Complete Deployment Guide to Dokploy Security & Monitoring: CrowdSec + Traefik + Grafana

This is the third article in the Dokploy series! Here are the security rules and configurations I use.

This article documents the practical experience of building a complete security and monitoring system in a Dokploy environment, covering CrowdSec threat detection, Traefik and Cloudflare integration, and an observability platform based on Grafana/Loki/VictoriaMetrics. All configurations can be directly replicated.

Dokploy Article Series:

Dokploy Deployment and Usage Tutorial - Part 1: Deploy Dokploy from Scratch

Configure Dokploy Backup with Cloudflare R2 - Part 2: Automatic Backup Configuration

This Article - Part 3: Security and Monitoring System

Architecture Overview#

The entire system consists of three core modules:

Dokploy Security and Monitoring Architecture

1
┌─────────────────────────────────────────────────────────────────────────┐
2
│                              Internet                                    │
3
│    User Request ──► Cloudflare CDN ──► Traefik (:80/:443)               │
4
└─────────────────────────────────────────────────────────────────────────┘
5
                                      │
6
                    ┌─────────────────┴─────────────────┐
7
                    ▼                                   ▼
8
        ┌───────────────────┐                 ┌─────────────────┐
9
        │ Traefik Middleware│                 │   Access Log    │
10
        │ ┌───────────────┐ │                 │  (JSON format)  │
11
        │ │Cloudflare-Only│ │                 └────────┬────────┘
12
        │ │  IP Allowlist │ │                          │
13
        │ └───────────────┘ │                          ▼
14
        │ ┌───────────────┐ │                 ┌─────────────────┐
15
        │ │   crowdsec    │◄├─────────────────│   CrowdSec      │
16
        │ │Threat Detection│ │                │   Engine        │
17
        │ └───────────────┘ │                 └────────┬────────┘
18
        └─────────┬─────────┘                          │
19
                  │                     ┌──────────────┼──────────────┐
20
                  ▼                     ▼              ▼              ▼
21
        ┌─────────────────┐   ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
22
        │ Docker Containers│   │  Firewall   │ │  Traefik    │ │VictoriaMetrics│
23
        │  App Services   │   │  Bouncer    │ │  Bouncer    │ │   Alerts    │
24
        └─────────────────┘   │  (nftables) │ │  (Plugin)   │ └─────────────┘
25
                              └─────────────┘ └─────────────┘
26

27
┌─────────────────────────────────────────────────────────────────────────┐
28
│                         Monitoring Stack                                 │
29
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐                  │
30
│  │ Alloy       │───►│    Loki     │───►│  Grafana    │                  │
31
│  │ Log Collector│   │  Log Storage│    │Visualization│                  │
32
│  └─────────────┘    └─────────────┘    └──────┬──────┘                  │
33
│  ┌─────────────┐    ┌─────────────┐           │                         │
34
│  │Node Exporter│───►│VictoriaMetrics│─────────┘                         │
35
│  │ Host Metrics│    │Metrics Storage│                                   │
36
│  └─────────────┘    └─────────────┘                                     │
37
└─────────────────────────────────────────────────────────────────────────┘

Component Responsibilities#

Component	Responsibility	Data Retention
CrowdSec Engine	Threat detection engine, analyzes logs to identify malicious behavior	-
Firewall Bouncer	Host-level firewall, blocks malicious IPs using nftables	-
Traefik Bouncer	Application-level protection, blocks requests in real-time	-
Loki	Log aggregation and storage	14 days
VictoriaMetrics	Time-series metrics storage	90 days
Alloy	Log collector, supports multiple log sources	-
Node Exporter	Host performance metrics collection	-
Grafana	Unified visualization dashboard	-

Part 1: CrowdSec Security Protection#

1.1 Introduction to CrowdSec#

CrowdSec is an open-source collaborative security engine that detects malicious behavior by analyzing logs and executes ban decisions through Bouncers. Its features include:

Behavior Analysis: Scenario-based threat detection
Community Sharing: Global threat intelligence sharing
Multi-layer Protection: Supports both firewall and application-layer Bouncers
Lightweight & Efficient: Written in Go, low resource consumption

1.2 Deploying CrowdSec in Dokploy#

Create a Compose service with the following configuration:

