More complete documentation for setting up Crowdsec and the proxy manually.

[PizzaLovingNerd]

Addresses netbirdio/netbird#6059.

Summary by CodeRabbit

• Documentation
  • Enhanced CrowdSec migration guide with clearer Traefik/proxy configuration steps and complete setup examples
  • Added guidance on proxy token generation location and new configuration variables for reverse proxy integration

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation-only update to the CrowdSec migration guide. Adds clarification on token generation path, expands Step 7a to explicitly cover Traefik/proxy configuration alongside CrowdSec setup, introduces Traefik dynamic configuration with proxy protocol v2 server transport, and documents three new proxy environment variables for CrowdSec enforcement behavior.

Changes

CrowdSec with Reverse Proxy Configuration

Layer / File(s)	Summary
Token generation clarification src/pages/selfhosted/migration/enable-reverse-proxy.mdx	Step 2 token-generation instructions add a clarifying note about the typical <netbird-data-dir> location when using the combined-container setup.
CrowdSec and Traefik/proxy integration setup src/pages/selfhosted/migration/enable-reverse-proxy.mdx	Step 7a is expanded to document loading Traefik dynamic configuration with proxy protocol v2 server transport, mounting the dynamic config into Traefik, adding proxy labels to route through the custom transport, providing the traefik-dynamic.yaml content with transport definition, and adding three new proxy.env variables required for CrowdSec enforcement.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• SunsetDrifter
• TechHutTV

Poem

🐰 A rabbit hops through proxy paths so fine,
With CrowdSec dancing to Traefik's design,
Protocol v2 and trusted IPs align,
Documentation blooms in forwarded lines divine!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: updating documentation to provide more complete guidance on setting up CrowdSec and the reverse proxy manually.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

src/pages/selfhosted/migration/enable-reverse-proxy.mdx

Oops! Something went wrong! :(

ESLint: 9.39.4

TypeError: Converting circular structure to JSON
--> starting at object with constructor 'Object'
| property 'configs' -> object with constructor 'Object'
| property 'flat' -> object with constructor 'Object'
| ...
| property 'plugins' -> object with constructor 'Object'
--- property 'react' closes the circle
Referenced from:
at JSON.stringify ()
at file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:308:45
at Array.map ()
at ConfigValidator.formatErrors (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:299:23)
at ConfigValidator.validateConfigSchema (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/shared/config-validator.js:330:84)
at ConfigArrayFactory._normalizeConfigData (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:676:19)
at ConfigArrayFactory._loadConfigData (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:641:21)
at ConfigArrayFactory._loadExtendedShareableConfig (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:946:21)
at ConfigArrayFactory._loadExtends (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:814:25)
at ConfigArrayFactory._normalizeObjectConfigDataBody (file:///node_modules/.pnpm/@eslint+eslintrc@3.3.5/node_modules/@eslint/eslintrc/lib/config-array-factory.js:752:25)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/pages/selfhosted/migration/enable-reverse-proxy.mdx`:
- Around line 366-368: The hardcoded NB_PROXY_TRUSTED_PROXIES=172.30.0.10 will
not match the Traefik IP from the main migration flow; update the docs so
CrowdSec trusts the correct proxy: either (1) change the example
NB_PROXY_TRUSTED_PROXIES to a subnet (e.g., 172.30.0.0/24) so the entire Docker
network is trusted, (2) add the suggested static IP assignment for Traefik in
the Step 7a docker-compose/networks section (netbird + ipv4_address) so Traefik
actually gets 172.30.0.10, or (3) add a short note instructing users to replace
172.30.0.10 with their Traefik container IP (with the docker inspect command)
before starting CrowdSec; refer to NB_PROXY_TRUSTED_PROXIES, the Traefik service
config in Step 7a, and the netbird network example when making the change.
- Line 86: Update the phrasing "20 character Token ID" to use a hyphenated
compound adjective: change it to "20-character Token ID" (look for that exact
phrase in the paragraph that explains the nbx_ token format and the Token ID).
Ensure any other instances of numeric + adjective before a noun (e.g., "40
characters" used as adjective) are hyphenated similarly if present.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f48d74a2-349e-4802-a85a-bec0096cd26c

📥 Commits

Reviewing files that changed from the base of the PR and between 7fb329a and 80bb052.

📒 Files selected for processing (1)

• src/pages/selfhosted/migration/enable-reverse-proxy.mdx

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Hyphenate the compound adjective.

