
What is a WAF?#
The term WAF stands for Web Application Firewall.
A traditional firewall mainly operates at the network layer, filtering packets based on source IP, destination IP, source port, destination port, and protocol (TCP/UDP/ICMP). In other words, it ensures that only authorized connections reach the server, but it does not understand the content of the traffic.
The WAF, however, goes further: it is specifically designed to protect web applications. Instead of only analyzing addresses and ports, the WAF inspects the content of HTTP/HTTPS requests. This allows it to identify and block malicious access attempts that a traditional firewall would miss.
Examples of threats a WAF helps mitigate#
- SQL Injection – when malicious SQL commands are sent to manipulate databases.
- Cross-Site Scripting (XSS) – injection of scripts that can steal user data.
- Malicious bots – attempting to exploit vulnerabilities or overload the application.
- Brute force – automated attempts to guess usernames and passwords.
In summary#
- Traditional firewall = focuses on network → controls who can connect (based on IP, ports, and protocols).
- WAF = focuses on web applications → analyzes what’s inside the request and protects against attacks targeting site functionality.
In other words, the WAF acts as a shield between the internet and your web application, blocking threats before they can cause damage.
What is CrowdSec?#
CrowdSec is the WAF we use here at Gole.
It is an open-source, collaborative, and modern solution that not only protects your application in real time but also learns from attacks occurring elsewhere in the world.
That means: when a malicious IP is detected in one environment, the entire CrowdSec community can benefit and block that same IP.

How does CrowdSec work?#
The process is simple to understand:
- Monitors logs from services such as Nginx, Traefik, SSH, web applications.
- Detects suspicious behavior (brute force, scans, abuses).
- Automatically blocks malicious IPs.
- Shares this information anonymously, strengthening the protection network.
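The monitor, detect and block steps above, reduced to a few dozen lines of Python as an added illustration (not CrowdSec's own code): a parser for Traefik's default access-log format feeds a leaky-bucket scenario of the kind CrowdSec uses for brute-force detection, and an overflow becomes a ban decision. The log lines, the bucket parameters (capacity 4, leak one unit per 10 s, 4 h ban) and the scenario name `http-bf` are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Traefik's default (Common Log Format) access line: client IP, timestamp, request, status.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Turn one access-log line into an event dict; None if the line does not match."""
    m = CLF.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}

class LeakyBucket:
    """CrowdSec-style scenario bucket: each event pours in one unit, one unit leaks out
    per `leakspeed`, and overflowing `capacity` means the scenario fires."""
    def __init__(self, capacity, leakspeed):
        self.capacity, self.leakspeed = capacity, leakspeed
        self.level, self.last = 0.0, None

    def push(self, ts):
        if self.last is not None:  # leak what drained since the previous event
            self.level = max(0.0, self.level - (ts - self.last) / self.leakspeed)
        self.last, self.level = ts, self.level + 1
        return self.level > self.capacity

def detect_http_bf(lines, capacity=4, leakspeed=timedelta(seconds=10), ban=timedelta(hours=4)):
    """HTTP brute-force scenario: 401/403 responses fill one bucket per source IP; an
    overflow yields a ban decision, returned as {ip: (scenario, expires_at)}."""
    buckets = defaultdict(lambda: LeakyBucket(capacity, leakspeed))
    decisions = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] not in (401, 403) or ev["ip"] in decisions:
            continue  # unparsable, not a failed auth, or source already banned
        if buckets[ev["ip"]].push(ev["ts"]):
            decisions[ev["ip"]] = ("http-bf", ev["ts"] + ban)
    return decisions

# Constructed sample lines in Traefik's CLF layout (not captured traffic):
# 203.0.113.7 fails login five times in five seconds, 198.51.100.2 only twice.
SAMPLE_LOG = [
    f'{ip} - - [10/Mar/2025:12:00:0{s} +0000] "POST /wp-login.php HTTP/1.1" {st} 512 '
    f'"-" "curl/8.0" {n} "web@kubernetescrd" "http://10.0.0.5:80" 3ms'
    for n, (ip, s, st) in enumerate([("203.0.113.7", 0, 401), ("198.51.100.2", 1, 401),
        ("203.0.113.7", 1, 401), ("203.0.113.7", 2, 401), ("198.51.100.2", 3, 200),
        ("203.0.113.7", 3, 403), ("203.0.113.7", 4, 401), ("198.51.100.2", 5, 401)], 1)
]
```

Running `detect_http_bf(SAMPLE_LOG)` bans only 203.0.113.7 (its fifth failure overflows the bucket at 12:00:04, so the ban runs to 16:00:04); the two failures from 198.51.100.2 stay well below capacity, which is the point of the leak: an occasional mistyped password never trips the scenario.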
Key Features#
- Real-time monitoring: captures logs from services like Nginx, Traefik, SSH, and more.
- Attack and abuse detection: identifies brute force, scans, and anomalous behavior.
- Automatic IP blocking: applies local or remote sanctions, protecting your applications.
Step by Step: Configuring CrowdSec in Kubernetes#
1. Add the Helm repository and get default values#
helm repo add crowdsec https://crowdsecurity.github.io/helm-charts
helm repo update
helm show values crowdsec/crowdsec > crowdsec-default-values.yaml
2. Edit the crowdsec-default-values.yaml file#
a) Configure log acquisition (Traefik)#
agent:
  acquisition:
    - namespace: traefik
      podName: traefik-*
      program: traefik
b) Instance registration (LAPI)#
lapi:
  env:
    - name: ENROLL_KEY
      value: "YOUR_ENROLL_KEY"
    - name: ENROLL_INSTANCE_NAME
      value: "my-k8s-cluster"
    - name: ENROLL_TAGS
      value: "k8s linux production"
c) Persistent volumes#
lapi:
  # in the chart these keys live under lapi:, next to the env block above
  persistentVolume:
    data:
      enabled: true
      storageClassName: "your-storage-class-name"
      size: 1Gi
    config:
      enabled: true
      storageClassName: "your-storage-class-name"
      size: 100Mi
3. Create namespace#
kubectl create ns crowdsec
4. Install CrowdSec#
helm install crowdsec crowdsec/crowdsec -n crowdsec -f crowdsec-default-values.yaml
5. Configure bouncers (Traefik and Nginx)#
a) Create API Key#
# the LAPI pod name carries a random suffix, so address it through its Deployment
kubectl -n crowdsec exec -it deploy/crowdsec-lapi -- sh
# inside the pod: one key per bouncer; each command prints its key once, so copy it now
cscli bouncers add traefik
cscli bouncers add nginx
b) Configure middleware in Traefik#
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: bouncer
  namespace: traefik
spec:
  plugin:
    bouncer:
      enabled: true
      crowdsecMode: appsec
      crowdsecLapiKey: <YOUR_API_KEY>   # key printed by `cscli bouncers add traefik`
      crowdsecLapiHost: "crowdsec-service.crowdsec.svc.cluster.local"
      crowdsecLapiPort: "8080"
      crowdsecAppsecHost: "crowdsec-appsec-service.crowdsec.svc.cluster.local"
      crowdsecAppsecPort: "7422"
      crowdsecAppsecScheme: http
      logLevel: DEBUG   # verbose; lower it to INFO once the bouncer is confirmed working
c) Configure bouncer in Nginx#
controller:
  extraInitContainers:
    - name: init-clone-crowdsec-bouncer
      image: crowdsecurity/lua-bouncer-plugin
      env:
        - name: API_URL
          value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080"
        - name: API_KEY
          value: "<API KEY>"   # key printed by `cscli bouncers add nginx`
        - name: BOUNCER_CONFIG
          value: "/crowdsec/crowdsec-bouncer.conf"
6. Enable AppSec (WAF)#
appsec:
  enabled: true
  acquisitions:
    - source: appsec
      listen_addr: "0.0.0.0:7422"   # must match crowdsecAppsecPort in the Traefik middleware
      path: /
      appsec_config: crowdsecurity/crs-vpatch
      labels:
        type: appsec
  env:
    - name: COLLECTIONS
      value: "crowdsecurity/appsec-wordpress"
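What the Traefik and Nginx bouncers configured in step 5 do with each request, as an added Python illustration rather than either plugin's code: decisions pulled from LAPI's `GET /v1/decisions` endpoint are matched against the client IP (`Ip` scope as a single address, `Range` scope by CIDR), expired ones are ignored, and a `ban` decision turns into a 403 while `captcha` serves a challenge. The response body, the fetch timestamp and all IPs are constructed for this example.

```python
import ipaddress
import json
import re

# Constructed response body in the shape LAPI returns for GET /v1/decisions
# (made-up values; the real call carries the bouncer key in the X-Api-Key header).
LAPI_RESPONSE = json.dumps([
    {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "203.0.113.7",
     "duration": "3h59m50.1s", "scenario": "crowdsecurity/http-generic-bf"},
    {"id": 2, "origin": "CAPI", "type": "ban", "scope": "Range", "value": "198.51.100.0/24",
     "duration": "167h", "scenario": "crowdsecurity/http-probing"},
    {"id": 3, "origin": "cscli", "type": "captcha", "scope": "Ip", "value": "192.0.2.9",
     "duration": "5m", "scenario": "manual"},
])
FETCHED_AT = 1_700_000_000.0  # constructed epoch time at which the response was pulled

GO_DURATION = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?$")

def duration_seconds(text):
    """Parse the Go-style duration LAPI reports (e.g. '3h59m50.1s') into seconds."""
    m = GO_DURATION.match(text)
    if not text or not m:
        raise ValueError(f"bad duration: {text!r}")
    h, mi, s = m.groups()
    return 3600 * int(h or 0) + 60 * int(mi or 0) + float(s or 0)

def load_decisions(body, fetched_at):
    """Turn the LAPI body into (network, type, scenario, expires_at) tuples. 'Ip'
    scope becomes a /32, 'Range' keeps its CIDR; 'duration' is the time *remaining*."""
    out = []
    for d in json.loads(body):
        net = ipaddress.ip_network(d["value"], strict=False)
        out.append((net, d["type"], d["scenario"], fetched_at + duration_seconds(d["duration"])))
    return out

DECISIONS = load_decisions(LAPI_RESPONSE, FETCHED_AT)

def remediation(decisions, client_ip, now):
    """The per-request check a bouncer performs: the first unexpired decision covering the
    client wins; 'ban' -> HTTP 403, 'captcha' -> challenge page, none -> pass through."""
    ip = ipaddress.ip_address(client_ip)
    for net, kind, scenario, expires_at in decisions:
        if now < expires_at and ip in net:
            return (kind, scenario)
    return ("pass", None)
```

Because the bouncer caches what it fetched, the expiry check matters: 192.0.2.9 is challenged one minute after the fetch but passes through ten minutes later, without another round trip to LAPI.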
Advanced Monitoring with Grafana#
The CrowdSec console caps the view at 500 alerts, which restricts visibility in high-traffic environments. For complete and detailed monitoring, we created a Grafana dashboard that shows IP blocks, attacks, and security decisions in real time.
This dashboard includes:
- Block Total for Pods: Number of blocked attempts per pod, helping to identify which pods are under the most attacks.
- Attacks by Scenarios: Distribution of attacks based on CrowdSec detection scenarios, showing the most frequent threat types.
- Total Ban by IP: List of blocked IPs, the scenario, and total occurrences, allowing easy tracking of malicious sources.
- Decisions Log: Detailed decision logs with timestamps and request data, providing full transparency of CrowdSec actions.

Access the dashboard: CrowdSec Monitoring on Grafana
This feature is essential for security teams to monitor, analyze, and respond quickly to threats in the infrastructure.
Conclusion#
With these configurations, CrowdSec is integrated into your Kubernetes cluster, monitoring logs, registering instances, and protecting your applications with Traefik, Nginx, and WAF AppSec.
Access the console: https://app.crowdsec.net/security-engines

