How to make NPMPlus + Crowdsec work with br0 network (seperate ipv4 for NPMPlus)?

[dangnhdev]

I am currently using NPMPlus on Unraid with the br0 network and a fixed IP address (192.168.1.2). This setup allows me to use Adguard DNS to redirect public domains to NPM’s IP address on my home network. Without CrowdSec enabled, NPM functions perfectly. However, when I enable CrowdSec, it appears that AppSec is blocking all requests.

Unauthorized request from '192.168.1.2:38250' (real IP = 127.0.0.1)

I am aware that the sample compose file suggests setting CrowdSec’s network to host and running NPMPlus and CrowdSec on the same network. However, I would like to explore if there are any alternative solutions to make this stack work. Any guidance or suggestions would be greatly appreciated.

Here is my compose.yml and NPMplus crowdsec.conf file:

networks:
  br0:
    external: true
services:
  npmplus:
    container_name: npmplus
    image: docker.io/zoeyvid/npmplus:latest # or ghcr.io/zoeyvid/npmplus:latest
    restart: always
    depends_on:
      - geoipupdate
      - crowdsec
    mac_address: "02:42:46:1C:BF:AA"
    networks:
      br0:
        ipv4_address: 192.168.1.2
    ports:
      - "80:80"
      - "443:443"
      - "81:81"
      - "91:91"
    volumes:
      - "/mnt/user/appdata/npmplus:/data"
    environment:
      - "TZ=America/New_York"
      - "NPM_PORT=81"
      - "INITIAL_DEFAULT_PAGE=404"
      - "INITIAL_ADMIN_EMAIL=admin@example.com"
      - "INITIAL_ADMIN_PASSWORD=admin"
      - "GOA=true"
      - "GOA_PORT=91"
      - "LOGROTATE=true"
      - "LOGROTATIONS=7"
  crowdsec:
    container_name: crowdsec
    image: docker.io/crowdsecurity/crowdsec:latest
    restart: always
    mac_address: "02:42:F9:BC:DE:CB"
    networks:
      br0:
        ipv4_address: 192.168.1.3
    ports:
      - "7422:7422"
      - "8080:8080"
    environment:
      - "TZ=America/New_York"
      - "COLLECTIONS=ZoeyVid/npmplus"
    volumes:
      - "/mnt/user/appdata/crowdsec/conf:/etc/crowdsec"
      - "/mnt/user/appdata/crowdsec/data:/var/lib/crowdsec/data"
      - "/mnt/user/appdata/npmplus/nginx:/opt/npmplus/nginx:ro"
  geoipupdate:
    ### 

crowdsec.conf file, everything is as default example. I just modify the URL to point to crowdsec's IP

ENABLED=true
API_URL=http://192.168.1.3:8080
API_KEY="..."
CACHE_EXPIRATION=1
# bounce for all type of remediation that the bouncer can receive from the local API
BOUNCING_ON_TYPE=all
FALLBACK_REMEDIATION=ban
REQUEST_TIMEOUT=2500
UPDATE_FREQUENCY=10
# By default internal requests are ignored, such as any path affected by rewrite rule.
# set ENABLE_INTERNAL=true to allow checking on these internal requests.
ENABLE_INTERNAL=false
# live or stream
MODE=live
# exclude the bouncing on those location
EXCLUDE_LOCATION=
#those apply for "ban" action
# /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE
BAN_TEMPLATE_PATH=/data/crowdsec/ban.html
REDIRECT_LOCATION=
RET_CODE=
#those apply for "captcha" action
#valid providers are recaptcha, hcaptcha, turnstile
CAPTCHA_PROVIDER=
# Captcha Secret Key
SECRET_KEY=
# Captcha Site key
SITE_KEY=
CAPTCHA_TEMPLATE_PATH=/data/crowdsec/captcha.html
CAPTCHA_EXPIRATION=3600

APPSEC_URL=http://192.168.1.3:7422
APPSEC_FAILURE_ACTION=deny
APPSEC_CONNECT_TIMEOUT=1000
APPSEC_SEND_TIMEOUT=30000
APPSEC_PROCESS_TIMEOUT=10000
ALWAYS_SEND_TO_APPSEC=false
SSL_VERIFY=true

I'm using the default npmplus.yml in CrowdSec

filenames:
  - /opt/npmplus/nginx/*.log
labels:
  type: npmplus
---
filenames:
  - /opt/npmplus/nginx/*.log
labels:
  type: modsecurity
---
listen_addr: 0.0.0.0:7422
appsec_config: crowdsecurity/appsec-default
name: appsec
source: appsec
labels:
  type: appsec
# if you use openappsec you can enable this
#---
#source: file
#filenames:
# - /opt/openappsec/logs/cp-nano-http-transaction-handler.log*
#labels:
#  type: openappsec

[Zoey2936]

can you also post your npmplus.yaml?

[dangnhdev]

Thanks for quick reply. I'm using the default npmplus.yml in CrowdSec. I updated my question with it.

[Zoey2936]

I have the felling that appsec blocks this request because of your network setup, can you maybe ask this at crowdec, please?

[MikeNatC]

Hi @dangnhdev do you have an answer to this? I think I'm facing a similar issue:

2025/04/12 01:50:57 [error] 281#281: [lua] crowdsec.lua:126: init(): APPSEC is enabled on '10.10.4.2:6060'
2025/04/12 01:51:26 [error] 1119#1119: *1 connect() failed (111: Connection refused), client: 127.0.0.1, server: _, request: "GET /api/ HTTP/2.0", host: "127.0.0.1:81"
2025/04/12 01:51:26 [error] 1119#1119: *1 [lua] crowdsec.lua:510: AppSecCheck(): Bad request to APPSEC (404): 404 page not found
, client: 127.0.0.1, server: _, request: "GET /api/ HTTP/2.0", host: "127.0.0.1:81"
2025/04/12 01:51:26 [alert] 1119#1119: *1 [lua] crowdsec.lua:637: Allow(): [Crowdsec] denied '127.0.0.1' with 'ban' (by appsec), client: 127.0.0.1, server: _, request: "GET /api/ HTTP/2.0", host: "127.0.0.1:81"

[bhavikbhakta]

Getting the same thing. NPMPlus is banning itself:

2025/04/25 22:48:13 [alert] 3467#3467: *11 [lua] crowdsec.lua:637: Allow(): [Crowdsec] denied '127.0.0.1' with 'ban' (by appsec), client: 127.0.0.1, server: _, request: "GET /api/ HTTP/2.0", host: "127.0.0.1:81"

I don't see it in the Crowdsec CLI anymore though, just in the NPM logs.

[Zoey2936]

Please open a new discussion