1
services:
2
  crowdsec:
3
    image: crowdsecurity/crowdsec:latest
4
    environment:
5
      GID: "${GID-1000}"
6
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-cve"
7
    volumes:
8
      - crowdsec-db:/var/lib/crowdsec/data/
9
      - crowdsec-config:/etc/crowdsec/
10
      - ../files/acquis.yaml:/etc/crowdsec/acquis.yaml
11
      - ../files/victoriametrics.yaml:/etc/crowdsec/notifications/http_victoriametrics.yaml
12
      - ../files/profiles.yaml:/etc/crowdsec/profiles.yaml
13
      - /etc/dokploy/traefik/dynamic/access.log:/var/log/traefik/access.log:ro
14
      - /var/log/auth.log:/var/log/ssh/auth.log:ro
15
    security_opt:
16
      - no-new-privileges:true
17
    ports:
18
      - "127.0.0.1:8080:8080"  # LAPI
19
      - "127.0.0.1:6060:6060"  # Prometheus metrics
20
    labels:
21
      - traefik.enable=false
22
    restart: unless-stopped
23
    networks:
24
      - default
25
      - dokploy-network
26

27
networks:
28
  default:
29
  dokploy-network:
30
    external: true
31

32
volumes:
33
  crowdsec-db:
34
  crowdsec-config:

Key Configuration Notes:

COLLECTIONS: Detection collections enabled, including Linux system, Traefik Web, and HTTP CVE
Mount Traefik access logs for CrowdSec analysis
Mount SSH auth logs to detect brute force attacks
Ports bound only to 127.0.0.1 for enhanced security

1.3 Log Acquisition Configuration#

Create files/acquis.yaml to define log sources for CrowdSec to analyze:

1
---
2
# Traefik access log acquisition
3
filenames:
4
  - /var/log/traefik/access.log
5
poll_without_inotify: true
6
labels:
7
  type: traefik
8

9
---
10
# SSH auth log acquisition
11
filenames:
12
  - /var/log/ssh/auth.log
13
labels:
14
  type: syslog

1.4 Decision Configuration#

Create files/profiles.yaml to define ban policies:

1
name: default_ip_remediation
2
filters:
3
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
4
decisions:
5
 - type: ban
6
   duration: 4h
7
notifications:
8
 - http_victoriametrics
9
on_success: break
10
---
11
name: default_range_remediation
12
filters:
13
 - Alert.Remediation == true && Alert.GetScope() == "Range"
14
decisions:
15
 - type: ban
16
   duration: 4h
17
notifications:
18
 - http_victoriametrics
19
on_success: break

Configuration Notes:

Ban malicious IPs for 4 hours upon detection
Supports both single IP and IP range bans
Each decision is notified to VictoriaMetrics for monitoring

1.5 Host-level Firewall Bouncer#

Install the Firewall Bouncer on the host to implement firewall-level blocking using nftables:

1
# Installation
2
curl -s https://install.crowdsec.net | sudo sh
3
apt install crowdsec-firewall-bouncer-nftables

Configuration file /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml:

1
mode: nftables
2
update_frequency: 10s
3
log_mode: file
4
log_dir: /var/log/
5
log_level: info
6
log_compression: true
7
log_max_size: 100
8
log_max_backups: 3
9
log_max_age: 30
10
api_url: http://127.0.0.1:8080/
11
api_key: YOUR_API_KEY_HERE
12
insecure_skip_verify: false
13
disable_ipv6: false
14
deny_action: DROP
15
deny_log: false
16
supported_decisions_types:
17
  - ban
18

19
blacklists_ipv4: crowdsec-blacklists
20
blacklists_ipv6: crowdsec6-blacklists
21
ipset_type: nethash
22
iptables_chains:
23
  - INPUT
24
iptables_add_rule_comments: true
25

26
nftables:
27
  ipv4:
28
    enabled: true
29
    set-only: false
30
    table: crowdsec
31
    chain: crowdsec-chain
32
    priority: -10
33
  ipv6:
34
    enabled: true
35
    set-only: false
36
    table: crowdsec6
37
    chain: crowdsec6-chain
38
    priority: -10
39

40
nftables_hooks:
41
  - input
42
  - forward
43

44
prometheus:
45
  enabled: false
46
  listen_addr: 127.0.0.1
47
  listen_port: 60601

Getting the API Key:

1
# Execute in CrowdSec container
2
docker exec -it <crowdsec-container> cscli bouncers add firewall-bouncer

1.6 Traefik Bouncer Plugin#

The Traefik Bouncer implements real-time request filtering at the application layer. First, enable the plugin in traefik.yml:

1
experimental:
2
  plugins:
3
    bouncer:
4
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
5
      version: v1.4.6

Then use it in middleware configuration:

1
http:
2
  middlewares:
3
    crowdsec:
4
      plugin:
5
        bouncer:
6
          enabled: true
7
          crowdsecMode: live
8
          crowdsecLapiKey: YOUR_TRAEFIK_BOUNCER_KEY
9
          crowdsecLapiHost: service-crowdsec-k5ws6c-crowdsec-1:8080

