Docs

Troubleshooting

Inspect bouncers, recover from nginx upgrades, and unblock legitimate users.

Bastion ships three log streams: the captcha PHP pool, the APT upgrade hook, and the underlying CrowdSec engine. Their exact paths are documented in the extension About panel for active subscribers.

Captcha is not served

# Is the nginx module loaded?
sudo nginx -V 2>&1 | grep bastion

# Is the server-block included?
sudo nginx -T 2>/dev/null | grep bastion-server-block

If a check fails, run the Extension → Settings → Reinstall components action, it re-runs the three Bastion install routines (nginx module, captcha pool, server-block include).

nginx fails to reload after sw-nginx upgrade

The APT post-hook stashes the Bastion load-config if the new module fails nginx -t. The Diagnostics tab surfaces a banner when this happens, with a one-click Reinstall nginx module button, the panel ships a precompiled module for the running nginx version and falls back to local compilation when build tools are present.

Legitimate user blocked

  1. Open Decisions in the extension, filter by source IP.
  2. Click Add exception → choose action (captcha or remove the existing ban) → set duration (24h, 7d, …) → note the support ticket ID.
  3. The exception lands in LAPI; bouncers pick it up on their next pull (interval set by each bouncer’s config, CrowdSec defaults are in the seconds-to-minutes range).

For a domain-wide bypass, prefer the per-domain Whitelist toggle rather than a permanent decision.

CrowdSec engine is down

sudo systemctl status crowdsec
sudo cscli lapi status
sudo cscli bouncers list

If LAPI is unreachable, every bouncer fails open to avoid serving 5xx to legitimate traffic. The Plesk dashboard banner will surface the outage.

← Back to docs index