[BUG] appsec responding with 502, 503 or 504 should be considered as unavailable #337

@dani

Describe the bug 🐛
When reaching the appsec endpoint through a proxy (in my case envoy, but it would be the same with anything else), setting crowdsecAppsecUnreachableBlock to false has no effect. When using an L7 proxy to reach the appsec endpoint, if appsec is down, the proxy will respond (usually with a 502, 503 or 504 error code). In this case, Traefik will block every request no matter the value of crowdsecAppsecUnreachableBlock.

Expected behavior 👀
When the appsec endpoint replies with 502, 503 or 504, it should be considered as appsec being unavailable, so that the crowdsecAppsecUnreachableBlock setting is honored.

Context 🔎
When I shut down crowdsec, Traefik replies with a 403 for any request, despite crowdsecAppsecUnreachableBlock being false. In Traefik's logs:

time=2026-06-17T08:12:00.559+02:00 level=DEBUG msg="handleNextServeHTTP ip:192.168.7.106 isWaf:true appsecQuery statusCode:503" component=CrowdsecBouncerTraefikPlugin
time=2026-06-17T08:12:00.557+02:00 level=DEBUG msg="ServeHTTP ip:192.168.7.106 isTrusted:false" component=CrowdsecBouncerTraefikPlugin

Version (please complete the following information):

  • OS: Docker
  • Traefik version: 3.7.5
  • Plugin version: 1.6.0
  • Redis ? : no

To Reproduce
Steps to reproduce the behavior:

  1. Configure Traefik so that the appsec endpoint is reached through an L7 proxy
  2. Shut down crowdsec
  3. Try any request: Traefik replies with a 403
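
One way a bouncer could classify the appsec reply so that crowdsecAppsecUnreachableBlock is honored behind a proxy, as an added Go example that is not the plugin's own code. `shouldBlock`, `queryAppsec` and `fakeProxy` are hypothetical names, and the example assumes appsec answers 200 to allow a request.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// shouldBlock maps one appsec query result to a block decision (hypothetical helper).
// unreachableBlock mirrors the crowdsecAppsecUnreachableBlock setting.
func shouldBlock(status int, err error, unreachableBlock bool) bool {
	switch {
	case err != nil, // connection refused, timeout, DNS failure
		status == http.StatusBadGateway,
		status == http.StatusServiceUnavailable,
		status == http.StatusGatewayTimeout:
		// An L7 proxy answered for a dead upstream: appsec is unavailable.
		return unreachableBlock
	case status == http.StatusOK: // assumption: 200 means appsec allowed the request
		return false
	default: // 403 verdict or any unexpected status: fail closed
		return true
	}
}

// queryAppsec sends the check to url and classifies the outcome.
func queryAppsec(c *http.Client, url string, unreachableBlock bool) bool {
	resp, err := c.Get(url)
	if err != nil {
		return shouldBlock(0, err, unreachableBlock)
	}
	defer resp.Body.Close()
	return shouldBlock(resp.StatusCode, nil, unreachableBlock)
}

// fakeProxy is a constructed stand-in for the proxy in front of appsec.
func fakeProxy(status int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(status) }))
}

func main() {
	for _, s := range []int{200, 403, 502, 503, 504} {
		srv := fakeProxy(s)
		fmt.Printf("proxy status %d -> block=%v (unreachableBlock=false)\n",
			s, queryAppsec(srv.Client(), srv.URL, false))
		srv.Close()
	}
}
```

With the setting at false, every 502, 503 or 504 from the proxy lets the request through without a WAF check, so those responses are worth alerting on.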
