────────────────────────────────────────────╮ │ Key │ Value │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ ASNNumber │ xxxx │ │ ASNOrg │ xxx.xxx │ │ IsInEU │ false │ │ IsoCode │ xx │ │ SourceRange │ xxx.xxx.xxx.xxx/16 │ │ datasource_path │ /var/log/traefik/access.log │ │ datasource_type │ file │ │ http_args_len │ 10 │ │ http_path │ /homelabs/settings/resources/proxy/fortunate-indian-desert-j │ │ │ ird?_rsc=n6dmk │ │ http_status │ 200 │ │ http_user_agent │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │ │ │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 │ │ http_verb │ GET │ │ log_type │ http_access-log │ │ service │ http │ │ source_ip │ xxx.xxx.xxx.xxx │ │ target_fqdn │ pangolin.xxx.xxx.xx │ │ timestamp │ 2026-05-12T17:52:43+08:00 │ │ traefik_router_name │ next-router@file │ ╰─────────────────────┴──────────────────────────────────────────────────────────────╯ - Date: 2026-05-12 09:52:43 +0000 UTC ╭─────────────────────┬──────────────────────────────────────────────────────────────╮ │ Key │ Value │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ ASNNumber │ xxxx │ │ ASNOrg │ xxx.xxx │ │ IsInEU │ false │ │ IsoCode │ xx │ │ SourceRange │ xxx.xxx.xxx.xxx/16 │ │ datasource_path │ /var/log/traefik/access.log │ │ datasource_type │ file │ │ http_args_len │ 10 │ │ http_path │ /homelabs/settings/resources/proxy/constant-numbat?_rsc=n6dm │ │ │ k │ │ http_status │ 200 │ │ http_user_agent │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │ │ │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 │ │ http_verb │ GET │ │ log_type │ http_access-log │ │ service │ http │ │ source_ip │ xxx.xxx.xxx.xxx │ │ target_fqdn │ pangolin.xxx.xxx.xx │ │ timestamp │ 2026-05-12T17:52:43+08:00 │ │ traefik_router_name │ next-router@file │ ╰─────────────────────┴──────────────────────────────────────────────────────────────╯ - Date: 2026-05-12 09:52:43 +0000 UTC ╭─────────────────────┬──────────────────────────────────────────────────────────────╮ │ Key │ Value │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ ASNNumber │ xxxx │ │ ASNOrg │ xxx.xxx │ │ IsInEU │ false │ │ IsoCode │ xx │ │ SourceRange │ xxx.xxx.xxx.xxx/16 │ │ datasource_path │ /var/log/traefik/access.log │ │ datasource_type │ file │ │ http_args_len │ 10 │ │ http_path │ /homelabs/settings/resources/proxy/putrid-bandy-bandy?_rsc=n │ │ │ 6dmk │ │ http_status │ 200 │ │ http_user_agent │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │ │ │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 │ │ http_verb │ GET │ │ log_type │ http_access-log │ │ service │ http │ │ source_ip │ xxx.xxx.xxx.xxx │ │ target_fqdn │ pangolin.xxx.xxx.xx │ │ timestamp │ 2026-05-12T17:52:43+08:00 │ │ traefik_router_name │ next-router@file │ ╰─────────────────────┴──────────────────────────────────────────────────────────────╯ - Date: 2026-05-12 09:52:43 +0000 UTC ╭─────────────────────┬──────────────────────────────────────────────────────────────╮ │ Key │ Value │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ ASNNumber │ xxxx │ │ ASNOrg │ xxx.xxx │ │ IsInEU │ false │ │ IsoCode │ xx │ │ SourceRange │ xxx.xxx.xxx.xxx/16 │ │ datasource_path │ /var/log/traefik/access.log │ │ datasource_type │ file │ │ http_args_len │ 0 │ │ http_path │ /api/v1/org/homelabs/certificate/domain1/xxxx.xxx.xxx.xx │ │ http_status │ 200 │ │ http_user_agent │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │ │ │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 │ │ http_verb │ GET │ │ log_type │ http_access-log │ │ service │ http │ │ source_ip │ xxx.xxx.xxx.xxx │ │ target_fqdn │ pangolin.xxx.xxx.xx │ │ timestamp │ 2026-05-12T17:52:43+08:00 │ │ traefik_router_name │ api-router@file │ ╰─────────────────────┴──────────────────────────────────────────────────────────────╯ - Date: 2026-05-12 09:52:43 +0000 UTC ╭─────────────────────┬──────────────────────────────────────────────────────────────╮ │ Key │ Value │ ├─────────────────────┼──────────────────────────────────────────────────────────────┤ │ ASNNumber │ xxxx │ │ ASNOrg │ xxx.xxx │ │ IsInEU │ false │ │ IsoCode │ xx │ │ SourceRange │ xxx.xxx.xxx.xxx/16 │ │ datasource_path │ /var/log/traefik/access.log │ │ datasource_type │ file │ │ http_args_len │ 0 │ │ http_path │ /api/v1/org/homelabs/certificate/domain1/xxxxxx.xxx.xxx.xx │ │ │ g │ │ http_status │ 200 │ │ http_user_agent │ Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 │ │ │ (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 │ │ http_verb │ GET │ │ log_type │ http_access-log │ │ service │ http │ │ source_ip │ xxx.xxx.xxx.xxx │ │ target_fqdn │ pangolin.xxx.xxx.xx │ │ timestamp │ 2026-05-12T17:52:43+08:00 │ │ traefik_router_name │ api-router@file │ ╰─────────────────────┴──────────────────────────────────────────────────────────────╯ ```

