Pangolin + Crowdsec - Recent Guide?

General
1

Hi everyone,

does anyone have a recent guide on getting Crowdsec working with Pangolin?

I’m trying to get it configured on Ubuntu 26.04 VPS using docker.

However getting confused between nftables and iptables options and also syslog and journalctl. There also seem to multiple different bouncers recommended - ranging from the standard traefik one to this one: https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin?ref=blog.lrvt.de

I’ve used the Pangolin supplied installer with the --crowdsec option which does a lot of the work.

Not just trying to get everything connected but the community guide on the Pangolin site has a few steps missing I think.

I also saw the comment here about not using docker if on a VPS. Can anyone elaborate on why docker route might not be the way to go? I nearly got that working but then broke Pangolin, so I’m back to the docker route again.

Many thanks,

Mike

2

hey mike,

you’re on the right track using the official installer with --crowdsec — that does most of the heavy lifting (Traefik logging + the maxlerebourg Traefik plugin).

Quick Answers to Your Questions

  • Docker vs Host install: On a VPS, the Docker route (what the installer uses) is usually fine and simpler, especially if your whole stack is Dockerized. The main reason some recommend host install is for the firewall bouncer (nftables/iptables), which needs better kernel access. For most people, the Traefik plugin bouncer (which the installer sets up) is enough and easier.

  • nftables vs iptables: On Ubuntu 26.04 you should use nftables. If you want the firewall bouncer, install the nftables version.

  • syslog vs journalctl: With the Pangolin setup, CrowdSec usually reads Traefik access logs directly (via volume mount). You generally don’t need syslog/journalctl unless you want to monitor SSH/auth logs too.

Troubleshooting Steps

  1. Check current status

    docker logs crowdsec --tail 100
docker exec crowdsec cscli decisions list
docker exec crowdsec cscli bouncers list
docker exec crowdsec cscli lapi status

  2. Verify Traefik is logging
    Check if the access log is being written:

    docker exec traefik tail -f /var/log/traefik/access.log

  3. Check the plugin is applied
    Look in your traefik_config.yml (or dynamic config) for a middleware like:

    http:
  middlewares:
    crowdsec:
      plugin:
        bouncer:
          enabled: true
          crowdsecLapiKey: "your_key_here"

    Then make sure your routers use this middleware.

Common Missing Steps

The community guide sometimes misses:

  • Restarting the stack properly after changes (docker compose down && docker compose up -d)
  • Adding more collections (e.g. crowdsecurity/traefik, crowdsecurity/appsec-virtual-patching)
  • Setting up the bouncer API key correctly between containers

What exactly is not working right now?
For example:

  • No decisions/bans appearing?
  • Traefik plugin errors in logs?
  • CrowdSec container unhealthy?
  • Bans not being enforced?

Share the output of the commands above (especially docker logs crowdsec and cscli decisions list) and I (or others) can give you much more targeted help.

Happy to walk you through the firewall bouncer setup too if you want deeper protection.

hhf