[management, proxy] Add CrowdSec IP reputation integration for reverse proxy (#5722)

2026-04-16 07:16:38 +00:00 · 2026-04-14 19:14:58 +09:00
parent 4eed459f27
commit 0a30b9b275
37 changed files with 2157 additions and 552 deletions
--- a/proxy/internal/crowdsec/bouncer.go
+++ b/proxy/internal/crowdsec/bouncer.go
@@ -0,0 +1,251 @@
+// Package crowdsec provides a CrowdSec stream bouncer that maintains a local
+// decision cache for IP reputation checks.
+package crowdsec
+
+import (
+	"context"
+	"errors"
+	"net/netip"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/crowdsecurity/crowdsec/pkg/models"
+	csbouncer "github.com/crowdsecurity/go-cs-bouncer"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/proxy/internal/restrict"
+)
+
+// Bouncer wraps a CrowdSec StreamBouncer, maintaining a local cache of
+// active decisions for fast IP lookups. It implements restrict.CrowdSecChecker.
+type Bouncer struct {
+	mu       sync.RWMutex
+	ips      map[netip.Addr]*restrict.CrowdSecDecision
+	prefixes map[netip.Prefix]*restrict.CrowdSecDecision
+	ready    atomic.Bool
+
+	apiURL         string
+	apiKey         string
+	tickerInterval time.Duration
+	logger         *log.Entry
+
+	// lifeMu protects cancel and done from concurrent Start/Stop calls.
+	lifeMu sync.Mutex
+	cancel context.CancelFunc
+	done   chan struct{}
+}
+
+// compile-time check
+var _ restrict.CrowdSecChecker = (*Bouncer)(nil)
+
+// NewBouncer creates a bouncer but does not start the stream.
+func NewBouncer(apiURL, apiKey string, logger *log.Entry) *Bouncer {
+	return &Bouncer{
+		apiURL:   apiURL,
+		apiKey:   apiKey,
+		logger:   logger,
+		ips:      make(map[netip.Addr]*restrict.CrowdSecDecision),
+		prefixes: make(map[netip.Prefix]*restrict.CrowdSecDecision),
+	}
+}
+
+// Start launches the background goroutine that streams decisions from the
+// CrowdSec LAPI. The stream runs until Stop is called or ctx is cancelled.
+func (b *Bouncer) Start(ctx context.Context) error {
+	interval := b.tickerInterval
+	if interval == 0 {
+		interval = 10 * time.Second
+	}
+	stream := &csbouncer.StreamBouncer{
+		APIKey:              b.apiKey,
+		APIUrl:              b.apiURL,
+		TickerInterval:      interval.String(),
+		UserAgent:           "netbird-proxy/1.0",
+		Scopes:              []string{"ip", "range"},
+		RetryInitialConnect: true,
+	}
+
+	b.logger.Infof("connecting to CrowdSec LAPI at %s", b.apiURL)
+
+	if err := stream.Init(); err != nil {
+		return err
+	}
+
+	// Reset state from any previous run.
+	b.mu.Lock()
+	b.ips = make(map[netip.Addr]*restrict.CrowdSecDecision)
+	b.prefixes = make(map[netip.Prefix]*restrict.CrowdSecDecision)
+	b.mu.Unlock()
+	b.ready.Store(false)
+
+	ctx, cancel := context.WithCancel(ctx)
+	done := make(chan struct{})
+
+	b.lifeMu.Lock()
+	if b.cancel != nil {
+		b.lifeMu.Unlock()
+		cancel()
+		return errors.New("bouncer already started")
+	}
+	b.cancel = cancel
+	b.done = done
+	b.lifeMu.Unlock()
+
+	var wg sync.WaitGroup
+	wg.Add(2)
+
+	go func() {
+		defer wg.Done()
+		if err := stream.Run(ctx); err != nil && ctx.Err() == nil {
+			b.logger.Errorf("CrowdSec stream ended: %v", err)
+		}
+	}()
+
+	go func() {
+		defer wg.Done()
+		b.consumeStream(ctx, stream)
+	}()
+
+	go func() {
+		wg.Wait()
+		close(done)
+	}()
+
+	return nil
+}
+
+// Stop cancels the stream and waits for all goroutines to finish.