GiteaMirror commented 2026-05-18 17:46:39 -05:00

Author

Owner

Copy Link

@DKT69 commented on GitHub (May 13, 2026):

i see have latest 1.18.4 out have solve this problem?

<!-- gh-comment-id:4443107688 --> @DKT69 commented on GitHub (May 13, 2026): i see have latest 1.18.4 out have solve this problem?

GiteaMirror commented 2026-05-18 17:46:39 -05:00

Author

Owner

Copy Link

@LaurenceJJones commented on GitHub (May 13, 2026):

i see have latest 1.18.4 out have solve this problem?

No, the problem or not so is basically loading the resource page now loads lots of items to get different statuses on the resource itself. Because it seems you have a lot of them it will amplify how many requests are sent during the page load.

I can supply a whitelist file for crowdsec to basically nullify these calls because in theory anything other a 401/403 for pangolin should just be ignored.

<!-- gh-comment-id:4443404597 --> @LaurenceJJones commented on GitHub (May 13, 2026): > i see have latest 1.18.4 out have solve this problem? No, the _problem_ or not so is basically loading the resource page now loads lots of items to get different statuses on the resource itself. Because it seems you have a lot of them it will amplify how many requests are sent during the page load. I can supply a whitelist file for crowdsec to basically nullify these calls because in theory anything other a 401/403 for pangolin should just be ignored.

GiteaMirror commented 2026-05-18 17:46:40 -05:00

Author

Owner

Copy Link

@DKT69 commented on GitHub (May 13, 2026):

i see have latest 1.18.4 out have solve this problem?

No, the problem or not so is basically loading the resource page now loads lots of items to get different statuses on the resource itself. Because it seems you have a lot of them it will amplify how many requests are sent during the page load.

I can supply a whitelist file for crowdsec to basically nullify these calls because in theory anything other a 401/403 for pangolin should just be ignored.

can i get the sample of whitelist?

<!-- gh-comment-id:4443434066 --> @DKT69 commented on GitHub (May 13, 2026): > > i see have latest 1.18.4 out have solve this problem? > > No, the _problem_ or not so is basically loading the resource page now loads lots of items to get different statuses on the resource itself. Because it seems you have a lot of them it will amplify how many requests are sent during the page load. > > I can supply a whitelist file for crowdsec to basically nullify these calls because in theory anything other a 401/403 for pangolin should just be ignored. can i get the sample of whitelist?

GiteaMirror commented 2026-05-18 17:46:40 -05:00

Author

Owner

Copy Link

@AstralDestiny commented on GitHub (May 13, 2026):

Give Loz a bit to make it. They'll likely post it when it's ready

<!-- gh-comment-id:4444752665 --> @AstralDestiny commented on GitHub (May 13, 2026): Give Loz a bit to make it. They'll likely post it when it's ready

GiteaMirror commented 2026-05-18 17:46:41 -05:00

Author

Owner

Copy Link

@LaurenceJJones commented on GitHub (May 14, 2026):

So ill provide two whitelist and you can decide how "lax" you want it for me personally anything thats a 200 from Pangolin itself should just be ignored.

# config/crowdsec/parsers/s02-enrich/my-whitelist.yaml
name: me/pangolin-whitelist
description: "Whitelist events from pangolin"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "Pangolin Whitelist"
  expression:
     - "evt.Meta.traefik_router_name in ['api-router@file', 'next-router@file'] && evt.Meta.http_status not in ['400', '401', '403']"
 ## Whitelist pangolin router names and ignore everything but 400, 401 and 403 status codes

then you could be a little more restrictive but then you could battle with finding the right balance

# config/crowdsec/parsers/s02-enrich/my-whitelist.yaml
name: me/pangolin-whitelist
description: "Whitelist events from pangolin"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Meta.http_status not in ['400', '401', '403']"
whitelist:
  reason: "Pangolin Whitelist"
  expression:
     - "evt.Meta.traefik_router_name == 'api-router@file' && evt.Meta.http_path matches '/api/v1/org/*/certificate/'"
     - "evt.Meta.traefik_router_name == 'next-router@file' &&  && evt.Meta.http_path matches '/*/settings/resources/proxy/'"

in my opinion the first is enough, any valid users will be ignored and any unauthenticated requests will still be monitored

<!-- gh-comment-id:4449622613 --> @LaurenceJJones commented on GitHub (May 14, 2026): So ill provide two whitelist and you can decide how "lax" you want it for me personally anything thats a 200 from Pangolin itself should just be ignored. ```yaml # config/crowdsec/parsers/s02-enrich/my-whitelist.yaml name: me/pangolin-whitelist description: "Whitelist events from pangolin" filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']" whitelist: reason: "Pangolin Whitelist" expression: - "evt.Meta.traefik_router_name in ['api-router@file', 'next-router@file'] && evt.Meta.http_status not in ['400', '401', '403']" ## Whitelist pangolin router names and ignore everything but 400, 401 and 403 status codes ``` then you could be a little more restrictive but then you could battle with finding the right balance ```yaml # config/crowdsec/parsers/s02-enrich/my-whitelist.yaml name: me/pangolin-whitelist description: "Whitelist events from pangolin" filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log'] && evt.Meta.http_status not in ['400', '401', '403']" whitelist: reason: "Pangolin Whitelist" expression: - "evt.Meta.traefik_router_name == 'api-router@file' && evt.Meta.http_path matches '/api/v1/org/*/certificate/'" - "evt.Meta.traefik_router_name == 'next-router@file' && && evt.Meta.http_path matches '/*/settings/resources/proxy/'" ``` in my opinion the first is enough, any valid users will be ignored and any unauthenticated requests will still be monitored

GiteaMirror commented 2026-05-18 17:46:41 -05:00

Author

Owner

Copy Link

@LaurenceJJones commented on GitHub (May 15, 2026):

Will class as completed, we already noted internally we should optimize the fetching of certs and statuses but is a low priority item as the above is a workaround.

remember crowdsec is a separate product, when installing you agreed that you will maintain it yourself so in future we may not aid like this.

<!-- gh-comment-id:4458222360 --> @LaurenceJJones commented on GitHub (May 15, 2026): Will class as completed, we already noted internally we should optimize the fetching of certs and statuses but is a low priority item as the above is a workaround. remember _crowdsec_ is a separate product, when installing you agreed that you will maintain it yourself so in future we may not aid like this.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-4aaf4dbce4

dependabot/go_modules/install/minor-updates-a249525a56

fix-3104

dev

exit-node-reconnect

fix-logoUrl

button-to-rebuild-association

crowdin_dev

rdp-ssh

dependabot/npm_and_yarn/brace-expansion-5.0.6

copilot/fix-documentation-input-output-types

dependabot/github_actions/sigstore/cosign-installer-4.1.2

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

breakout-sites-tables

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-rc.0

1.17.1

1.17.0

1.17.0-rc.0

1.16.2

1.16.1

1.16.0

1.16.0-rc.0

1.15.4

1.15.3

1.15.2

1.15.1

1.15.0

1.15.0-rc.0

1.14.1

1.14.0

1.14.0-rc.0

1.13.1

1.13.0

1.13.0-rc.0

1.12.3

1.12.2

1.12.1

1.12.0

1.12.0-rc.0

1.11.1

1.11.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#17284