diff --git a/.gitignore b/.gitignore
index 197328a..938de78 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@ Thumbs.db
 *.swp
 *.swo
 *~
+crowdsec/
diff --git a/config.yml b/config.yml
index ef49afd..22d0b3f 100644
--- a/config.yml
+++ b/config.yml
@@ -6,6 +6,9 @@ http:
       entryPoints:
         - https
       service: gogs
+      middlewares:
+        - secure-headers
+        - crowdsec-bouncer
       tls:
         certResolver: letsencrypt
 
@@ -28,3 +31,22 @@ http:
         contentTypeNosniff: true
         browserXssFilter: true
         referrerPolicy: "same-origin"
+
+    # IP whitelist for internal network access only
+    internal-whitelist:
+      ipWhiteList:
+        sourceRange:
+          - "10.20.10.0/24"
+          - "10.20.140.0/24"
+          - "127.0.0.1/32"
+
+    # Crowdsec bouncer middleware
+    crowdsec-bouncer:
+      plugin:
+        bouncer:
+          enabled: true
+          crowdsecMode: live
+          crowdsecLapiKey: zQB3/JX6G+wxzYf4TvpMkmFLhSODYnfRhSkh8+y4+Zo
+          crowdsecLapiHost: crowdsec:8080
+          crowdsecLapiScheme: http
+          forwardedHeadersCustomName: X-Custom-Header
diff --git a/docker-compose.yml b/docker-compose.yml
index 4761c1a..d233041 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,6 +9,7 @@ services:
       - no-new-privileges:true
     networks:
       - traefik
+      - crowdsec
     ports:
       - "80:80"      # HTTP
       - "443:443"    # HTTPS
@@ -21,6 +22,7 @@ services:
       - ./traefik.yml:/traefik.yml:ro
       - ./acme.json:/acme.json
       - ./config.yml:/config.yml:ro
+      - ./logs:/var/log/traefik
     labels:
       - "traefik.enable=true"
       # Dashboard
@@ -28,10 +30,10 @@ services:
       - "traefik.http.routers.traefik.entrypoints=https"
       - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
       - "traefik.http.routers.traefik.service=api@internal"
-      - "traefik.http.routers.traefik.middlewares=traefik-auth"
-      # Dashboard auth (username: admin, password: change-this-password)
+      - "traefik.http.routers.traefik.middlewares=traefik-auth,internal-whitelist@file"
+      # Dashboard auth (username: admin, password: IdCTOFygYRqyDPSTOkUgMg==)
       # Generate new password: echo $(htpasswd -nb admin yourpassword) | sed -e s/\\$/\\$\\$/g
-      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$8evjlb96$$v8Y6gLV8KLVhqGB1N9NKQR/"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=admin:$$apr1$$GF9aEQUw$$iEUiC8oacwqPDqd4yPBnn/"
       # Global redirect to HTTPS
       - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
       - "traefik.http.routers.http-catchall.entrypoints=http"
@@ -42,3 +44,6 @@ networks:
   traefik:
     name: traefik
     driver: bridge
+  crowdsec:
+    name: crowdsec
+    external: true
diff --git a/traefik.yml b/traefik.yml
index 2d3293b..8a8a2fd 100644
--- a/traefik.yml
+++ b/traefik.yml
@@ -2,6 +2,12 @@ api:
   dashboard: true
   debug: false
 
+experimental:
+  plugins:
+    bouncer:
+      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+      version: v1.3.3
+
 entryPoints:
   http:
     address: ":80"