Getting the Traefik Bouncer Key:

1
docker exec -it <crowdsec-container> cscli bouncers add traefik-bouncer

1.7 VictoriaMetrics Alert Notification#

Create files/victoriametrics.yaml to push CrowdSec decisions to VictoriaMetrics:

1
type: http
2
name: http_victoriametrics
3
log_level: debug
4
format: >
5
  {{- range $Alert := . -}}
6
  {{- $traefikRouters := GetMeta . "traefik_router_name" -}}
7
  {{- range .Decisions -}}
8
  {"metric":{"__name__":"cs_lapi_decision","instance":"dokploy-server","country":"{{$Alert.Source.Cn}}","asname":"{{$Alert.Source.AsName}}","asnumber":"{{$Alert.Source.AsNumber}}","latitude":"{{$Alert.Source.Latitude}}","longitude":"{{$Alert.Source.Longitude}}","iprange":"{{$Alert.Source.Range}}","scenario":"{{.Scenario}}","type":"{{.Type}}","duration":"{{.Duration}}","scope":"{{.Scope}}","ip":"{{.Value}}","traefik_routers":{{ printf "%q" ($traefikRouters | uniq | join ",")}}},"values": [1],"timestamps":[{{now|unixEpoch}}000]}
9
  {{- end }}
10
  {{- end -}}
11
url: http://service-victoriametrics-dhydty-victoriametrics-1:8428/api/v1/import
12
method: POST
13
headers:
14
  Content-Type: application/json

This creates the cs_lapi_decision metric containing attacker’s geolocation, ASN, scenario, and other information for analysis in Grafana.

Part 2: Traefik and Cloudflare Integration#

2.1 Why Cloudflare IP Allowlist is Needed#

When using Cloudflare as a CDN, all requests pass through Cloudflare proxies. This creates two issues:

Source IP Confusion: Traefik sees Cloudflare’s proxy IP, not the real user IP
Direct Access Bypass: Attackers might directly access the origin server IP, bypassing Cloudflare’s protection

Solution:

Configure forwardedHeaders.trustedIPs to trust Cloudflare IPs and correctly obtain real client IPs
Configure ipAllowList middleware to only allow Cloudflare IPs

2.2 Traefik Static Configuration#

Complete /etc/dokploy/traefik/traefik.yml configuration:

1
global:
2
  sendAnonymousUsage: false
3

4
experimental:
5
  plugins:
6
    bouncer:
7
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
8
      version: v1.4.6
9

10
accessLog:
11
  filePath: "/etc/dokploy/traefik/dynamic/access.log"
12
  format: json
13
  bufferingSize: 100
14

15
providers:
16
  swarm:
17
    exposedByDefault: false
18
    watch: true
19
  docker:
20
    exposedByDefault: false
21
    watch: true
22
  file:
23
    directory: /etc/dokploy/traefik/dynamic
24
    watch: true
25

26
entryPoints:
27
  web:
28
    address: :80
29
    forwardedHeaders:
30
      trustedIPs:
31
        # Cloudflare IPv4
32
        - 173.245.48.0/20
33
        - 103.21.244.0/22
34
        - 103.22.200.0/22
35
        - 103.31.4.0/22
36
        - 141.101.64.0/18
37
        - 108.162.192.0/18
38
        - 190.93.240.0/20
39
        - 188.114.96.0/20
40
        - 197.234.240.0/22
41
        - 198.41.128.0/17
42
        - 162.158.0.0/15
43
        - 104.16.0.0/13
44
        - 104.24.0.0/14
45
        - 172.64.0.0/13
46
        - 131.0.72.0/22
47
    http:
48
      middlewares:
49
        - cloudflare-only@file
50
        - crowdsec@file
51

52
  websecure:
53
    address: :443
54
    http3:
55
      advertisedPort: 443
56
    forwardedHeaders:
57
      trustedIPs:
58
        # Cloudflare IPv4 (same as web)
59
        - 173.245.48.0/20
60
        - 103.21.244.0/22
61
        - 103.22.200.0/22
62
        - 103.31.4.0/22
63
        - 141.101.64.0/18
64
        - 108.162.192.0/18
65
        - 190.93.240.0/20
66
        - 188.114.96.0/20
67
        - 197.234.240.0/22
68
        - 198.41.128.0/17
69
        - 162.158.0.0/15
70
        - 104.16.0.0/13
71
        - 104.24.0.0/14
72
        - 172.64.0.0/13
73
        - 131.0.72.0/22
74
    http:
75
      middlewares:
76
        - cloudflare-only@file
77
        - crowdsec@file
78
      tls:
79
        certResolver: letsencrypt
80

