Background
I recently made an effort to harden my network due to (technically) exposing more of it with FireZone (WireGuard). For the curious, I shared some details in a recent comment. I didn’t mention it in the comment, but I also set up local DNS (Technitium) with block lists.
I’m approaching a point where I’m comfortable with my setup security-wise, but I’m missing a couple of things still: A solid firewall and proper backups. In this post, I’m interested in discussing the former.
NPM serves as the primary entrypoint into my server. For a while I considered looking into putting fail2ban in front of it, but then I came across CrowdSec which seems like a superior solution. And so I started looking into how to implement it alongside NPM.
There’s an official guide, but it relies on a fork of a fork (Docker Hub) of NPM, which seems unsustainable. I also found this guide in a reddit post, which relies on a fork of the official image. However, it looks like the image is no longer hosted on Docker Hub.
Here is the (NPM) GitHub issue where the “fork of a fork” image came into existence (lepresidente/nginx-proxy-manager). It has some interesting discussions about the challenges of having NPM and CrowdSec coexist and cooperate.
tl;dr
I can’t find any documentet, successful attempt at having CrowdSec function in front of Nginx Proxy Manager. The solutions that are publicly documentet, even officially by CrowdSec, rely on forks of NPM.
Conclusions
I feel like it should be possible to have the two services work together with the official images. Probably with a relatively complex setup. If anyone has made this work somehow, I’d be very happy to look at your docker-compose files.
Thanks for reading.
If you are running proxmox then you can use tteks NPM lxc script and add the crowdsec script on top of that. Took me about 2 minutes with the downside of running something someone else set up instead of going step by step.