"20 character" should be hyphenated when used as a compound adjective before a noun.

📝 Proposed fix

-This outputs a token in the format `nbx_...` (40 characters). **Save the token immediately** - it is only displayed once. The management server stores only a SHA-256 hash. Make sure not to accidentally copy the 20 character Token ID instead.
+This outputs a token in the format `nbx_...` (40 characters). **Save the token immediately** - it is only displayed once. The management server stores only a SHA-256 hash. Make sure not to accidentally copy the 20-character Token ID instead.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	This outputs a token in the format `nbx_...` (40 characters). **Save the token immediately** - it is only displayed once. The management server stores only a SHA-256 hash. Make sure not to accidentally copy the 20 character Token ID instead.
	This outputs a token in the format `nbx_...` (40 characters). **Save the token immediately** - it is only displayed once. The management server stores only a SHA-256 hash. Make sure not to accidentally copy the 20-character Token ID instead.

🧰 Tools

🪛 LanguageTool

[grammar] ~86-~86: Use a hyphen to join words.
Context: ...ake sure not to accidentally copy the 20 character Token ID instead. You can man...

(QB_NEW_EN_HYPHEN)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/selfhosted/migration/enable-reverse-proxy.mdx` at line 86, Update
the phrasing "20 character Token ID" to use a hyphenated compound adjective:
change it to "20-character Token ID" (look for that exact phrase in the
paragraph that explains the nbx_ token format and the Token ID). Ensure any
other instances of numeric + adjective before a noun (e.g., "40 characters" used
as adjective) are hyphenated similarly if present.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Hardcoded Traefik IP doesn't match the main migration flow.

Line 368 sets NB_PROXY_TRUSTED_PROXIES=172.30.0.10, but the main migration steps (Steps 1-7) never assign this static IP to Traefik. The IP 172.30.0.10 is only configured in the optional section "Connecting through Traefik instead of Docker network" (starting line 532), which is separate from the CrowdSec setup.

Without a matching static IP, the proxy won't trust Traefik's actual Docker IP when parsing client addresses from the proxy protocol headers, which will break CrowdSec's IP reputation enforcement.

Impact: CrowdSec will either fail to identify client IPs correctly or block legitimate traffic.

Consider one of these solutions:

Option 1 (recommended): Use subnet notation instead of a single IP to trust the entire Docker network:

-NB_PROXY_TRUSTED_PROXIES=172.30.0.10
+NB_PROXY_TRUSTED_PROXIES=172.30.0.0/24

Option 2: Add static IP configuration to Step 7a before the CrowdSec container instructions:

Expand to see proposed addition to Step 7a

Add this subsection before "Add the following service to your docker-compose.yml:" on line 271:

First, assign a static IP to Traefik so the proxy can trust it:

```yaml
networks:
  netbird:
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.0.0/24
          gateway: 172.30.0.1

services:
  traefik:
    # ...existing traefik config...
    networks:
      netbird:
        ipv4_address: 172.30.0.10

This ensures NB_PROXY_TRUSTED_PROXIES (configured later) matches Traefik's IP.

</details>

**Option 3**: Add a note instructing users to determine their Traefik container IP:

```diff
 NB_PROXY_FORWARDED_PROTO=https
 NB_PROXY_PROXY_PROTOCOL=true
-NB_PROXY_TRUSTED_PROXIES=172.30.0.10
+NB_PROXY_TRUSTED_PROXIES=<traefik-container-ip>

<Note>
Replace `<traefik-container-ip>` with your Traefik container's IP address on the Docker network. Find it by running:
```bash
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <traefik-container-name>

```

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/selfhosted/migration/enable-reverse-proxy.mdx` around lines 366 -
368, The hardcoded NB_PROXY_TRUSTED_PROXIES=172.30.0.10 will not match the
Traefik IP from the main migration flow; update the docs so CrowdSec trusts the
correct proxy: either (1) change the example NB_PROXY_TRUSTED_PROXIES to a
subnet (e.g., 172.30.0.0/24) so the entire Docker network is trusted, (2) add
the suggested static IP assignment for Traefik in the Step 7a
docker-compose/networks section (netbird + ipv4_address) so Traefik actually
gets 172.30.0.10, or (3) add a short note instructing users to replace
172.30.0.10 with their Traefik container IP (with the docker inspect command)
before starting CrowdSec; refer to NB_PROXY_TRUSTED_PROXIES, the Traefik service
config in Step 7a, and the netbird network example when making the change.