Infra-Mirrors/docker-swag
1
0
Fork 0
mirror of https://github.com/linuxserver/docker-swag.git synced 2024-06-26 06:32:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added a fail2ban jail for nginx unauthorized

Browse Source
This commit is contained in:
quietsy 2022-01-09 17:16:11 +02:00
parent bedff470cf
commit 251917b23f
5 changed files with 28 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
## Versions
* **09.01.22:** - Added a fail2ban jail for nginx unauthorized
* **21.12.21:** - Fixed issue with iptables not working as expected
* **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)
* **22.11.21:** - Added support for Infomaniak DNS for certificate generation.

1
readme-vars.yml
View File

@ -154,6 +154,7 @@ app_setup_nginx_reverse_proxy_block: ""
# changelog
changelogs:
- { date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized" }
- { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" }
- { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" }
- { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." }

7
root/defaults/fail2ban/filter.d/nginx-unauthorized.conf Normal file
View File

@ -0,0 +1,7 @@
# A fail2ban filter for unauthorized log messages
[Definition]
failregex = ^<HOST>.*"(GET|POST|HEAD).*" 401 .*$
ignoreregex =

20
root/defaults/jail.local
View File

@ -1,10 +1,14 @@
## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local
# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container
[DEFAULT]
# Prevents banning LAN subnets
ignoreip = 10.0.0.0/8
192.168.0.0/16
172.16.0.0/12
# Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports".
banaction = iptables-allports
@ -21,37 +25,35 @@ maxretry = 5
[ssh]
enabled = false
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/error.log
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /config/log/nginx/access.log
maxretry = 2
[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /config/log/nginx/access.log
[nginx-deny]
enabled = true
port = http,https
filter = nginx-deny
logpath = /config/log/nginx/error.log
[nginx-unauthorized]
enabled = true
port = http,https
filter = nginx-unauthorized
logpath = /config/log/nginx/unauthorized.log

9
root/defaults/nginx.conf
View File

@ -1,4 +1,4 @@
## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf
user abc;
@ -55,6 +55,13 @@ http {
'' close;
}
# Saves unauthorized log messages to a separate log file
map $status $unauthorized {
default 0;
~^401 1;
}
access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;
# Sets the path, format, and configuration for a buffered log write.
access_log /config/log/nginx/access.log;