Skip to content

Crowdsec Dashboard Protection docs#831

Open
PizzaLovingNerd wants to merge 6 commits into
netbirdio:mainfrom
PizzaLovingNerd:crowdsec-dashboard
Open

Crowdsec Dashboard Protection docs#831
PizzaLovingNerd wants to merge 6 commits into
netbirdio:mainfrom
PizzaLovingNerd:crowdsec-dashboard

Conversation

@PizzaLovingNerd

@PizzaLovingNerd PizzaLovingNerd commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

People were asking how to protect the actual dashboard with crowdsec, so I wrote a little guide in the docs on how to do so.

Summary by CodeRabbit

  • Documentation
    • Added a new guide for protecting the self-hosted NetBird dashboard using CrowdSec AppSec with the Traefik CrowdSec bouncer plugin.
    • Includes prerequisites, domain/port requirements, step-by-step configuration, verification expectations (allowed vs. blocked probes), and a stream-mode temporary IP blocking workflow.
    • Added troubleshooting coverage for startup ordering, networking, and AppSec metrics behavior.
    • Updated the documentation navigation with a new “CrowdSec Dashboard Protection” link under Self-Hosted NetBird → Maintenance.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds a new MDX guide and navigation entry for protecting the self-hosted NetBird dashboard with CrowdSec AppSec and the Traefik CrowdSec bouncer plugin, covering setup, Compose/Traefik configuration, verification, manual testing, and troubleshooting.

Changes

CrowdSec Dashboard Documentation

Layer / File(s) Summary
Navigation entry
src/components/NavigationDocs.jsx
Adds a Maintenance navigation link for the new CrowdSec dashboard protection page and terminates the navigation declaration with a semicolon.
Page intro and prerequisites
src/pages/selfhosted/maintenance/crowdsec-dashboard.mdx
Adds the exported page description, introduction, prerequisites, and required shell variables.
Deployment and config setup
src/pages/selfhosted/maintenance/crowdsec-dashboard.mdx
Adds new-install and migration guidance, dashboard bouncer key creation, and the AppSec acquisition configuration.
Compose and Traefik wiring
src/pages/selfhosted/maintenance/crowdsec-dashboard.mdx
Documents the plugin, middleware, router priority, network settings, health gating, readiness checks, collections, and bouncer registration.
Apply, verify, and troubleshoot
src/pages/selfhosted/maintenance/crowdsec-dashboard.mdx
Adds apply commands, verification checks, manual IP-block testing, troubleshooting notes, and related documentation links.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: SunsetDrifter, mlsmaycon, lixmal

Poem

I’m a rabbit with a docs-filled cart,
Hop-hop through CrowdSec, page by page.
Traefik guards the dashboard heart,
Bouncer keys take center stage,
Safe hops bloom on every page. 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change by indicating documentation for CrowdSec-based dashboard protection.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/pages/selfhosted/maintenance/crowdsec-dashboard.mdx (1)

128-131: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use a Warning component for the critical "don't attach to proxy-passthrough" caveat.

This callout guards against a config mistake that could break NetBird Proxy TCP passthrough. Per coding guidelines, alert-worthy content should use the Warning component from @/components/mdx rather than plain text, to make it visually distinct.

As per coding guidelines: "Import custom components from @/components/mdx (Note, Warning, Success) ... as needed for alerts, layout, media, and UI".

📝 Proposed change
+import { Warning } from '`@/components/mdx`'
+
...
-Leave the NetBird Proxy TCP passthrough labels unchanged. Do not attach this middleware to the `proxy-passthrough` TCP router.
+<Warning>
+  Leave the NetBird Proxy TCP passthrough labels unchanged. Do not attach this middleware to the `proxy-passthrough` TCP router.
+</Warning>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/selfhosted/maintenance/crowdsec-dashboard.mdx` around lines 128 -
131, The caveat about not attaching the middleware to the proxy-passthrough TCP
router is currently plain text and should be converted to the mdx Warning
component for alert-worthy guidance. Update the crowdsec-dashboard.mdx content
to use Warning from `@/components/mdx` for this specific “do not attach to
proxy-passthrough” instruction, while keeping the NetBird domain replacement
note separate and leaving the NetBird Proxy TCP passthrough labels unchanged.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/pages/selfhosted/maintenance/crowdsec-dashboard.mdx`:
- Around line 132-152: This update should be applied as a merge into the
generated crowdsec service, not as a full replacement, because the existing
installer-created service already includes fields like labels and logging that
must be preserved. In the crowdsec service definition used by the
installer/quickstart, add the AppSec collections, the dashboard bouncer
environment entry, and the stricter healthcheck while keeping all current keys
and settings intact. Make the changes in the crowdsec service block so it still
includes the existing metadata and runtime configuration alongside the new
COLLECTIONS, BOUNCER_KEY_netbird_dashboard, and healthcheck behavior.

---

Nitpick comments:
In `@src/pages/selfhosted/maintenance/crowdsec-dashboard.mdx`:
- Around line 128-131: The caveat about not attaching the middleware to the
proxy-passthrough TCP router is currently plain text and should be converted to
the mdx Warning component for alert-worthy guidance. Update the
crowdsec-dashboard.mdx content to use Warning from `@/components/mdx` for this
specific “do not attach to proxy-passthrough” instruction, while keeping the
NetBird domain replacement note separate and leaving the NetBird Proxy TCP
passthrough labels unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 774b8ea5-8e42-4149-bc5b-eb30306b28ce

📥 Commits

Reviewing files that changed from the base of the PR and between b3e19fd and 56ecbcf.