81
api:
82
  insecure: true
83

84
certificatesResolvers:
85
  letsencrypt:
86
    acme:
87
      email: your-email@example.com
88
      storage: /etc/dokploy/traefik/dynamic/acme.json
89
      httpChallenge:
90
        entryPoint: web

Key Configuration Notes:

forwardedHeaders.trustedIPs: Trust Cloudflare IPs so Traefik correctly parses the X-Forwarded-For header to get real client IPs
http.middlewares: Entry-point level middleware chain, all requests pass through cloudflare-only and crowdsec middlewares
accessLog.format: json: JSON format logs for easy parsing by CrowdSec and Alloy

2.3 Dynamic Middleware Configuration#

/etc/dokploy/traefik/dynamic/middlewares.yml:

1
http:
2
  middlewares:
3
    redirect-to-https:
4
      redirectScheme:
5
        scheme: https
6
        permanent: true
7

8
    cloudflare-only:
9
      ipAllowList:
10
        sourceRange:
11
          # Cloudflare IPv4
12
          - "173.245.48.0/20"
13
          - "103.21.244.0/22"
14
          - "103.22.200.0/22"
15
          - "103.31.4.0/22"
16
          - "141.101.64.0/18"
17
          - "108.162.192.0/18"
18
          - "190.93.240.0/20"
19
          - "188.114.96.0/20"
20
          - "197.234.240.0/22"
21
          - "198.41.128.0/17"
22
          - "162.158.0.0/15"
23
          - "104.16.0.0/13"
24
          - "104.24.0.0/14"
25
          - "172.64.0.0/13"
26
          - "131.0.72.0/22"
27
          # Cloudflare IPv6
28
          - "2400:cb00::/32"
29
          - "2606:4700::/32"
30
          - "2803:f800::/32"
31
          - "2405:b500::/32"
32
          - "2405:8100::/32"
33
          - "2a06:98c0::/29"
34
          - "2c0f:f248::/32"
35

36
    crowdsec:
37
      plugin:
38
        bouncer:
39
          enabled: true
40
          crowdsecMode: live
41
          crowdsecLapiKey: YOUR_TRAEFIK_BOUNCER_KEY
42
          crowdsecLapiHost: service-crowdsec-k5ws6c-crowdsec-1:8080

TIP
Cloudflare IP lists may update. It’s recommended to periodically fetch the latest list from https://www.cloudflare.com/ips/.

2.4 Real IP Recognition Mechanism#

When requests flow through the following path, IP information changes:

1
User (203.0.113.50)
2
    → Cloudflare (adds CF-Connecting-IP: 203.0.113.50)
3
    → Traefik (trusts Cloudflare IP, parses X-Forwarded-For)
4
    → CrowdSec (gets real IP 203.0.113.50 from logs)

Traefik access log example:

1
{
2
  "ClientAddr": "172.71.99.180:11150",
3
  "ClientHost": "203.0.113.50",
4
  "RequestHost": "example.com",
5
  "RequestMethod": "GET",
6
  "RequestPath": "/api/data",
7
  "DownstreamStatus": 200,
8
  "RouterName": "my-router@docker"
9
}

ClientAddr: Cloudflare proxy IP
ClientHost: Real client IP (correctly parsed through trust configuration)

2.5 Special Route Bypass Configuration#

Some services may need to bypass CrowdSec detection (like analytics services). Create a separate route configuration:

1
http:
2
  routers:
3
    rybbit-backend-websecure:
4
      rule: Host(`analytics.example.com`) && PathPrefix(`/api`)
5
      service: rybbit-backend-service
6
      entryPoints:
7
        - websecure
8
      tls:
9
        certResolver: letsencrypt
10
      priority: 100  # High priority ensures matching first
11

12
  services:
13
    rybbit-backend-service:
14
      loadBalancer:
15
        servers:
16
          - url: http://rybbit-backend:3001
17
        passHostHeader: true

Note: These routes don’t have the crowdsec@file middleware applied, so they’re not protected by CrowdSec.

