this post was submitted on 20 Jun 2025
26 points (100.0% liked)

Selfhosted

49551 readers
613 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
26
Suggestions for crowdsec + caddy + docker setup (lemmy.dbzer0.com)
submitted 3 weeks ago* (last edited 3 weeks ago) by whysofurious@lemmy.dbzer0.com to c/selfhosted@lemmy.world
7 comments fedilink hide all child comments
 

Hi all!

I'll try to be quick but I apologise first as I am pretty new to security stuff and my questions might be obvious to the more experts.

I have a VPS (hetzner) set up with docker, caddy for the reverse proxy, and authentik as the only login method for a couple of services (hedgedoc and forgejo). Since most of these has to be available and accessible on the internet, I also setup crowdsec and built caddy with the relevant bouncer. This allows crowdsec to inspect the caddy logs for all the services I am serving through it and act accordingly. Edit: all the services are in docker containers.

So far, so good. However, I also saw that crowdsec can directly monitor container logs with the docker integration or through container labels. Also, I saw a couple of collections on crowdsec hub specifically for Authentik and Gitea.

I feel I am missing something so my question are:

  1. Would it be useful to monitor container logs given my setup or would it be redundant?
  2. Should I add the app-specific collections, or would docker logs monitoring be enough?

My current crowdsec collections

  • crowdsecurity/linux
  • crowdsecurity/appsec-generic-rules
  • crowdsecurity/caddy
  • crowdsecurity/whitelist-good-actors
  • crowdsecurity/http-cve
  • crowdsecurity/iptables

Edit: bonus question, does someone know if the Gitea collection would be useful for Forgejo after it being a hard-fork now?

you are viewing a single comment's thread
view the rest of the comments
[–] irmadlad@lemmy.world 2 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

On the free plan, you should be able to set up 2 remediation components, 4 blocklists, and a variety of scenarios. For the scenarios, I'd only install what you have need for.

As far as logs, I personally think something more along the lines of Grafana+Loki+Alloy (Formerly Prometheus) for logs and metrics. You could even use something like lnav. Lnav is simple to install. It's not a dialed out dashboard of metrics, rather it keeps things simple. After install, to access it simply type lnav and the log location you wish to view: lnav /var/log/auth.log or lnav /var/log/syslog in the cli. Don't let it's simplicity fool you tho. It is quite capable.

I really tried with logging aps like ELK, Graylog, etc. I found them to be quite heavy for my environment. They certainly do have all the bells and whistles and pretty graphics, but again, it comes down to what can run on your server comfortably. I didn't want to eat up 2/3 of my resources just to look at logs. The Grafana+Loki+Alloy combo really sips the resources. I think for all I have Grafana monitoring, it clocks in at around 2+/- gb in used resources.

[–] whysofurious@lemmy.dbzer0.com 2 points 3 weeks ago (1 children)

Thanks for the thorough reply! I didn't know about Inav, but it looks very interesting. I agree on the Grafana stack, it's not something I really need now, and if I have to inspect single containers I can go for something like Dozzle.

About crowdsec free plan, looking at the pricing page, I see that the community plan has unlimited remediation components and 3 blocklist + unlimited scenarios, or am I looking in the wrong place? (honestly that page is pretty confusing)

[–] irmadlad@lemmy.world 1 points 3 weeks ago

I'm probably telling you wrong, but I've only been able to do the cs-blocklist-mirror and firewall-bouncer. There are a bunch of the scenarios that are remediation components. If you look at something like cs-cloudflare-worker-bouncer, well I don't have a use for the cs-cloudflare-worker-bouncer remediation component, so that doesn't get installed. Same for remediation components like cs-aws-waf-bouncer. So yes, there are unlimited remediation components, just not all will fit your use case. As I understand it, you can even write your own, tho I've not dabbled in that aspect.

If all you want to do is look at Docker logs and the occasional syslog, then I would think Dozzle to be quite capable in conjunction with something along the lines of lnav.