List: fail2ban-users
Subject: [Fail2ban-users] Fail2ban proxy protocol
From: "Felix E. Klee" <felix.klee () inka ! de>
Date: 2021-09-01 17:23:16
Message-ID: 87fsuofbwb.fsf () inka ! de
My site is served via an IPv4 to IPv6 proxy with proxy protocol enabled:
https://www.mythic-beasts.com/support/topics/proxy

Nginx config:

    proxy_set_header X-Real-IP $proxy_protocol_addr;
    proxy_set_header X-Forwarded-For $proxy_protocol_addr;

    server {
        server_name example.com;

        types {
            text/html html;
            text/css css;
            text/xml xml;
            image/png png;
            image/jpeg jpeg jpg;
        }

        location / {
            root /srv/example.com;
            index index.html;
            autoindex on;
            auth_basic "Secret";
            auth_basic_user_file /etc/apache2/.htpasswd;
        }

        listen [::]:443 ssl proxy_protocol;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    }

    server {
        server_name example.com;
        listen [::]:80 proxy_protocol;
        return 301 https://example.com$request_uri;
    }

To prevent brute forcing of HTTP auth, I enabled Fail2ban:

    [nginx-http-auth]
    enabled = true
    maxretry = 5
    bantime = 10m
    action = %(action_mwl)s
    destemail = webmaster@example.com

Now the problem: Fail2ban sees only the proxy's IP. So a ban affects
all clients.

How do I make Fail2ban see the client's actual IP?
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
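
Why one ban hits every visitor in the setup described above, as an added example (not part of the original message and not Fail2ban's own code): a small Python model of a jail with maxretry = 5, run over constructed nginx error-log lines. The regex, the 10-minute findtime window, the helper names and all addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Approximation of what an nginx auth-failure filter extracts; not Fail2ban's regex.
AUTH_FAIL = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] .*?'
    r'user "[^"]*"(?:: password mismatch| was not found in "[^"]*"), '
    r'client: (?P<host>[0-9A-Fa-f:.]+), server: ')

def banned_hosts(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return hosts reaching maxretry failures within findtime (assumed window)."""
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned = []
    for line in lines:
        m = AUTH_FAIL.match(line)
        if not m:
            continue              # not an HTTP auth failure
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        q = recent[m["host"]]
        q.append(ts)
        while ts - q[0] > findtime:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

def make_log(clients):
    """Build constructed error-log lines, one auth failure per listed client."""
    fmt = ('2021/09/01 17:00:{:02d} [error] 811#811: *{} user "admin": password '
           'mismatch, client: {}, server: example.com, request: "GET / HTTP/1.1", '
           'host: "example.com"')
    return [fmt.format(i, i + 1, c) for i, c in enumerate(clients)]

PROXY = "2001:db8::53"  # constructed address standing in for the proxy
# Real senders of six failures: one brute forcer (5x) and one user with a typo (1x)
REAL = ["198.51.100.7"] * 3 + ["203.0.113.20"] + ["198.51.100.7"] * 2

behind_proxy = make_log([PROXY] * len(REAL))  # log as written when nginx sees the proxy
with_real_ip = make_log(REAL)                 # same traffic, client field = real sender

if __name__ == "__main__":
    print("proxy address logged :", banned_hosts(behind_proxy))
    print("client address logged:", banned_hosts(with_real_ip))
```

The ban follows whatever address nginx writes into the `client:` field, so the correction belongs on the nginx side. nginx's realip module (`set_real_ip_from`, `real_ip_header proxy_protocol`) is the documented way to replace the connection's client address with the one carried in the PROXY protocol header.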