Bastion is panel-first. Every setting below has a UI control in the Plesk extension. The CLI examples are for inspection; operators rarely need them.
LAPI
The local CrowdSec LAPI runs on localhost:8080 and is the single source of truth for every bouncer. The extension stores the bouncer API key in pm_Settings and reloads CrowdSec on save. Hierarchical scopes (server / subscription / hostname) are on the roadmap; today, scope granularity is server-wide with a per-domain whitelist override (see below).
AppSec (L7 WAF)
AppSec rules and CVE virtual-patches are managed through the Hub catalog:
# Inspect installed AppSec rules
cscli appsec-rules list
# Install a single rule via the Hub UI, or:
sudo cscli appsec-rules install crowdsecurity/base-config
sudo systemctl reload crowdsec
The appsec-bouncer is queried by verify.php on every request; verdicts are returned in the same auth_request roundtrip.
Captcha provider
Three providers are supported: hCaptcha (default), reCAPTCHA v2, Turnstile. Configure under Settings → Captcha. A solved challenge issues an HMAC cookie valid for 24 h; the visitor passes auth_request without re-challenge until the cookie expires.
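As an added illustration of the cookie scheme described above (this is not the extension's verify.php), here is one way a 24 h HMAC cookie can be issued after a solved challenge and checked on each auth_request; the cookie layout, the binding to the client IP, and all names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

COOKIE_TTL = 24 * 3600  # 24 h validity, as stated in the settings page


def issue_captcha_cookie(secret, client_ip, now=None):
    """Return base64url(payload) + '.' + hex(HMAC-SHA256(secret, payload)).

    The payload carries the expiry and (assumed hardening) the client IP,
    so a stolen cookie is useless from another address and after 24 h.
    """
    now = time.time() if now is None else now
    payload = json.dumps(
        {"ip": client_ip, "exp": int(now) + COOKIE_TTL, "nonce": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + sig


def verify_captcha_cookie(secret, cookie, client_ip, now=None):
    """True only if the MAC is valid, the cookie is unexpired and bound to client_ip."""
    now = time.time() if now is None else now
    try:
        b64, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison, and check the MAC before trusting the payload.
    if not hmac.compare_digest(expected, sig):
        return False
    try:
        data = json.loads(payload)
    except ValueError:
        return False
    return data.get("ip") == client_ip and now < data.get("exp", 0)
```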
Per-domain whitelist
A whitelist toggle bypasses Bastion for a single domain, useful when a customer’s CDN forwards real client IPs and the upstream CDN should authoritatively gate traffic. The toggle writes a dedicated nginx include that loads after the main CrowdSec map, guaranteeing it overrides global enforcement for the selected domain only.
Manual decisions
From Decisions → Add in the panel (or cscli decisions add on the shell) you can apply three action types:
- ban: drop the request.
- captcha: challenge the visitor before letting them through.
- throttle: rate-limit the source.
Each decision carries an expiry (--duration 4h, --duration 24h, etc.). Expiring decisions keep the support audit trail clean. To exempt a domain entirely, use the per-domain whitelist instead; it bypasses the auth_request module rather than going through LAPI.