A lightweight CrowdSec bouncer for Envoy Proxy using the ext_authz filter.
Warning
This project is in active development and has not been tested in production environments. Use at your own risk. Breaking changes may occur between releases. For the most stable experience, use a tagged release rather than the main branch.
- Block malicious IPs using decisions streamed from CrowdSec
- Bouncer metrics reporting
- Request inspection via CrowdSec AppSec
- CAPTCHA challenges for suspicious IPs with support for:
  - Google reCAPTCHA v2
  - Cloudflare Turnstile
The bouncer integrates with Envoy Proxy as an external authorization service (the ext_authz filter), sitting between Envoy and your backend applications. It evaluates every request through a multi-stage security pipeline:
- IP Extraction
  - Extracts the real client IP from forwarded headers, respecting the trusted proxy configuration
- Bouncer Check
  - Queries the local decision cache for IP-based actions (ban or captcha)
  - Decisions are streamed in real time from CrowdSec via the Stream API
  - Low-latency lookups from an in-memory cache
- WAF Analysis
  - If enabled and no blocking decision exists, the request is forwarded to CrowdSec AppSec for inspection
- Decision Enforcement
  - Allow: the request proceeds to the backend
  - Ban: returns the configured status code (403 by default) with the ban page
  - Captcha: creates a session and redirects to the challenge
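The first two pipeline stages, IP extraction and the bouncer check, as an added example in Go; this is not the project's own code. It assumes the bouncer resolves the client address itself from the downstream address Envoy reports plus the X-Forwarded-For header, against a list of trusted proxy prefixes, and that stream decisions arrive with a value that is either a single address or a CIDR. The names ClientIP, DecisionCache and the sample addresses are mine. Two checks carry the security weight: the header is ignored unless the immediate peer is a trusted proxy, and the chain is walked from the right so an attacker-prepended entry never wins.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Action ordering matters: of several decisions covering one address, the most severe wins.
type Action int

const (
	Allow Action = iota
	Captcha
	Ban
)

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ClientIP returns the real client address. peer is the downstream address Envoy reports,
// xff the X-Forwarded-For value. The header is consulted only when the peer is a trusted
// proxy; the chain is walked from the right, and a malformed hop is an error (fail closed).
func ClientIP(peer, xff string, trusted []netip.Prefix) (netip.Addr, error) {
	peerAddr, err := netip.ParseAddr(peer)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("bad peer address %q: %w", peer, err)
	}
	if peerAddr = peerAddr.Unmap(); !isTrusted(peerAddr, trusted) {
		return peerAddr, nil // direct client: its header is untrusted input
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		h := strings.TrimSpace(hops[i])
		if h == "" {
			continue
		}
		a, err := netip.ParseAddr(h)
		if err != nil {
			return netip.Addr{}, fmt.Errorf("bad X-Forwarded-For hop %q: %w", h, err)
		}
		if a = a.Unmap(); !isTrusted(a, trusted) {
			return a, nil
		}
	}
	return peerAddr, nil // chain holds only trusted proxies: internal traffic
}

type decision struct {
	action  Action
	expires time.Time
}

// DecisionCache mirrors decisions received from the CrowdSec stream, keyed by prefix
// (/32 or /128 for single addresses). Hypothetical name; see the note below on locking.
type DecisionCache struct{ entries map[netip.Prefix]decision }

func NewDecisionCache() *DecisionCache { return &DecisionCache{entries: map[netip.Prefix]decision{}} }

// Upsert applies one "new" stream decision. value is the decision's value field:
// "203.0.113.7" for scope Ip, "198.51.100.0/24" for scope Range.
func (c *DecisionCache) Upsert(value string, action Action, expires time.Time) error {
	p, err := netip.ParsePrefix(value)
	if err != nil {
		a, err := netip.ParseAddr(value)
		if err != nil {
			return fmt.Errorf("unsupported decision value %q", value)
		}
		a = a.Unmap()
		p = netip.PrefixFrom(a, a.BitLen())
	}
	c.entries[p.Masked()] = decision{action, expires}
	return nil
}

// Lookup returns the most severe unexpired action covering ip, or Allow.
func (c *DecisionCache) Lookup(ip netip.Addr, now time.Time) Action {
	best := Allow
	for p, d := range c.entries {
		if p.Contains(ip) && now.Before(d.expires) && d.action > best {
			best = d.action
		}
	}
	return best
}

func main() {
	cache := NewDecisionCache()
	_ = cache.Upsert("203.0.113.0/24", Ban, time.Now().Add(time.Hour)) // constructed sample decision
	ip, err := ClientIP("10.0.0.5", "203.0.113.7, 10.0.0.2", []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")})
	fmt.Println(ip, cache.Lookup(ip, time.Now()) == Ban, err) // 203.0.113.7 true <nil>
}
```

A production cache would keep single addresses in a separate map for O(1) hits, guard the maps with a sync.RWMutex because the stream consumer writes while ext_authz checks read, and drop entries on "deleted" stream decisions; the shape of the lookup stays the same.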
When a banned IP attempts access, it receives the configured ban status code (403 by default) together with the ban page.
When CAPTCHA is enabled and a suspicious request is detected:
- The bouncer creates a secure session and redirects to /captcha/challenge?session=<id>
- The user completes the CAPTCHA challenge (reCAPTCHA v2 or Cloudflare Turnstile)
- The challenge response is verified at /captcha/verify
- On success, the IP is allowlisted and the user is redirected to their original destination
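The CAPTCHA session flow above, as an added Go example rather than the project's implementation. The provider call (reCAPTCHA v2 or Turnstile siteverify) sits behind a Verifier function so the block runs offline; CaptchaFlow, Session, safeReturnPath and the sample token and addresses are assumptions of mine. It shows the three properties to check in any such flow: the session is bound to the IP that triggered it, it is single-use whatever the outcome, and the post-challenge redirect only ever goes to a same-site path.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
	"time"
)

// Session ties one challenge to the IP that triggered it and the path to send the client back to.
type Session struct {
	IP      netip.Addr
	Return  string
	Expires time.Time
}

// Verifier asks the provider (reCAPTCHA v2 or Turnstile siteverify) whether a challenge
// response token is valid for ip. A function value so the flow can be exercised offline.
type Verifier func(token string, ip netip.Addr) (bool, error)

// CaptchaFlow holds pending sessions and the IPs that solved a challenge (hypothetical name).
// Concurrent use would need a lock around both maps.
type CaptchaFlow struct {
	verify               Verifier
	sessionTTL, allowTTL time.Duration
	sessions             map[string]Session
	allowed              map[netip.Addr]time.Time
}

func NewCaptchaFlow(v Verifier, sessionTTL, allowTTL time.Duration) *CaptchaFlow {
	return &CaptchaFlow{v, sessionTTL, allowTTL, map[string]Session{}, map[netip.Addr]time.Time{}}
}

// Allowed reports whether ip solved a challenge within allowTTL.
func (f *CaptchaFlow) Allowed(ip netip.Addr, now time.Time) bool {
	until, ok := f.allowed[ip]
	return ok && now.Before(until)
}

// Challenge creates a session for ip and returns the redirect target. The original request
// path is kept only if it is a same-site path, so the later redirect cannot become an open redirect.
func (f *CaptchaFlow) Challenge(ip netip.Addr, original string, now time.Time) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	id := hex.EncodeToString(raw)
	f.sessions[id] = Session{ip, safeReturnPath(original), now.Add(f.sessionTTL)}
	return "/captcha/challenge?session=" + id, nil
}

// Verify handles the submission at /captcha/verify. The session must exist, belong to the
// requesting IP and be unexpired; it is consumed either way so a token cannot be retried.
// On success the IP is allowlisted and the original path is returned for the redirect.
func (f *CaptchaFlow) Verify(sessionID, token string, ip netip.Addr, now time.Time) (string, error) {
	s, ok := f.sessions[sessionID]
	delete(f.sessions, sessionID)
	if !ok || s.IP != ip || !now.Before(s.Expires) {
		return "", errors.New("unknown, expired or foreign captcha session")
	}
	valid, err := f.verify(token, ip)
	if err != nil {
		return "", fmt.Errorf("provider verification failed: %w", err)
	}
	if !valid {
		return "", errors.New("captcha response rejected")
	}
	f.allowed[ip] = now.Add(f.allowTTL)
	return s.Return, nil
}

// safeReturnPath accepts only a path on this site ("/account?tab=1"). Anything with a scheme
// or host, a protocol-relative "//host", or backslashes (browsers may read them as slashes)
// falls back to "/".
func safeReturnPath(p string) string {
	u, err := url.Parse(p)
	if err != nil || u.Scheme != "" || u.Host != "" || !strings.HasPrefix(p, "/") ||
		strings.HasPrefix(p, "//") || strings.Contains(p, "\\") {
		return "/"
	}
	return p
}

func main() {
	// Stand-in verifier: accepts the constructed token "ok" instead of calling siteverify.
	flow := NewCaptchaFlow(func(tok string, _ netip.Addr) (bool, error) { return tok == "ok", nil }, 10*time.Minute, time.Hour)
	ip, now := netip.MustParseAddr("203.0.113.7"), time.Now()
	redirect, _ := flow.Challenge(ip, "//evil.example/phish", now) // open-redirect attempt is neutralised
	back, err := flow.Verify(strings.TrimPrefix(redirect, "/captcha/challenge?session="), "ok", ip, now)
	fmt.Println(back, err, flow.Allowed(ip, now)) // / <nil> true
}
```

In the real bouncer the allowlist is what the decision enforcement stage consults before issuing another challenge; keep its TTL shorter than the CrowdSec decision it overrides, otherwise a solved challenge outlives the ban that prompted it.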
- Configuration Guide - Configuration options, environment variables, and examples
- Deployment Guide - Kubernetes, Helm, Docker, and binary deployment instructions
- CAPTCHA Setup - CAPTCHA provider configuration and integration
- Custom Templates - Customize ban and CAPTCHA page templates
Kubernetes manifest examples can be found below:
- Helm schema generated with helm-values-schema-json
- Helm docs generated with helm-docs