Configure Crowdsec for an already existing Pangolin instance

The Pangolin installer typically prompts you to install Crowdsec automatically, but it can also be done afterwards if you skipped it. I couldn't find any good instructions for this online, so I hope that this helps at least someone.

Crowdsec and Pangolin

Crowdsec is a security engine that analyzes visitor behavior to detect threats and automatically shares blocklists globally, while Pangolin is a self-hosted platform that uses Traefik and WireGuard to expose private services without opening ports or revealing their actual IP addresses. This approach is ideal for exposing homelab services with Pangolin running on a VPS. Crowdsec and Pangolin are both open-source.

Using them together creates a proactive defense where Pangolin provides the secure entry point and identity management, and Crowdsec acts as a real-time firewall that automatically blocks malicious actors identified by a global community. This combination offers a self-hosted alternative to services like Cloudflare tunnels.

Configuration

This guide assumes that you already have a Pangolin instance, configured either with the automatic installer or manually with Docker Compose. Pangolin uses Traefik under the hood as the reverse proxy, so most of this also applies to configuring Crowdsec with Traefik.

First, let's make sure that the Pangolin configuration has all the directories Crowdsec requires. In the config directory (the one that includes config.yml, key, traefik/ etc.), create the following Crowdsec files and directories.

mkdir -p ./crowdsec/db
mkdir -p ./crowdsec/hub
mkdir -p ./crowdsec/patterns
mkdir -p ./crowdsec_logs

Next, update the existing Pangolin docker-compose.yml file to include the Crowdsec service.

crowdsec:
  image: crowdsecurity/crowdsec:latest
  container_name: crowdsec
  environment:
    GID: "1000"
    COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve"
  volumes:
    - ./config/crowdsec:/etc/crowdsec
    - ./config/crowdsec/db:/var/lib/crowdsec/data
    - ./config/traefik/logs:/var/log/traefik:ro    #Traefik log access
  restart: unless-stopped

Before moving forward, check that Traefik is actually writing an access log. It does not do that by default. Make sure that the access log is set to something other than "Disabled" in the Pangolin web UI under Settings -> Security. Also, ./config/traefik/traefik_config.yml should include something like this:

accessLog:
  filePath: "/var/log/traefik/access.log"
  format: json

If not, then add it. Otherwise Crowdsec will not have anything to analyze.

Before starting the container, create the file ./config/crowdsec/acquis.yaml and paste the following lines into it. This tells Crowdsec to use the Traefik logs as its source (https://docs.crowdsec.net/u/getting_started/post_installation/acquisition_new/).

filenames:
  - /var/log/traefik/access.log
labels:
  type: traefik
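
Traefik's accessLog setting, the shared log volume and acquis.yaml all have to point at the same file, or Crowdsec silently has nothing to read. The script below is an added example, not part of the original guide or of the Pangolin or Crowdsec projects; it assumes the directory layout used in this guide, that both containers mount ./config/traefik/logs at /var/log/traefik, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original guide: preflight check of the log wiring.
# Assumed layout (as in this guide): <cfg>/traefik/traefik_config.yml,
# <cfg>/crowdsec/acquis.yaml, and <cfg>/traefik/logs mounted at /var/log/traefik
# in both containers, so Traefik's filePath and the acquis.yaml entry must match.

# Read YAML on stdin, print the unquoted value of the first "<key>: value" line.
yaml_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1 |
        tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# preflight <cfg>: print one line per failed check, return the failure count.
preflight() {
    cfg=$1; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    # Only look at keys inside the top-level accessLog: section.
    log_path=$(sed -n '/^accessLog:/,/^[^[:space:]]/p' \
        "$cfg/traefik/traefik_config.yml" 2>/dev/null | yaml_value filePath)
    [ -n "$log_path" ] || fail "no accessLog filePath in traefik_config.yml"
    grep -qF -- "${log_path:-/nonexistent}" "$cfg/crowdsec/acquis.yaml" 2>/dev/null ||
        fail "acquis.yaml does not list ${log_path:-the access log}"
    label=$(cat "$cfg/crowdsec/acquis.yaml" 2>/dev/null | yaml_value type)
    [ "$label" = traefik ] || fail "acquis.yaml label 'type' is not traefik"
    host_log="$cfg/traefik/logs/$(basename "${log_path:-access.log}")"
    if [ ! -s "$host_log" ]; then
        fail "$host_log is missing or empty (is access logging enabled?)"
    elif ! tail -n 1 "$host_log" | grep -q '^{.*"ClientHost"'; then
        fail "last line of $host_log is not a JSON access log entry"
    fi
    return "$fails"
}

# demo: run the check against a constructed config tree in a temp directory.
demo() {
    d=$(mktemp -d); mkdir -p "$d/traefik/logs" "$d/crowdsec"
    printf 'accessLog:\n  filePath: "/var/log/traefik/access.log"\n  format: json\n' \
        > "$d/traefik/traefik_config.yml"
    printf 'filenames:\n  - /var/log/traefik/access.log\nlabels:\n  type: traefik\n' \
        > "$d/crowdsec/acquis.yaml"
    printf '{"ClientHost":"203.0.113.7","RequestPath":"/","DownstreamStatus":200}\n' \
        > "$d/traefik/logs/access.log"
    rc=0; preflight "$d" || rc=$?
    rm -rf "$d"; return "$rc"
}

# With an argument, check that config directory; without one, run the demo.
if [ "$#" -gt 0 ]; then preflight "$1"; else demo && echo "demo: all checks passed"; fi
```

Run it from the directory that holds docker-compose.yml with ./config as the argument; the exit status is the number of failed checks.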

Now start the container.

docker compose up -d

After everything is up and running without errors, get the Crowdsec Bouncer API key and save it.

docker exec crowdsec cscli bouncers add traefik-bouncer

You will need this key for configuring a Traefik middleware. To configure the middleware, edit ./config/traefik/dynamic_config.yml and add the following. Paste the API key in crowdsecLapiKey.

http:
  middlewares:
    crowdsec-bouncer:
      plugin:
        bouncer:
          enabled: true
          crowdsecMode: live
          crowdsecLapiKey: "<YOUR_BOUNCER_API_KEY>"    #Placeholder: paste the key from the previous step
          crowdsecLapiHost: "crowdsec:8080"
          crowdsecLapiScheme: http

If you already have some middleware configured, just add the crowdsec-bouncer after it.

Now in ./config/traefik/dynamic_config.yml add crowdsec-bouncer@file as a middleware. The config should have this structure:

entryPoints:
  websecure:
    http:
      middlewares:
        - "crowdsec-bouncer@file"

Also add the crowdsec-traefik plugin in the same file.

experimental:
  plugins:
    bouncer:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.5.1"    #Or use latest

Restart the containers to apply the new configurations.

docker compose restart

Now test if everything went correctly by running this command.

docker exec crowdsec cscli bouncers list

You should see a timestamp under "Last API pulled" which indicates that Crowdsec and Traefik can communicate with each other.

Now to test that Crowdsec works, try banning your own IP to see if you are blocked from accessing the website.

Ban your IP for 1 minute:

docker exec crowdsec cscli decisions add --ip <YOUR_IP> -d 1m --type ban

Try accessing your Pangolin dashboard or resources. If you see the error "403 Forbidden", it works!

Unban your IP:

docker exec crowdsec cscli decisions delete --ip <YOUR_IP>

If everything went correctly, Crowdsec will start automatically banning malicious IPs from accessing your Pangolin resources. I recommend also securing the rest of your system (for example SSH) with Crowdsec. For detailed documentation on that, refer to Pangolin's documentation (https://docs.pangolin.net/self-host/community-guides/crowdsec#securing-the-host-system-ssh).

Lassi Hirvonen, 27.2.2026