cs-unifi-bouncer-pro
Production-grade CrowdSec bouncer for UniFi network controllers
5.0K

cs-unifi-bouncer-pro is a production-grade CrowdSec bouncer for self-hosted UniFi network controllers. It automatically translates CrowdSec ban decisions into firewall rules, blocking malicious IPs at the network edge in real time.
It auto-detects zone-based (UniFi Network ≥ 8.x) or legacy WAN_IN firewall modes, applies bans across multiple sites simultaneously, and manages multi-shard Traffic Matching Lists with bin-packing and automatic rebalance. Bans are persisted in a crash-safe bbolt database, a configurable circuit breaker handles controller outages, and startup reconciliation corrects drift after a crash or restart. The image is distroless, under 20 MB, runs as nonroot (UID 65532), and is Cosign-signed with a CycloneDX SBOM attached to every release.
services:
bouncer:
image: developingchet/cs-unifi-bouncer-pro:latest
restart: unless-stopped
environment:
UNIFI_URL: https://192.168.1.1
UNIFI_API_KEY: your-api-key
CROWDSEC_LAPI_URL: http://crowdsec:8080
CROWDSEC_LAPI_KEY: your-bouncer-key
ZONE_PAIRS: External->Dmz
volumes:
- bouncer-data:/data
volumes:
bouncer-data:
For full setup including CrowdSec registration, TLS, multi-site, and Docker Secrets support, see the Setup Guide.
SHARD_MERGE_THRESHOLD)/v1/usage-metrics (default: 30 min; configurable)status bans, status ip, status historyBAN_TTL per CrowdSec scenario via BLOCK_SCENARIO_DURATION_MAPZONE_PAIRS_SCENARIO_MAP@ip1,ip2,... suffix on zone pairsDECISION_RATE_LIMIT)| Variable | Example | Description |
|---|---|---|
UNIFI_URL | https://192.168.1.1 | UniFi controller base URL |
UNIFI_API_KEY | your-api-key | API key (Settings → Control Plane → API Keys); or use UNIFI_USERNAME + UNIFI_PASSWORD |
CROWDSEC_LAPI_URL | http://crowdsec:8080 | CrowdSec LAPI URL (default assumes a Docker service named crowdsec) |
CROWDSEC_LAPI_KEY | your-bouncer-key | Bouncer key from cscli bouncers add unifi-bouncer |
ZONE_PAIRS | External->Dmz | Zone pair(s) for block policies; src[:sport,...]->dst[:dport,...][@dstIP,...] — port and destination IP filters are optional |
Sensitive variables (UNIFI_API_KEY, UNIFI_PASSWORD, CROWDSEC_LAPI_KEY) accept a _FILE suffix for Docker secrets and Kubernetes secret mounts. For the full variable reference see the Configuration Reference.
| Tag | When to use |
|---|---|
latest | stable, always points to the newest release |
v1.2.5 | exact version, recommended for production |
1.0 | minor-pinned |
1 | major-pinned |
This image is signed with Cosign (keyless OIDC). Verify with:
cosign verify developingchet/cs-unifi-bouncer-pro:v1.2.5 \
--certificate-identity-regexp="https://github.com/developingchet/cs-unifi-bouncer-pro/.github/workflows/release.yml@refs/tags/.*" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"
A CycloneDX SBOM is attached to each release and embedded as a Cosign attestation on the image.
Content type
Image
Digest
sha256:9373d66be…
Size
423.2 kB
Last updated
4 months ago
docker pull developingchet/cs-unifi-bouncer-pro:sha256-6ba45fd33fe9147d9fc3101703b21c02dd74d1f3dd7dfc0af2f4f2ac3ea510e6.att