Part 3: Monitoring and Logging System#

3.1 Loki Log Storage#

Loki is a log aggregation system developed by Grafana Labs, designed for Kubernetes and container environments.

files/loki-config.yaml configuration:

1
# Loki 3.x configuration - Storage optimized
2
auth_enabled: false
3

4
server:
5
  http_listen_port: 3100
6
  grpc_listen_port: 9096
7
  log_level: info
8

9
common:
10
  path_prefix: /loki
11
  storage:
12
    filesystem:
13
      chunks_directory: /loki/chunks
14
      rules_directory: /loki/rules
15
  replication_factor: 1
16
  ring:
17
    kvstore:
18
      store: inmemory
19

20
# Loki 3.x uses TSDB + v13 schema
21
schema_config:
22
  configs:
23
    - from: 2024-01-01
24
      store: tsdb
25
      object_store: filesystem
26
      schema: v13
27
      index:
28
        prefix: index_
29
        period: 24h
30

31
storage_config:
32
  tsdb_shipper:
33
    active_index_directory: /loki/tsdb-shipper-active
34
    cache_location: /loki/tsdb-shipper-cache
35
    cache_ttl: 24h
36
  filesystem:
37
    directory: /loki/chunks
38

39
# Ingester optimization for better compression
40
ingester:
41
  chunk_idle_period: 30m
42
  chunk_block_size: 262144     # 256KB blocks
43
  chunk_target_size: 1572864   # 1.5MB chunks
44
  chunk_retain_period: 1m
45
  max_chunk_age: 2h
46
  flush_check_period: 30s
47
  flush_op_timeout: 10m
48
  wal:
49
    enabled: true
50
    dir: /loki/wal
51
    flush_on_shutdown: true
52

53
limits_config:
54
  retention_period: 336h       # 14 days retention
55
  ingestion_rate_mb: 8
56
  ingestion_burst_size_mb: 16
57
  max_streams_per_user: 5000
58
  max_entries_limit_per_query: 5000
59
  max_line_size: 128KB
60
  allow_structured_metadata: true
61
  per_stream_rate_limit: 3MB
62
  per_stream_rate_limit_burst: 10MB
63
  max_label_name_length: 1024
64
  max_label_value_length: 2048
65
  max_label_names_per_series: 15
66

67
compactor:
68
  working_directory: /loki/compactor
69
  retention_enabled: true
70
  retention_delete_delay: 1h
71
  delete_request_store: filesystem
72
  compaction_interval: 10m
73
  retention_delete_worker_count: 150
74

75
query_range:
76
  results_cache:
77
    cache:
78
      embedded_cache:
79
        enabled: true
80
        max_size_mb: 100
81
  parallelise_shardable_queries: true
82
  cache_results: true
83

84
query_scheduler:
85
  max_outstanding_requests_per_tenant: 100
86

87
analytics:
88
  reporting_enabled: false

3.2 Alloy Log Collection#

Grafana Alloy is the next-generation log/metrics collector, replacing Promtail.

files/alloy-config.alloy configuration:

1
// Grafana Alloy Configuration - Log Collection
2
// Optimized for storage efficiency
3

4
// ============================================
5
// Loki Output Endpoint
6
// ============================================
7
loki.write "default" {
8
  endpoint {
9
    url       = "http://loki:3100/loki/api/v1/push"
10
    batch_wait   = "5s"       // Batch for better compression
11
    batch_size   = "1MiB"     // 1MB batch size
12
  }
13
  external_labels = {
14
    cluster = "dokploy",
15
  }
16
}
17

18
// ============================================
19
// Docker Container Discovery
20
// ============================================
21
discovery.docker "containers" {
22
  host             = "unix:///var/run/docker.sock"
23
  refresh_interval = "30s"
24
}
25

26
// ============================================
27
// Docker Container Log Collection
28
// ============================================
29
discovery.relabel "docker_logs" {
30
  targets = discovery.docker.containers.targets
31

32
  // Extract container name
33
  rule {
34
    source_labels = ["__meta_docker_container_name"]
35
    regex         = "/(.*)"
36
    target_label  = "container"
37
  }
38

39
  // Extract compose project
40
  rule {
41
    source_labels = ["__meta_docker_container_label_com_docker_compose_project"]
42
    target_label  = "compose_project"
43
  }
44

45
  // Extract compose service
46
  rule {
47
    source_labels = ["__meta_docker_container_label_com_docker_compose_service"]
48
    target_label  = "compose_service"
49
  }
50

51
  // Extract image name
52
  rule {
53
    source_labels = ["__meta_docker_container_image"]
54
    target_label  = "image"
55
  }
56
}
57

58
loki.source.docker "containers" {
59
  host       = "unix:///var/run/docker.sock"
60
  targets    = discovery.relabel.docker_logs.output
61
  forward_to = [loki.process.docker.receiver]
62
}
63

