Bastion installs as a regular Plesk extension, and it is what many operators are looking for when they search for a CrowdSec plugin for Plesk. Everything else (the CrowdSec engine, the auth_request nginx module, the bastion-php-fpm pool, the APT upgrade hook) is provisioned by the extension’s post-install routine.
Requirements
- Plesk Obsidian 18.0.77 or later, Linux only.
- Debian or Ubuntu (APT-based). RHEL / Rocky / AlmaLinux support is on the roadmap, not shipped yet.
- sw-nginx 1.28.x or 1.30.x (Plesk-bundled).
- iptables or nftables for the L4 firewall bouncer.
Install from the Plesk Marketplace
1. Plesk → Extensions Catalog → search Bastion Security → Install.
2. Open the extension → Settings → click Install CrowdSec. Provisions: CrowdSec engine, LAPI on localhost:8080, and one bouncer registration (plesk-bouncer). AppSec, firewall-bouncer and custom-bouncer ship as separate scripts under sbin/; multi-bouncer auto-registration is on the roadmap.
3. (Optional) Paste your hCaptcha, reCAPTCHA or Turnstile site key/secret for the captcha challenge page.
After step 2, all domains on the server are protected by the L7 bouncer (auth_request via the bastion nginx module). No vhost edits, no nginx reload by hand.
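One way to confirm the state step 2 is described as provisioning: the LAPI listener on port 8080 bound to loopback only, and the plesk-bouncer registration present. This is an added example, not part of the extension; the function names are hypothetical, the sample input is constructed, and the `--live` run assumes `ss` and `cscli` are on PATH.

```shell
#!/bin/sh
# Added example, not Bastion's own code. Helper names are hypothetical.
# Assumes `ss` (iproute2) and `cscli` are on PATH for the --live run.

# Print loopback | exposed | absent for the TCP listener on port $1,
# reading `ss -Hltn` output on stdin (field 4 is Local Address:Port).
lapi_bind_state() {
    awk -v port="$1" '
        { n = split($4, a, ":"); if (a[n] != port) next
          addr = substr($4, 1, length($4) - length(a[n]) - 1)
          seen = 1
          if (addr !~ /^(127\.|\[::1\]$)/) exposed = 1 }
        END { print (!seen ? "absent" : (exposed ? "exposed" : "loopback")) }'
}

# Succeed if `cscli bouncers list -o json` output on stdin contains a bouncer
# named $1 (assumes each entry carries a "name" field).
bouncer_registered() {
    tr -d ' \t\n' | grep -q "\"name\":\"$1\""
}

# Constructed sample input for an offline run.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
SAMPLE_BOUNCERS='[ { "name": "plesk-bouncer", "revoked": false } ]'

report() {   # $1 = ss output, $2 = bouncer JSON
    state=$(printf '%s\n' "$1" | lapi_bind_state 8080)
    echo "LAPI :8080 listener: $state"
    if printf '%s\n' "$2" | bouncer_registered plesk-bouncer; then
        echo "plesk-bouncer: registered"
    else
        echo "plesk-bouncer: missing"; state=fail
    fi
    [ "$state" = loopback ]
}

if [ "${1:-}" = "--live" ]; then
    report "$(ss -Hltn)" "$(cscli bouncers list -o json)"
else
    report "$SAMPLE_SS" "$SAMPLE_BOUNCERS"
fi
```

A listener reported as `exposed` means port 8080 is bound to a wildcard or non-loopback address and should be firewalled or rebound before relying on the setup.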
What gets installed
| Component | Purpose |
|---|---|
| nginx dynamic module | Performs the per-request auth_request handshake. |
| Server-block include | Hooks the module into every Plesk vhost. |
| Standalone PHP-FPM pool | Runs the captcha + verify endpoint on a private Unix socket. |
| APT upgrade hook | Pre/post handlers for the bundled nginx upgrade flow. |
| LAPI bans map | Compiled nginx fast-path of currently banned scopes. |
| Geo + decision lookup | Resolves request country and CrowdSec action for each call. |
Detailed install paths and permissions are available in the extension README shipped with the build and to active subscribers in the customer portal.
Trial and licensing
7-day trial via the Plesk Marketplace — card required to start. After the trial, the per-server subscription (CHF 19 / server / month) is billed automatically until you cancel.