CrowdSec Configuration
Settings for the CrowdSec LAPI connection and decision filtering.
Connection
crowdsec.api_url Required
Env: CROWDSEC_URL · Default: http://localhost:8080/
The URL of the CrowdSec Local API (LAPI). Include the trailing slash.
```yaml
crowdsec:
  api_url: "http://localhost:8080/"
```
crowdsec.api_key Required
Env: CROWDSEC_BOUNCER_API_KEY · Default: —
The bouncer API key. Generate one with:
```bash
sudo cscli bouncers add cs-routeros-bouncer
```
crowdsec.retry_initial_connect Optional
Env: CROWDSEC_RETRY_INITIAL_CONNECT · Default: true
When enabled, the bouncer retries connecting to LAPI on startup if the initial connection fails. Useful when the bouncer starts before CrowdSec is ready.
Polling
crowdsec.update_frequency Optional
Env: CROWDSEC_UPDATE_FREQUENCY · Default: 10s
How often to poll LAPI for new or expired decisions. Uses Go duration format (e.g., 10s, 1m, 30s).
crowdsec.reconciliation_interval Optional
Env: CROWDSEC_RECONCILIATION_INTERVAL · Default: 15m
How often to fetch a full active-decision snapshot from LAPI and reconcile it with MikroTik address-list membership. This repairs drift when an address-list entry is removed manually or expires on the router while CrowdSec still considers the decision active.
crowdsec.reconciliation_interval / CROWDSEC_RECONCILIATION_INTERVAL uses Go duration format, such as 1m, 15m, or 1h.
Set to 0 to disable periodic reconciliation. Any non-zero value must be at least 1m.
```yaml
crowdsec:
  reconciliation_interval: "15m"
```
crowdsec.lapi_metrics_interval Optional
Env: CROWDSEC_LAPI_METRICS_INTERVAL · Default: 15m
How often to report usage metrics to the CrowdSec LAPI /v1/usage-metrics endpoint. Set to 0 to disable.
Each push includes:
- Active decisions — per-origin (e.g., crowdsec, cscli, CAPI) and per-IP-type (ipv4, ipv6)
- Dropped traffic — bytes and packets blocked by MikroTik firewall rules (delta since last push)
- Bouncer metadata — type, version, OS info, uptime
This data appears in the CrowdSec Console and helps track bouncer effectiveness.
```yaml
crowdsec:
  lapi_metrics_interval: "15m"
```
Decision Filtering
crowdsec.origins Optional
Env: CROWDSEC_ORIGINS · Default: [] (all origins)
Filter decisions by their origin. Empty means all decisions are processed.
| Origin | Description |
| ---------- | ---------------------------------------------- |
| crowdsec | Decisions from CrowdSec detection engine |
| cscli | Manual decisions via cscli decisions add |
| CAPI | Community blocklists from CrowdSec Central API |
| lists:* | Named list origins such as lists:<name> |
```yaml
# Only local decisions (no community blocklists)
crowdsec:
  origins: ["crowdsec", "cscli"]
```
When set as an environment variable, CROWDSEC_ORIGINS is space-separated:
```bash
CROWDSEC_ORIGINS="crowdsec cscli"
```
Leaving origins empty accepts all origins, including CAPI and named list origins. Use lists:* as the wildcard pattern for lists:<name> entries when setting origins or CROWDSEC_ORIGINS. See CAPI Blocklists for scale and router sizing guidance.
crowdsec.scopes Optional
Env: CROWDSEC_SCOPES · Default: ["ip", "range"]
Decision scopes to process. Supported values: ip, range.
crowdsec.supported_decisions_types Optional
Env: CROWDSEC_DECISIONS_TYPES · Default: ["ban"]
Only decisions of these types are processed.
crowdsec.scenarios_containing Optional
Env: CROWDSEC_SCENARIOS_CONTAINING · Default: [] (no filter)
Only process decisions from scenarios whose name contains one of these literal substrings. Empty means no include filtering.
```yaml
crowdsec:
  scenarios_containing: ["ssh", "http"]
```
For example, "ssh" matches crowdsecurity/ssh-bf and any other scenario name containing ssh.
crowdsec.scenarios_not_containing Optional
Env: CROWDSEC_SCENARIOS_NOT_CONTAINING · Default: [] (no filter)
Exclude decisions from scenarios whose name contains one of these literal substrings.
```yaml
crowdsec:
  scenarios_not_containing: ["test", "honeypot"]
```
Use include and exclude filters together when you want a narrow subset of decisions. If no decisions appear, first check that the substrings match the scenario names shown by cscli decisions list -o json.
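When no decisions appear, it helps to know which filter key rejected a given decision. The Go sketch below models the filter semantics described in this section. It is an added example, not the bouncer's own code: the Decision and Filter types, the evaluation order, and the case-insensitive match on scope and type are assumptions, and the sample decision is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision holds the decision fields the filters look at (hypothetical model).
type Decision struct{ Origin, Scope, Type, Scenario string }
// Filter mirrors the crowdsec.* filter keys; an empty list applies no filter.
type Filter struct{ Origins, Scopes, Types, Containing, NotContaining []string }

// matches reports whether ok(v, item) holds for any item in list.
func matches(v string, list []string, ok func(v, item string) bool) bool {
	for _, item := range list {
		if ok(v, item) {
			return true
		}
	}
	return false
}

// originMatch treats "lists:*" as the wildcard for any "lists:<name>" origin.
func originMatch(origin, pat string) bool {
	return origin == pat || (pat == "lists:*" && strings.HasPrefix(origin, "lists:"))
}

// Explain returns "" if d passes, else the config key that rejects it first.
// Assumption: scope and type compare case-insensitively ("Ip" vs "ip").
func (f Filter) Explain(d Decision) string {
	switch {
	case len(f.Origins) > 0 && !matches(d.Origin, f.Origins, originMatch):
		return "origins"
	case len(f.Scopes) > 0 && !matches(d.Scope, f.Scopes, strings.EqualFold):
		return "scopes"
	case len(f.Types) > 0 && !matches(d.Type, f.Types, strings.EqualFold):
		return "supported_decisions_types"
	case len(f.Containing) > 0 && !matches(d.Scenario, f.Containing, strings.Contains):
		return "scenarios_containing"
	case matches(d.Scenario, f.NotContaining, strings.Contains):
		return "scenarios_not_containing"
	}
	return ""
}

func main() {
	f := Filter{Origins: []string{"crowdsec", "cscli", "lists:*"}, Containing: []string{"ssh"}}
	d := Decision{"CAPI", "Ip", "ban", "crowdsecurity/ssh-bf"} // constructed sample
	fmt.Printf("rejected by %q\n", f.Explain(d))
}
```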
TLS Authentication
For mutual TLS authentication with the LAPI:
crowdsec.cert_path Optional
Env: CROWDSEC_CERT_PATH · Default: —
Path to the TLS client certificate (PEM format).
crowdsec.key_path Optional
Env: CROWDSEC_KEY_PATH · Default: —
Path to the TLS client key (PEM format).
crowdsec.ca_cert_path Optional
Env: CROWDSEC_CA_CERT_PATH · Default: —
Path to the CA certificate (PEM format) for verifying the LAPI server certificate.
crowdsec.insecure_skip_verify Optional
Env: CROWDSEC_INSECURE_SKIP_VERIFY · Default: false
Skip TLS certificate verification for LAPI connections.
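A pre-flight check for the connection, polling and TLS settings on this page can catch mistakes before the bouncer starts. The following Go sketch is an added example, not part of the bouncer: the Check function, the pairing rule for certificate and key, the literal "true" test for the skip-verify flag, and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Check returns one finding per rule broken by env (variable name -> value; unset = absent).
func Check(env map[string]string) []string {
	var out []string
	if u := env["CROWDSEC_URL"]; u != "" && !strings.HasSuffix(u, "/") {
		out = append(out, "CROWDSEC_URL: missing trailing slash")
	}
	for _, k := range []string{"CROWDSEC_UPDATE_FREQUENCY",
		"CROWDSEC_RECONCILIATION_INTERVAL", "CROWDSEC_LAPI_METRICS_INTERVAL"} {
		v, set := env[k]
		if !set {
			continue // the documented default applies
		}
		d, err := time.ParseDuration(v)
		switch {
		case err != nil:
			out = append(out, k+": not a Go duration: "+v)
		case k == "CROWDSEC_RECONCILIATION_INTERVAL" && d != 0 && d < time.Minute:
			out = append(out, k+": non-zero value must be at least 1m")
		}
	}
	// A client certificate is unusable without its private key, and vice versa.
	if (env["CROWDSEC_CERT_PATH"] == "") != (env["CROWDSEC_KEY_PATH"] == "") {
		out = append(out, "mTLS: set CROWDSEC_CERT_PATH and CROWDSEC_KEY_PATH together")
	}
	if env["CROWDSEC_INSECURE_SKIP_VERIFY"] == "true" { // assumption: literal "true"
		out = append(out, "CROWDSEC_INSECURE_SKIP_VERIFY: LAPI certificate is not verified")
	}
	return out
}

func main() {
	env := map[string]string{ // constructed sample settings
		"CROWDSEC_URL":                     "https://lapi.example.internal:8080",
		"CROWDSEC_RECONCILIATION_INTERVAL": "30s",
		"CROWDSEC_CERT_PATH":               "/etc/bouncer/client.pem",
		"CROWDSEC_INSECURE_SKIP_VERIFY":    "true",
	}
	for _, f := range Check(env) {
		fmt.Println(f)
	}
}
```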