64
loki.process "docker" {
65
  stage.static_labels {
66
    values = {
67
      job  = "docker",
68
      host = "dokploy-server",
69
    }
70
  }
71

72
  forward_to = [loki.write.default.receiver]
73
}
74

75
// ============================================
76
// Traefik Access Log (JSON format)
77
// ============================================
78
local.file_match "traefik" {
79
  path_targets = [{"__path__" = "/var/log/traefik/access.log"}]
80
  sync_period  = "15s"
81
}
82

83
loki.source.file "traefik" {
84
  targets       = local.file_match.traefik.targets
85
  forward_to    = [loki.process.traefik.receiver]
86
  tail_from_end = true
87
}
88

89
loki.process "traefik" {
90
  stage.static_labels {
91
    values = {
92
      job  = "traefik",
93
      host = "dokploy-server",
94
    }
95
  }
96

97
  // Parse JSON and extract fields as labels
98
  stage.json {
99
    expressions = {
100
      client_ip    = "ClientHost",
101
      method       = "RequestMethod",
102
      path         = "RequestPath",
103
      status       = "DownstreamStatus",
104
      router       = "RouterName",
105
      request_host = "RequestHost",
106
      entry_point  = "entryPointName",
107
    }
108
  }
109

110
  stage.labels {
111
    values = {
112
      client_ip    = "",
113
      method       = "",
114
      status       = "",
115
      router       = "",
116
      request_host = "",
117
      entry_point  = "",
118
    }
119
  }
120

121
  forward_to = [loki.write.default.receiver]
122
}
123

124
// ============================================
125
// SSH/Auth Log
126
// ============================================
127
local.file_match "auth" {
128
  path_targets = [{"__path__" = "/var/log/host/auth.log"}]
129
  sync_period  = "30s"
130
}
131

132
loki.source.file "auth" {
133
  targets       = local.file_match.auth.targets
134
  forward_to    = [loki.process.auth.receiver]
135
  tail_from_end = true
136
}
137

138
loki.process "auth" {
139
  stage.static_labels {
140
    values = {
141
      job  = "auth",
142
      host = "dokploy-server",
143
    }
144
  }
145

146
  // Parse syslog format
147
  stage.regex {
148
    expression = "^(?P<timestamp>\\w+\\s+\\d+\\s+\\d+:\\d+:\\d+)\\s+(?P<hostname>\\S+)\\s+(?P<service>[^\\[:]+)(?:\\[(?P<pid>\\d+)\\])?:\\s+(?P<message>.*)$"
149
  }
150

151
  stage.labels {
152
    values = {
153
      service = "",
154
    }
155
  }
156

157
  forward_to = [loki.write.default.receiver]
158
}
159

160
// ============================================
161
// UFW Firewall Log
162
// ============================================
163
local.file_match "ufw" {
164
  path_targets = [{"__path__" = "/var/log/host/ufw.log"}]
165
  sync_period  = "30s"
166
}
167

168
loki.source.file "ufw" {
169
  targets       = local.file_match.ufw.targets
170
  forward_to    = [loki.process.ufw.receiver]
171
  tail_from_end = true
172
}
173

174
loki.process "ufw" {
175
  stage.static_labels {
176
    values = {
177
      job  = "ufw",
178
      host = "dokploy-server",
179
    }
180
  }
181

182
  // Extract UFW fields
183
  stage.regex {
184
    expression = "\\[UFW (?P<action>\\w+)\\].*SRC=(?P<src_ip>[\\d\\.a-fA-F:]+).*PROTO=(?P<proto>\\w+)"
185
  }
186

187
  stage.regex {
188
    expression = "DPT=(?P<dst_port>\\d+)"
189
  }
190

191
  stage.labels {
192
    values = {
193
      action   = "",
194
      src_ip   = "",
195
      proto    = "",
196
      dst_port = "",
197
    }
198
  }
199

200
  forward_to = [loki.write.default.receiver]
201
}
202

203
// ============================================
204
// Kernel Log
205
// ============================================
206
local.file_match "kernel" {
207
  path_targets = [{"__path__" = "/var/log/host/kern.log"}]
208
  sync_period  = "30s"
209
}
210

211
loki.source.file "kernel" {
212
  targets       = local.file_match.kernel.targets
213
  forward_to    = [loki.process.kernel.receiver]
214
  tail_from_end = true
215
}
216

217
loki.process "kernel" {
218
  stage.static_labels {
219
    values = {
220
      job  = "kernel",
221
      host = "dokploy-server",
222
    }
223
  }
224

