CrowdSec issue - http probing scenario

Hello dear community;

Is anyone using CrowdSec? I have secured a reverse proxy on a VPS with CrowdSec. The reverse proxy then forwards traffic via WireGuard to my home server, which hosts sb.md. When I open a new session in a browser for Silverbullet, all data gets cached. This triggers the HTTP probing scenario, and my IP gets banned. My IP changes often, and I don’t want to constantly risk being unable to access my notes.

Does anyone know this problem and have a solution? Currently, I have just adjusted the trigger for the ban to be a bit less sensitive.

I use all three products, but my setup differs from yours. Sharing for your consideration but I am not recommending you change your setup. You understand your requirements. I do not.

I establish the VPN connection prior to traversing the reverse proxy to SilverBullet, so the reverse proxy only sees the WireGuard peer assigned IP address. Assuming CrowdSec on the reverse proxy triggers, whitelist the WireGuard peer network.

https://app.crowdsec.net/hub/author/crowdsecurity/configurations/whitelists
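A whitelist parser of the kind suggested in the post above, as an added example (not posted by anyone in this thread, and not CrowdSec's shipped configuration). The file name, the parser name and the `10.8.0.0/24` subnet are assumptions. It only helps when the reverse proxy logs the WireGuard peer address as the client IP, as in the setup described above.

```yaml
# /etc/crowdsec/parsers/s02-enrich/wireguard-whitelist.yaml
# (file name is an assumption; whitelist parsers live in the s02-enrich stage)
name: local/wireguard-whitelist   # hypothetical local parser name
description: "Whitelist events whose source IP is a WireGuard peer"
whitelist:
  reason: "Trusted WireGuard peers reaching the reverse proxy over the tunnel"
  cidr:
    # Constructed example subnet: replace with the peer range of your tunnel.
    # Keep it as narrow as possible; every address in it bypasses all scenarios.
    - "10.8.0.0/24"
```

Reload CrowdSec after adding the file so the parser is loaded.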

That looks like a good approach. I’ll have to think it over and maybe change my setup.

In the meantime, I’m looking for other solutions… maybe the whitelist can be configured so that the HTTP probe scenario gets adjusted by the defined target and not by the requesting IP. :thinking:

When testing scenarios, I use CrowdSec’s simulation feature. As a temporary measure, you could set the scenario to simulate. It will alert but not block.

sudo cscli simulation enable crowdsecurity/http-probing
sudo service crowdsec reload

To turn off simulation:

sudo cscli simulation disable crowdsecurity/http-probing
sudo service crowdsec reload

I installed the crowdsecurity/http-probing scenario and tested without issue.

https://docs.crowdsec.net/docs/cscli/cscli_simulation

No idea if this is a feature. I did a quick hunt but my google-fu may be inadequate. Share if you find the solution. I can see where I may need to do the same at some point.

Have you tried CrowdSec’s Discord server?

Thanks for your effort. Meanwhile I found some reports about the same error with apps with a high frequency of requests (like Immich or Nextcloud Deck). I will check the CrowdSec community for a solution and will report back.