+func (b *Bouncer) Stop() {
+	b.lifeMu.Lock()
+	cancel := b.cancel
+	done := b.done
+	b.cancel = nil
+	b.lifeMu.Unlock()
+
+	if cancel != nil {
+		cancel()
+		<-done
+	}
+}
+
+// Ready returns true after the first batch of decisions has been processed.
+func (b *Bouncer) Ready() bool {
+	return b.ready.Load()
+}
+
+// CheckIP looks up addr in the local decision cache. Returns nil if no
+// active decision exists for the address.
+//
+// Prefix lookups are O(1): instead of scanning all stored prefixes, we
+// probe the map for every possible containing prefix of the address
+// (at most 33 for IPv4, 129 for IPv6).
+func (b *Bouncer) CheckIP(addr netip.Addr) *restrict.CrowdSecDecision {
+	addr = addr.Unmap()
+
+	b.mu.RLock()
+	defer b.mu.RUnlock()
+
+	if d, ok := b.ips[addr]; ok {
+		return d
+	}
+
+	maxBits := 32
+	if addr.Is6() {
+		maxBits = 128
+	}
+	// Walk from most-specific to least-specific prefix so the narrowest
+	// matching decision wins when ranges overlap.
+	for bits := maxBits; bits >= 0; bits-- {
+		prefix := netip.PrefixFrom(addr, bits).Masked()
+		if d, ok := b.prefixes[prefix]; ok {
+			return d
+		}
+	}
+
+	return nil
+}
+
+func (b *Bouncer) consumeStream(ctx context.Context, stream *csbouncer.StreamBouncer) {
+	first := true
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case resp, ok := <-stream.Stream:
+			if !ok {
+				return
+			}
+			b.mu.Lock()
+			b.applyDeleted(resp.Deleted)
+			b.applyNew(resp.New)
+			b.mu.Unlock()
+
+			if first {
+				b.ready.Store(true)
+				b.logger.Info("CrowdSec bouncer synced initial decisions")
+				first = false
+			}
+		}
+	}
+}
+
+func (b *Bouncer) applyDeleted(decisions []*models.Decision) {
+	for _, d := range decisions {
+		if d.Value == nil || d.Scope == nil {
+			continue
+		}
+		value := *d.Value
+
+		if strings.ToLower(*d.Scope) == "range" || strings.Contains(value, "/") {
+			prefix, err := netip.ParsePrefix(value)
+			if err != nil {
+				b.logger.Debugf("skip unparsable CrowdSec range deletion %q: %v", value, err)
+				continue
+			}
+			prefix = normalizePrefix(prefix)
+			delete(b.prefixes, prefix)
+		} else {
+			addr, err := netip.ParseAddr(value)
+			if err != nil {
+				b.logger.Debugf("skip unparsable CrowdSec IP deletion %q: %v", value, err)
+				continue
+			}
+			delete(b.ips, addr.Unmap())
+		}
+	}
+}
+
+func (b *Bouncer) applyNew(decisions []*models.Decision) {
+	for _, d := range decisions {
+		if d.Value == nil || d.Type == nil || d.Scope == nil {
+			continue
+		}
+		dec := &restrict.CrowdSecDecision{Type: restrict.DecisionType(*d.Type)}
+		value := *d.Value
+
+		if strings.ToLower(*d.Scope) == "range" || strings.Contains(value, "/") {
+			prefix, err := netip.ParsePrefix(value)
+			if err != nil {
+				b.logger.Debugf("skip unparsable CrowdSec range %q: %v", value, err)
+				continue
+			}
+			prefix = normalizePrefix(prefix)
+			b.prefixes[prefix] = dec
+		} else {
+			addr, err := netip.ParseAddr(value)
+			if err != nil {
+				b.logger.Debugf("skip unparsable CrowdSec IP %q: %v", value, err)
+				continue
+			}
+			b.ips[addr.Unmap()] = dec
+		}
+	}
+}
+
+// normalizePrefix unmaps v4-mapped-v6 addresses and zeros host bits so
+// the prefix is a valid map key that matches CheckIP's probe logic.
+func normalizePrefix(p netip.Prefix) netip.Prefix {
+	return netip.PrefixFrom(p.Addr().Unmap(), p.Bits()).Masked()
+}
--- a/proxy/internal/crowdsec/bouncer_test.go
+++ b/proxy/internal/crowdsec/bouncer_test.go
@@ -0,0 +1,337 @@
+package crowdsec
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/netip"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/crowdsecurity/crowdsec/pkg/models"
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/proxy/internal/restrict"
+)
+
+func TestBouncer_CheckIP_Empty(t *testing.T) {
+	b := newTestBouncer()
+	b.ready.Store(true)
+
+	assert.Nil(t, b.CheckIP(netip.MustParseAddr("1.2.3.4")))
+}
+
+func TestBouncer_CheckIP_ExactMatch(t *testing.T) {
+	b := newTestBouncer()
+	b.ready.Store(true)
+	b.ips[netip.MustParseAddr("10.0.0.1")] = &restrict.CrowdSecDecision{Type: restrict.DecisionBan}
+
+	d := b.CheckIP(netip.MustParseAddr("10.0.0.1"))
+	require.NotNil(t, d)
+	assert.Equal(t, restrict.DecisionBan, d.Type)
+
+	assert.Nil(t, b.CheckIP(netip.MustParseAddr("10.0.0.2")))
+}
+
+func TestBouncer_CheckIP_PrefixMatch(t *testing.T) {
+	b := newTestBouncer()
+	b.ready.Store(true)
+	b.prefixes[netip.MustParsePrefix("192.168.1.0/24")] = &restrict.CrowdSecDecision{Type: restrict.DecisionBan}
+
+	d := b.CheckIP(netip.MustParseAddr("192.168.1.100"))
+	require.NotNil(t, d)
+	assert.Equal(t, restrict.DecisionBan, d.Type)
+
+	assert.Nil(t, b.CheckIP(netip.MustParseAddr("192.168.2.1")))
+}
+
+func TestBouncer_CheckIP_UnmapsV4InV6(t *testing.T) {
+	b := newTestBouncer()
+	b.ready.Store(true)
+	b.ips[netip.MustParseAddr("10.0.0.1")] = &restrict.CrowdSecDecision{Type: restrict.DecisionBan}
+
+	d := b.CheckIP(netip.MustParseAddr("::ffff:10.0.0.1"))
+	require.NotNil(t, d)
+	assert.Equal(t, restrict.DecisionBan, d.Type)
+}
+
+func TestBouncer_Ready(t *testing.T) {
+	b := newTestBouncer()
+	assert.False(t, b.Ready())
+
+	b.ready.Store(true)
+	assert.True(t, b.Ready())
+}
+
+func TestBouncer_CheckIP_ExactBeforePrefix(t *testing.T) {
+	b := newTestBouncer()
+	b.ready.Store(true)
+	b.ips[netip.MustParseAddr("10.0.0.1")] = &restrict.CrowdSecDecision{Type: restrict.DecisionCaptcha}
+	b.prefixes[netip.MustParsePrefix("10.0.0.0/8")] = &restrict.CrowdSecDecision{Type: restrict.DecisionBan}
+
+	d := b.CheckIP(netip.MustParseAddr("10.0.0.1"))
+	require.NotNil(t, d)
+	assert.Equal(t, restrict.DecisionCaptcha, d.Type)
+
+	d2 := b.CheckIP(netip.MustParseAddr("10.0.0.2"))
+	require.NotNil(t, d2)
+	assert.Equal(t, restrict.DecisionBan, d2.Type)
+}
+
+func TestBouncer_ApplyNew_IP(t *testing.T) {
+	b := newTestBouncer()
+
+	b.applyNew(makeDecisions(
+		decision{scope: "ip", value: "1.2.3.4", dtype: "ban", scenario: "test/brute"},
+		decision{scope: "ip", value: "5.6.7.8", dtype: "captcha", scenario: "test/crawl"},
+	))
+
+	require.Len(t, b.ips, 2)
+	assert.Equal(t, restrict.DecisionBan, b.ips[netip.MustParseAddr("1.2.3.4")].Type)
+	assert.Equal(t, restrict.DecisionCaptcha, b.ips[netip.MustParseAddr("5.6.7.8")].Type)
+}
+
+func TestBouncer_ApplyNew_Range(t *testing.T) {
+	b := newTestBouncer()
+
+	b.applyNew(makeDecisions(
+		decision{scope: "range", value: "10.0.0.0/8", dtype: "ban"},
+	))
+
+	require.Len(t, b.prefixes, 1)
+	assert.NotNil(t, b.prefixes[netip.MustParsePrefix("10.0.0.0/8")])
+}
+
+func TestBouncer_ApplyDeleted_IP(t *testing.T) {
+	b := newTestBouncer()
+	b.ips[netip.MustParseAddr("1.2.3.4")] = &restrict.CrowdSecDecision{Type: restrict.DecisionBan}
+	b.ips[netip.MustParseAddr("5.6.7.8")] = &restrict.CrowdSecDecision{Type: restrict.DecisionBan}
+
+	b.applyDeleted(makeDecisions(
+		decision{scope: "ip", value: "1.2.3.4", dtype: "ban"},
+	))
+
+	assert.Len(t, b.ips, 1)
+	assert.Nil(t, b.ips[netip.MustParseAddr("1.2.3.4")])
+	assert.NotNil(t, b.ips[netip.MustParseAddr("5.6.7.8")])
+}
+
+func TestBouncer_ApplyDeleted_Range(t *testing.T) {
+	b := newTestBouncer()
+	b.prefixes[netip.MustParsePrefix("10.0.0.0/8")] = &restrict.CrowdSecDecision{Type: restrict.DecisionBan}
+	b.prefixes[netip.MustParsePrefix("192.168.0.0/16")] = &restrict.CrowdSecDecision{Type: restrict.DecisionBan}
+
+	b.applyDeleted(makeDecisions(
+		decision{scope: "range", value: "10.0.0.0/8", dtype: "ban"},
+	))
+
+	require.Len(t, b.prefixes, 1)
+	assert.NotNil(t, b.prefixes[netip.MustParsePrefix("192.168.0.0/16")])
+}
+
+func TestBouncer_ApplyNew_OverwritesExisting(t *testing.T) {
+	b := newTestBouncer()
+	b.ips[netip.MustParseAddr("1.2.3.4")] = &restrict.CrowdSecDecision{Type: restrict.DecisionBan}
+
+	b.applyNew(makeDecisions(
+		decision{scope: "ip", value: "1.2.3.4", dtype: "captcha"},
+	))
+
+	assert.Equal(t, restrict.DecisionCaptcha, b.ips[netip.MustParseAddr("1.2.3.4")].Type)
+}
+
+func TestBouncer_ApplyNew_SkipsInvalid(t *testing.T) {
+	b := newTestBouncer()
+
+	b.applyNew(makeDecisions(
+		decision{scope: "ip", value: "not-an-ip", dtype: "ban"},
+		decision{scope: "range", value: "also-not-valid", dtype: "ban"},
+	))
+
+	assert.Empty(t, b.ips)
+	assert.Empty(t, b.prefixes)
+}
+
+// TestBouncer_StreamIntegration tests the full flow: fake LAPI → StreamBouncer → Bouncer cache → CheckIP.
+func TestBouncer_StreamIntegration(t *testing.T) {
+	lapi := newFakeLAPI()
+	ts := httptest.NewServer(lapi)
+	defer ts.Close()
+
+	// Seed the LAPI with initial decisions.
+	lapi.setDecisions(
+		decision{scope: "ip", value: "1.2.3.4", dtype: "ban", scenario: "crowdsecurity/ssh-bf"},
+		decision{scope: "range", value: "10.0.0.0/8", dtype: "ban", scenario: "crowdsecurity/http-probing"},
+		decision{scope: "ip", value: "5.5.5.5", dtype: "captcha", scenario: "crowdsecurity/http-crawl"},
+	)
+
+	b := NewBouncer(ts.URL, "test-key", log.NewEntry(log.StandardLogger()))
+	b.tickerInterval = 200 * time.Millisecond
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	require.NoError(t, b.Start(ctx))
+	defer b.Stop()
+
+	// Wait for initial sync.
+	require.Eventually(t, b.Ready, 5*time.Second, 50*time.Millisecond, "bouncer should become ready")
+
+	// Verify decisions are cached.
+	d := b.CheckIP(netip.MustParseAddr("1.2.3.4"))
+	require.NotNil(t, d, "1.2.3.4 should be banned")
+	assert.Equal(t, restrict.DecisionBan, d.Type)
+
+	d2 := b.CheckIP(netip.MustParseAddr("10.1.2.3"))
+	require.NotNil(t, d2, "10.1.2.3 should match range ban")
+	assert.Equal(t, restrict.DecisionBan, d2.Type)
+
+	d3 := b.CheckIP(netip.MustParseAddr("5.5.5.5"))
+	require.NotNil(t, d3, "5.5.5.5 should have captcha")
+	assert.Equal(t, restrict.DecisionCaptcha, d3.Type)
+
+	assert.Nil(t, b.CheckIP(netip.MustParseAddr("9.9.9.9")), "unknown IP should be nil")
+
+	// Simulate a delta update: delete one IP, add a new one.
+	lapi.setDelta(
+		[]decision{{scope: "ip", value: "1.2.3.4", dtype: "ban"}},
+		[]decision{{scope: "ip", value: "2.3.4.5", dtype: "throttle", scenario: "crowdsecurity/http-flood"}},
+	)
+
+	// Wait for the delta to be picked up.
+	require.Eventually(t, func() bool {
+		return b.CheckIP(netip.MustParseAddr("2.3.4.5")) != nil
+	}, 5*time.Second, 50*time.Millisecond, "new decision should appear")
+
+	assert.Nil(t, b.CheckIP(netip.MustParseAddr("1.2.3.4")), "deleted decision should be gone")
+
+	d4 := b.CheckIP(netip.MustParseAddr("2.3.4.5"))
+	require.NotNil(t, d4)
+	assert.Equal(t, restrict.DecisionThrottle, d4.Type)
+
+	// Range ban should still be active.
+	assert.NotNil(t, b.CheckIP(netip.MustParseAddr("10.99.99.99")))
+}
+
+// Helpers
+
+func newTestBouncer() *Bouncer {
+	return &Bouncer{
+		ips:      make(map[netip.Addr]*restrict.CrowdSecDecision),
+		prefixes: make(map[netip.Prefix]*restrict.CrowdSecDecision),
+		logger:   log.NewEntry(log.StandardLogger()),
+	}
+}
+
+type decision struct {
+	scope    string
+	value    string
+	dtype    string
+	scenario string
+}
+
+func makeDecisions(decs ...decision) []*models.Decision {
+	out := make([]*models.Decision, len(decs))
+	for i, d := range decs {
+		out[i] = &models.Decision{
+			Scope:    strPtr(d.scope),
+			Value:    strPtr(d.value),
+			Type:     strPtr(d.dtype),
+			Scenario: strPtr(d.scenario),
+			Duration: strPtr("1h"),
+			Origin:   strPtr("cscli"),
+		}
+	}
+	return out
+}
+
+func strPtr(s string) *string { return &s }
+
+// fakeLAPI is a minimal fake CrowdSec LAPI that serves /v1/decisions/stream.
+type fakeLAPI struct {
+	mu       sync.Mutex
+	initial  []decision
+	newDelta []decision
+	delDelta []decision
+	served   bool // true after the initial snapshot has been served
+}
+
+func newFakeLAPI() *fakeLAPI {
+	return &fakeLAPI{}
+}
+
+func (f *fakeLAPI) setDecisions(decs ...decision) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	f.initial = decs
+	f.served = false
+}
+
+func (f *fakeLAPI) setDelta(deleted, added []decision) {
+	f.mu.Lock()
+	defer f.mu.Unlock()
+	f.delDelta = deleted
+	f.newDelta = added
+}
+
+func (f *fakeLAPI) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Path != "/v1/decisions/stream" {
+		http.NotFound(w, r)
+		return
+	}
+
+	f.mu.Lock()
+	defer f.mu.Unlock()
+
+	resp := streamResponse{}
+
+	if !f.served {
+		for _, d := range f.initial {
+			resp.New = append(resp.New, toLAPIDecision(d))
+		}
+		f.served = true
+	} else {
+		for _, d := range f.delDelta {
+			resp.Deleted = append(resp.Deleted, toLAPIDecision(d))
+		}
+		for _, d := range f.newDelta {
+			resp.New = append(resp.New, toLAPIDecision(d))
+		}
+		// Clear delta after serving once.
+		f.delDelta = nil
+		f.newDelta = nil
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(resp) //nolint:errcheck
+}
+
+// streamResponse mirrors the CrowdSec LAPI /v1/decisions/stream JSON structure.
+type streamResponse struct {
+	New     []*lapiDecision `json:"new"`
+	Deleted []*lapiDecision `json:"deleted"`
+}
+
+type lapiDecision struct {
+	Duration *string `json:"duration"`
+	Origin   *string `json:"origin"`
+	Scenario *string `json:"scenario"`
+	Scope    *string `json:"scope"`
+	Type     *string `json:"type"`
+	Value    *string `json:"value"`
+}
+
+func toLAPIDecision(d decision) *lapiDecision {
+	return &lapiDecision{
+		Duration: strPtr("1h"),
+		Origin:   strPtr("cscli"),
+		Scenario: strPtr(d.scenario),
+		Scope:    strPtr(d.scope),
+		Type:     strPtr(d.dtype),
+		Value:    strPtr(d.value),
+	}
+}
--- a/proxy/internal/crowdsec/registry.go
+++ b/proxy/internal/crowdsec/registry.go
@@ -0,0 +1,103 @@
+package crowdsec
+
+import (
+	"context"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/proxy/internal/types"
+)
+
+// Registry manages a single shared Bouncer instance with reference counting.
+// The bouncer starts when the first service acquires it and stops when the
+// last service releases it.
+type Registry struct {
+	mu      sync.Mutex
+	bouncer *Bouncer
+	refs    map[types.ServiceID]struct{}
+	apiURL  string
+	apiKey  string
+	logger  *log.Entry
+	cancel  context.CancelFunc
+}
+
+// NewRegistry creates a registry. The bouncer is not started until Acquire is called.
+func NewRegistry(apiURL, apiKey string, logger *log.Entry) *Registry {
+	return &Registry{
+		apiURL: apiURL,
+		apiKey: apiKey,
+		logger: logger,
+		refs:   make(map[types.ServiceID]struct{}),
+	}
+}
+
+// Available returns true when the LAPI URL and API key are configured.
+func (r *Registry) Available() bool {
+	return r.apiURL != "" && r.apiKey != ""
+}
+
+// Acquire registers svcID as a consumer and starts the bouncer if this is the
+// first consumer. Returns the shared Bouncer (which implements the restrict
+// package's CrowdSecChecker interface). Returns nil if not Available.
+func (r *Registry) Acquire(svcID types.ServiceID) *Bouncer {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	if !r.Available() {
+		return nil
+	}
+
+	if _, exists := r.refs[svcID]; exists {
+		return r.bouncer
+	}
+
+	if r.bouncer == nil {
+		r.startLocked()
+	}
+
+	// startLocked may fail, leaving r.bouncer nil.
+	if r.bouncer == nil {
+		return nil
+	}
+
+	r.refs[svcID] = struct{}{}
+	return r.bouncer
+}
+
+// Release removes svcID as a consumer. Stops the bouncer when the last
+// consumer releases.
+func (r *Registry) Release(svcID types.ServiceID) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	delete(r.refs, svcID)
+
+	if len(r.refs) == 0 && r.bouncer != nil {
+		r.stopLocked()
+	}
+}
+
+func (r *Registry) startLocked() {
+	b := NewBouncer(r.apiURL, r.apiKey, r.logger)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	r.cancel = cancel
+
+	if err := b.Start(ctx); err != nil {
+		r.logger.Errorf("failed to start CrowdSec bouncer: %v", err)
+		cancel()
+		return
+	}
+
+	r.bouncer = b
+	r.logger.Info("CrowdSec bouncer started")
+}
+
+func (r *Registry) stopLocked() {
+	r.bouncer.Stop()
+	r.cancel()
+	r.bouncer = nil
+	r.cancel = nil
+	r.logger.Info("CrowdSec bouncer stopped")
+}
--- a/proxy/internal/crowdsec/registry_test.go
+++ b/proxy/internal/crowdsec/registry_test.go
@@ -0,0 +1,66 @@
+package crowdsec
+
+import (
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/netbirdio/netbird/proxy/internal/types"
+)
+
+func TestRegistry_Available(t *testing.T) {
+	r := NewRegistry("http://localhost:8080/", "test-key", log.NewEntry(log.StandardLogger()))
+	assert.True(t, r.Available())
+
+	r2 := NewRegistry("", "", log.NewEntry(log.StandardLogger()))
+	assert.False(t, r2.Available())
+
+	r3 := NewRegistry("http://localhost:8080/", "", log.NewEntry(log.StandardLogger()))
+	assert.False(t, r3.Available())
+}
+
+func TestRegistry_Acquire_NotAvailable(t *testing.T) {
+	r := NewRegistry("", "", log.NewEntry(log.StandardLogger()))
+	b := r.Acquire("svc-1")
+	assert.Nil(t, b)
+}
+
+func TestRegistry_Acquire_Idempotent(t *testing.T) {
+	r := newTestRegistry()
+
+	b1 := r.Acquire("svc-1")
+	// Can't start without a real LAPI, but we can verify the ref tracking.
+	// The bouncer will be nil because Start fails, but the ref is tracked.
+	_ = b1
+
+	assert.Len(t, r.refs, 1)
+
+	// Second acquire of same service should not add another ref.
+	r.Acquire("svc-1")
+	assert.Len(t, r.refs, 1)
+}
+
+func TestRegistry_Release_Removes(t *testing.T) {
+	r := newTestRegistry()
+	r.refs[types.ServiceID("svc-1")] = struct{}{}
+
+	r.Release("svc-1")
+	assert.Empty(t, r.refs)
+}
+
+func TestRegistry_Release_Noop(t *testing.T) {
+	r := newTestRegistry()
+	// Releasing a service that was never acquired should not panic.
+	r.Release("nonexistent")
+	assert.Empty(t, r.refs)
+}
+
+func newTestRegistry() *Registry {
+	return &Registry{
+		apiURL: "http://localhost:8080/",
+		apiKey: "test-key",
+		logger: log.NewEntry(log.StandardLogger()),
+		refs:   make(map[types.ServiceID]struct{}),
+	}
+}