225
  forward_to = [loki.write.default.receiver]
226
}
227

228
// ============================================
229
// CrowdSec Logs
230
// ============================================
231
local.file_match "crowdsec" {
232
  path_targets = [
233
    {"__path__" = "/var/log/crowdsec/crowdsec.log", "log_type" = "main"},
234
    {"__path__" = "/var/log/crowdsec/crowdsec_api.log", "log_type" = "api"},
235
    {"__path__" = "/var/log/crowdsec/firewall-bouncer.log", "log_type" = "firewall-bouncer"},
236
  ]
237
  sync_period = "30s"
238
}
239

240
loki.source.file "crowdsec" {
241
  targets       = local.file_match.crowdsec.targets
242
  forward_to    = [loki.process.crowdsec.receiver]
243
  tail_from_end = true
244
}
245

246
loki.process "crowdsec" {
247
  stage.static_labels {
248
    values = {
249
      job  = "crowdsec",
250
      host = "dokploy-server",
251
    }
252
  }
253

254
  forward_to = [loki.write.default.receiver]
255
}

3.3 VictoriaMetrics Metrics Storage#

VictoriaMetrics is a high-performance Prometheus-compatible time-series database.

docker-compose.yml:

1
version: "3.8"
2
services:
3
  victoriametrics:
4
    image: victoriametrics/victoria-metrics:latest
5
    restart: unless-stopped
6
    volumes:
7
      - vm-data:/storage
8
      - ../files/scrape.yml:/etc/victoriametrics/scrape.yml
9
      - ../files/blackbox:/etc/prometheus/blackbox
10
    ports:
11
       - "127.0.0.1:20001:8428"
12
    command:
13
      - "--storageDataPath=/storage"
14
      - "--retentionPeriod=90d"
15
      - "--httpListenAddr=:8428"
16
      - "--promscrape.config=/etc/victoriametrics/scrape.yml"
17
    networks:
18
      - default
19
      - dokploy-network
20

21
networks:
22
  default:
23
  dokploy-network:
24
    external: true
25

26
volumes:
27
  vm-data:

files/scrape.yml metrics collection configuration:

1
scrape_configs:
2
  - job_name: 'crowdsec'
3
    scrape_interval: 15s
4
    static_configs:
5
      - targets: ['service-crowdsec-k5ws6c-crowdsec-1:6060']
6

7
  - job_name: 'logporter'
8
    scrape_interval: 15s
9
    static_configs:
10
      - targets: ['service-loki-wykkft-logporter-1:9333']
11
    metric_relabel_configs:
12
      - source_labels: [__name__]
13
        regex: 'docker_.*'
14
        action: keep
15

16
  - job_name: 'node-exporter'
17
    scrape_interval: 15s
18
    static_configs:
19
      - targets: ['service-loki-wykkft-node_exporter-1:9100']

3.4 Complete Docker Compose Configuration#

Complete configuration for Loki + Alloy + Node Exporter + Logporter:

1
version: "3.8"
2

3
services:
4
  loki:
5
    image: grafana/loki:latest
6
    restart: unless-stopped
7
    command: -config.file=/etc/loki/local-config.yaml
8
    volumes:
9
      - loki-data:/loki
10
      - ../files/loki-config.yaml:/etc/loki/local-config.yaml
11
    networks:
12
      - default
13
      - dokploy-network
14

15
  alloy:
16
    image: grafana/alloy:latest
17
    restart: unless-stopped
18
    command:
19
      - run
20
      - /etc/alloy/config.alloy
21
      - --server.http.listen-addr=0.0.0.0:12345
22
      - --storage.path=/var/lib/alloy/data
23
    volumes:
24
      - ../files/alloy-config.alloy:/etc/alloy/config.alloy
25
      - alloy-data:/var/lib/alloy/data
26
      - /var/run/docker.sock:/var/run/docker.sock:ro
27
      # Traefik logs
28
      - /etc/dokploy/traefik/dynamic/access.log:/var/log/traefik/access.log:ro
29
      # System logs
30
      - /var/log/auth.log:/var/log/host/auth.log:ro
31
      - /var/log/ufw.log:/var/log/host/ufw.log:ro
32
      - /var/log/kern.log:/var/log/host/kern.log:ro
33
      # CrowdSec logs
34
      - /var/log/crowdsec.log:/var/log/crowdsec/crowdsec.log:ro
35
      - /var/log/crowdsec_api.log:/var/log/crowdsec/crowdsec_api.log:ro
36
      - /var/log/crowdsec-firewall-bouncer.log:/var/log/crowdsec/firewall-bouncer.log:ro
37
    depends_on:
38
      - loki
39
    networks:
40
      - default
41
      - dokploy-network
42