📒 Files selected for processing (1)
  • src/pages/selfhosted/maintenance/crowdsec-dashboard.mdx

Comment thread src/pages/selfhosted/maintenance/crowdsec-dashboard.mdx Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/components/NavigationDocs.jsx (1)

547-550: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

CrowdSec Dashboard Protection entry added to the wrong SELF-HOST section.

The new entry was added to the first (malformed, duplicate) SELF-HOST NETBIRD section at lines 475–588. It should be added to the second (complete) SELF-HOST section (lines 652–908), which contains the full set of maintenance links including the existing "CrowdSec IP Reputation" entry at lines 720–723. Adding it there keeps it next to its related CrowdSec entry and ensures it appears in the correct navigation group.

See the proposed fix in the comment above for the correct placement.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/NavigationDocs.jsx` around lines 547 - 550, The “CrowdSec
Dashboard Protection” entry is placed in the duplicate malformed SELF-HOST
NETBIRD section. Move the entry from that section to the complete SELF-HOST
navigation group, positioning it next to the existing “CrowdSec IP Reputation”
entry.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/components/NavigationDocs.jsx`:
- Line 1232: Fix the malformed docsNavigation structure by removing the entire
first duplicate SELF-HOST NETBIRD section, including its misplaced Public API
and For Partners entries, so subsequent sections remain top-level. Add the
CrowdSec Dashboard Protection entry to the complete second SELF-HOST NETBIRD
section immediately after CrowdSec IP Reputation, ensuring docsNavigation closes
correctly at the final bracket.

---

Outside diff comments:
In `@src/components/NavigationDocs.jsx`:
- Around line 547-550: The “CrowdSec Dashboard Protection” entry is placed in
the duplicate malformed SELF-HOST NETBIRD section. Move the entry from that
section to the complete SELF-HOST navigation group, positioning it next to the
existing “CrowdSec IP Reputation” entry.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6d84cfcd-70da-48ae-9918-5433c6712fbd

📥 Commits

Reviewing files that changed from the base of the PR and between f512d8f and 41d54ed.

📒 Files selected for processing (1)
  • src/components/NavigationDocs.jsx

Comment thread src/components/NavigationDocs.jsx Outdated
],
},
]
];

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | 🏗️ Heavy lift

Build failure: trailing semicolon exposes pre-existing bracket mismatch in docsNavigation.

The pipeline and Biome both report Expected ',', got ';' at line 1232. The root cause is a bracket mismatch: the first "SELF-HOST NETBIRD" section (lines 475–588) is never closed before the "AGENT NETWORK" section begins at line 589. All subsequent top-level sections (AGENT NETWORK, the second SELF-HOST, CLIENT, USE CASES, GET MORE HELP) are incorrectly nested inside the first SELF-HOST section's links array. When ] at line 1232 closes that links array, the parser is left inside the unclosed SELF-HOST section object, making the ; a syntax error.

The first SELF-HOST section (475–588) is a malformed duplicate of the second one (652–908). It also contains misplaced "Public API" and "For Partners" entries (lines 564–586) inside the Observability subsection — those already exist correctly in the MANAGE NETBIRD section (lines 450–472).

Recommended fix: Remove the entire first (malformed) SELF-HOST section (lines 475–588) and add the CrowdSec Dashboard Protection entry to the second (complete) SELF-HOST section, after the CrowdSec IP Reputation entry around line 723. Then the ]; at line 1232 will correctly close the docsNavigation array.

🔧 Proposed fix

Remove lines 475–588 (the malformed duplicate SELF-HOST section), and add the entry to the second SELF-HOST section:

  // Around line 723, after the CrowdSec IP Reputation entry in the second SELF-HOST section:
                    {
                        title: 'CrowdSec IP Reputation',
                        href: '/selfhosted/maintenance/crowdsec',
                    },
+                    {
+                        title: 'CrowdSec Dashboard Protection',
+                        href: '/selfhosted/maintenance/crowdsec-dashboard',
+                    },
                ],
            },

And remove the duplicate first SELF-HOST section (lines 475–588) entirely, including the misplaced Public API and For Partners entries inside Observability.

🧰 Tools
🪛 Biome (2.5.1)

[error] 1232-1232: expected , but instead found ;

(parse)

🪛 GitHub Actions: pr-build / 0_lint and build.txt

[error] 1232-1232: Build failed (webpack/Next.js). Syntax error: Expected ',', got ';' at line 1232.

🪛 GitHub Actions: pr-build / lint and build

[error] 1232-1232: Build failed with a JavaScript/TypeScript syntax error in NavigationDocs.jsx (webpack): "Expected ',', got ';'". Parsing failed at line 1232.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/components/NavigationDocs.jsx` at line 1232, Fix the malformed
docsNavigation structure by removing the entire first duplicate SELF-HOST
NETBIRD section, including its misplaced Public API and For Partners entries, so
subsequent sections remain top-level. Add the CrowdSec Dashboard Protection
entry to the complete second SELF-HOST NETBIRD section immediately after
CrowdSec IP Reputation, ensuring docsNavigation closes correctly at the final
bracket.

Sources: Linters/SAST tools, Pipeline failures

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant