
June 23, 2026

Krawl

A modern, customizable web honeypot server designed to detect and track malicious activity from attackers and web crawlers through deceptive web pages, fake credentials, and canary tokens.


Demo

Tip: crawl the robots.txt paths for additional fun

Krawl URL: http://demo.krawlme.com

View the dashboard at http://demo.krawlme.com/das_dashboard

What is Krawl?

Krawl is a cloud‑native deception server designed to detect, delay, and analyze malicious attackers, web crawlers and automated scanners.

It creates realistic fake web applications filled with low‑hanging fruit such as admin panels, configuration files, and exposed fake credentials to attract and identify suspicious activity.

[image: dashboard]

By wasting attacker resources, Krawl helps clearly distinguish malicious behavior from legitimate crawlers.

It features:

  • AI Generated Deception Pages: Let attackers help generate your fake vulnerable attack surface
  • Spider Trap Pages: Infinite random links to waste crawler resources based on the spidertrap project
  • Fake Login Pages: WordPress, phpMyAdmin, admin panels
  • Honeypot Paths: Advertised in robots.txt to catch scanners
  • Fake Credentials: Realistic-looking usernames, passwords, API keys
  • Canary Token Integration: External alert triggering
  • Random server headers: Confuse attacks based on server header and version
  • Real-time Dashboard: Monitor suspicious activity
  • Customizable Wordlists: Easy JSON-based configuration
  • Random Error Injection: Mimic real server behavior

Krawl can be exposed alongside your other services behind a reverse proxy, so that web crawlers and malicious users are drawn to the honeypot instead of your real services. For more details, see the Reverse Proxy documentation.

[image: use case]

Krawl Dashboard

Krawl provides a comprehensive dashboard, accessible at a random secret path generated at startup or at a custom path configured via KRAWL_DASHBOARD_SECRET_PATH. This keeps the dashboard hidden from attackers scanning your honeypot.

The dashboard is organized in six tabs:

  • Overview: high-level view of attack activity: an interactive map of IP origins, recent suspicious requests, and top IPs, User-Agents, and paths.

[image: geoip]

  • Attacks: detailed breakdown of captured credentials, honeypot triggers, and detected attack types (SQLi, XSS, path traversal, etc.) with charts and tables.

[image: attack_types]

  • IP Insight: in-depth forensic view of a selected IP: geolocation, ISP/ASN info, reputation flags, behavioral timeline, attack type distribution, and full access history.

[image: ipinsight]

Additionally, after authenticating with the dashboard password, three protected tabs become available:

  • Tracked IPs: maintain a watchlist of IP addresses you want to monitor over time.
  • IP Banlist: manage IP bans, view detected attackers, and export the banlist in raw or IPTables format.
  • Deception: manage AI generated pages, export them or import new ones.

For more details, see the Dashboard documentation.

Deployment Modes

Krawl supports two deployment modes, controlled by the mode setting in config.yaml or the KRAWL_MODE environment variable.

              | Standalone                     | Scalable
------------- | ------------------------------ | -------------------------------
Database      | SQLite (WAL mode)              | PostgreSQL
Cache         | In-memory Python dict          | Redis (multi-tier TTL)
Replicas      | 1 (single instance)            | 1+ (horizontal scaling)
External deps | None                           | PostgreSQL + Redis
Best for      | Dev, homelabs, <500k requests  | Production, HA, >500k requests

Standalone — ideal for development environments or homelabs with low request counts. No additional configuration is needed: run Krawl and it works.

  • Single container deployment — no external dependencies
  • Lower RAM and resource usage

Scalable — designed for production environments or high-traffic honeypots. The Helm chart defaults to this mode.

  • Faster, more responsive dashboard thanks to Redis multi-tier caching
  • Lower disk I/O with Redis acting as a hot-path cache in front of PostgreSQL
  • Horizontal scaling — increase the number of Krawl replicas behind a load balancer

For detailed configuration, Docker Compose examples, Kubernetes/Helm setup, and step-by-step migration instructions, see the Deployment Modes documentation.

Quickstart

Docker Run

Run Krawl in standalone mode with the latest image:

docker run -d \
  -p 5000:5000 \
  -e KRAWL_DASHBOARD_SECRET_PATH="/my-secret-dashboard" \
  -e KRAWL_DASHBOARD_PASSWORD="my-secret-password" \
  -v krawl-data:/app/data \
  --name krawl \
  ghcr.io/blessedrebus/krawl:latest

Access the server at http://localhost:5000

Docker Compose

Create a docker-compose.yaml with one of the two deployment modes.

Standalone — just the Krawl server with SQLite storage:

services:
  krawl:
    image: ghcr.io/blessedrebus/krawl:latest
    container_name: krawl-server
    ports:
      - "5000:5000"
    environment:
      - CONFIG_LOCATION=config.yaml
      # - KRAWL_DASHBOARD_PASSWORD=my-secret-password
    volumes:
      - ./config.yaml:/app/config.yaml:ro
      - krawl-data:/app/data
    restart: unless-stopped

volumes:
  krawl-data:

Scalable — with PostgreSQL and Redis:

Caution

The example below uses default passwords (krawl/krawl). Change them before deploying to production.

services:
  postgres:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: krawl
      POSTGRES_USER: krawl
      POSTGRES_PASSWORD: krawl
    volumes:
      - postgres_data:/var/lib/postgresql/data
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U krawl -d krawl"]
      interval: 10s
      timeout: 5s
      retries: 5

  redis:
    image: redis:7-alpine
    volumes:
      - redis_data:/data
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

  krawl:
    image: ghcr.io/blessedrebus/krawl:latest
    container_name: krawl-server
    ports:
      - "5000:5000"
    environment:
      - CONFIG_LOCATION=config.yaml
      - KRAWL_MODE=scalable
      - KRAWL_POSTGRES_HOST=postgres
      - KRAWL_POSTGRES_PORT=5432
      - KRAWL_POSTGRES_USER=krawl
      - KRAWL_POSTGRES_PASSWORD=krawl
      - KRAWL_POSTGRES_DATABASE=krawl
      - KRAWL_REDIS_HOST=redis
      - KRAWL_REDIS_PORT=6379
      # - KRAWL_DASHBOARD_PASSWORD=my-secret-password
    volumes:
      - ./config.yaml:/app/config.yaml:ro
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy

volumes:
  postgres_data:
  redis_data:

To deploy, just run:

docker compose up -d

Production-ready compose files are also available in the docker/ directory. For development (builds from source with hot-reload), use the compose files at the project root.

For more details on both modes, see Deployment Modes.

Kubernetes

Krawl is also available natively on Kubernetes. Installation can be done either via manifest or using the Helm chart.

The Helm chart defaults to scalable mode with bundled PostgreSQL and Redis:

helm install krawl oci://ghcr.io/blessedrebus/krawl-chart --version 2.2.0 \
  -n krawl-system --create-namespace \
  --set postgres.password=your-password \
  --set redis.password=your-redis-password \
  --set dashboardPassword=your-dashboard-password \
  --set config.dashboard.secret_path=/my-secret-dashboard

Minimal example values files are provided for both modes.

See Deployment Modes and Chart documentation for full configuration and migration instructions.

Uvicorn (Python)

Run Krawl directly with Python 3.13+ and uvicorn for local development or testing:

pip install -r requirements.txt
uvicorn app:app --host 0.0.0.0 --port 5000 --app-dir src --no-server-header

Access the server at http://localhost:5000

Configuration

Krawl uses a configuration hierarchy in which environment variables take precedence over the configuration file. This approach is recommended for Docker deployments and quick out-of-the-box customization.

Configuration via config.yaml

You can use the config.yaml file for advanced configurations, such as Docker Compose or Helm chart deployments.

Configuration via Environment Variables

Environment Variable | Description | Default
--- | --- | ---
CONFIG_LOCATION | Path to yaml config file | config.yaml
KRAWL_PORT | Server listening port | 5000
KRAWL_DELAY | Response delay in milliseconds | 100
KRAWL_SERVER_HEADER | HTTP Server header for deception | ""
KRAWL_LINKS_LENGTH_RANGE | Link length range as min,max | 5,15
KRAWL_LINKS_PER_PAGE_RANGE | Links per page as min,max | 10,15
KRAWL_CHAR_SPACE | Characters used for link generation | abcdefgh...
KRAWL_MAX_COUNTER | Initial counter value | 10
KRAWL_CANARY_TOKEN_URL | External canary token URL | None
KRAWL_CANARY_TOKEN_TRIES | Requests before showing canary token | 10
KRAWL_DASHBOARD_SECRET_PATH | Custom dashboard path | Auto-generated
KRAWL_DASHBOARD_PASSWORD | Password for protected dashboard panels | Auto-generated
KRAWL_DASHBOARD_CACHE_WARMUP | Pre-compute dashboard data every 5 minutes for instant page loads | true
KRAWL_DASHBOARD_WARMUP_PAGES | Number of pages to pre-warm per table panel | 10
KRAWL_DASHBOARD_WARMUP_AGGREGATION | Pre-compute full top_paths/top_ua aggregations for zero-query serving | false
KRAWL_DASHBOARD_TOP_N_MIN_COUNT | Minimum access count for top paths/user agents panels (set to 1 to disable) | 5
KRAWL_PROBABILITY_ERROR_CODES | Error response probability (0-100%) | 0
KRAWL_DATABASE_PATH | Database file location | data/krawl.db
KRAWL_DATABASE_PERSIST_SUSPICIOUS_ONLY | Only persist suspicious requests to the access log | false
KRAWL_BACKUPS_PATH | Path where database dumps are saved | backups
KRAWL_BACKUPS_CRON | cron expression to control backup job schedule | */30 * * * *
KRAWL_BACKUPS_ENABLED | Boolean to enable db dump job | true
KRAWL_DATABASE_RETENTION_DAYS | Days to retain data in database | 30
KRAWL_TARPIT_ENABLED | Trap AI agents with slow responses and random text | false
KRAWL_TARPIT_DELAY_SECONDS | Extra delay in seconds added per response when tarpit is active | 5
KRAWL_HTTP_RISKY_METHODS_THRESHOLD | Threshold for risky HTTP methods detection | 0.1
KRAWL_VIOLATED_ROBOTS_THRESHOLD | Threshold for robots.txt violations | 0.1
KRAWL_UNEVEN_REQUEST_TIMING_THRESHOLD | Coefficient of variation threshold for timing | 0.5
KRAWL_UNEVEN_REQUEST_TIMING_TIME_WINDOW_SECONDS | Time window for request timing analysis in seconds | 300
KRAWL_USER_AGENTS_USED_THRESHOLD | Threshold for detecting multiple user agents | 2
KRAWL_ATTACK_URLS_THRESHOLD | Threshold for attack URL detection | 1
KRAWL_INFINITE_PAGES_FOR_MALICIOUS | Serve infinite pages to malicious IPs | true
KRAWL_MAX_PAGES_LIMIT | Maximum page limit for crawlers | 250
KRAWL_BAN_DURATION_SECONDS | Ban duration in seconds for rate-limited IPs | 600
KRAWL_AI_ENABLED | Enable AI-generated deception pages | false
KRAWL_AI_PROVIDER | AI provider ("openrouter" or "openai") | "openrouter"
KRAWL_AI_OPENAI_BASE_URL | Optional OpenAI Base URL for custom API endpoints | "https://api.openai.com/v1"
KRAWL_AI_API_KEY | API key for AI provider | None
KRAWL_AI_MODEL | AI model to use for page generation | "nvidia/nemotron-3-super-120b-a12b:free"
KRAWL_AI_TIMEOUT | Request timeout in seconds for AI API calls | 60
KRAWL_AI_MAX_DAILY_REQUESTS | Max number of AI-generated pages per day (0 = unlimited) | 0
KRAWL_AI_PROMPT | Custom prompt template for AI page generation | Default prompt
KRAWL_CUSTOM_TEMPLATE_PATH | Path inside the container to a custom HTML template. Template must include {counter} and {content} placeholders. | /templates/custom_page.html

Scalable mode

Environment Variable | Description | Default
--- | --- | ---
KRAWL_MODE | Deployment mode (standalone or scalable) | standalone
KRAWL_POSTGRES_HOST | PostgreSQL hostname | localhost
KRAWL_POSTGRES_PORT | PostgreSQL port | 5432
KRAWL_POSTGRES_USER | PostgreSQL username | krawl
KRAWL_POSTGRES_PASSWORD | PostgreSQL password | krawl
KRAWL_POSTGRES_DATABASE | PostgreSQL database name | krawl
KRAWL_REDIS_HOST | Redis hostname | localhost
KRAWL_REDIS_PORT | Redis port | 6379
KRAWL_REDIS_DB | Redis database number | 0
KRAWL_REDIS_PASSWORD | Redis password | None
KRAWL_REDIS_CACHE_TTL | TTL in seconds for dashboard warmup data | 600
KRAWL_REDIS_HOT_TTL | TTL in seconds for hot-path data (ban info, IP categories) | 30
KRAWL_REDIS_TABLE_TTL | TTL in seconds for paginated dashboard tables | 120

For example:

# Set canary token
export CONFIG_LOCATION="config.yaml"
export KRAWL_CANARY_TOKEN_URL="http://your-canary-token-url"

# Set number of pages range (min,max format)
export KRAWL_LINKS_PER_PAGE_RANGE="5,25"

# Set analyzer thresholds
export KRAWL_HTTP_RISKY_METHODS_THRESHOLD="0.2"
export KRAWL_VIOLATED_ROBOTS_THRESHOLD="0.15"

# Set custom dashboard path and password
export KRAWL_DASHBOARD_SECRET_PATH="/my-secret-dashboard"
export KRAWL_DASHBOARD_PASSWORD="my-secret-password"

Example of a Docker run with env variables (standalone mode):

docker run -d \
  -p 5000:5000 \
  -e KRAWL_MODE=standalone \
  -e KRAWL_PORT=5000 \
  -e KRAWL_DELAY=100 \
  -e KRAWL_DASHBOARD_PASSWORD="my-secret-password" \
  -e KRAWL_CUSTOM_TEMPLATE_PATH="/templates/custom_page.html" \
  -e KRAWL_CANARY_TOKEN_URL="http://your-canary-token-url" \
  --name krawl \
  ghcr.io/blessedrebus/krawl:latest

Use Krawl to Ban Malicious IPs

Krawl uses a reputation-based system to classify attacker IP addresses and provides two ways to export IP lists for firewall integration: the IP Banlist tab of the dashboard and the /api/export-ips endpoint.

The /api/export-ips endpoint queries the database directly and supports filtering by IP category (attacker, bad_crawler, regular_user, good_crawler) and output format (raw, iptables, nftables):

curl "https://your-krawl-instance/<DASHBOARD-PATH>/api/export-ips?categories=attacker&fwtype=raw"

This enables automatic blocking of malicious traffic on whatever platform consumes the list.

For full API parameters, examples, and adding custom firewall formats, see the Firewall Exporters documentation.
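A sync script is the usual way to consume that endpoint from cron. The following is an added example, not part of Krawl: it assumes that fwtype=raw returns one address per line (the page only shows the URL, not the response body), and the dashboard path, nftables table and set names are placeholders. The part a practitioner should not skip is the allowlist: whatever address Krawl records is what the export contains, so if the honeypot sits behind a reverse proxy and ever logs the proxy's own address, or if your monitoring host trips a honeypot path, a blind import would lock out your own infrastructure. Every line is validated with the ipaddress module, loopback and RFC 1918 ranges plus your own hosts are dropped, and the result is loaded in one nft transaction so the set is never empty between the flush and the reload.

```python
"""Pull Krawl's raw IP export into an nftables blocklist (added example, not project code).
Assumptions: fwtype=raw yields one address per line; EXPORT_URL, table and set names are
placeholders; run as root from cron. NEVER_BAN entries are dropped so a misrecorded proxy
or your own monitoring host can never land in the set."""
import ipaddress
import subprocess
import urllib.request

EXPORT_URL = ("https://your-krawl-instance/<DASHBOARD-PATH>/api/export-ips"
              "?categories=attacker,bad_crawler&fwtype=raw")          # placeholder URL
NEVER_BAN = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # loopback and RFC 1918
    "::1/128", "fc00::/7",
    "203.0.113.200/32",   # example: your own monitoring host or reverse proxy (assumption)
)]


def fetch_raw(url=EXPORT_URL, timeout=10):
    """GET the export. Needs network access, so it is kept out of the offline checks."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_raw(text, allowlist=NEVER_BAN):
    """Validate each line as an IP address; returns (kept, dropped), kept deduplicated and sorted."""
    kept, dropped = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:                      # never let a malformed line reach nft
            dropped.append(line)
            continue
        if any(ip in net for net in allowlist):  # protect yourself from your own export
            dropped.append(line)
            continue
        kept.add(ip)
    return sorted(kept, key=lambda ip: (ip.version, int(ip))), dropped


def render_nft(ips, table="krawl", set4="banned4", set6="banned6"):
    """Idempotent ruleset: (re)declare table, sets and chain, then reload rules and elements.
    The chain is flushed before its two rules are re-added so repeated runs do not stack
    duplicate rules; sets are flushed and refilled inside the same transaction."""
    v4 = [str(ip) for ip in ips if ip.version == 4]
    v6 = [str(ip) for ip in ips if ip.version == 6]
    lines = [
        f"table inet {table} {{",
        f"    set {set4} {{ type ipv4_addr; }}",
        f"    set {set6} {{ type ipv6_addr; }}",
        "    chain input { type filter hook input priority -10; policy accept; }",
        "}",
        f"flush chain inet {table} input",
        f"add rule inet {table} input ip saddr @{set4} drop",
        f"add rule inet {table} input ip6 saddr @{set6} drop",
        f"flush set inet {table} {set4}",
        f"flush set inet {table} {set6}",
    ]
    if v4:   # nft rejects an empty element list, so only emit when there is something to add
        lines.append(f"add element inet {table} {set4} {{ {', '.join(v4)} }}")
    if v6:
        lines.append(f"add element inet {table} {set6} {{ {', '.join(v6)} }}")
    return "\n".join(lines) + "\n"


def apply_nft(ruleset):
    """Feed the ruleset to nft on stdin; nft -f applies the file as a single transaction."""
    subprocess.run(["nft", "-f", "-"], input=ruleset, text=True, check=True)


RAW_SAMPLE = """# constructed export for illustration, not real data
203.0.113.7
198.51.100.99
203.0.113.7
192.168.1.5
not-an-ip
2001:db8::beef
203.0.113.200
10.20.30.40
"""

if __name__ == "__main__":
    kept, dropped = parse_raw(fetch_raw())
    if dropped:
        print("skipped:", ", ".join(dropped))
    apply_nft(render_nft(kept))
    print(f"loaded {len(kept)} addresses")
```

Run it with python3 under a cron entry that matches how often you want bans refreshed; because the export is regenerated from Krawl's reputation data each time, an IP whose category changes back simply disappears from the next load rather than needing a manual unban.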

IP Reputation

Krawl runs a periodic background task that analyzes recent traffic to build and continuously update an IP reputation score. Each run evaluates every active IP address against multiple behavioral indicators and classifies it as an attacker, crawler, or regular user. Thresholds are fully customizable.

[image: ip reputation]

The analysis includes:

  • Risky HTTP methods usage (e.g. POST, PUT, DELETE ratios)
  • Robots.txt violations
  • Request timing anomalies (bursty or irregular patterns)
  • User-Agent consistency
  • Attack URL detection (e.g. SQL injection, XSS patterns)

Each signal contributes to a weighted scoring model that assigns a reputation category:

  • attacker
  • bad_crawler
  • good_crawler
  • regular_user
  • unknown (for insufficient data)

The resulting scores and metrics are stored in the database and used by Krawl to drive dashboards, reputation tracking, and automated mitigation actions such as IP banning or firewall integration.
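To make the five signals and the category split concrete, here is a toy version of the analysis run over a constructed access log. This is an added example, not Krawl's own code: the thresholds are the KRAWL_*_THRESHOLD defaults from the configuration table, but the set of risky methods, the robots.txt Disallow list, the attack-URL regex, the per-signal weights and the cut-offs between categories are all assumptions made for the example, since the README does not publish the project's weights. The timing signal is the coefficient of variation of the gaps between requests inside the analysis window, which is why a steady search-engine bot scores near zero and a scanner that fires bursts then pauses scores high.

```python
"""Toy version of Krawl's IP reputation analysis (added example, not the project's code).
Thresholds are the KRAWL_*_THRESHOLD defaults from the README table; the risky-method set,
robots.txt Disallow list, attack-URL regex, weights and category cut-offs are assumptions."""
import re
import statistics
from collections import defaultdict, namedtuple

HTTP_RISKY_METHODS_THRESHOLD = 0.1            # README defaults from here ...
VIOLATED_ROBOTS_THRESHOLD = 0.1
UNEVEN_REQUEST_TIMING_THRESHOLD = 0.5         # coefficient of variation of inter-request gaps
UNEVEN_REQUEST_TIMING_TIME_WINDOW_SECONDS = 300
USER_AGENTS_USED_THRESHOLD = 2
ATTACK_URLS_THRESHOLD = 1                     # ... to here

RISKY_METHODS = {"POST", "PUT", "DELETE", "PATCH"}                   # assumptions from here on
ROBOTS_DISALLOW = ("/admin", "/backup", "/.git")                      # paths robots.txt forbids
ATTACK_URL = re.compile(r"union\s+select|<script|\.\./|'\s*or\s+1=1", re.IGNORECASE)
GOOD_CRAWLER_UA = re.compile(r"Googlebot|bingbot", re.IGNORECASE)
WEIGHTS = {"attack_urls": 3.0, "risky_methods": 2.0, "robots": 1.5, "timing": 1.0, "user_agents": 1.0}
MIN_REQUESTS = 5                                                      # fewer -> "unknown"

Request = namedtuple("Request", "ip ts method path user_agent")       # ts in unix seconds

def signals(reqs):
    """The five behavioural indicators for one IP."""
    n = len(reqs)
    latest = max(r.ts for r in reqs)
    stamps = sorted(r.ts for r in reqs if r.ts >= latest - UNEVEN_REQUEST_TIMING_TIME_WINDOW_SECONDS)
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    mean_gap = statistics.mean(gaps) if gaps else 0.0
    return {
        "risky_ratio": sum(r.method in RISKY_METHODS for r in reqs) / n,
        "robots_ratio": sum(r.path.startswith(ROBOTS_DISALLOW) for r in reqs) / n,
        "attack_urls": sum(bool(ATTACK_URL.search(r.path)) for r in reqs),
        "user_agents": len({r.user_agent for r in reqs}),
        # bursty or irregular traffic has a high CV; a steady crawler sits near 0
        "timing_cv": statistics.pstdev(gaps) / mean_gap if len(gaps) >= 2 and mean_gap > 0 else 0.0,
    }

def classify(reqs):
    """Return (category, score, signals) for one IP's requests."""
    if len(reqs) < MIN_REQUESTS:
        return "unknown", 0.0, {}
    s = signals(reqs)
    hits = {
        "attack_urls": s["attack_urls"] >= ATTACK_URLS_THRESHOLD,
        "risky_methods": s["risky_ratio"] > HTTP_RISKY_METHODS_THRESHOLD,
        "robots": s["robots_ratio"] > VIOLATED_ROBOTS_THRESHOLD,
        "timing": s["timing_cv"] > UNEVEN_REQUEST_TIMING_THRESHOLD,
        "user_agents": s["user_agents"] >= USER_AGENTS_USED_THRESHOLD,
    }
    score = sum(WEIGHTS[k] for k, hit in hits.items() if hit)
    if score >= 3.0:
        category = "attacker"
    elif hits["robots"] or score >= 1.5:
        category = "bad_crawler"          # ignores robots.txt or trips several soft signals
    elif score == 0 and all(GOOD_CRAWLER_UA.search(r.user_agent) for r in reqs):
        category = "good_crawler"
    else:
        category = "regular_user"
    return category, score, s

def classify_log(requests):
    """Group a log by IP and classify every IP."""
    by_ip = defaultdict(list)
    for r in requests:
        by_ip[r.ip].append(r)
    return {ip: classify(reqs)[0] for ip, reqs in by_ip.items()}

GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
SAMPLE_LOG = [   # constructed records, not real traffic
    # 203.0.113.7: SQLi/traversal probes, POST to a fake login, two User-Agents, bursty timing
    Request("203.0.113.7", 0.0, "GET", "/wp-login.php", "Mozilla/5.0"),
    Request("203.0.113.7", 0.5, "POST", "/wp-login.php", "Mozilla/5.0"),
    Request("203.0.113.7", 0.6, "GET", "/admin/config.php", "sqlmap/1.7"),
    Request("203.0.113.7", 20.0, "GET", "/index.php?id=1' or 1=1--", "sqlmap/1.7"),
    Request("203.0.113.7", 60.0, "GET", "/static/../../etc/passwd", "sqlmap/1.7"),
    # 198.51.100.20: well-behaved search bot, steady cadence, stays out of Disallow paths
    Request("198.51.100.20", 0.0, "GET", "/", GOOGLEBOT),
    Request("198.51.100.20", 10.0, "GET", "/about", GOOGLEBOT),
    Request("198.51.100.20", 20.0, "GET", "/products", GOOGLEBOT),
    Request("198.51.100.20", 30.0, "GET", "/blog", GOOGLEBOT),
    Request("198.51.100.20", 40.0, "GET", "/sitemap.xml", GOOGLEBOT),
    # 198.51.100.99: scripted crawler that walks straight into the robots.txt honeypot paths
    Request("198.51.100.99", 100.0, "GET", "/", "python-requests/2.31.0"),
    Request("198.51.100.99", 101.0, "GET", "/admin", "python-requests/2.31.0"),
    Request("198.51.100.99", 102.0, "GET", "/backup", "python-requests/2.31.0"),
    Request("198.51.100.99", 103.0, "GET", "/.git/config", "python-requests/2.31.0"),
    Request("198.51.100.99", 104.0, "GET", "/login", "python-requests/2.31.0"),
    # 192.0.2.10: a person browsing; 192.0.2.55: too little data to judge
    Request("192.0.2.10", 0.0, "GET", "/", FIREFOX),
    Request("192.0.2.10", 12.0, "GET", "/about", FIREFOX),
    Request("192.0.2.10", 25.0, "GET", "/products/1", FIREFOX),
    Request("192.0.2.10", 41.0, "GET", "/products/2", FIREFOX),
    Request("192.0.2.10", 60.0, "GET", "/contact", FIREFOX),
    Request("192.0.2.55", 0.0, "GET", "/", "curl/8.5.0"),
]

if __name__ == "__main__":
    for ip, category in classify_log(SAMPLE_LOG).items():
        print(f"{ip:<15} {category}")
```

Note how tight the default KRAWL_HTTP_RISKY_METHODS_THRESHOLD of 0.1 is: a single POST in fewer than ten requests already trips it, which is fine on a honeypot where nobody has a legitimate form to submit, but is worth raising if you front real services with Krawl and feed its categories into automatic banning.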

AI-Generated Deception Pages

Krawl can automatically generate realistic deception pages using AI models from OpenRouter or OpenAI APIs. This feature creates unique, plausible honeypot pages on-the-fly to deceive attackers without manual page creation.

Key Features:

  • Dynamic Generation: Creates unique HTML pages for any request path
  • Smart Caching: Caches generated pages to avoid redundant API calls
  • Daily Rate Limiting: Control API costs with configurable request limits
  • Multiple Providers: Support for OpenRouter (free options) and OpenAI
  • Graceful Fallback: Falls back to standard honeypot when disabled or limit reached
  • Cached Serving: Previously generated pages served even when AI is disabled

Quick Setup:

ai:
  enabled: true
  provider: "openrouter"
  openai_base_url: "your-custom-base-url"
  api_key: "your-api-key"
  model: "nvidia/nemotron-3-super-120b-a12b:free"
  timeout: 60
  max_daily_requests: 10

For detailed configuration and usage, see the AI Generation documentation.

You can also contribute deception templates by opening a PR, see Contributing Deception Templates.

Forward server header

If Krawl is deployed behind a proxy such as NGINX, the Server header must be forwarded explicitly: NGINX drops the upstream Server header and substitutes its own by default, which would defeat Krawl's randomized server headers. Add the following to your proxy configuration:

location / {
    proxy_pass https://your-krawl-instance;
    # pass Krawl's (randomized) Server header through instead of NGINX's own
    proxy_pass_header Server;
}

Metrics & Monitoring

Krawl exposes Prometheus metrics at /<dashboard_secret_path>/metrics (enabled by default) and ships with a ready-to-import Grafana dashboard at grafana-dashboard.json.

See the Monitoring documentation for the full metric list, Grafana import steps, and Prometheus / Kubernetes (ServiceMonitor) scraping setup.

Additional Documentation

Topic | Description
--- | ---
AI Generation | Configure AI-generated deception pages using OpenRouter or OpenAI
Deception Pages | Manage, import, and export deception pages; bulk operations and date-based filtering
Deployment Modes | Standalone (SQLite) vs Scalable (PostgreSQL + Redis) mode, configuration, and data migration
Honeypot | Full overview of honeypot pages: fake logins, directory listings, credential files, SQLi/XSS/XXE/command injection traps, and more
Dashboard | Access and explore the real-time monitoring dashboard
API | External APIs used by Krawl for IP data, reputation, and geolocation
Reverse Proxy | How to deploy Krawl behind NGINX or use decoy subdomains
Database Backups | Enable and configure the automatic database dump job
Canary Token | Set up external alert triggers via canarytokens.org
Wordlist | Customize fake usernames, passwords, and directory listings
Architecture | Technical overview of the codebase, request pipeline, database schema, and background tasks
Firewall Exporters | Export IP banlists in raw, iptables, or nftables format via REST API
Metrics & Monitoring | Prometheus metrics endpoint, exposed metrics reference, Grafana dashboard, and ServiceMonitor scraping

Contributing

Contributions welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Submit a pull request (explain the changes!)

Disclaimer

Caution

This is a deception/honeypot system. Deploy in isolated environments and monitor carefully for security events. Use responsibly and in compliance with applicable laws and regulations.

Star History

[image: Star History Chart]