Securing Your Services Part 1: A Practical Guide to Deploying CrowdSec on Dokploy


Introduction

Deploying applications with a modern PaaS like Dokploy is incredibly efficient, but securing them is something we should always take care of first. CrowdSec, the open-source and collaborative security engine, offers a powerful way to detect and block malicious behavior by analyzing logs. However, configuring it to run correctly within Dokploy's containerized environment presents a common challenge: granting it the necessary access to host and Traefik logs.

After some trial and error, I've established a streamlined and reliable method. This tutorial will walk you through the exact steps to get a fully functional CrowdSec instance running on Dokploy, protecting your server and your applications.

Main Content

The Goal

Our objective is to deploy a single CrowdSec container that can:

- Read and analyze system logs from the host server (like auth.log and syslog).
- Read and analyze the access logs from Dokploy's built-in Traefik instance.
- Persist its own configuration and data across restarts and redeployments.

Let's get started.

Step 1: The Docker Compose Configuration

The foundation of our setup is a carefully crafted docker-compose.yml file. This configuration eliminates unnecessary complexity and focuses on the core requirements: direct log access and reliable data persistence.

In your Dokploy project, create a new Compose service and paste the following configuration into the Raw editor:

YAML

services:
  crowdsec:
    image: crowdsecurity/crowdsec:v1.6.10
    # Run as root to grant permissions to read host log files
    user: root
    restart: unless-stopped
    expose:
      - 8080
      - 6060
      - 7422
    volumes:
      # CrowdSec's own persistent data volumes
      - crowdsec-data:/var/lib/crowdsec/data
      - crowdsec-etc:/etc/crowdsec
      # Mount host log directory directly into the container (read-only)
      - /var/log:/var/log:ro
      # Mount the Traefik log volume directly into the container (read-only)
      - traefik-logs:/var/log/traefik:ro
    environment:
      # Set Group ID to root as well
      - GID=0
      - COLLECTIONS=crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/base-http-scenarios crowdsecurity/sshd crowdsecurity/linux crowdsecurity/appsec-generic-rules crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-crs
    networks:
      - dokploy-network

networks:
  dokploy-network:
    external: true

volumes:
  crowdsec-data:
  crowdsec-etc:
  # This volume must be populated by your Traefik container
  traefik-logs:

Key Configuration Points:

- user: root and GID=0: This is the most critical part of the solution. By default, a container doesn't have permission to read protected log files from the host's filesystem. Running the container as the root user grants it the necessary access.
- Volumes: We define three types of volumes:
  - crowdsec-data & crowdsec-etc: These are standard named volumes that ensure CrowdSec's database and configurations persist between deployments.
  - /var/log:/var/log:ro: This is a direct bind mount. It maps the host's /var/log directory into the container at the same path, in read-only mode.
  - traefik-logs:/var/log/traefik:ro: This assumes your Traefik container is writing its logs to a named volume called traefik-logs. CrowdSec mounts this volume to read the access logs.
- Network: The service is attached to dokploy-network, which is mandatory for any service managed by Dokploy.

Step 2: Configure Log Acquisition with a File Mount

Now that the log files are available inside the container, we need to tell CrowdSec where to find them. The default CrowdSec configuration won't know about our specific setup. We will override its log acquisition settings using Dokploy's "File Mount" feature, which is an ideal method for injecting single configuration files.

1. In your Dokploy service, navigate to the Advanced -> Mounts tab.
2. Click Create a new File Mount.
3. Fill in the form with the following details:

Mount Path: Enter the exact path where CrowdSec expects this configuration file.

/etc/crowdsec/acquis.yaml

Content: Paste the entire configuration below. This file tells CrowdSec to monitor two sets of files: the system logs and the Traefik logs.

YAML

# This single acquisition file defines all log sources for CrowdSec.

# Entry for system logs (auth, syslog)
filenames:
  - /var/log/auth.log
  - /var/log/syslog
labels:
  type: syslog
---
# Entry for Traefik logs from the mounted volume
filenames:
  - /var/log/traefik/*.log
labels:
  type: traefik

4. Save the file mount.

Step 3: Deploy and Verify

With the Docker Compose configuration and the acquisition file in place, you are ready to deploy.

Navigate back to the General tab for your service. Click Deploy.

Once the deployment is complete, check the container's logs in the Dokploy UI. You should see CrowdSec starting up without any "No matching files" errors. Instead, you'll see it processing logs from the collections you installed (linux, traefik, etc.).
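A pre-flight check for the "No matching files" condition mentioned above, as an added example that is not part of the original guide: it reads an acquisition file in the layout from Step 2 and reports, per pattern, whether any file matches and whether the current user can read it. The check_acquis function and its optional ROOT prefix argument are hypothetical names, and the demo tree at the end is constructed.

```shell
# Added example (not from the original guide): pre-flight check for acquis.yaml.
# check_acquis FILE [ROOT] prints OK / UNREADABLE / NOMATCH per pattern and
# returns the number of problem patterns. ROOT is a hypothetical prefix so the
# check can run against a copy of the log tree. Assumes "- /absolute/path"
# list items as in this guide, with no whitespace inside paths.
check_acquis() {
    acquis=$1; root=${2:-}; problems=0
    patterns=$(sed -n 's|^[[:space:]]*-[[:space:]]*\(/[^[:space:]]*\).*$|\1|p' "$acquis")
    while IFS= read -r pattern; do
        [ -n "$pattern" ] || continue
        matched=0; unreadable=0
        # Unquoted on purpose: the shell expands globs such as *.log here.
        for f in $root$pattern; do
            [ -e "$f" ] || continue
            matched=$((matched + 1))
            [ -r "$f" ] || unreadable=$((unreadable + 1))
        done
        if [ "$matched" -eq 0 ]; then
            echo "NOMATCH    $pattern"
            problems=$((problems + 1))
        elif [ "$unreadable" -gt 0 ]; then
            echo "UNREADABLE $pattern ($unreadable of $matched files)"
            problems=$((problems + 1))
        else
            echo "OK         $pattern ($matched files)"
        fi
    done <<EOF
$patterns
EOF
    return "$problems"
}

# Constructed demo: a throwaway tree where the Traefik volume is still empty.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/var/log/traefik"
touch "$demo_root/var/log/auth.log" "$demo_root/var/log/syslog"
cat > "$demo_root/acquis.yaml" <<'EOF'
filenames:
  - /var/log/auth.log
  - /var/log/syslog
labels:
  type: syslog
---
filenames:
  - /var/log/traefik/*.log
labels:
  type: traefik
EOF
check_acquis "$demo_root/acquis.yaml" "$demo_root" || echo "patterns with problems: $?"
```

Called without ROOT from a shell inside the CrowdSec container, as `check_acquis /etc/crowdsec/acquis.yaml`, it checks the paths exactly as the volume mounts from Step 1 present them.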

Conclusion

You now have a robust and simplified CrowdSec instance running in Dokploy, actively monitoring your host and Traefik logs for threats. By mounting the log directories directly and running the container as root, we resolve complex permission issues and eliminate the need for a separate log-forwarding container. This direct approach is clean, effective, and easy to manage.

Your next step is to install and configure a CrowdSec bouncer (like the firewall bouncer or the Traefik bouncer) to start blocking the malicious IPs that CrowdSec identifies.