43
  logporter:
44
    image: lifailon/logporter:latest
45
    restart: unless-stopped
46
    environment:
47
      - DOCKER_LOG_METRICS=false
48
      - DOCKER_LOG_CUSTOM_METRICS=false
49
      - DOCKER_LOG_CUSTOM_QUERY=error|Error|ERROR|exception|Exception|EXCEPTION|fail|Fail|FAIL
50
    volumes:
51
      - /var/run/docker.sock:/var/run/docker.sock
52
    networks:
53
      - default
54
      - dokploy-network
55

56
  node_exporter:
57
    image: quay.io/prometheus/node-exporter:latest
58
    restart: unless-stopped
59
    command:
60
       - '--path.rootfs=/host'
61
       - '--path.procfs=/host/proc'
62
       - '--path.sysfs=/host/sys'
63
       - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($$|/)'
64
    volumes:
65
      - /proc:/host/proc:ro
66
      - /sys:/host/sys:ro
67
      - /:/host:ro,rslave
68
    pid: host
69
    networks:
70
      - default
71
      - dokploy-network
72

73
networks:
74
  default:
75
  dokploy-network:
76
    external: true
77

78
volumes:
79
  loki-data:
80
  alloy-data:

3.5 Grafana Deployment#

Grafana is used for unified visualization of all monitoring data:

1
version: "3.8"
2
services:
3
  grafana:
4
    image: grafana/grafana:latest
5
    restart: unless-stopped
6
    volumes:
7
      - grafana-storage:/var/lib/grafana
8
    ports:
9
      - "127.0.0.1:20000:3000"
10
    networks:
11
      - default
12
      - dokploy-network
13

14
networks:
15
  default:
16
  dokploy-network:
17
    external: true
18

19
volumes:
20
  grafana-storage:

Configuring Data Sources:

Loki: Set URL to http://service-loki-wykkft-loki-1:3100
VictoriaMetrics: Set URL to http://service-victoriametrics-dhydty-victoriametrics-1:8428

Dashboard Screenshots#

Part 4: Troubleshooting#

4.1 CrowdSec Common Issues#

Issue: Bouncer connection failed

1
# Check CrowdSec service status
2
docker exec -it <crowdsec-container> cscli bouncers list
3

4
# Check LAPI connection
5
curl -s http://127.0.0.1:8080/v1/decisions | head

Issue: No attacks detected

1
# Check log acquisition status
2
docker exec -it <crowdsec-container> cscli metrics
3

4
# Check scenario status
5
docker exec -it <crowdsec-container> cscli scenarios list

Issue: False positive blocking legitimate users

1
# View current ban list
2
docker exec -it <crowdsec-container> cscli decisions list
3

4
# Remove specific IP ban
5
docker exec -it <crowdsec-container> cscli decisions delete --ip <IP>
6

7
# Add whitelist
8
docker exec -it <crowdsec-container> cscli parsers install crowdsecurity/whitelists

4.2 Traefik Connection Issues#

Issue: 503 Service Unavailable

1
# Check container network
2
docker network inspect dokploy-network
3

4
# Check if service is in correct network
5
docker inspect <container> | grep -A 10 Networks

Issue: Real IP not obtained correctly

Check if forwardedHeaders.trustedIPs in traefik.yml includes all Cloudflare IPs.

4.3 Log Collection Issues#

Issue: No logs in Loki

1
# Check Alloy status
2
docker logs <alloy-container> --tail 100
3

4
# Check Loki health status
5
curl -s http://127.0.0.1:3100/ready

Issue: Missing log labels

Check that stage.labels and stage.json configurations in Alloy config are correct.

4.4 Missing Monitoring Data#

Issue: No data in VictoriaMetrics

1
# Check scrape target status
2
curl -s http://127.0.0.1:20001/targets
3

4
# Manually query metrics
5
curl -s "http://127.0.0.1:20001/api/v1/query?query=up"

Issue: CrowdSec metrics push failed

Check if the URL in victoriametrics.yaml is correct and ensure container names match actual names.

Summary#

This article detailed the process of building a complete security and monitoring system in a Dokploy environment:

CrowdSec Multi-layer Protection: Containerized deployment + Host Firewall Bouncer + Traefik Plugin
Traefik + Cloudflare Integration: IP Allowlist + Real IP Recognition
Observability Platform: Loki Logs + VictoriaMetrics Metrics + Grafana Visualization
Comprehensive Log Collection: Docker containers, system logs, Traefik access logs, security logs

This system provides complete protection from network layer to application layer, along with comprehensive observability support, suitable for production environments.

References: